What You Should Know About MetaMask's Privacy Policy (And All ETH In-Browser Wallets)

in ethereum •  7 years ago 

Screen Shot 2018-02-07 at 5_Fotor.jpg

I think it’s time for another friendly reminder to be aware of what you’re doing when your dealing with cryptocurrency.

Today I’m focusing on Metamask and their privacy policy.

I know that I’ve made a few videos that show how to use this wallet and how it can be awfully convenient compared to other wallet options. But as with many other things in life, convenience often brings a sacrifice to security.

I know we’ve all had that experience of wanting to use a new software or update our phones and computers and we’re presented a page that represents that company’s terms of service and privacy policy. Of course these papers read like a dry legal document and that’s because they are.

If you’ve ever just clicked the “agree” box just to get going with the process without reading it you are certainly not the only one. But don’t you ever wonder what it is exactly that you’re agreeing to?
In the case of Metamask their privacy policy is available for anyone to read.
It’s actually not that long or difficult to get through and it’s implications can have an impact on your experience using their wallet.

Here’s what I’m talking about:

Their privacy policy is worded in a way that seems to give them some wiggle room. For example, when it states that “The personal information we collect from you generally may include:”
(and it goes on to list:)

  • “Network information regarding transactions”
  • “We become aware of the first public key created by virtue of the system design...”
  • “We may receive network information from you as a result of your interaction with our Service.”
  • “Our service requires the highest level of browser permissions that could potentially lead to procurement of more personal information...”
  • “...Any identifying information collected via Google Analytics is controlled by Google.”

The preceding paragraph explains that the initial public key created is made aware to them because that’s how their system is designed and that all public keys thereafter are anonymous.
However, not only are they “aware” of the initial public key that you produce on their plug in, they also store it.
They also explain that your interaction with their service may result in their servers receiving information like your IP addresses and possibly more.

Also since this plug in has “full browser permissions” this may also lead to them receiving personal information about you. They say that these permissions are for “extremely limited technical purposes” yet go on to vaguely explain that they don’t obtain anything beyond what is necessary, without detailing what it is that is necessary.

The privacy policy also states that your information will be shared with their affiliates or any third party that is required for the provision of the “Service”
Also, as I stated earlier, the policy reiterates that MetaMask uses Google analytics and for that purpose, any identifying information that is collected by Google Analytics is then controlled by Google.

The next paragraph explains all of the scenarios where they will disclose your information.

When it comes to securing your information that they’ve collected, that section is a bit thin and explains that they store the personal information on limited access or encrypted computer systems.

Now if you’re wondering if these security measures are sufficient, there has been instances where some users’ information, for whatever reason has been compromised. They were required to download a new web browser and create a new MetaMask account and transfer their funds into that new account.

This all means that they do indeed collect your data, maybe not all of it, but it’s data that could leave you vulnerable or exposed to outside third parties.

Granted, I can’t tell exactly how many others have had this same experience or how drastic this security breach was for their network, but regardless, it’s something to be aware of when considering if this service is worth it to you.

Again, I myself have used Metamask in the past, and this post certainly isn’t meant to be FUD in any way.

I think it’s important to be educated when making decisions, especially when it involves your crypto investments.

While we’re on the subject of using of in-browser wallets, there’s another thing I think we should all be aware of that also involves the sharing of your data.

Did you know that if you use any type of Ethereum based in-browser web wallet you could be sharing the fact that you use Ethereum with nearly every website that you visit?

This doesn’t mean they can steal your crypto without you knowing, I’m sure you’d get a confirmation notification at least.
But this does mean that you could be put on a hackers radar if they know you’ve got an investment in crypto.

To MetaMask’s credit they are making efforts to address these security issues.

You can check out their GitHub to see their progress.

It’s also important to note that this is still very much a new application that is still working out it’s kinks.

This is also the case for many crypto wallets, not just those that are based on your web browser.

You are ultimately assuming the risk when you choose to store your cryptos.

It’s very much worth it to take your time and educate yourself on the status of any wallet you want to use and how the team behind it is addressing its issues.

Additional Reading/Sources:

MetaMask Privacy Policy
Steemit User's Experience with Security Breach
MetaMask GitHub Addressing Security
Risks of Using Ethereum In-Browser Wallets

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Knowledge is power.

Another great video!!! Can you shed some light onto DAICO? will it be the benchmark for new ICOs?

The whole issue of wallet security has to be addressed this year if the crypto community wants mass adoption of the technology. I created a metamask wallet on PC and it crashed after installing it. Thankfully there were no tokens in there.
I am concerned by your comment about Ethereum based in-browser web wallets. I would like to invest in several coins that run on the Ethereum network such as PPT.
Where can you store such coins if not in an Ethereum based in-browser web wallet?

very valuable information, help us all, thanks for sharing it on the platform, this helps us grow as a community. Congratulations

  ·  7 years ago (edited)

😮 wow that is some great information that I didn’t realize that they did. Keep up the great work and thank you 😊 resteemed.

better than myetherwallet?

Reference the comment I replied to above :)

Great post!

I follow you on here to be informed! Thanks and keep steeming

this information is very useful, at least we can be more careful with the crypto wallet that we use to be safe from the hackers.

this is good information about crypto and video worth watching

Good luck master

your information will be shared with their affiliates or any third party that is required for the provision of the “Service”

Truly a lol statement in terms of how broad that application can be.

Thankfully I don't have any crypto to steal... good luck hackers!

That makes me wonder, should we perhaps start to encourage people from countries where the rule of law isn't strong enough to guarantee their personal safety against threats like kidnappings, to not post their personal info and pictures on steemit?

  ·  7 years ago (edited)

Wow, thanks for this post. Here i was thinking metamask was awesome. That kinda pisses me off really, especially since a lot of dAPPs rely on metamask and don't really make it easy to use other options.

Even if you use metamask as a "quick" wallet, This means that they can trace any transactions to or from that first public key... God damn wish i knew that, would have used a second key immediately.

I wish MEW would make an extension that integrates with dAPPS like metamask that you could use a hardware wallet with...

Congratulations @heiditravels, this post is the eighth most rewarded post (based on pending payouts) in the last 12 hours written by a Superhero or Legend account holder (accounts hold greater than 100 Mega Vests). The total number of posts by Superhero and Legend account holders during this period was 30 and the total pending payments to posts in these categories was $2072.30. To see the full list of highest paid posts across all accounts categories, click here.

If you do not wish to receive these messages in future, please reply stop to this comment.

  ·  7 years ago (edited)

I am thinking to use a seperate browser just for crypto. I recently sign up to your youtube channel, I like your short to the point summaries. Great job.

MEW is entirely client-side interface. They don't collect any info at all. Check it out: https://medium.com/@trustwallet/trust-and-myetherwallet-using-together-and-separately-3184a17a6071

🚨IMPORTANT: MyEtherWallet

We feel as though addressing this is of the upmost importance as MyEtherWallet (MEW) is such an important part of the Ethereum (and crypto) ecosystem.

Earlier today, as we previously reported, the MEW Twitter handle was changed to MyCrypto. Then, MEW CoFounder Taylor Monahan posted a - very long - Medium article (see below) explaining the lifecycle of MEW and the evolution to MyCrypto.

But then the @MyEtherWallet Twitter handle was reopened and posted the following:

@myetherwallet Twitter handle was changed without knowledge or permission of MEW's founder. We are investigating the matter, and will update everyone shortly. Stay tuned for further updates.”

Without this tweet, everything else looks very legitimate, the article is digitally signed by Taylor, and she even tweeted an image of herself with MyCrypto stickers. We are confident that this is real information and that MEW has in fact evolved in some way (rebranded) to MyCrypto.

Then we get a tweet from Brayton Williams (@BraytonKey), advisor to MyEtherWallet and EtherScan, showing support for MyCrypto.

Taylor mentions in the article that Kvhnuke, CoFounder of MEW, is still in control of the MEW repository and it will remain operational for the foreseeable future. He’s also, allegedly, still in control of the MEW twitter.

If this transition is in fact legitimate and the MEW Twitter is being operated by a founding member, then the tweet they sent out is one of the most egregious and irresponsible acts we’ve witnessed of late by leaders in the space. The amount of confusion that surrounds this now is not healthy, it even opens the door for scammers to pray on confused users.

For that reason, until there is significant clarity to this situation, we recommend you avoid using MyCrypto or MEW for the time being. You can use a different ERC20 wallet to access your coins if need be, using your private key.

As always, do your own research and be extremely careful when access your wallets. Always double check the URL.

We’ll keep you posted.

You can read the Medium article here: https://medium.com/mycrypto/mycrypto-launch-6a066bf41093

Have a look at the Brave Browser, it's pretty neat.
https://brave.com/

This is a good reminder.
Most people (myself included) never read the privacy policy. It doesnt surprise me though that they collect and store all kinds of information, these days I assume that they all do.
The only safe wallets are private wallets I think.

MEW is also a safe option if you follow their directions for protecting yourself and making sure you're on the legitimate site.

Yeah. It was my first ether wallet and I still use it.
I still feel more comfortable with a private wallet though, probably because I just don't fully understand the technical aspects of all of this yet.

Now I'm going to have to test MEW :p

Wow I'm shocked!
Thanks for bringing this to our attention! I have been a METAMASK fan all the way and didn't even think of reading the fine print. I just shows how naive the software and users are in crypto.

I'm going to repost because I think this is something people need to be aware of.