Is the HB 380 a legal backdoor to hardware wallets?

[m2017]

Bitcoiners have been waiting for years for mass adoption and the legalization of cryptocurrencies. This is starting to happen, but the regulator is inevitably trying to distort everything related to cryptocurrencies to suit its own agenda. I fear the BTC-community will receive a very different crypto future (contrary to expectations).

In the US (Kentucky), Section 33, an amendment to the bill House Bill 380, was quickly introduced, by a vote of 85 \ 0, the essence of which is the requirement to:

"The amendment directs hardware wallet manufacturers to help customers reset access credentials. It expressly covers any “password, PIN, seed phrase, or other similar information” used to unlock on-device funds. Moreover, it applies to any information needed to access wallet contents, effectively tying technical design to state-level compliance rules."

This directly contradicts the operating principles of hardware wallets and is a massive backdoor, allowing not only users but also any malicious actor to regain access to their wallet. Of course, this is being presented as "concern for hardware wallet customers" (the road to hell is paved with good intentions), but the effect will be the exact opposite. If this law is passed (it has already been sent to the Senate), other states will follow suit, and then the entire US, and other countries will follow suit, potentially becoming a global norm (I'm not saying it will be exactly that way, but there are certainly similar risks).

Perhaps HW manufacturers will simply leave the US market if the law is passed. Or they'll sell out himself completely to the regulator. What do you think about this?

Would you want a regulator-imposed backdoor in your hardware wallet? What if they don't even ask you about it?

Source: https://abstractcrypto.com/kentucky-hb-380-proposal-on-hardware-wallet-recovery-sparks-self-custody-concerns/

[ABCbits]

This proposal is a terrible joke. Resetting seed phrase is technical non-sense, since different seed phrase leads to different generated address.

Perhaps HW manufacturers will simply leave the US market if the law is passed. Or they'll sell out himself completely to the regulator. What do you think about this?

Many HW manufacturers will leave, but it doesn't apply to Ledger who is halfway ready since they already offer Ledger Recover subscription service .

[Yamane_Keto]

Ledger employees.



If the legislation isn't binding, companies might disregard it.

If it is passed, how will companies compensate their customers for any technical problems?

[Lucius]

From the perspective of those who propose it, it makes sense, because there are obviously a lot of people who are not capable of keeping their backup safe and don't care (or don't understand) the expression "not your keys, not your coins". For those of us who know what this is about, we wouldn't take such a device even if it were given away.

Still, I always wonder if we all live under the grand illusion that such devices are secure today and have no backdoor without someone needing to officially tell us?

[dkbit98]

Would you want a regulator-imposed backdoor in your hardware wallet? What if they don't even ask you about it?

They obviously want full control of everything, and you can see that with all the latest changes with Linux OS, reddit, discord, smartphones, social media, age verification, etc.

Perhaps HW manufacturers will simply leave the US market if the law is passed. Or they'll sell out himself completely to the regulator. What do you think about this?

There are not many hardware wallet manufacturers from US, I think it's only Passport Foundation, but they will probably have to move and relocate.
And with current stupid wars they can always have some martial law and introduce more crazy regulations as justification for protection against evil ''terrorists''.
Luckily we have option to make DIY hardware wallets, and now it's more important than ever to have that available as open source.

[ABCbits]

From the perspective of those who propose it, it makes sense, because there are obviously a lot of people who are not capable of keeping their backup safe and don't care (or don't understand) the expression "not your keys, not your coins".

IMO such people should either start learn how to handle their own key and it's backup or simply use 3rd party custodial service.

Still, I always wonder if we all live under the grand illusion that such devices are secure today and have no backdoor without someone needing to officially tell us?

It's one of reason why people prefer hardware wallet that fully open it's code and hardware design. I remember Ledger only open some stuff and later they introduce Ledger Recover on their device, which means they lie about security of their hardware wallet.

[Lucius]

From the perspective of those who propose it, it makes sense, because there are obviously a lot of people who are not capable of keeping their backup safe and don't care (or don't understand) the expression "not your keys, not your coins".

IMO such people should either start learn how to handle their own key and it's backup or simply use 3rd party custodial service.~snip~

They (most) don't want to learn about it and are actually not interested in anything more than how much they invested and how much (when) they will profit from it. Ideas like Bitcoin are one thing, but their adoption is something else entirely. I think this has been proven over the past 15+ years.

[m2017]

This proposal is a terrible joke. Resetting seed phrase is technical non-sense, since different seed phrase leads to different generated address.

We live in a wonderful world where these terrible jokes are almost the norm (considering the absurdity of some laws).

Many HW manufacturers will leave, but it doesn't apply to Ledger who is halfway ready since they already offer Ledger Recover subscription service .

And given the examples from Ledger, I expect that few manufacturers will "leave" this market, as it would mean a loss of profit. They will adapt to this law and sell this forced service to their customers under the guise of "convenience and some kind of alternative backup". Moreover, I'm even sure that there will be many device buyers who will be satisfied with this feature, just like the Ledger Recover subscription service (paying a subscription fee for strangers to access your wallet- how ingeniously simple!).

This is how people quietly lose their privacy, confidentiality, the sole right to own and manage their assets, and ultimately, financial freedom.

If it is passed, how will companies compensate their customers for any technical problems?

This is certainly not a problem for legislators.

From the perspective of those who propose it, it makes sense, because there are obviously a lot of people who are not capable of keeping their backup safe and don't care (or don't understand) the expression "not your keys, not your coins". For those of us who know what this is about, we wouldn't take such a device even if it were given away.

This is exactly what I'm saying: despite the accessibility and low barrier to entry into the cryptocurrency industry, it turns out that cryptocurrencies aren't for everyone, as not everyone can ensure the necessary level of security for their assets (seed phrase).

I also expect that there is a demand for these backdoors among cryptocurrency users. As much as we might not like it, some people will be willing to shift responsibility for storing seed phrases to 3rd parties, even risking the safety of their assets.

Despite all the troubles with banks (bankruptcies, thefts by depositors, and losses), the entire world still uses their services (giving your money to strangers is the same as giving away your seed phrase).

Still, I always wonder if we all live under the grand illusion that such devices are secure today and have no backdoor without someone needing to officially tell us?

If I were a HW manufacturer, of course I wouldn't tell anyone about it.

They obviously want full control of everything, and you can see that with all the latest changes with Linux OS, reddit, discord, smartphones, social media, age verification, etc.

It seems a bit absurd (but at the same time it seems like a priority): to want control over something that (cryptocurrencies) allows one to avoid this control.

Luckily we have option to make DIY hardware wallets, and now it's more important than ever to have that available as open source.

Until it's banned yet.

I think in the world of the future, financial freedom will be impossible without it.

[ABCbits]

Many HW manufacturers will leave, but it doesn't apply to Ledger who is halfway ready since they already offer Ledger Recover subscription service .

And given the examples from Ledger, I expect that few manufacturers will "leave" this market, as it would mean a loss of profit. They will adapt to this law and sell this forced service to their customers under the guise of "convenience and some kind of alternative backup". Moreover, I'm even sure that there will be many device buyers who will be satisfied with this feature, just like the Ledger Recover subscription service (paying a subscription fee for strangers to access your wallet- how ingeniously simple!).

This is how people quietly lose their privacy, confidentiality, the sole right to own and manage their assets, and ultimately, financial freedom.

Since it costs 10 USD/month, i wonder how many people decide not to use it because it's cost rather than security concern. After all, some people may hate paying for additional stuff even if they like convenience.

Luckily we have option to make DIY hardware wallets, and now it's more important than ever to have that available as open source.

Until it's banned yet.

I think in the world of the future, financial freedom will be impossible without it.

That means they need to either ban or restrict usage of certain electronic or computer parts, which include Raspberry Pi.

[Pmalek]

This proposal is a terrible joke. Resetting seed phrase is technical non-sense, since different seed phrase leads to different generated address.

Of course it is, but the idea was never to protect you as the user and customer of hardware wallets. It's only presented that way. It's a way for law enforcement and nation states to have the capabilities to crack open the wallets of their subjects if the need arises. If the system is non-custodial, they need your keys to enter. They don't like not having a reset button. They want complete custody or shared custody. Perhaps a seemingly non-custodial solution (in your eyes) that is in fact a custodial one they can gain entry to if they want.

[Yamane_Keto]

Since it costs 10 USD/month, i wonder how many people decide not to use it because it's cost rather than security concern. After all, some people may hate paying for additional stuff even if they like convenience.

A Ledger Recover user will not use the service to secure an account with $10 or $50; it will certainly be an amount higher than $500, and then a monthly subscription of 10 USD/month or 120 USD/year will not be a large amount that affects the decision, especially if the fear is of losing the entire amount.