Ledger CEO Pascal Gauthier has confirmed that the seed phrases of users who opt in to Ledger's controversial new Recover service could, in theory, be turned over to the government if the company were subpoenaed.
Ledger's latest firmware update and its hardware wallets have been a touchy subject over the past week. The company describes Recover as an optional firmware upgrade that lets users back up their mnemonic phrases with third-party entities, so that a lost mnemonic phrase can be restored.
If a user opts in to the service, the seed phrase is split into three encrypted pieces, called "shards," which are then stored by three separate parties: Coincover, Ledger, and an independent backup service provider.
On Peter McCormack's What Bitcoin Did podcast, Gauthier acknowledged that, while Recover could technically result in users' seed phrases being handed to government entities, this would only happen in cases of "serious behavior," such as drug and terrorism crimes. "It is not true that ordinary people receive subpoenas on a daily basis," he said.
McCormack, the host of the podcast, disputed this claim, noting that Coinbase was subpoenaed by the IRS in 2018 and forced to hand over the personal information of 13,000 users.
Gauthier countered that the example was an inaccurate comparison. Unlike Coinbase, Ledger is not a banking institution and is not subject to the same laws as cryptocurrency exchanges, he said. It's worth noting that while some users, such as the pseudonymous cryptocurrency commentator 0xFoobar on Twitter, viewed the update as an inexcusable invasion of privacy, Ledger representatives insisted that these concerns were largely overblown. Ledger further clarified what the new Recover update really means for its users.
“The core value proposition remains the same: the ethos of self-regulation and self-sovereignty means you have choices,” a Ledger spokesperson said. “The launch of Ledger Recover doesn't change that; it's entirely up to you if you feel like this is a service you want to subscribe to.”
Ledger said that, despite numerous allegations against the company on social media, the original seed phrase itself does not leave the device.
“What you are creating is SSS encrypted and sharded backups, if you will. The shards are completely useless unless the user restores the backup on the Ledger device, and only on the Ledger device, where multiple parts are required to decrypt.” “If you don't want to use Ledger Recover, nothing changes for you.”
When asked whether there were any plans to open-source its firmware code, a direction rival cold wallet provider Grid Plus is currently moving in, Ledger claimed it was impossible to open-source the inner workings of its “secure element” chips because of legal constraints imposed by the chipmakers. "What we're going to do is continue to open source more and more of the code until we get to a level similar to the Raspberry Pi where only a small portion of the secure element-related code is turned off -- again a legal imperative."
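The "SSS" in the spokesperson's quote refers to Shamir's Secret Sharing, the scheme behind the three-shard split described earlier. The following is an added illustration, not Ledger's code: the actual Recover protocol, including how each shard is encrypted to its custodian and how the device authenticates the restore, is not described in this article. The example splits a constructed 32-byte secret (the entropy behind a 24-word seed) into three shares over the prime field GF(2^521 - 1) and reconstructs it from any two. The 2-of-3 threshold is an assumption; the article says only that "multiple parts are required." It also shows the property that makes such a split meaningful for a custodian: a single share is a uniformly random field element and reveals nothing about the secret.

```python
import secrets

# Mersenne prime 2^521 - 1. Every 256-bit secret is a valid field element,
# so the whole seed entropy can be treated as one integer.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo P, via Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret: bytes, threshold: int, shares: int):
    """Shamir split: return `shares` points (x, y) on a random polynomial of
    degree threshold-1 whose constant term is the secret."""
    if threshold < 2 or threshold > shares:
        raise ValueError("need 2 <= threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    # Constant term is the secret; the remaining coefficients are secret random values.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares, secret_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from `shares` points.
    Correct only when at least `threshold` distinct shares are supplied."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s.to_bytes(secret_len, "big")


def demo():
    """Split a constructed secret 2-of-3 and check that any two shares restore it.
    Returns (secret, shares, recovered_from_first_two, recovered_from_outer_two)."""
    # Constructed sample: 32 bytes standing in for the entropy behind a 24-word seed.
    secret = bytes(range(32))
    shares = split_secret(secret, threshold=2, shares=3)  # threshold 2 is an assumption
    a = recover_secret(shares[:2], len(secret))
    b = recover_secret([shares[0], shares[2]], len(secret))
    return secret, shares, a, b


if __name__ == "__main__":
    secret, shares, a, b = demo()
    print("shares agree with secret:", a == secret and b == secret)
    # Any single share is a random field element; on its own it says nothing about the secret.
    print("share 1 alone equals secret:", shares[0][1] == int.from_bytes(secret, "big"))
```

In a real deployment each share would additionally be encrypted to its custodian and the restore bound to an authenticated device, which is what the spokesperson's "only on the Ledger device" refers to; those details are outside what this article documents.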