The LedgerGate Timeline - Can Ledger Gain Back Trust?
Co-published on Odysee, Publish0x, and Steemit.
When Ledger announced its optional Ledger Recover service, many customers grew frustrated with the company because they saw it as an affront to financial privacy and a direct contradiction of what Ledger had previously said about the Secure Element chip. Word for word, Ledger said on Twitter that "a firmware update cannot extract the private keys from the Secure Element". However, because Recover has the Secure Element send out three shards of the seed (from which every private key on the device is derived) after a firmware update, Ledger's claim is technically false: what leaves the chip is decided by the firmware running on it, not by the chip itself. The company would admit in a now-deleted tweet (but archived by yours truly) that it was always possible to do such a thing. You can guess how that statement was received by the public.
On May 22, CEO Pascal Gauthier went on the What Bitcoin Did podcast to discuss the Recover service. The conversation was overall cordial and productive, though one ominous statement alarmed privacy advocates. As CryptoSlate pointed out, Gauthier said "the only concern really is if [the shard holders] get subpoenaed by a government [that says they] would like [us] to retrieve the three shards". He stated that such subpoenas would be rare cases related to terrorism, drugs, and other criminal offenses. However, considering how trigger-happy the current US government is with the domestic-terrorist label and how anti-crypto the Biden administration is, I personally have doubts.
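The threshold arithmetic behind those "three shards", as an added illustration that is not Ledger's code and is not taken from this post: a Shamir secret-sharing split over GF(2^8), done byte by byte, with a 2-of-3 threshold. Ledger has described Recover as a 2-of-3 scheme, but the post itself only says three shards, so the threshold, the field polynomial, the constructed 32-byte sample entropy and the holder labels are all this example's assumptions, and how the real service encrypts and transports each fragment is not shown here. What the example makes concrete is the point behind the subpoena worry: any two holders who hand over their fragments reconstruct the whole seed, while a single fragment on its own is a uniformly random string that says nothing about it.

```python
import secrets

# Reducing polynomial x^8 + x^4 + x^3 + x + 1 (the AES field). Assumption: the
# field and encoding Ledger actually uses are not on this page.
GF_POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements: carry-less multiply, reduce mod GF_POLY."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= GF_POLY
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 == a^-1 in GF(2^8) (square-and-multiply)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret: bytes, threshold: int, shares: int) -> list[tuple[int, bytes]]:
    """Shamir split, byte by byte. Each secret byte becomes the constant term of an
    independent random polynomial of degree threshold-1; share i is (x=i, y bytes)."""
    if not 1 < threshold <= shares < 256:
        raise ValueError("need 1 < threshold <= shares < 256")
    ys = [bytearray() for _ in range(shares)]
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i in range(shares):
            x = i + 1
            y = 0
            for c in reversed(coeffs):  # Horner's rule, evaluate at x
                y = gf_mul(y, x) ^ c
            ys[i].append(y)
    return [(i + 1, bytes(ys[i])) for i in range(shares)]


def recover_secret(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0. In characteristic 2,
    subtraction is XOR and -x == x, so L_j(0) = prod_{m != j} x_m / (x_m ^ x_j)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xm ^ xj)
            acc ^= gf_mul(yj[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def recover_demo() -> dict:
    """Constructed 256-bit entropy standing in for a seed, split 2-of-3 among three holders."""
    seed_entropy = bytes(range(32))  # constructed sample, not a real seed
    holder_a, holder_b, holder_c = split_secret(seed_entropy, threshold=2, shares=3)
    return {
        "secret": seed_entropy,
        "shard_c": holder_c[1],
        "two_shards": recover_secret([holder_a, holder_b]),
        "other_two": recover_secret([holder_b, holder_c]),
        "all_three": recover_secret([holder_a, holder_b, holder_c]),
        "one_shard": recover_secret([holder_c]),  # below threshold: yields only the shard itself
    }


if __name__ == "__main__":
    r = recover_demo()
    print("any two shards recover the seed:", r["two_shards"] == r["secret"] == r["other_two"])
    print("one shard alone recovers the seed:", r["one_shard"] == r["secret"])
```

Running it shows the two-sided nature of the design: below the threshold, interpolation with one point just returns that holder's own bytes, which are independent of the seed; at or above it, the seed comes back exactly. Whoever can compel two of the three holders, or whoever the firmware sends two fragments to, holds the seed.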
A day later, the CEO made an official statement on Ledger's website with some very significant announcements. The company would delay the rollout of the Recover service in order to open source the Recover protocol. A whitepaper will be published, allowing the protocol to be audited and letting consumers run their own fragment backup provider. Most importantly, the service will not launch until the firmware portion of Recover is open source.
As I stated in my last post on the Ledger Recover controversy, the best way for the company to salvage the fiasco was to open source the firmware. There is evidence that it was losing customers: Trezor told CryptoSlate on May 25 that it had seen 900% (10x) growth in sales. While most people remain wary after the CEO's May 23 announcement (just look at the subreddit), credit where credit is due. At least Ledger did not call its customers entitled, and it is making an effort to be transparent about how the protocol works.
On the other hand, as I mentioned before, trust is a two-way street. I should emphasize that it is the firmware portion of Recover that will be open source; that does not mean the entirety of the firmware will be. CTO Charles Guillemet stated on Twitter that the Secure Element and the know-how behind it are Ledger's intellectual property, which the company does not want leaked, so the firmware cannot be fully open source. As a result, as a Ledger user you will still need to trust that the closed-source portion of the firmware contains nothing nefarious; an open-source Recover module can show how that one feature handles the seed, but it cannot prove what the rest of the firmware does with it. Whether you are comfortable with that is up to you.