The Little-Known Ways Ethereum Reveals User Location Data




"People do not realize how much information is available in the open."

That is Péter Szilágyi, a lead ethereum developer who manages the development of the Geth ethereum client software. He is referring to the fact that little attention has been paid to the underlying ethereum network layer, where information is exposed in complex and unpredictable ways.

Indeed, awareness of the implications of this exposure has driven a steady acceleration in research on how to obscure user data at the application level, which sits atop a completely transparent system that publishes smart contract and transaction data on the blockchain itself.

In an interview, Szilágyi described the peer-to-peer components that underlie the world's second-largest blockchain by market capitalization as a "black magic thing".

This state of affairs was highlighted during his speech at the annual developer conference, Devcon4, in Prague last week. Szilágyi described a series of concerns that could lead to user metadata leaking over time and, in the worst case, provide the basis for an accurate global map of the locations of ethereum users.

During last Friday's speech, Szilágyi focused on two ways this could happen, with a focus on sites like the popular blockchain explorer, Etherscan, and "light clients" like mobile or browser-based apps.

"When people are moving from complete nodes, they are giving up certain guarantees and I just want to highlight what potential problems might arise," Szilágyi told CoinDesk.

Szilágyi began looking into these issues following his research for a side project: an alternative to Facebook that is decentralized and private by default. As a result of that research, Szilágyi said, metadata leaks make it difficult to interact anonymously with others.

"We do not have this in ethereum," explained Szilágyi. "The reason this news started to bother me is because of that project."

Speaking on Friday, Szilágyi said that many of the problems are so ingrained that it is difficult to deal with them without running the risk of breaking the applications built on top of ethereum. However, the developer detailed methods that could reduce the risk to users.

"Most of the people in blockchain and ethereum want to build on, while there's a team at the back that does the dirty work," he told CoinDesk, adding:

"It's not that they are unsolvable problems, but someone has to understand that they exist."

'Weird tracker'

During his Devcon speech, Szilágyi broke down the various ways in which sensitive user information can be exposed by interacting with ethereum.

Taking Etherscan's example, Szilágyi said that a particular combination is revealed to the website when users access it – that is, a link between a user's IP address and their ethereum address.

And this is notable because, as a unique computer identification number, an IP address reveals user location data, which could pose a high risk when combined with ethereum wallet accounts.

This information is shared with Google Analytics and Etherscan. In addition, Etherscan's underlying comment tool – a popular add-on for website comments, called Disqus – also receives this information and further shares this activity with its partners.

"Disqus actually reveals the mapping of IP-to-ethereum addresses on Facebook, Twitter and Google Plus," said Szilágyi.

Disqus has a total of 11 such integrations, such as YouTube, Vimeo and other services to which this information is also provided. The tool also contains other "strange trackers", explained Szilágyi, including artificial intelligence platforms and data markets.

And this is remarkable because it has not only an impact on Etherscan, but on any decentralized application (dapp) that uses the same tools.

"This is a problem because you're essentially associating IP-to-ethereum address mapping and revealing it to a lot of services," continued Szilágyi.

Etherscan has taken steps to remove these features, said Szilágyi. Currently it uses Google Analytics, but the team behind it is trying to remove that aspect from the website. After relying on an external advertising company, Etherscan is also taking steps to internalize the advertising network.

But others affected may not be as proactive as Etherscan in dealing with the leaks, according to Szilágyi.

As he explained:

"We get Etherscan to solve it, but could we randomly get the number randomly to solve it? Probably not, so users have to protect themselves too."

The same information (the IP-to-ethereum address mapping) is shared when users access other services, continued Szilágyi, such as Infura, MetaMask and MyCryptoWallet.
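The page-visit leak described in this section can be checked on a page you operate. The following is an added example, not code from Szilágyi's talk or from Etherscan: it lists which third-party hosts embedded in a page receive only the visitor's IP and which can also read an ethereum address from the page URL. It assumes the address appears in the URL, uses constructed hostnames and HTML, and treats a missing referrer policy as the modern browser default that strips the path on cross-origin requests.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ETH_ADDR = re.compile(r"0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")
FETCHING_TAGS = ("script", "img", "iframe")  # src is fetched on page load
# Referrer policies that send the full page URL to other origins.
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

class _Embeds(HTMLParser):
    """Collects embedded resource URLs and any <meta name=referrer>."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.policy, self.found = page_url, "", []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.policy = a.get("content", "").strip().lower()
        elif tag in FETCHING_TAGS and a.get("src"):
            self.found.append((tag, urljoin(self.page_url, a["src"])))

def audit(page_url, html):
    """Map each third-party host to what it learns: 'ip' or 'ip+address'."""
    parser = _Embeds(page_url)
    parser.feed(html)
    first_party = urlsplit(page_url).hostname
    has_addr = bool(ETH_ADDR.search(page_url))
    report = {}
    for tag, url in parser.found:
        host = urlsplit(url).hostname
        if not host or host == first_party:
            continue
        # A script runs inside the page and can read location.href;
        # other embeds see the address only via a full-URL Referer.
        sees_url = tag == "script" or parser.policy in FULL_URL_POLICIES
        level = "ip+address" if has_addr and sees_url else "ip"
        if report.get(host) != "ip+address":
            report[host] = level
    return report

# Constructed sample: a hypothetical explorer page for one address.
SAMPLE_URL = "https://explorer.example/address/0x" + "ab" * 20
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://comments.example/embed.js"></script>
<img src="https://pixel.example/p.gif">
<iframe src="//ads.example/frame"></iframe>
"""
if __name__ == "__main__":
    for host, level in audit(SAMPLE_URL, SAMPLE_HTML).items():
        print(host, level)
```

Hosts reported as `ip+address` are the ones to self-host or remove; the rest can be limited further with a strict referrer policy.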

Discovery protocol

Szilágyi offered some ways around this dilemma, including using the Tor network to hide IP addresses and the Brave browser to block online trackers.

But there are other, more subtle ways in which access to ethereum can also expose sensitive information, according to the developer.

Taking the example of light clients – a way for ethereum users to access the network in a pared-down form with little memory – Szilágyi said that there are two types of highly traceable network activity.

The first is the so-called "discovery protocol".

When light clients connect to the ethereum network, their IP address is also revealed. Since light clients continually reconnect over time, the discovery protocol reveals an accurate map of the user's location.

"Every time I connect to the network, I'm actually revealing to the network that this car that last week is in Berlin, this week was in Prague," said Szilágyi.

This location data is public, so in theory anyone can scan the network to create a highly accurate global map of the locations of ethereum users.

"If you are willing to do it, for example, every day, just try to scan the network every day, so you can actually create an extremely accurate chronology of where every single ethereum node was moving in time," said Szilágyi.

In addition, key to how light clients work is that the software minimizes activity by connecting to addresses associated with a user. But while this approach reduces bandwidth, latency and traffic, the effect is that the relationships between IPs and addresses are made explicit on the network.

"The light servers will be able to statistically map that this particular IP address is interested in a particular address," said Szilágyi.

As with the discovery protocol, this information can easily be accessed. And unfortunately, connecting over Tor will actually damage the reliability of the light client.

"Now we do not have a world map of moving IPs, we now have a global map of ethereum addresses on the move," said Szilágyi, adding:

"And again, similar to the ethereum discovery protocol, this can be done publicly by everyone."

The best practice

Unfortunately, according to Szilágyi, there is no simple solution to many of these problems, as some are inherent in the functioning of clients and explorers.

However, speaking to the audience on Friday, the developer had clear recommendations to share with ethereum users and developers going forward.

In particular, Szilágyi broke down three ways in which this information can be better concealed in the short term.

First, he argued that users should run full nodes. While full nodes require more hardware, it is possible to store all data locally and access that data without interacting with anyone else. Moreover, because full nodes verify that the underlying ethereum state is correct, running a full node also brings security advantages.

"Although people do not like complete nodes, complete nodes are actually the best anonymous in the ethereum ecosystem," said Szilágyi.

Secondly, Szilágyi argued that developers should look at the work that has been done on anonymous network layers, such as the Tor browser and I2P, for research on how to better hide metadata leaks at the network level.

"Privacy on ethereum is bad, really, really bad, but that does not mean it's an impossible task to solve," he said. "There have been 20 years of research on how to do it properly, so let's at least try to learn from their results and try to solve it."

Finally, Szilágyi urged developers not to blame users for bad privacy practices when they interact with ethereum. He also noted that many users may not know that options like the Tor browser exist in the first place.

As such, Szilágyi said: "It's as if we and the platform's developers understand and solve the problem".

With this in mind, Szilágyi ended on a note of caution. Pointing to Facebook as an example, the developer said that when privacy-enhancing features are not integrated at the outset, such an approach could have an impact in the future.

"I do not think Facebook was created to collect user data, it was not created to abuse the elections, it just happened," said Szilágyi, concluding:

"We do not want to fix it to protect users not just from external attacks, I think it's really important to stress that we want to protect users from ourselves."
