This report analyzes a chosen website, metamask.io and some of its externally located pages, from a data processing and regulation compliance perspective.
== Web access
The website, through HTML and JavaScript, causes web browsers to send web requests to the following 3rd-party URLs
• px.ads.linkedin.com, www.linkedin.com, snap.licdn.com (LinkedIn, direct ad and analytics purposes)
• i.ytimg.com (YouTube, via thumbnails)
• images.ctfassets.net (a content delivery network/)
These references can be analyzed in more detail e.g. www.google-analytics.com is referred to as and , not to mention the fact that Google Analytics and LinkedIn Analytics code is inlined.
Some, but not all, of these, are blocked by uBlock Origin (a popular browser plugin with large databases targeting ad-blocking and tracker-blocking).
The website grabs some fonts, though they are locally hosted.
== Blind trust of remote code
One important problem that is universally prevalent is the enforced trust on remote code (JavaScript in this case) by the lack of integrity checking. Any remote code provider could run mild cryptojacking, fingerprinting, Spectre-based memory scanning tools or other malware on the computers of users that visit websites that rely on remote code, and such users would never know, because they don't practice checking things manually.
This includes metamask.io's use of Google Analytics. Also, the privacy polity et al is hosted on consensys.net, which takes JS code from acsbapp.com.
It would be possible for the website operators to review a piece of code and then to record a hash of the code at one time, as in , and even better would be to host the code locally.
== Access through Tor
Using services through Tor is getting more annoying with every day. WordPress-hosted websites are blocking Tor, and CloudFlare-hosted websites force "anonymous"¹ Tor users to solve annoying CAPTCHA challenges; both are very large service providers. On a side-note, centralization of service providers poses a risk of world-wide service blackouts and surreptitious massive data collection practices.
¹ it seems that solving a CAPTCHA challenge is needed when the browser resists fingerprinting — "privacy lovers can suck it" — for example, FireFox have been shown to be the most fingerprintable browser (e.g. forced updates-checking, captive portal detection — why not shut the fuck up?)
On the other hand, MetaMask seems to be well-accessible through Tor, and its key services, such as downloading the latest version of a MetaMask plugin, are not significantly hindered. Likewise, the nature of submitting cryptocurrency transactions, whether through MetaMask or otherwise, is slow, so latency added due to Tor is not a problem.
This makes it likely that user experience through VPNs should be even better.
== Legal defence
In legal terms, the privacy policy is stuffed empty: essentially it's "we may collect anything in any way and use it for anything, but we're not revealing anything concrete", forcing users to keep guessing whether some data in question is collected. Regarding the GDPR and the CCPA, the privacy policy is weasel-worded: they don't nearly describe all the rights the GDPR/CCPA give users, but were probably put into the privacy to give the benefit of the doubt in the eyes of regulators.
Unfortunately, MetaMask's company, ConsenSys, is in the USA, a wild west in data processing.
== Conclusion
Although, if we discount the analytics services, the metamask.io website itself doesn't seem to be embarrassingly invasive. However, the key information that MetaMask can get at is financial information, when MetaMask is connected to a blockchain access provider, namely infura.io. In this case, if transactions are submitted through such a blockchain access provider, they can be linked to analytics information, possibly leading to de-anonymization (although infura.io also seems to be accessible through Tor). Actual de-anonymization based on blockchain analysis is a far-reaching business.