This report analyzes a chosen website, metamask.io, and some of its externally located pages, from a data processing and regulation compliance perspective.

== Web access

The website, through HTML and JavaScript, causes web browsers to send web requests to the following 3rd-party URLs:

• px.ads.linkedin.com, www.linkedin.com, snap.licdn.com (LinkedIn, direct ad and analytics purposes)
• i.ytimg.com (YouTube, via thumbnails)
• images.ctfassets.net (a content delivery network/)

These references can be analyzed in more detail e.g. www.google-analytics.com is referred to as and , not to mention the fact that Google Analytics and LinkedIn Analytics code is inlined. Some, but not all, of these are blocked by uBlock Origin (a popular browser plugin with large databases targeting ad-blocking and tracker-blocking). The website grabs some fonts, though they are locally hosted.

== Blind trust of remote code

One important problem that is universally prevalent is the enforced trust in remote code (JavaScript in this case) that results from the lack of integrity checking. Any remote code provider could run mild cryptojacking, fingerprinting, Spectre-based memory scanning tools or other malware on the computers of users that visit websites that rely on remote code, and such users would never know, because they don't practice checking things manually. This includes metamask.io's use of Google Analytics. Also, the privacy policy et al. is hosted on consensys.net, which takes JS code from acsbapp.com.

It would be possible for the website operators to review a piece of code and then to record a hash of the code at one time, as in
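One way to record and enforce such a hash is Subresource Integrity (SRI), which browsers check before running a fetched script. The following Node.js sketch is an added example, not code from the report or from the analyzed website: it computes the integrity value for reviewed code, re-verifies it, and lists cross-origin scripts in a page that have no pinned hash. The function names, hostnames and sample markup are constructed for illustration.

```javascript
// Added example (not from the report): Subresource Integrity (SRI) helpers.
const { createHash } = require('node:crypto');

// Build the value for a <script integrity="..."> attribute from reviewed code.
function sriHash(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Re-check fetched code against one recorded integrity value.
// Only the sha256/sha384/sha512 algorithms defined by SRI are accepted.
function verifySri(body, integrity) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+=*)$/.exec(integrity);
  return m !== null && sriHash(body, m[1]) === integrity;
}

// List cross-origin <script src> URLs that carry no integrity attribute.
// Simplified regex scan for illustration; a real audit should use an HTML parser.
function unpinnedScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script: SRI does not apply
    const url = new URL(src[1], pageUrl);
    const pinned = /\bintegrity\s*=\s*["'][^"']+["']/i.test(tag);
    if (url.origin !== pageOrigin && !pinned) findings.push(url.href);
  }
  return findings;
}

// Constructed sample data: hostnames and script body are placeholders.
const REVIEWED_JS = 'console.log("reviewed build");';
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://pinned.example/lib.js"
        integrity="${sriHash(REVIEWED_JS)}" crossorigin="anonymous"></script>
<script async src="https://tracker.example/analytics.js"></script>`;

console.log(unpinnedScripts(SAMPLE_HTML, 'https://site.example/'));
```

A pinned hash only helps for code served as a fixed, versioned file; a provider that changes the script body will cause the browser to refuse it until the operator reviews the new version and updates the recorded value.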