Why Ledger “Underestimated” the Recover Backlash

BY Matt Medved

June 15, 2023

Last month, Ledger introduced its latest feature into a full-blown firestorm.

The French hardware wallet provider envisioned its paid, optional Ledger Recover subscription service as a safety net for users to recover their digital assets in the case of a lost or forgotten seed phrase. However, the company quickly found itself embroiled in controversy with critics claiming the service, which encrypts and stores fragments of user seed phrases with three parties, undermined its wallets’ security and contradicted previous claims that private keys never leave the devices.

The blowback prompted CEO Pascal Gauthier to postpone the launch, accelerate the company’s open-source roadmap, and pen an open letter to Ledger users apologizing for the “unintentional communication mistake.”

One month after the uproar, Ledger Chief Experience Officer Ian Rogers sits down with nft now for a reflective interview on lessons learned from the backlash, the challenges of communicating in web3, and the future of digital security.

Matt Medved: Ledger received significant backlash for the rollout of Ledger Recover. What did you learn from it?

Ian Rogers: The trouble that we got into with it was twofold. We really underestimated people’s response, and I apologize for that… I would have loved to have had an argument about the merits of the product rather than the merits of Ledger. I wasn’t really prepared for the debate we ended up having. We were surprised that the main question was, “How is this even possible?”

If you sign transactions, your hardware wallet has your private key. It protects your private key and you confirm access on a secure screen with buttons connected to a secure element, but it does use your private key… There were lots of people in the music business that wanted digital rights management in the 90s and 2000s, and the joke was that the only way to really protect music so people can’t bootleg it is to make it so no one can hear it. Obviously, that wasn’t a real solution.

If there’s a silver lining, it’s that people now understand how Ledger works better. You need to have access to your private key to sign a transaction, so where do you want that to be? You could be on an exchange where you just have an account and let someone else worry about the back end, but now you have the challenge of “Do I really have any crypto?” You have the FTX problem. Are you in a software wallet where your private key might be available to any app running in your web browser? That’s scary. Are you in a piece of software on your phone where anyone can have access to your private key if your phone gets routed? Is it a secure enclave with the risk of being routed when you come out to do an operation? Or a hardware wallet with an open-source chip that isn’t secure? Or do you want a hardware wallet like Ledger, which has a purpose-built operating system that is always directly connected to a secure element and secure screen buttons that you are prompted to push anytime your private key is accessed? That’s really your decision tree.

We were actually quite happy to be pushed to open-source by the community. Despite criticisms, Ledger is majority open-source. We’d like to open source as much as possible, with the exception of the secure element… Prioritization is the name of the game in any startup, no matter how big you are. Seeing the response, we said, “We’re happy to share the code.” After all, our motto is “Don’t trust, verify.”

Respected devs like 0xfoobar were saying, “Stop using Ledger hardware wallets.” How do you address the challenge of communicating these concepts in this fast-paced, 24/7 space?

That’s a great question. I’d handle it differently. Timing matters. We’ve been talking about it publicly for so long and received only good feedback. People say, “Oh yeah, that’ll bring a lot of people to self-custody.” But the way you tell people really matters. That’s also where we screwed up here because this leaked out a week ahead of when we were planning to announce it through some vague release notes. So people didn’t really know what we were offering and jumped to conclusions. We were on our back foot trying to explain what it was. Where I think if we’d have come out saying, “Hey, here’s the service. It’s optional, it’s 10 bucks a month.” People might say, “Don’t use that service,” which is different than saying “Don’t use Ledger.”

So, we could have approached this differently. There are two separate markets: those who have known us and our product for a long time, mainly on Reddit and Twitter, and the newcomers. The lesson for me and Ariel is that it’s impossible to communicate effectively with both groups at once. They have different expectations and levels of knowledge. A newcomer might thank us for Ledger Recover, while a long-standing Ledger user might vow never to provide their government ID online… A fundamental belief of Ledger is that participation is always your choice.

Part of our mission at nft now is taking this technology mainstream. The debate was interesting because I understood the concerns of crypto purists around a new potential attack vector, while also understanding that retail users are not going to go through convoluted op-sec steps. How do you reconcile that?

Ledger is almost 10 years old at this point. When they added Ethereum support in 2016, people lost their minds. When Bluetooth was introduced to Ledger, people saw it as another attack vector. It’s not and you can read endless security things on why it isn’t… But the reality is that having access to your private key is not an additional attack vector. It’s hard to get people to understand that as they didn’t understand how it worked to begin with… I’m totally empathetic. It shouldn’t be on every user to understand that.

But I’m in the same boat as you where I had a board meeting with Dr. Martens last week and talked to them about what Nike is doing with dotSWOOSH. I’m having meetings with artists and talking about how important it is that they think about the security of where their contracts are protected. I’m having dinner with a couple of folks from the NFT community tonight, including Betty from Deadfellaz and Benoit from RTFKT. Their security is literally the security of their communities, right? They have a lot of people in their communities who have one NFT. Do we need to care for those people too? That’s the challenge.

“One of my fundamental beliefs is that we don’t have a mass culture. We haven’t for a long time.”

Ledger’s Ian Rogers

The lesson is that we really need to have a different communication plan for each of those audiences. One of my fundamental beliefs is that we don’t have a mass culture. We haven’t for a long time. Nike talks to skateboarders differently than they talk to footballers. That makes sense. We’re not an infinite number of people, so that’s not always practical, but that’s what’s required.

Ledger Stax

The ERC 4337 standard has the potential to simplify the use of wallets and also store private keys on a smartphone’s security module. How does that potentially impact Ledger’s business?

I think account abstraction is a real boon for hardware wallets down the road because now you’ve got this scenario where you can just add security. You can go from having a software wallet to having another factor. As a consumer, you’ll be able to program what you can do with what, and you would be crazy not to set those rules with a hardware wallet.

I picture a world like the world we live in now, which is quite heterogeneous. If I open my wallet, I have a bunch of different ways of identifying myself and ways of paying for things that have different rules around them… I’ve got a checking account and a savings account and a brokerage account and a little bit of cash… I think we’ll have that same thing just with digital value and you’ll be able to set all kinds of user-defined and user-generated rules around that. There will be certain things you will protect with hardware, for example, a huge sum of value. Setting those rules with a software wallet would not be wise… There will be other things where you set a daily limit or whatever you’d like. It’s going to take some time before it’s really something that the average person is using. But I think it’s a bit of a promised land and secure hardware has an important role to play there. It’s really important that people realize there is no software that will make your insecure hardware secure. You need to get that idea out of your head.

“It’s not all just about monetary value. People who don’t understand the space miss this one.”

Ledger’s Ian Rogers

If you have 20 bucks in your wallet, there’s no security on that. That’s fine. It’s not the end of the world if you lose it. I always remind people, especially in the NFT space, that it’s not all just about monetary value. People who don’t understand the space miss this one. They think that the whole world of crypto is just about money and get-rich-quick. I don’t see it that way at all. When my mom was born, there was not much plastic in the world. Now there’s a lot of plastic in the world. It’s hard to imagine a world without plastic. When we were born, there was no digital stuff in the world. When we’re our parents’ age, there’s going to be a lot of digital stuff. Just like plastic, most of it won’t be valuable but it will be useful in some way in our lives. It is a new class of stuff that will need different levels of security, depending on its overall value. Some of that value will be sentimental. In the 90s, if you smashed my car window and stole my CD wallet, it’s not like I couldn’t pay rent anymore. You didn’t take my life savings, but I’m super bummed. I spent years collecting those. I love those records. And that’s how I’d feel if you took my Tezos wallet. Those are a bunch of artists that I love and I have relationships with.

This interview transcript has been edited for concision and clarity.

For the full and uncut interview, listen to our podcast episode with Ledger’s Ian Rogers.

Dive Deep

Features & Guides