Yesterday, Ledger, a prominent hardware wallet manufacturer, introduced a new and highly controversial feature called "Ledger Recover" to its devices, creating a significant stir within the crypto community​​.

This feature, an opt-in system available on the Ledger Nano, is designed to help users recover their private keys in a theoretically safe way​. However, the announcement has been met with considerable backlash due to concerns over security and privacy.

The "Recover" Concept

The crux of Ledger's new offering is the ability to split a user's seed phrase into three encrypted shards. Users provide their identity and a selfie recording, and then the shards are entrusted to three custodians for secure storage​. This is apparently a safe solution, however, most consumers have doubts and opinions on how this actually harbors significant issues.

In order to use the system, users must connect their identity to their Ledger account, creating another Know Your Customer (KYC) checkpoint. While this might seem like a routine security measure, it exposes users to the risk of data leaks, hacks, and potential governmental censorship or surveillance. This essentially means entrusting a third party with sensitive information—both your personal ID and information about your Bitcoin holdings.

Data Leaks, Hacks, and Privacy Concerns

Despite Ledger's theoretical safeguards, the crypto community has rightfully so expressed significant concerns about the new feature. The main contention is that Ledger Recover gives Ledger access to customers' seed phrases, which contradicts the fundamental purpose of a hardware wallet—to provide a secure and private method for users to store their seed phrases​.

Additionally, for years, Ledger has also promoted that it is impossible to ever move seed phrases from Ledger devices. Now, this is clearly not true.

The mere possibility of data leaks or hacks is a significant concern, but it doesn't stop there. User data, particularly for Ledger users, could prove extremely valuable. Any of the "authorized third parties" may decide to monetize your data at any point, which would be a significant breach of trust and privacy.

Moreover, most Ledger users employ Ledger Live, software that uses Ledger's nodes for all wallet syncing. This software reveals every detail of your cryptocurrency activity, which Ledger could easily link to your ID. The introduction of the "Recover" feature further exacerbates this issue, bringing privacy concerns to the forefront.

Another critical issue is the requirement for Know Your Customer (KYC) registration to use the Recover feature. This process necessitates that users submit a photo of a government-issued identification document, a step that many crypto enthusiasts find intrusive and contrary to the principles of privacy that they value​.

Technical Aspects and Trust Issues

There are also several technical aspects to consider. The entire process is closed-source and unverifiable, meaning we must entirely trust Ledger as no one else can verify what happens or the level of security provided​. The fact that the code designed to send your seed over USB or Bluetooth is now running on your Ledger device opens up new attack vectors for phishing and malware​.

Also, the decryption process during restore is unclear. How does your new device get the decryption key? Is there a copy of the decryption key stored somewhere, and if so, who has it? These are important questions that remain unanswered by Ledger.

Implications for Government Seizures

There are additional risks related to government seizures. At least one custodian (CoinCover) and the identity provider (Onfido) are UK-based, and if EscrowTech is indeed the third custodian, they are US-based. This puts two out of three companies within the jurisdiction of the "Five Eyes" alliance (UK and US).

The "Five Eyes" is an intelligence alliance consisting of Australia, Canada, New Zealand, the United Kingdom, and the United States. These countries are known for their cooperative efforts in intelligence gathering and sharing.

The implications of this geographical distribution of custodians are significant. In scenarios where legal or government entities wish to gain access to a user's funds or information, they can potentially exert pressure on these custodians or identity providers. Governments have various tools at their disposal, such as court orders or national security letters, which can compel organizations to provide user data. In extreme cases, these tools can also be used to seize assets directly if they are within the government's jurisdiction.

For instance, if a government agency in the United States or the United Kingdom decided that they wanted access to a particular Ledger user's information or funds, they could theoretically issue a court order to EscrowTech or CoinCover, respectively. Given that these companies are based in those countries, they would be legally obliged to comply.

This scenario presents a very real risk, particularly for users residing in or citizens of Five Eyes countries, where government surveillance and data requests are more common.

The Backlash from Consumers

Users' reactions to Ledger Recover have been overwhelmingly negative. Much of this criticism stems from Ledger's past security breaches, which have eroded trust in the company.

In 2020, Ledger suffered security breaches that resulted in the loss of physical addresses for 270,000 Ledger users and subsequent extortion attempts against those users. Although Ledger claimed there was no link between the compromised data and the funds in users' wallets, these incidents have fuelled the community's distrust​.

Ian C. Rogers, Ledger's Chief Experience Officer, sought to reassure users that Ledger Recover is entirely optional and that not opting in would not alter the user's attack surface. However, this assurance doesn't seem to have placated many users' concerns​.

When discussing the controversy in a Twitter Spaces, the clearly agitated Ledger CEO, Pascal Gauthier, abruptly told all listeners to take their crypto off their Ledger and to another hardware wallet if they don't like the new Recover feature. Honestly, this is great advice. People should do this!

You can listen to the whole Twitter Spaces here.

Final Thoughts

While Ledger's Recover feature is intended to provide an additional layer of convenience to users, the backlash it has received underscores the need for hardware wallet manufacturers to prioritize security and respect for user autonomy.

As of now, the Ledger Recover feature seems to have created more concerns than solutions in the eyes of the crypto community, highlighting the tensions between ease of use and maintaining the principles of privacy and security inherent to Bitcoin and the wider cryptocurrency community​.

As the situation unfolds, it will be important to see how Ledger addresses these criticisms and whether it can restore trust among its users.

For alternative hardware wallets - check out BitBox, Coldcard, Foundation Passport, Trezor, and Seed Signer.

BitByte is 100% community funded. If you are a fan of the content on BitByte and want to support us, you can share this post, follow us on Twitter, or donate Sats below or by clicking the boost button.

Share this post