[Bug]: As a user, I do not have enough control over, nor do I always consent, to what is sent via MetaMetrics, Sentry, APIs, and RPCs #15576

Open
tayvano opened this issue Aug 13, 2022 · 11 comments

@tayvano
Contributor

tayvano commented Aug 13, 2022

Background

After the incident with Solana's Slope wallet a couple weeks ago combined with the escalation in US govt actions against decentralized protocols this week, it is increasingly important that we ensure MetaMask is able to serve the OGs in this community and especially those who need and/or value the censorship resistant aspects of Web3, even as our company and product evolve.

Obviously, given the sheer quantity and diversity of users we now serve, it is unreasonable to expect that we simply not use mature tools that allow us to make better product decisions and ship fixes faster.

Similarly, given our placement in the ecosystem and that we are a US-based company, it is unreasonable to expect that we ever refuse to comply with the law, especially when those laws regard matters of national security.

That said, we should all be well-aware of the reality that every one of our users is at increased risk of being targeted by sophisticated nation-state cyberattacks, just as we are already well-aware that our own team, as well as any services we utilize to facilitate logging, storing, distributing, or communication, have already been and will continue to be the target of highly sophisticated and targeted nation-state cyberattacks. Therefore, there is no excuse for us to ever fall into the same shitty situation that Apple created for itself, because our products should always be built, at every step of the way, knowing the environment in which we have always operated.

One of the most fundamental principles that guides our product is around consent. Our whole job is to ensure users can, and do, have full, informed control over the authority they manage from within MetaMask. These principles do not solely apply to how users interact with Web3 and dapps—they apply to every aspect of our being and therefore to every product choice we make.

We ensure users are able to consent. We ensure we limit the choices we make on users' behalf because we are not early-Phantom and we do not automatically approve the sending of shit to third-parties on behalf of our users. This is especially true when we are literally not able to allow people to consent at the time, e.g. things that we are legally required to do or provide. Therefore, in any cases where consent cannot be granted by the user at the time, we must ensure users provide informed consent up front.

Lastly, MetaMask expects, and even demands, that our legal teams keep us legally compliant and protect us from needing to understand and navigate laws and policy and to prevent us from being thrown in jail. That is their job and their expertise and they are the best at it—not our job. Similarly, it is not their job to protect our users. That is our job. That is what we are experts in and what we should be the best at.

Things to Fix

  1. We need to do a better job identifying risks and understanding the long-term implications and, in some cases, limitations our choices are forcing upon our current and future users. I propose we start by documenting (birds-eye view) what is sent to what party via what tool/service.
  2. Moving forward, any material changes to who/what/where/how must get sign-off from Security and from Legal before product and development work is started, and again after the work is complete but before the changes are merged.
  3. We need to resolve any existing areas where our product does not give the user the proper ability to consent, opt-in, opt-out, or provide a custom endpoint in case the infrastructure being utilized fails on the whole or fails a specific user. Obviously, exactly what consent looks like will vary and it is the responsibility of Product to determine how things are implemented and on what timeline.

Specific areas of concern are

  1. Any RPC calls that include multiple user-addresses in a single call. Specifically, a user reached out today asking if all requests would be blocked by Infura across all their addresses if any one of their addresses somehow made it onto Infura's denylist. MetaMask is not responsible for Infura, or any other RPC provider's choices in this regard. However, we can and should ensure a more robust future for MetaMask users.
  2. Ability to turn off Sentry, and whether Sentry information is sent if the user has opted out of MetaMetrics.
  3. No user addresses hit MetaMetrics ever.
  4. No user addresses hit Sentry.
  5. No secrets ever hit the network ever (in addition to never being saved on disk unencrypted)

Steps to reproduce

  1. Use MetaMask.
  2. Care about who can see your entire comprehensive transaction history across all accounts.
  3. Care about who controls what you can and can't do.
  4. Live in the US or live outside the US.

Additional context

MetaMask has also added additional intrusive tracking. It's time to stop using it and move to another open-source wallet that doesn't track you.

https://twitter.com/bantg/status/1558408291969015812

I'm not sure it's possible to boot the official extension with metametrics off, then your metametrics id might not change, and some calls still override isOptIn forcing events to be sent. Also our good friend sentry is part of the package as well anyways.

https://twitter.com/elyx0/status/1558472169734250500

There's a few calls to analytics services before I even get the choice to opt out, but they seem to not be too big of a deal. Might be okay with it, maybe you can muff those until after the choice is made? Sentry keeps pinging after even if I opt out but the payloads are thin.

https://twitter.com/elyx0/status/1558494187347132416

Can we disable Sentry locally? I'd turn it on if I'm experiencing a bug so you can get stack traces, but I'd want to do that in a fresh account rather than having it always ready to report while I use a real account.

https://twitter.com/MikeSylphDapps/status/1558486499821223938

Does the default RPC Infura log IP addresses and wallets?
Are these used for analysis and could this information be used for blacklisting in the future? e.g one wallet under the same IP as another, where one has used tornado

https://twitter.com/LANCEROBJ/status/1558468222139129856

MetaMetrics is a slippery slope to a future where we send all our users addresses to a secret database and wholesale decide whether or not they are worthy of using our product in a non-transparent way, and potentially far beyond what the law requires us to do.

https://twitter.com/DeFi_Ted/status/1558507094185111552

E.g. if you use many addresses in Metamask - some can be associated with you while you want to keep others private? Your RPC provider will learn that all your addresses belong together - if you want to keep that private you need to use your own node!

https://twitter.com/koeppelmann/status/1490085719557165056

Since your RPC provider also sees your IP address, they can link it to your Ethereum address and thereby link ALL your Ethereum addresses, even the ones that you aren't using right now

https://twitter.com/SCBuergel/status/1484409273513922567

Accounts are actually not just linkable via your IP address
MM uses a getter contract to get all your token & ETH balances FROM ALL YOUR ADDRESS in one request 👀
No bad intent here, I guess just performance optimizations with privacy implications

https://twitter.com/SCBuergel/status/1484409278161170432

Are you using MetaMask? Well, I have bad news for you - your privacy is at risk!

https://twitter.com/alxlpsc/status/1484102749566476291
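The linkability described in item 1 of the concerns above and in the quoted threads (several accounts packed into one eth_call to a balance getter contract, and per-account requests that still share one IP and session) can be checked from the wallet side. As an added example that is not part of this issue or of MetaMask's code, here is a small JavaScript audit helper that takes an outgoing JSON-RPC body and reports which of the user's own accounts that single request exposes to the provider. The getter contract address, its function selector and the three account addresses are constructed placeholders; the word-to-address rule is a heuristic, not an ABI decoder.

```javascript
// Added example, not MetaMask code: inspect an outgoing JSON-RPC request body and
// report which of the user's own accounts that one request reveals to the RPC
// provider. Addresses, the getter contract and its selector are placeholders.

const ADDRESS_RE = /^0x[0-9a-f]{40}$/i;      // a bare 20-byte address parameter
const HEX_BLOB_RE = /^0x[0-9a-f]{8,}$/i;     // anything long enough to be calldata

// Heuristic: a 32-byte ABI word is read as an address when its first 12 bytes are
// zero and the 20-byte tail does not start with 4 zero bytes, so small integers
// such as the array offset (0x20) and the array length are not mistaken for one.
function wordToAddress(word) {
  if (word.length !== 64 || !/^0{24}/.test(word)) return null;
  const tail = word.slice(24);
  return /^0{8}/.test(tail) ? null : '0x' + tail.toLowerCase();
}

// Skip the 4-byte selector, then examine every 32-byte word of the calldata.
function addressesInCalldata(data) {
  const hex = data.slice(2);
  const found = new Set();
  for (let i = 8; i + 64 <= hex.length; i += 64) {
    const addr = wordToAddress(hex.slice(i, i + 64));
    if (addr) found.add(addr);
  }
  return found;
}

// Collect every address in a request (or a batch of requests): plain address
// params such as eth_getBalance's first argument, `to`/`from` fields, and
// addresses embedded in eth_call calldata.
function addressesInRequest(body) {
  const found = new Set();
  const visit = (v) => {
    if (typeof v === 'string') {
      if (ADDRESS_RE.test(v)) found.add(v.toLowerCase());
      else if (HEX_BLOB_RE.test(v)) addressesInCalldata(v).forEach((a) => found.add(a));
    } else if (Array.isArray(v)) v.forEach(visit);
    else if (v && typeof v === 'object') Object.values(v).forEach(visit);
  };
  (Array.isArray(body) ? body : [body]).forEach((req) => visit(req.params || []));
  return found;
}

// The audit question: which of MY accounts does this single request tie together?
function revealed(body, ownAccounts) {
  const own = new Set([...ownAccounts].map((a) => a.toLowerCase()));
  return [...addressesInRequest(body)].filter((a) => own.has(a)).sort();
}

// ---- constructed sample traffic (not real users, not a real contract) ----
const ACCOUNTS = [
  '0x1111111111111111111111111111111111111111',
  '0x2222222222222222222222222222222222222222',
  '0x3333333333333333333333333333333333333333',
];
const GETTER = '0xabcdefabcdefabcdefabcdefabcdefabcdefabcd'; // hypothetical balance getter

// ABI-encode `balances(address[])` with a placeholder selector. The layout is the
// standard one for a single dynamic-array argument:
// selector | offset of array data (0x20) | length | one left-padded word per address.
function encodeBatchedBalanceCall(accounts) {
  const word = (n) => n.toString(16).padStart(64, '0');
  const body = [word(0x20), word(accounts.length),
                ...accounts.map((a) => a.slice(2).toLowerCase().padStart(64, '0'))];
  return '0x12345678' + body.join('');
}

// Shape A: one eth_call whose calldata carries every account at once.
function batchedRequest(accounts) {
  return { jsonrpc: '2.0', id: 1, method: 'eth_call',
           params: [{ to: GETTER, data: encodeBatchedBalanceCall(accounts) }, 'latest'] };
}

// Shape B: one eth_getBalance per account, sent as separate requests.
function perAccountRequests(accounts) {
  return accounts.map((a, i) => ({ jsonrpc: '2.0', id: i + 1, method: 'eth_getBalance',
                                   params: [a, 'latest'] }));
}

function demo() {
  return {
    batched: revealed(batchedRequest(ACCOUNTS), ACCOUNTS),                      // all three in ONE request
    perAccount: perAccountRequests(ACCOUNTS).map((r) => revealed(r, ACCOUNTS)), // one each
  };
}
```

Shape A hands the provider the whole account set in a single payload, which is the point the quoted thread makes about the getter contract. Shape B only spreads the same information over several requests: as long as they arrive from one IP and one session, the provider can still join them, so splitting the calls is not a fix on its own, and the `revealed` check is best used together with a per-account RPC routing decision or the user's own node.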

@danfinlay
Contributor

I think the onboarding privacy opt-out screen is going to help this a lot. It will give us a place for privacy-minded people to learn about their information surface, as well as an opportunity to opt out of any centralized services (and into self hosting) as much as possible.
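Items 2 through 5 of the issue and the onboarding opt-out mentioned above come down to two mechanics: a consent check at send time that callers cannot bypass (the quoted report that some calls override isOptIn is exactly the failure this prevents), and a scrubber that strips addresses and secret-shaped material from whatever is about to leave the wallet. As an added example that is not MetaMask's code, here is a small JavaScript telemetry wrapper showing both; the class, the transport hook, the key list and the regexes are hypothetical.

```javascript
// Added example, not MetaMask code: a telemetry client whose send path reads the
// user's opt-in state on every send (callers get no override) and scrubs account
// addresses and secret-shaped strings before a payload reaches a transport such
// as a Sentry or MetaMetrics SDK. All names are hypothetical.

const SECRET_HEX_RE = /(?:0x)?[0-9a-fA-F]{64}/g;  // 32-byte hex, private-key shaped (also hits tx hashes; deliberately conservative)
const ADDRESS_HEX_RE = /0x[0-9a-fA-F]{40}/g;      // 20-byte hex, account address
// 12 to 24 lowercase words separated by single spaces: mnemonic shaped (heuristic).
const MNEMONIC_RE = /\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b/g;
// Keys whose value is never worth sending, whatever it looks like.
const DROP_KEYS = new Set(['mnemonic', 'seedphrase', 'privatekey', 'password']);

function scrubString(s) {
  return s
    .replace(SECRET_HEX_RE, '[redacted-secret]')   // first: a 64-hex key also contains 40 hex chars
    .replace(ADDRESS_HEX_RE, '[redacted-address]')
    .replace(MNEMONIC_RE, '[redacted-mnemonic]');
}

// Returns a scrubbed copy of any JSON-like event payload; the original is untouched.
function scrub(value) {
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map(scrub);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) =>
      DROP_KEYS.has(k.toLowerCase()) ? [k, '[dropped]'] : [k, scrub(v)]));
  }
  return value;
}

class TelemetryClient {
  // `getConsent` is queried on every send, so a later opt-out takes effect at once;
  // `transport` is whatever actually ships the payload (SDK call, fetch, ...).
  constructor({ transport, getConsent }) {
    this.transport = transport;
    this.getConsent = getConsent;
  }

  // No `force` or `isOptIn` parameter exists on purpose: the only way for an event
  // to go out is for the user's stored preference to say yes at this moment.
  track(event, properties = {}) {
    if (this.getConsent() !== true) return { sent: false, reason: 'opted-out' };
    const payload = scrub({ event, properties });
    this.transport(payload);
    return { sent: true, payload };
  }
}

// ---- constructed demonstration (addresses and key are placeholders) ----
function demo(consent) {
  const outbox = [];   // stands in for the network
  const client = new TelemetryClient({ transport: (p) => outbox.push(p), getConsent: () => consent });
  const result = client.track('tx_failed', {
    from: '0x1111111111111111111111111111111111111111',
    error: 'insufficient funds for 0x2222222222222222222222222222222222222222',
    debug: { privateKey: '0x' + 'ab'.repeat(32) },
    note: 'seed is abandon ability able about above absent absorb abstract absurd abuse access accident',
  });
  return { result, outbox };
}
```

The scrubber is the last line of defense, not the design: the structural fix for "no user addresses hit MetaMetrics or Sentry" is to not put addresses into event properties in the first place, and a redacted error message is less useful for debugging than one that never carried the address. The mnemonic and key patterns are heuristics that will over-match ordinary text and transaction hashes; in a wallet that is the right direction to err.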

@3nprob

3nprob commented Aug 14, 2022

Thank you so much for raising this @tayvano. This has been on my mind a lot recently.

Lots of thoughts about this and why it's so, so important and the many risk dimensions both to individual users, MetaMask itself, and the whole community. It does seem that push is starting to come to shove. I can only hope a silver lining is that thought-leaders and buidlers like yourselves who have the heart in the right place but have been apathetically going along with the status quo will be waking up before doors actually start closing on this issue. Anyway...

As a user, when I judge whether to trust an application in this space this is one of the most vital points. More specifically, for an application to count as "good" (as opposed to "evil" or "stupid"), I expect:

  1. The application complies with the GDPR. As in actually, not as in "oops nobody told us IP addresses count as PII", which is not a valid excuse just because "everyone else is doing it". MetaMask needs to lead by example here. For example, all communication with hardcoded or external endpoints like Infura, metadata CDNs, etherscan, etc. is explicitly opt-in [1].
  2. The application degrades gracefully. If I run it in an airgapped network with only access to an internal RPC endpoint and no internet access, everything should still be functional except for things that inherently require it, like syncing with mobile.
  3. Endpoints should be configurable. Even if many APIs may be proprietary and closed, I should be able to use my own API-compatible endpoint should one exist (and hey, suddenly users can use HTTP proxies regardless of what their OS and browser say about it).
  4. As a technical user and developer unaffiliated with the development team, I should be able to easily build and run my own release without any of these and supply my own alternatives as build-time configuration
  5. As above, so below. As far as feasible, there are actually accessible self-hostable alternatives for any important server-side functionality, available under a Free license [2].

As I mentioned, the above are general points. For MetaMask specifically, there is one further factor: much of the network activity going on is not visible in the Network tab for the extension in either Chrome or Firefox. This raises the bar significantly in terms of effort and skill needed to see the requests and may fool some technical users who do try. I'm not saying this necessarily needs to change but it does affect the situation.

MetaMask used to be good on all of this back in the days. We got here bit by bit, death by a thousand cuts over many years. From where I sit I don't see any bad actors (and I do hope that MC found a good new home BTW!).

I fully sympathize with how things got to where they are and how easy it is to internalize that "this is mostly fine, we just have a couple of kinks to iron out and it's mostly a theoretical problem anyway" in order to build product and align with contemporary dev culture as the team grows...

And maybe being on this trajectory this way was a factor that actually helped MetaMask to grow to where it is today. But it is also clear as day to me where this trajectory leads if direction is not changed. And it is not good. The time to wake up is now.

I'm a bit sleep-deprived so this comment may not be distilled perfectly - I do hope it's of use.

Peace,
threenodeproblem

Footnotes

  1. MetaMask has work to do here. @danfinlay already hints at one example: Requests start going to sentry.io at the "Help us improve MetaMask" onboarding screen before the user has been fully informed, which you may actually get in trouble in European countries like Germany for. Sorry if this is harsh but not violating the most known data privacy laws is not a very high bar for a cryptocurrency wallet...

  2. A bit hesitant to include this one since I know some see it as extremist. If the rest of points are fulfilled and the documentation is clear enough this would be what takes it from "good" to "great".

@github-actions
Contributor

This issue has been automatically marked as stale because it has not had recent activity in the last 90 days. It will be closed in 45 days. Thank you for your contributions.

@github-actions github-actions bot added the stale issues and PRs marked as stale label Jul 20, 2023
@legobeat
Contributor

@github-actions: not-stale

@github-actions github-actions bot removed the stale issues and PRs marked as stale label Jul 21, 2023
@legobeat
Contributor

Related: #20132

@github-actions
Contributor

This issue has been automatically marked as stale because it has not had recent activity in the last 90 days. It will be closed in 45 days if there is no further activity. The MetaMask team intends on reviewing this issue before close, and removing the stale label if it is still a bug. We welcome new comments on this issue. We do not intend on closing issues if they report bugs that are still reproducible. Thank you for your contributions.

@github-actions github-actions bot added the stale issues and PRs marked as stale label Oct 21, 2023
@legobeat legobeat removed the stale issues and PRs marked as stale label Oct 22, 2023
@github-actions github-actions bot added the stale issues and PRs marked as stale label Jan 21, 2024
@legobeat legobeat removed the stale issues and PRs marked as stale label Jan 21, 2024
@github-project-automation github-project-automation bot moved this to To be fixed in Bugs by severity Feb 19, 2024
@gauthierpetetin gauthierpetetin added the Sev2-normal Normal severity; minor loss of service or inconvenience. label Feb 19, 2024
@github-project-automation github-project-automation bot moved this to To be fixed in Bugs by team Apr 9, 2024
@github-actions github-actions bot added the stale issues and PRs marked as stale label May 19, 2024
@legobeat legobeat removed the stale issues and PRs marked as stale label May 20, 2024
@github-actions github-actions bot added the stale issues and PRs marked as stale label Aug 18, 2024
@legobeat legobeat removed the stale issues and PRs marked as stale label Aug 18, 2024
@github-actions github-actions bot added the stale issues and PRs marked as stale label Nov 17, 2024
@legobeat
Contributor

not stale

@github-actions github-actions bot removed the stale issues and PRs marked as stale label Nov 18, 2024