In a privacy update published Dec. 6, ConsenSys, the developer of the popular MetaMask browser wallet, said it would reduce its retention of user data such as wallet addresses and IP addresses to seven days. Previously on Nov. 24, ConsenSys updated its privacy policy to clarify how Infura, or MetaMask's default Remote Procedure Call (RPC), works with user data such as including IP addresses. The revelation sparked controversy in the crypto community regarding privacy concerns, leading the firm to clarify that IP addresses collected through MetaMask will not be monetized or "exploited."
We are committed to protecting the privacy of MetaMask users. Last month, the ConsenSys privacy policy update raised questions and misconceptions.
— MetaMask (@MetaMask) December 6, 2022
We heard you, went to work, and would like to share some important clarifications and updates https://t.co/5HGlWFuIEq
In today's update, ConsenSys further elaborated that it does not store MetaMask wallet information when users make "read" requests through Infura, such as logging in to check their account balance. Instead, users' IP and wallet addresses are only logged after "write" requests by making transactions through Infura's RPC endpoints. ConsenSys also claims the two data types are not stored together to allow its systems to inference from them.
After community feedback, the firm said it would be building a new advanced settings page to give all new users the opportunity to choose their own RPC during onboarding and thereafter. Users have the option to opt-out of Infura and choose a third-party RPC. However, ConsenSys warned that:
"From a privacy perspective, we caution that these alternatives may not actually provide more privacy; alternate RPC providers have different privacy policies and data practices, and self-hosting a node may make it even easier for people to associate your Ethereum accounts with your IP address."