Almost two years ago, I published a post on the privacy ramifications of running a web3 client. The overarching concern is that web3 clients inject your Ethereum address into every page you visit, and even if you don’t think of that page as a dApp, it can use that address to uniquely identify you, link your Ethereum address to your IP address, and even find details of your personal financial information by way of looking at the transactions on your account.
About nine months after my original post (and one year ago today) EIP-1102 was adopted, introducing a “privacy mode” to web3 clients, requiring dApps to request personal information from the client, and letting the user give or deny permission to access that information. This is a step in the right direction, but there are still some huge privacy ramifications in the web3 space.
As I was preparing to do another series of blog posts on Privacy and Web3, I realized that I never published the statistics from our prior experiment. This wasn’t out of any attempt to keep that data secret; it was just a matter of shifting priorities and forgetting about the things on the back burner. But today I’m keeping my word and publishing the stats that I promised around 20 months ago (I’m also disabling the stats collection, so as of this post we’re no longer collecting Web3 data).
Looking at the raw statistics for whether or not web3 accounts were exposed, I thought it would be useful to break down the stats into visitors prior to the implementation of EIP-1102 and visitors following the implementation of EIP-1102. This shows us how much impact EIP-1102 actually had on the amount of information being exposed. Bear in mind this data was collected on blog.openrelay.xyz, which does not ask users to authorize Web3.
Before EIP-1102:
- 39.98% of visitors were not running any web3 client
- 30.49% of visitors were running web3 clients, but their accounts were locked
- 29.53% of visitors exposed their Ethereum addresses
After EIP-1102:
- 56.93% of visitors were not running any web3 client
- 26.62% of visitors were running web3 clients, but their accounts were locked
- 16.45% of visitors exposed their Ethereum addresses
Depending on the Web3 client, EIP-1102 may have made it look to our analytics script as though the user was not running a web3 client at all, which mostly explains the uptick in visitors apparently not running a web3 client.
There was a definite decrease in exposed Ethereum addresses after EIP-1102’s activation, but even almost a year after EIP-1102 activated, we’re still seeing occasional visits from users with exposed web3 addresses.
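To make the three buckets above concrete, here is an added example (not the analytics script that ran on blog.openrelay.xyz, and not code from any client or project named in this post) that classifies a visitor the way the breakdown does, using only the observations a page gets without prompting the user. It distinguishes the legacy pre-EIP-1102 injection (`window.web3` with `web3.eth.accounts` filled in synchronously) from an EIP-1102/EIP-1193 provider (`window.ethereum`, whose `eth_accounts` answers with an empty list until the user has approved `eth_requestAccounts` for that origin). The `probe`, `classify` and `tally` functions and the mock window objects are constructed for this example; the mocks stand in for real browsers and are not measured data.

```javascript
// Added example: classify a visitor into the post's three buckets using only
// calls that never show the user a prompt. "win" stands in for the browser's
// window object; the mock windows at the bottom are constructed test data.

const NO_CLIENT = "no web3 client";
const LOCKED = "web3 client present, accounts withheld";
const EXPOSED = "address exposed";

// Pure classification step: did we find a provider, and did it hand over any
// accounts without consent? Note that a provider being present at all is
// observable without any permission, which is the fingerprinting bit the post
// warns about.
function classify(hasProvider, accounts) {
  if (!hasProvider) return NO_CLIENT;
  return accounts.length > 0 ? EXPOSED : LOCKED;
}

// Gather the two facts a page can observe without asking.
//  - Pre-EIP-1102 clients injected window.web3 with web3.eth.accounts already
//    populated, so the address leaked on every page load.
//  - EIP-1102/EIP-1193 clients inject window.ethereum; "eth_accounts" returns []
//    until the user approved "eth_requestAccounts" (which this probe never sends,
//    because that is the consent-gated call).
async function probe(win) {
  const hasProvider = Boolean(win.ethereum || win.web3);
  if (!hasProvider) return { hasProvider: false, accounts: [] };
  let accounts = [];
  if (win.ethereum && typeof win.ethereum.request === "function") {
    try {
      accounts = await win.ethereum.request({ method: "eth_accounts" });
    } catch (err) {
      accounts = []; // a provider that refuses the call still counts as present
    }
  } else if (win.web3 && win.web3.eth && Array.isArray(win.web3.eth.accounts)) {
    accounts = win.web3.eth.accounts;
  }
  return { hasProvider: true, accounts: Array.isArray(accounts) ? accounts : [] };
}

// Turn a list of bucket labels into the percentage breakdown used in the post
// (rounded to two decimals).
function tally(labels) {
  const counts = { [NO_CLIENT]: 0, [LOCKED]: 0, [EXPOSED]: 0 };
  for (const label of labels) counts[label] += 1;
  const n = labels.length || 1;
  const pct = {};
  for (const key of Object.keys(counts)) {
    pct[key] = Math.round((counts[key] / n) * 10000) / 100;
  }
  return pct;
}

// Constructed mock windows standing in for three kinds of visitor.
const mockNoClient = {};
const mockLegacyExposed = {
  web3: { eth: { accounts: ["0x0000000000000000000000000000000000000001"] } },
};
const mockModernLocked = {
  ethereum: {
    request: async ({ method }) =>
      method === "eth_accounts" ? [] : Promise.reject(new Error("not mocked")),
  },
};

// Run the probe over a constructed sample and print the breakdown.
async function demo() {
  const visitors = [mockNoClient, mockLegacyExposed, mockModernLocked, mockModernLocked];
  const labels = [];
  for (const win of visitors) {
    const { hasProvider, accounts } = await probe(win);
    labels.push(classify(hasProvider, accounts));
  }
  return tally(labels);
}

demo().then((pct) => console.log(pct));
```

The useful thing to notice is the asymmetry: `probe` can always tell whether a client is installed, and EIP-1102 only moved the address itself behind a consent prompt. That is exactly why the "not running any web3 client" bucket grew after activation (some clients hid even the provider from passive checks) while the "exposed" bucket shrank but did not vanish.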
In the 20 months since we started this experiment, we’ve seen 1,256 distinct addresses. The following looks at the ETH holdings of these addresses at the time of this writing (that is, we’re looking at their ETH holdings today, not when they visited the blog).
- Those 1,256 held a combined total of 7,135.183 ETH
- The highest single account held around 3,200 ETH
- The median account held around 0.005 ETH
- 411 of those accounts held 0 ETH
In the coming weeks we’ll be posting some new articles about other privacy concerns in the web3 space. In the meantime, we still recommend using a separate browser profile for interacting with dApps from the one you use for your day-to-day browsing. Even if an application has to ask for your private information, it can trivially see that you’re using a Web3 client without asking, which is one more piece of information for building a fingerprint unique to you.
As a final note, we’re no longer running this experiment. We’ve disabled Web3 metrics collection, and going forward we won’t even know if you have a Web3 client, much less how much ETH you’re holding.