Polkadot-js Extension: New Privacy Feature

Authored by Thibaut Sardan

The Polkadot-js extension is a browser extension for Firefox and Chrome dedicated to managing accounts for Substrate-based chains, including Polkadot, Kusama, and all their parachains.

While the extension focuses on stability and mostly gets maintenance releases, the community also regularly makes improvements. To that end, ChainSafe received a grant from Web3 Foundation to make the extension more private, which we'll discuss in detail below.

New functionality: control what accounts are shared

In previous versions of the Polkadot-js extension, when connecting to a Dapp, a user would be asked whether or not they want to share their accounts with the application. Any account that was visible (with the eye open-close icon) would be shared with the Dapp.

The only way to share a specific set of accounts with a specific Dapp would have been to selectively turn on and off the visibility of accounts, using the eye open-close icon. Needless to say, that's not a practical solution.

Some accounts are visible, and some are hidden

Sharing many accounts with a Dapp can have serious privacy repercussions. Although it hasn't been seen in the wild yet, there's nothing preventing a malicious application from collecting all your accounts and tracking what type of user you are, based on your interactions with different parachains. This is no different than the tracking that the advertising industry has become infamous for.

When you interact with a Dapp, you rarely need to share more than a couple of accounts. For instance, say you are on the Karura dashboard. Why would you want to share the account you used for another crowd loan or an old account that you used in the early days of Polkadot? It would be much better to only share the strict minimum to protect your privacy.

Enter a new feature that will make its way to your extension in the next release: account selection per website. When you connect the Polkadot-js extension to a new Dapp, you will now be presented with a list of visible accounts, and you will be able to simply select the ones you want to share.

Selection of accounts to be shared with a website

This gives you more control, only sharing accounts relevant to the website you're using. This way, the Dapp will not be able to access any account other than the ones you granted access to, regardless of whether they're visible or not. If you make an account invisible, using the eye open-close icon, the behavior will not change: invisible accounts will not be shared.

Now, what if you have only selected some accounts but decide later that you would like to share other accounts with this Dapp or unshare some accounts? No problem. While you are visiting the Dapp, click on the "Connected" button. This will allow you to update your selection for this particular Dapp. You can also visit the "Manage Website Access" menu to see and edit the accounts connected to any other Dapp.

Edit the accounts connected to a Dapp

Bonus feature: ask me later

Although this is considered bad practice, some Dapps may ask you to connect with the extension as soon as you land on their page. Instead of having to decide now, you may click "ask me later." This way, if you refresh the page or visit the app later, you will be asked again.

Note - if you know that you do not want to share any of your accounts with a website, you can also choose to share zero accounts, meaning that you will not be asked again. This is equivalent to the previous "reject" option. As explained above, you can always change your selection by visiting the "Manage Website Access" menu.
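
The sharing rules described above, written out as a small model in JavaScript. This is an added example, not the extension's code: the class, its method names, keying websites by origin, and keeping a grant while an account is hidden are all assumptions, and the addresses and origins are constructed placeholders.

```javascript
// Simplified model of per-website account sharing. Class and method names are
// hypothetical; this is not the extension's code. Websites are keyed by origin (assumption).
class AccessPolicy {
  constructor(accounts) {
    this.accounts = accounts;   // [{ address, visible }]
    this.grants = new Map();    // origin -> Set of addresses the user selected
  }

  // Record the outcome of the connection prompt.
  // selection === null models "ask me later": nothing is stored.
  // selection === [] models sharing zero accounts: an empty grant is stored.
  decide(origin, selection) {
    if (selection === null) return;
    const visible = new Set(this.accounts.filter((a) => a.visible).map((a) => a.address));
    // The prompt only lists visible accounts, so any other address is dropped.
    this.grants.set(origin, new Set(selection.filter((addr) => visible.has(addr))));
  }

  // A website is prompted again only while no decision is stored for it.
  needsPrompt(origin) {
    return !this.grants.has(origin);
  }

  // What the Dapp receives: accounts that are both selected for it and currently visible.
  accountsFor(origin) {
    const granted = this.grants.get(origin) ?? new Set();
    return this.accounts.filter((a) => a.visible && granted.has(a.address)).map((a) => a.address);
  }

  setVisible(address, visible) {
    const account = this.accounts.find((a) => a.address === address);
    if (account) account.visible = visible;
  }
}

// Constructed sample data: placeholder addresses and origins.
function demo() {
  const policy = new AccessPolicy([
    { address: "ADDR_MAIN", visible: true },
    { address: "ADDR_CROWDLOAN", visible: true },
    { address: "ADDR_OLD", visible: false },
  ]);
  policy.decide("https://dapp-a.example", ["ADDR_MAIN", "ADDR_OLD"]); // hidden account is dropped
  policy.decide("https://dapp-b.example", null);                      // ask me later
  policy.decide("https://dapp-c.example", []);                        // share zero accounts
  return policy;
}
```

Calling `decide` again for the same origin replaces the stored selection, which corresponds to editing it through the "Connected" button or the "Manage Website Access" menu.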

Feedback and contributions welcome

The Polkadot-js extension doesn't use tracking or analytics, so user engagement is critical to making it better. If you have any feedback, feel free to open an issue on the GitHub repo.

To learn more about Thibaut's work, follow him on Twitter.

About ChainSafe

ChainSafe is a leading blockchain research and development firm specializing in infrastructure solutions for web3. Alongside its contributions to major ecosystems such as Ethereum, Polkadot, Filecoin, Mina, and more, ChainSafe creates solutions for developers and teams across the web3 space utilizing our expertise in gaming, bridging, NFTs and decentralized storage.
As part of its mission to build innovative products for users and improved tooling for developers, ChainSafe embodies an open source and community-oriented ethos to advance the future of the internet. To learn more, click here.
