Last month, Ledger rolled out its latest feature in a full-blown firestorm.
The French hardware wallet provider envisioned its paid, optional Ledger Recover subscription service as a safety net for users to recover their digital assets in the event of a lost or forgotten seed phrase. However, the company quickly became embroiled in controversy with critics claiming that the service, which encrypts and stores snippets of user seed sentences using three parties, undermined the security of its wallet and contradicted previous claims that private keys never leave the devices.
The backlash led CEO Pascal Gauthier to delay launch, accelerate the company’s open-source roadmap, and open letter to Ledger users apologizing for the “accidental communication error”.
A month after the uproar, Ian Rogers, Chief Experience Officer of Ledger, now sits down with nft for a reflective interview about the lessons learned from the backlash, the challenges of communication in web3 and the future of digital security.
Matt Medved: Ledger was heavily criticized for the rollout of Ledger Recover. What did you learn from it?
Ian Rogers: The problems we ran into were twofold. We really underestimated people’s reaction, and my apologies for that… I would have liked to argue about the merits of the product rather than the merits of Ledger. I was not really prepared for the debate we ended up having. We were surprised that the main question was “How is this even possible?”
When you sign transactions, your hardware wallet has your private key. It protects your private key and you confirm access on a secure screen with buttons connected to a secure element, but it does use your private key… There were a lot of people in the music business who wanted digital rights management in the 90’s and 2000’s, and the joke was that the only way to really protect music so people can’t bootleg it is to make it so no one can hear it. Of course that wasn’t a real solution.
Exciting update, Ledger has a new product, Ledger Recover, launching soon: https://t.co/nT1VHnnSYz
Here’s what Ledger Recover is and what it isn’t, explained by @P3b7_ & in the thread below. pic.twitter.com/RW1w07H6pK
— Ledger (@Ledger) May 16, 2023
If there’s a silver lining, it’s that people now have a better understanding of how Ledger works. You need to access your private key to sign a transaction, so where do you want that? You could be on an exchange where you just have an account and let someone else worry about the back end, but now you’re faced with the challenge, “Do I really have crypto?” You have the FTX problem. Are you in a software wallet where your private key might be available to any app running in your web browser? That’s creepy. Are you in a piece of software on your phone where anyone can access your private key if your phone is routed? Is it a safe enclave with the risk of being routed if you come out to do surgery? Or a hardware wallet with an open source chip that is not secure? Or do you want a hardware wallet like Ledger, which has a purpose-built operating system that is always directly connected to a secure element and secure screen buttons that you must press when your private key is opened? That’s really your decision tree.
We were actually quite happy to be pushed to open source by the community. Despite criticism, Ledger is largely open-source. We would like to open source as much as possible, with the exception of the secure element… Prioritizing is the message with every startup, no matter how big you are. When we saw the response, we said, “We’re happy to share the code.” After all, our motto is “Don’t trust, verify”.
Ledger’s mission is and always will be to provide our users with the right tools to securely own their digital value.
We’ve decided to accelerate our open source roadmap to bring more verifiability to everything we do.
A thread
— Charles Guillemet (@P3b7_) May 23, 2023
Respected developers like 0xfoobar said, “Stop using Ledger hardware wallets.” How do you tackle the challenge of communicating these concepts in this fast-paced, 24/7 space?
That’s a great question. I would handle it differently. Timing matters. We’ve been talking about it publicly for so long and got nothing but good feedback. People say, “Oh yeah, that’s going to put a lot of people into self-preservation.” But the way you tell people really matters. That’s also where we messed up here, as this leaked a week earlier than we planned to announce it via some vague release notes. So people didn’t really know what we were offering and jumped to conclusions. We stood on our back foot and tried to explain what it was. Where I think if we had come out and said, ‘Hey, here’s the service. It’s optional, it’s $10 a month.” People might say “Don’t use that service” which is different from “Don’t use Ledger”.
So we could have handled this differently. There are two separate markets: those who have known us and our product for a long time, mainly on Reddit and Twitter, and the newcomers. The lesson for me and Ariel is that it’s impossible to communicate effectively with both groups at once. They have different expectations and levels of knowledge. A newcomer might thank us for Ledger Recover, while a longtime Ledger user might swear never to give out their government ID online… A fundamental belief of Ledger is that participation is always your choice.
I want to address the feedback on Ledger Recover, the way it has been communicated, and share our way forward. Read my letter and join our town hall with our leadership team for more information.
https://t.co/2hlPrMwzaN pic.twitter.com/juVBOpWeeG
— Pascal Gauthier @Ledger (@_pgauthier) May 23, 2023
Part of our mission at nft now is to make this technology mainstream. The debate was interesting because I understood crypto purists’ concerns about a new potential attack vector, while also understanding that retail users won’t go through complicated op-sec steps. How do you reconcile that?
Ledger is currently almost 10 years old. When they added Ethereum support in 2016, people lost their minds. When Bluetooth was introduced in Ledger, people saw it as another attack vector. It’s not and you can read endless security articles about why it isn’t… But the reality is that accessing your private key is not an additional attack vector. It’s hard to get people to understand that because they didn’t understand how it worked at first… I’m totally empathetic. It shouldn’t be up to every user to understand that.
But I’m in the same boat as you where I had a board meeting last week with Dr. Martens and talked to them about what Nike is doing with dotSWOOSH. I meet with artists and talk about how important it is for them to think about the safety of where their contracts are protected. I’m going out for dinner tonight with a few people from the NFT community, including Betty from Deadfellaz and Benoit from RTFKT. Their safety is literally the safety of their communities, right? They have many people in their community who have one NFT. Should we also take care of those people? That’s the challenge.
“One of my fundamental beliefs is that we don’t have a mass culture. We haven’t done that for a long time.”
Ledger’s Ian Rogers
The lesson is that we really need to have a different communication plan for each of those target groups. One of my fundamental beliefs is that we don’t have a mass culture. We haven’t had that for a long time. Nike talks differently to skateboarders than to football players. That makes sense. We are not with an infinite number of people, so that is not always practical, but it is necessary.
The ERC 4337 standard has the potential to simplify the use of wallets and also store private keys in a smartphone’s security module. How might that affect Ledger’s business?
I think account abstraction is a real boon for future hardware wallets because now you have this scenario where you can just add security. You can go from a software wallet to another factor. As a consumer, you can program what you can do with it, and you’d be crazy not to set those rules with a hardware wallet.
I envision a world like the one we live in now, which is quite heterogeneous. When I open my wallet I have a lot of different ways to identify myself and ways to pay for things that have different rules… I have a checking account and a savings account and a brokerage account and a little bit of cash… I think we’re going to have the same thing, just with digital value, and you can set all sorts of user-defined and user-generated rules around that. There will be certain things that you want to protect with hardware, for example a huge sum of money. Setting those rules with a software wallet wouldn’t be wise… There will be other things where you set a daily limit or whatever you want. It’ll be a while before it’s actually something the average person uses. But I think it’s kind of the promised land and secure hardware plays an important role there. It is very important that people realize that there is no software that will protect your insecure hardware. You need to get that idea out of your head.
“It’s not just about monetary value. People who don’t understand space miss it.”
Ledger’s Ian Rogers
If you have $20 in your wallet, there’s no security on that. That’s fine. It’s not the end of the world if you lose it. I always remind people, especially in the NFT space, that it’s not just about monetary value. People who don’t understand space miss it. They think the whole world of crypto is all about money and get rich quick. I don’t see it that way at all. When my mother was born, there wasn’t much plastic in the world. Now there is a lot of plastic in the world. A world without plastic is hard to imagine. When we were born there was no digital stuff in the world. When we get to our parents’ age, there will be a lot of digital stuff. Like plastic, most of it will not be valuable, but it will be useful in our lives in some way. It’s a new class of things that require different levels of security depending on the total value. Some of that value will be sentimental. If you smashed my car window and stole my CD wallet in the ’90s, it’s not like I couldn’t pay rent anymore. You didn’t take my savings, but I’m really bummed. I have collected them for years. I like those plates. And that’s how I’d feel if you took my Tezos wallet. Those are a bunch of artists that I love and have relationships with.
This interview transcript has been edited for brevity and clarity.
For the full and uncut interview, listen to our podcast episode with Ledger’s Ian Rogers.
