Ledger’s Hard Lesson: Being Right Isn’t Good Enough

Ledger, the Paris-based hardware wallet maker, has had a terrible week. And in large part, it seems they have themselves to blame.

Things started out badly enough. Ledger’s May 16 introduction of the “Ledger Recover” seed phrase recovery service was greeted with skepticism from the crypto community, who worried about new security risks being introduced to one of the most widely-trusted hardware wallets on the market.

This article is excerpted from The Node, CoinDesk’s daily roundup of the most pivotal stories in blockchain and crypto news. You can subscribe to get the full newsletter here.

Then it all got much worse. By midweek, Twitter filled with wild speculation that Ledger devices were now compromised. There were even Ledger-smashing videos of a sort normally associated with far-right culture war boycotts. In part that was thanks to spiraling paranoia, social-media hyperbole and basic misunderstandings of crypto architecture. But Ledger’s own communications also poured fuel on the fire.

The incident’s key takeaway for other crypto companies is simple: It’s not enough to be technically correct, especially in a crisis. As crypto attracts more and more users with limited technical knowledge, it’s more important than ever to communicate clearly and carefully.

In other words, it’s important to not make tweets like this. For the sake of our industry.

You can’t handle the truth

Some of those piling on to attack Ledger have simply misunderstood that the new Ledger Recover service, and the identity documentation involved, are entirely optional. Ledger Recover is aimed at less rigorous crypto users who may want an insurance policy against losing their private keys. Strategically for Ledger, and frankly for crypto as a whole, offering this sort of middle-ground security option makes sense.

But the backlash only spun further out of control after someone at Ledger, purportedly a customer support agent, tweeted that “technically speaking it is and always has been possible to write firmware that facilitates key extraction.”

Now here’s the thing: while Ledger has wisely deleted and rephrased its message, this tweet seems to be basically accurate. As cryptography pioneer Christopher Allen laid out in this Twitter thread, “all it requires is a signed firmware update and seeds can go wherever they want.” And that applies to many kinds of hardware wallets, not just Ledger.

But boy oh boy, is “you have always trusted Ledger not to steal all your money” not the right way to phrase that. Despite being broadly accurate, the message added immensely to the confusion, fueling even more panicky rhetoric on Twitter – including claims that Ledger devices have been revealed to have some deep flaw or “back door.”

The offending comment seems to simultaneously affirm all of the worst fears being floated – and also belittle the worriers for not catching on sooner. Regardless of intent, both “technically speaking” and “whether you knew it or not” will be heard as condescending, even dismissive. “Yes we can do the thing you’re most worried about, but you shouldn’t be worried about it because we could always do it, and you’re kind of dumb for not already realizing that” is not a way to calm anybody down.

(A note on responsibility here: If they were indeed a rank-and-file customer service rep, whoever wrote this tweet should not have felt empowered or responsible to make such a broad statement at all. True culpability for the misstep lies further up the chain of command.)

Even worse, the message commits a sin that we in journalism call “burying the lede.” A second tweet, threaded onto the “technically speaking” post, emphasized that every update has to be manually approved by the user. This is the core of Ledger’s rebuttal of the ongoing attacks against it.

You can still use a Ledger

While the technical nuances are beyond my scope here, some extremely trustworthy experts have rebutted the most extreme worries circulating about Ledger.

Most significantly, Taylor Monahan, founder of the MyCrypto wallet and now part of the Metamask team, has vigorously condemned the worries about Ledger as “sensationalist bullshit.” Haseeb Qureshi of Dragonfly Capital also notably walked back his initial concerns, writing “now I’m in the ‘nvm it’s fine’” camp.

It’s too soon to completely sign off on the idea that everything is fine, but the main misunderstanding is clear. A hardware wallet needs an updatable operating system (OS), including so it can add support for new tokens and chains. So users have to allow updates at some point, and most Ledger users have likely gotten an update or two before the current controversy popped off.

That is, they’ve trusted Ledger, whether they knew it or not. The fact that an update would be used to implement a recovery scheme was what finally drew attention to the process. The alternative isn’t to buy a different hardware wallet, but to store your seed phrase on a piece of paper in a safe.

The one ding on Ledger that does seem valid is that these updates, and the Ledger code, are not open source, while many other hardware wallets’ code is. This genuinely makes the trust placed in Ledger even higher than with other wallets. But this real question has become muddled with a lot of off-base and ill-informed speculation, and Ledger has so far failed to quell either the real concerns or the mistaken ones.

One way of thinking about this unfortunate drama is that language is not like computer code. If you’re writing a smart contract or a physics engine, you can construct the same function a half dozen different ways with little functional difference. When you’re writing a tweet, by contrast, tiny variations matter immensely to how it will be received. It’s art, not science – and the gap between the two is only going to grow wider as more and more average folks adopt crypto.