Cryptos and privacy: The Ledger Recover scandal decoded
Over the past two weeks, Ledger, a crypto security firm, found itself at the center of a major controversy. This controversy revolved around the new product called Ledger Recover. It is an optional update presented as a useful tool for recovering lost wallet keys. However, Ledger users were not pleased with this technical evolution. They suspected that the company was violating their fundamental right to privacy.
The origins of the Ledger Recover controversy
It all started on Tuesday, May 16. On that day, Charles Guillemet, the CTO of Ledger, posted an update on his Twitter feed. In the update, he explained the ins and outs of Ledger Recover, the new product implemented by the company. The concept behind accessing this optional but chargeable service ($10 per month) is relatively simple.
Ledger wanted to allow its users to recover the keys to their Ledger wallets in case of loss. In a context where such an option simply isn’t available, this initiative is quite ambitious. However, the realization of this concept requires a Know Your Customer (KYC) identity verification process.
This verification procedure involves third-party companies, namely Tessi and FIDO Alliance. Each of these companies is responsible for conducting the KYC identification process, which includes access to users’ facial recognition and national identification cards.
Additionally, two other companies, Coincover and EscrowTech, along with Ledger itself, are involved in the process. Each of them will hold a portion of the wallet key that may be requested for recovery. The portions are sent over three end-to-end encrypted channels, which keeps the transfers independent of one another. Unexpectedly, Guillemet’s announcement of the project had a bombshell effect. Users did not hesitate to express their criticism and concerns regarding an initiative considered risky in many ways.
Fierce criticism from Ledger users
Users quickly criticized the optional update that puts Ledger Recover into operation. They raised concerns about the privacy of user data, which is justified given the platform’s insufficient security measures.
For instance, in 2020, Ledger experienced a hacking attack that resulted in the personal data of thousands of users being exposed online. This highlights Ledger’s privacy vulnerabilities. It is also the second major user concern behind the strong resistance.
Many fear that hackers might succeed in obtaining information that is supposed to be confidential. Moreover, a secret agreement detrimental to users’ interests cannot be ruled out. In many cases, users take a backseat when faced with significant issues, as is the case here. These technical concerns raise another legal concern regarding the transferability of user data to authorities.
What about the transferability of user data to authorities?
This is one of the most vehement criticisms directed at Ledger Recover. The remark is so relevant that it forced the company’s executives to respond. That is precisely what Ledger’s CEO did a few days later, on Monday, May 22.
In a podcast, Pascal Gauthier, the CEO of Ledger, addressed the Ledger Recover controversy. Unfortunately, he brought unsettling news for subscribers to this service. According to Gauthier, information regarding the wallet keys of users could potentially be shared with authorities.
However, he clarified that this possibility would only be considered in the event of a judicial procedure involving a subpoena. In cases deemed serious, such as terrorism-related crimes, the company would comply and share the information it possesses.
Gauthier emphasized that this possibility would not apply to all users. He stated, “It’s not true that the average person is summoned to court every day.”
Ledger reassures its users
To mitigate concerns, Gauthier reminded users what subscribing to Ledger Recover entails. “What you create, if you opt for Ledger Recover, is an encrypted backup divided into pieces. These fragments are completely useless unless the user restores the backup on a Ledger device, and only on a Ledger device, where multiple parties are required for decryption. If you don’t want to use Ledger Recover, nothing changes for you,” explained the Ledger CEO.
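The idea of a backup "divided into pieces" held by Ledger, Coincover and EscrowTech can be illustrated with threshold secret sharing. This is an added example, not Ledger's code: the article does not name the scheme or the threshold, so Shamir secret sharing, the 2-of-3 threshold, the field prime and every function name here are assumptions, and the seed is a constructed value.

```python
import secrets

P = 2**521 - 1  # Mersenne prime; assumed field, larger than a 256-bit secret
CUSTODIANS = ("Ledger", "Coincover", "EscrowTech")  # names from the article


def split(secret, k=2, n=3):
    """Return n points on a random degree-(k-1) polynomial with f(0) = secret."""
    if not 0 <= secret < P:
        raise ValueError("secret outside the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = {}
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares[x] = y
    return shares


def recover(shares):
    """Lagrange interpolation at x = 0 over the supplied {x: y} points."""
    total = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def explain_away(share, candidate):
    """For k = 2: the slope that makes ONE share fit any candidate secret.
    A slope always exists, so a lone fragment rules out no secret at all."""
    x, y = share
    return (y - candidate) * pow(x, -1, P) % P


if __name__ == "__main__":
    seed = secrets.randbits(256)  # constructed stand-in for wallet entropy
    shares = split(seed)
    for name, x in zip(CUSTODIANS, shares):
        print(f"{name:<10} holds fragment x={x}")
    print("Coincover + EscrowTech rebuild it:", recover({2: shares[2], 3: shares[3]}) == seed)
    slope = explain_away((1, shares[1]), candidate=42)
    print("Ledger's fragment alone also fits secret 42:", (42 + slope) % P == shares[1])
```

Under this assumed threshold, one custodian's fragment carries no information about the secret, while any two custodians together can rebuild it.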
Perhaps users are worrying unnecessarily? The Twitter user 0xFoobar doesn’t see it that way. For them, this Ledger update is simply a blatant violation of user privacy.
While several users, like 0xFoobar, view this innovation negatively, Ledger aims to reassure them. Pascal Gauthier took the opportunity to apologize for the “poor communication” from the company.
Furthermore, the CEO made an announcement. His company is committed to making a larger part of its codebase accessible to the public. This initiative aims to improve Ledger’s transparency and involve users more actively. It includes the core components of the Ledger Recover operating system.
In addition, Charles Guillemet, Ledger’s CTO, stated that a whitepaper on the Recover protocol will be published soon. Technical blog articles are also planned to “explain the operational principles of Recover.” The big question is whether all these planned initiatives will yield positive results. In any case, the issue of privacy and personal data preservation is a major concern. That is also one of the reasons why blockchain presents itself as a relevant alternative.
The Cointribune editorial team joins its voices to speak on topics specific to cryptocurrencies, investment, the metaverse and NFTs, while striving to answer your questions as well as possible.