Ethereum Core Developer Reveals ‘Weird Trackers’ Exposing User Location Information
With any digital interaction online, there is a certain amount of information exposed for the user in the process. There are privacy settings on social media and bank accounts, but the nature of a decentralized ledger is to be transparent.
Péter Szilágyi recently engaged in an interview to speak on the various components on the Ethereum blockchain and software of Geth, specifically speaking on the information that consumers put out. As he says,
“People don’t realize how much information is out in the open.”
What Szilágyi seems to be talking about is how little people have examined the network layer of Ethereum, which exposes a lot of information about the individuals who participate. Bringing this type of awareness has helped encourage research about how to hide it in a better way from the application, considering how it is hosted on a transparent system that posts directly to the blockchain.
When speaking during the interview, Szilágyi said that that the various peer-to-peer components that contribute to the massive blockchain are more of a “black magic thing.”
This issue was brought to light by Szilágyi when he spoke at Devcon4, an annual developer conference that was hosted in Prague. Of the many concerns, he spoke about the possibility of metadata being leaked about the users, which would essentially provide the wrong hands with the locations of every single user.
When Szilágyi started pursuing a side project – his decentralized and privatized alternative social media option to Facebook, he discovered that the risk of metadata leaks is the biggest roadblock to anonymous interactions. He explained,
“We don’t have that in Ethereum. The reason why these leaks begin to bother me is because of that project.”
On Friday, Szilágyi added more concerns, like the fact that the issues run so deeply into the core of Ethereum’s blockchain that it is nearly impossible to work on them without crashing everything. Still, he believes that there are ways to get around this issue. Adding to his CoinDesk interview, he said,
“Most people in blockchain and Ethereum, they want to build on top, while there’s a team at the bottom doing the dirty work.”
He added, “It’s not that they are unsolvable problems, but someone needs to understand that they exist.”
There are two ways that Szilágyi believes that this could end up happening – through websites or through apps. One of the examples of such a website is Etherscan, which creates a link to the IP address of the user with their Ethereum address.
IP addresses are associated with a particular location, which could mean a big problem for users and their Ethereum wallet accounts. Even the comment tool from Etherscan – Disqus – gains access to this information. Specifically, Szilágyi said,
“Disqus actually reveals the IP-to-Ethereum address mapping to Facebook, Twitter, and Google Plus.”
As if that was not enough risk, Disqus is already integrated into 11 different services, including websites like YouTube and Vimeo, which means that they are provided with location information. Szilágyi said that there are other “weird trackers” with the tool, like AI platforms and data marketplaces. However, those issues do not simply affect Etherscan, but it impacts any decentralized app that uses the tools.
He added, “This is an issue because you are essentially associating your IP-to-Ethereum address mapping and you’re revealing that to a whole lot of services.”
Etherscan has been working on ways to eliminate these risks, even going as far as making the ad network internalized. Unfortunately, there are many dApps that are less proactive. Szilágyi explained,
“We get Etherscan to fix it, but can we get random dApp number 2000 to fix it? Probably not. So, users need to protect themselves too.”
This information is still shared on services like MetaMask, MyCryptoWallet, and Infura.
Luckily, Szilágyi does not come without solutions in hand. Based on his information, there are subtle ways to get around these issues, like using the Tor network to conceal the IP address of the user.
The Brave browser is an option too, though they primarily block trackers from following the IP address. However, Szilágyi also references “light clients,” which are low-storage ways of accessing the network, which still have two different ways that users can be traced.
The main way that Szilágyi brings up is called the “discovery protocol.” Whenever someone connects as a light client to the network, the IP is shown. The reason that this is risky is because the protocol makes it possible to show the user’s location in real time. Explaining, he said,
“Every time I connect to the network, I am actually revealing to the network that this machine, which last week is in Berlin, this week was in Prague.”
Considering how public this information can be, it would not be hard for someone to do a network scan to find the current location of many users.
Szilágyi continued, saying,
“If you are willing to do this, for example, every day, just try to scan the network every day, then actually you can create an extremely accurate history of where each individual Ethereum node was moving over time.”
Software for light clients reduces the activity they need to perform, which reduces traffic, bandwidth, and latency. However, the shortcut leaves plenty of details exposed for users, including the IP address and the physical location.
“Light servers will be able to statistically map out that this particular IP address is interest in one particular address.” The process is a lot like the discovery protocol, in that the information is easy to get ahold of. As Szilágyi put it,
“Now we don’t have a world map of moving IPs, now we have a world map of moving Ethereum addresses. And again, similar to the Ethereum discovery protocol, this can be done publicly by everyone.”
Ultimately, there is not a simple way to correct this damage or protect users, since a lot of it has to do with how some of the individual light client’s function. Even so, Szilágyi managed to offer a few bits of advice to users and developers to help them protect themselves. The three specific ways include:
- Users should run full nodes. A full node allows the users to store data locally, protecting it from other users. Even though some users prefer to not use full nodes, Szilágyi considers them “the best anonymizers in the Ethereum ecosystem.”
- Developers should defer to the work done by Tor browser and I2P to learn how to protect metadata. Szilágyi encourages users to “learn from their results” in any attempt to solve location issues.
- Developers should not blame users for the privacy issues. Szilágyi believes that the responsibility of privacy is up to the dApp and platform developers to solve.
Szilágyi left the attendees with a warning to protect themselves. Embedding privacy features from the start is crucial, and Facebook is a perfect example the repercussions that could happen. He noted,
“I don't think Facebook was created to gather user data, it wasn't created to abuse elections, that kind of just happened. We don't want to fix it to protect users from not only external attacks – I think it's really important to also highlight that we want to protect users from ourselves too.”