On Web3 User Data

With friend.tech user data leaks fresh in the news cycle, let’s dig into how web3 can handle user data better than web2, and pitfalls to watch out for.

User Data

When you visit almost any website, you can assume that as much of your data as can be collected is being collected. Tracking and monetizing it is simply good business.

Level 1: Passive behavioral data

-Heatmaps built from tracking pixels and session-replay scripts (tools like Hotjar) that record where your mouse cursor or thumb moves across the screen.

-Time watched on videos, how far you scroll down articles, etc.

-This also includes your IP address, the type of device and browser you use, and so on.

Level 2: Identified Data

-Your email address, social media handles and the like.

-These can be pseudonymous (like a Twitter/X handle) or directly identifying (like your LinkedIn name or a real-name work email address).

Level 3: Sensitive Data

Things you really want kept safe: credit card details, physical addresses, KYC documents (driver's licenses and passports), or even PHI (protected health information).

--

Web3 User Data

So what happens when we bring web3 wallets into this mix?

We add Level 4: an open, public ledger of pseudonymous wallets

-Once you can link any identified user data (Level 2 or 3) to a pseudonymous wallet, the wallet becomes identified.

-Once identified, every transaction that wallet has ever made, or will ever make, can be read off the public chain by anyone.

Imagine your bank account number floating around on the open internet, together with a full statement of every transaction it has ever made. As long as it is just a random string of letters and numbers, that is mostly harmless. Once that string is associated with Jane Smith at 123 Fake Street, worth exactly 1.34 million in her checking account, much less so.

--

friend.tech

In the friend.tech case the leaked data was simpler than that.

The dump contained only two fields per user: wallet address and Twitter handle.

Still, with just those two fields an attacker can start profiling web3 users.

Are there any Twitter handles associated with large crypto balances? Do those Twitter accounts link out to other socials that might lead to doxxing?
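To make the Level 4 point concrete (linking a pseudonymous wallet to a handle, then reading its whole history off the public chain) and the profiling question asked just above, here is an added example that is not code from the original post. The leaked dump, the ledger, the addresses and the handles are all constructed for illustration; on a real chain the ledger would come from any block explorer, and the only secret input the attacker needs is the leak itself.

```python
# Added example (not from the original post): what a leaked
# (wallet address -> Twitter handle) dump gives an attacker once the
# transaction history is public. All data here is constructed; the
# addresses, handles and "ledger" are made up and not real chain data.
from collections import defaultdict
from decimal import Decimal

# Constructed leak: exactly the two fields the post describes.
LEAK = [
    ("0xaaaa000000000000000000000000000000000001", "@alice_nft"),
    ("0xbbbb000000000000000000000000000000000002", "@bob_degen"),
    ("0xcccc000000000000000000000000000000000003", "@carol_eth"),
]

# Constructed public ledger: (sender, receiver, amount_in_eth).
# "0xEXCHANGE" is a placeholder label for a hot wallet, not a valid address.
LEDGER = [
    ("0xEXCHANGE", "0xaaaa000000000000000000000000000000000001", "120.0"),
    ("0xEXCHANGE", "0xbbbb000000000000000000000000000000000002", "1.5"),
    ("0xEXCHANGE", "0xcccc000000000000000000000000000000000003", "0.2"),
    ("0xaaaa000000000000000000000000000000000001", "0xdddd000000000000000000000000000000000004", "40.0"),
    ("0xdddd000000000000000000000000000000000004", "0xbbbb000000000000000000000000000000000002", "5.0"),
    ("0xcccc000000000000000000000000000000000003", "0xaaaa000000000000000000000000000000000001", "0.1"),
]


def balances(ledger):
    """Net balance per address from a list of transfers (exact decimal math)."""
    bal = defaultdict(Decimal)
    for sender, receiver, amount in ledger:
        amt = Decimal(amount)
        bal[sender] -= amt
        bal[receiver] += amt
    return bal


def identified_balances(leak, ledger):
    """Join the leak with the chain: Twitter handle -> wallet balance."""
    bal = balances(ledger)
    return {handle: bal[addr] for addr, handle in leak}


def high_value_targets(leak, ledger, threshold_eth="10"):
    """Handles whose linked wallet holds at least the threshold.
    This answers 'which handles sit on large balances?' directly."""
    joined = identified_balances(leak, ledger)
    return sorted(h for h, b in joined.items() if b >= Decimal(threshold_eth))


def counterparties(leak, ledger):
    """Second-order exposure: any address that transacted with an identified
    wallet is now 'the wallet that paid @alice_nft', even though it was never
    in the leak. Returns unleaked address -> sorted handles it touched."""
    addr_to_handle = dict(leak)
    out = defaultdict(set)
    for sender, receiver, _ in ledger:
        if sender in addr_to_handle and receiver not in addr_to_handle:
            out[receiver].add(addr_to_handle[sender])
        if receiver in addr_to_handle and sender not in addr_to_handle:
            out[sender].add(addr_to_handle[receiver])
    return {addr: sorted(handles) for addr, handles in out.items()}


if __name__ == "__main__":
    print(high_value_targets(LEAK, LEDGER))
    print(counterparties(LEAK, LEDGER))
```

Two things worth noticing in the output. The leak never mentioned `0xdddd...0004`, yet after the join it is known to have received funds from @alice_nft and sent funds to @bob_degen, so the identified set grows beyond the dump. And the exchange hot wallet shows up as a counterparty of everyone, which is why a real analysis filters out high-degree hub addresses before drawing conclusions.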

--

Opsec and Identity

The crypto diehards will say: of course, just create a fresh wallet every time you sign up for a new site. Why not also create a new Proton Mail address for each account, and only connect over Tor?

That isn't a solution for 99% of ordinary internet users. If they ever get curious enough about web3 to try friend.tech, say, it will most likely not be with a fresh 0x address.

Just as you use the same identity or pseudonym across web2 to build clout and social proof, you are likely to sign in with your ENS name (yourname.eth) and build a web3 identity around it.

So any real solution needs to protect web3 user data at least as carefully as web2 data. For example, don't leak your users' IP addresses and email addresses.

--

Solution

There is no complete solution. Users will click on the newest flashy product without thinking about the security ramifications.

For teams with some kind of real-world mooring, that don't exist purely in degenland: be thoughtful about what data you collect and how it is safeguarded.

Don't leak email addresses, social handles, IP addresses, analytics data or other sensitive information, especially when it is associated with a crypto wallet!
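What "be thoughtful about the data you collect and how it is safeguarded" looks like in code, as an added example that is not code from the original post or from friend.tech: the same internal user record served by a leaky endpoint and by an allowlisted one, plus analytics that keep a keyed hash of the IP instead of the raw address. The record, the field names and the key are constructed; the `PUBLIC_FIELDS` allowlist is a hypothetical policy, not anyone's actual product decision.

```python
# Added example (not from the original post): serving a wallet-linked profile
# without leaking email, IP or analytics data. All records and keys are constructed.
import hashlib
import hmac

# Constructed internal row, the kind a social-trading app might store.
USER_ROW = {
    "wallet": "0xaaaa000000000000000000000000000000000001",
    "twitter": "@alice_nft",
    "email": "alice@example.com",
    "last_ip": "203.0.113.7",
    "display_name": "alice",
    "user_agent": "Mozilla/5.0 (constructed)",
}

# Hypothetical policy: fields an unauthenticated profile endpoint may return.
# Anything not listed is never serialized, so a column added to the row later
# (a phone number, a KYC flag) does not leak by default. Whether the Twitter
# handle belongs here is a product decision; the point is that it is explicit.
PUBLIC_FIELDS = ("wallet", "display_name")

# Fields that must never appear in a public response.
SENSITIVE_FIELDS = ("email", "last_ip", "user_agent", "twitter")


def leaky_profile(row):
    """Anti-pattern: the stored row goes straight out, wallet + handle + email + IP."""
    return dict(row)


def public_profile(row):
    """Allowlisted view: only fields explicitly marked public."""
    return {k: row[k] for k in PUBLIC_FIELDS if k in row}


def leaked_sensitive_fields(payload, sensitive=SENSITIVE_FIELDS):
    """Check helper for tests or CI: which sensitive keys does a response expose?"""
    return sorted(k for k in sensitive if k in payload)


def pseudonymize_ip(ip, key):
    """Keyed hash of the IP. With a key that rotates (say daily), the token still
    supports rate limiting and abuse correlation within the period, but cannot
    be reversed or joined across periods without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def analytics_event(row, key):
    """Analytics record keyed by wallet, with no raw IP, email or user agent."""
    return {"wallet": row["wallet"], "ip_token": pseudonymize_ip(row["last_ip"], key)}


if __name__ == "__main__":
    print("leaky:", leaked_sensitive_fields(leaky_profile(USER_ROW)))
    print("public:", leaked_sensitive_fields(public_profile(USER_ROW)))
    print(analytics_event(USER_ROW, b"constructed-rotating-key"))
```

The `leaked_sensitive_fields` check is the piece to wire into tests: assert it returns an empty list for every public endpoint, so a future change that reintroduces the row-dump pattern fails CI rather than surfacing as a data dump.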

Published by RAIRprotocol; this entry is stored onchain and signed by its creator.