The Little-Known Ways Ethereum Reveals User Location Data FEATURE Nov 8, 2018 at 10:00 UTC | Updated Nov 8, 2018 at 10:15 UTC
"People don't realize how much information is out in the open."
That's Péter Szilágyi, an ethereum core developer who leads development of the ethereum software client Geth. He's referring to the fact that little attention has been paid to ethereum's underlying network layer, where information is exposed in complex, unpredictable ways.
Indeed, awareness of what such exposure implies has driven an ongoing acceleration in research on how to better obscure user data at the application level, which sits on top of a fully transparent system that publishes smart contract and transaction data to the blockchain itself.
In an interview, Szilágyi described the peer-to-peer components that underlie the world's second-largest blockchain by market capitalization as a "black magic thing."
This state of affairs was highlighted during his talk at the annual developer conference, Devcon4, in Prague last week. Szilágyi detailed a number of concerns that could cause user metadata to leak out over time – and under the worst-case scenario, provide the basis for an accurate, global map of ethereum user locations.
During last Friday's talk, Szilágyi focused on two ways in which this could happen: websites like the popular blockchain explorer Etherscan, and "light clients" such as mobile or browser-based apps.
"When people are transitioning away from full nodes they are giving up certain guarantees and I just want to highlight what potential issues might arise," Szilágyi told CoinDesk.
Szilágyi began encountering the issues while pursuing a side project: an alternative to Facebook that is decentralized and private-by-default. Through that research, Szilágyi said, he found that metadata leaks make it difficult to interact anonymously with others.
"We don't have that in ethereum," Szilágyi explained. "The reason why these leaks began to bother me is because of that project."
Speaking on Friday, Szilágyi said that many of the problems are so deeply ingrained that it's hard to address them without running the risk of breaking applications that run on top of ethereum. Still, the developer detailed methods that could alleviate the risk for users.
"Most people in blockchain and ethereum they want to build on top, while there's a team at the bottom doing the dirty work," he told CoinDesk, adding:
"It's not that they are unsolvable problems, but someone needs to understand that they exist."
'Weird trackers'
During the Devcon talk, Szilágyi broke down the various ways in which sensitive user information can be exposed by interacting with ethereum.
Taking the example of Etherscan, Szilágyi said that a particular combination is revealed to the website when users access it – namely, a link between a user's IP address and their ethereum address.
And that's notable because an IP address, while not a unique identifier for a computer, can typically be geolocated to a city or an internet provider and correlated with other activity from the same connection, which makes its link to an ethereum wallet account a high risk.
This information is shared with Google Analytics and Etherscan. In addition, Etherscan's underlying comment tool – a popular website comment add-on named Disqus – also receives this info, and further shares that activity with its partners.
"Disqus actually reveals the IP-to-ethereum address mapping to Facebook, Twitter and Google Plus," Szilágyi said.
Disqus has 11 such integrations in total, including YouTube, Vimeo and other services, that are given this information as well. The tool also contains other "weird trackers," Szilágyi explained, including artificial intelligence platforms and data marketplaces.
And this doesn't just affect Etherscan, but any decentralized application (dapp) that embeds the same tools.
"This is an issue because you are essentially associating your IP-to-ethereum address mapping and you're revealing that to a whole lot of services," Szilágyi continued.
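To make the mechanism concrete, the following is an added audit script, not code from the article, from Etherscan or from any of the services named, that scans a browser request log for the pattern Szilágyi describes: a third-party host that receives both the client's connection (and so its IP address) and an ethereum address, whether in the request URL, the Referer header or the body. It also models what the Referer header contains under several Referrer-Policy values, which shows the limit of that defence: a header policy trims what a comment iframe or a static asset sees, but an embedded analytics script that reads document.location and sends the page URL as a query parameter still receives the address. The hostnames, the request log and the address are constructed for the example; the policy logic follows the Referrer-Policy specification.

```python
import re
from urllib.parse import unquote, urlsplit

# An Ethereum address is "0x" followed by 40 hex digits.
ETH_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def site_of(url):
    """Crude site label for grouping: the last two labels of the hostname."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_address_leaks(requests, first_party):
    """Map each third-party site to the set of Ethereum addresses it received.

    A request 'carries' an address if one appears in its URL (including
    percent-encoded query values), its Referer header, or its body. The
    server receiving any of these also sees the client's IP address, so
    each hit is an IP-to-address mapping handed to that site.
    """
    leaks = {}
    for req in requests:
        site = site_of(req["url"])
        if site == first_party:
            continue  # the first party already knows; audit everyone else
        carriers = (
            req["url"],
            req.get("headers", {}).get("Referer", ""),
            req.get("body", ""),
        )
        found = set()
        for text in carriers:
            found.update(a.lower() for a in ETH_ADDR_RE.findall(unquote(text)))
        if found:
            leaks.setdefault(site, set()).update(found)
    return leaks


def referer_under_policy(policy, page_url, target_url):
    """Referer header a browser sends from page_url to target_url under the
    given Referrer-Policy (a subset of the policies in the spec)."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    origin = f"{page.scheme}://{page.netloc}/"      # origin-only form
    full = page._replace(fragment="").geturl()      # full URL minus fragment
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer":
        return ""
    if policy == "no-referrer-when-downgrade":      # browser default in 2018
        return "" if downgrade else full
    if policy == "same-origin":
        return full if same_origin else ""
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if downgrade:
            return ""
        return full if same_origin else origin
    raise ValueError(f"unsupported policy {policy!r}")


ADDR = "0x" + "ab" * 20  # constructed address, not a real account
PAGE = f"https://explorer.example/address/{ADDR}"

# Constructed request log for one page load; every hostname is hypothetical.
SAMPLE_REQUESTS = [
    {"url": PAGE},
    # Analytics beacon: an embedded script read document.location and sent it
    # as a query parameter, so the address arrives with no Referer at all.
    {"url": "https://analytics.example/collect?dl="
            "https%3A%2F%2Fexplorer.example%2Faddress%2F" + ADDR,
     "headers": {"Referer": ""}},
    # Comment widget iframe: the address arrives only through the Referer.
    {"url": "https://comments.example/embed/",
     "headers": {"Referer": referer_under_policy(
         "no-referrer-when-downgrade", PAGE, "https://comments.example/embed/")}},
    # Static asset under a stricter policy: the Referer is just the origin.
    {"url": "https://cdn.example/app.js",
     "headers": {"Referer": referer_under_policy(
         "strict-origin-when-cross-origin", PAGE, "https://cdn.example/app.js")}},
]


def audit_sample():
    """Run the audit over the constructed log; returns {site: {addresses}}."""
    return find_address_leaks(SAMPLE_REQUESTS, "explorer.example")


if __name__ == "__main__":
    for site, addrs in sorted(audit_sample().items()):
        print(f"{site} received {', '.join(sorted(addrs))}")
```

For a real audit, export a HAR file from the browser's network panel and map its entries onto the same url/headers/body shape. Note which side of the mapping each defence addresses: Tor replaces the IP the listed hosts see, but the address still reaches every host the audit names, which is what blocking the embedded trackers (or removing them, as Etherscan is doing) prevents.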
Etherscan has taken measures to remove these features, Szilágyi said. Currently, it uses Google Analytics, but the team behind it is looking to remove that aspect from the website. Having once relied on an external ad company, Etherscan is also taking steps to bring its ad network in-house.
But other dapps that are affected may not be as proactive as Etherscan in addressing the leaks, according to Szilágyi.
As he explained:
"We get Etherscan to fix it, but can we get random dapp number 2000 to fix it? Probably not. So users need to protect themselves too."
The same information – IP-to-ethereum address – is shared when users access other services as well, Szilágyi continued, like Infura, MetaMask, and MyCryptoWallet.
Discovery protocol
Szilágyi offered some other routes around this dilemma, including the use of the Tor network to hide IP addresses and the Brave browser to block online trackers.
But there are other, more subtle ways that access to ethereum can ...