
Topic: Foundation Passport (FE) hardware wallet review and walkthrough - page 2. (Read 1589 times)

hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
First is Google, who we use for company email. This means any interaction with our customer support team has emails stored with Google.
If you self-host everything else, why don't you do the same thing for emails as well?
I can't speak for Foundation, but I do know that - especially with outgoing emails - self-hosting these days is a pretty big challenge.
Some providers will immediately flag your emails or delete them outright due to too strict firewall settings. Imagine a customer not receiving a response because their email provider didn't let Foundation team's reply through. That will probably be the main issue.

Maybe a support thread on Bitcointalk, together with support through DM (even if it may sound silly) could be a better way, avoiding email completely.

Do you have any official reseller stores in US and in other parts of the world that can sell Passport devices for cash or bitcoin in person?
I think this is the best way for reducing digital footprint and there is no risk of any leaks happening in future.
I agree that local and international brick-and-mortar resellers / distributors would be a great idea.
Though up until now everything was preorder - I don't believe that in-person preorders are very convenient; the customer would at least need to visit the store 2x. But on the other hand, they may actually be ready to do it.

Hopefully we'll see in-stock, in-person offerings around the world, after preorders are shipped!
legendary
Activity: 2212
Merit: 7064
First is Google, who we use for company email. This means any interaction with our customer support team has emails stored with Google.
If you self-host everything else, why don't you do the same thing for emails as well?
I know most people use gmail, but you can't seriously expect them to respect any customer privacy.
You don't sell anything directly to third parties, but Google can and probably is sharing all email content with government agencies.

As always, when buying a hardware wallet, we recommend providing as little personal information as possible. As an American company we may be required to comply with law enforcement requests (though we'd fight any request as hard as possible).
Do you have any official reseller stores in US and in other parts of the world that can sell Passport devices for cash or bitcoin in person?
I think this is the best way for reducing digital footprint and there is no risk of any leaks happening in future.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Thank you for reading and please send your questions!
Thanks for your answers! I don't think I have follow-up questions to these points directly, but I started to watch BTCSessions' Passport video for batch 2 and he quickly said that you can 'decide what you get notifications for'.
There is a selection of 'All', 'Transactions', 'Updates' and 'Security'.



Does this mean the application has some kind of remote notifications built-in (that to the best of my knowledge need to go through Google and / or Apple servers)? Or is it just a 'notification page' inside the app?
And do you use Firebase or any other Analytics / similar type framework?

I've yet to try Envoy, as I'm generally skeptical of most mobile wallet applications; none could really satisfy my privacy requirements until now.
member
Activity: 63
Merit: 119
Hi all, I have been summoned to this thread, and I appreciate all your comments and discussion! I lurk here from time-to-time but will make a more intentional effort to reply to comments in this thread. If you have any questions, please send my way! And thank you to n0nce and dkbit98 for being especially active.

Regarding our privacy policy – we currently have our Wordpress + WooCommerce instance set to automatically clear personal data from orders 60 days after shipping. For cancelled orders, those clear automatically after 30 days.

We do download, encrypt, and store data offline for sales tax reporting (typically need the zip code for each order) and for warranty/repair requests. If someone contacts us 6 months after ordering, for example, we need to be able to look up the order details and confirm they are a customer in order to send a replacement device. I hope this is reasonable, as it is necessary to store some information when operating a business where customers are buying a physical product.

We are working on an internal "vault" tool that will allow us to automatically encrypt all customer data and rate limit + audit internal requests to view that data. That will be live internally sometime next year, and will allow us to more aggressively purge data from Wordpress + WooCommerce.

We self host a lot – Wordpress, our own mailing list, our customer support center, even our internal video chat tool and scheduling website. But we do sadly rely on some third parties. First is Google, who we use for company email. This means any interaction with our customer support team has emails stored with Google.

Second is our outgoing marketing emails – we do not host our own email server, so we use Mailgun for SMTP. They log messages for 2 days (I believe).

Therefore, in our official privacy policy, we legally are required to say that we share data with third parties for marketing reasons – because we use Mailgun for SMTP for marketing emails.

We 100% do not sell your data to marketing companies or anything like that.

We have a new privacy policy going live soon that better details the exact systems we use.

As always, when buying a hardware wallet, we recommend providing as little personal information as possible. As an American company we may be required to comply with law enforcement requests (though we'd fight any request as hard as possible).

Our blog actually lays out some posts on how to preserve your privacy when buying a Passport:

Buying a Passport with PayJoin and general privacy tips: https://foundationdevices.com/2022/03/passport-coinjoin/
Using Bitcoin more privately: https://foundationdevices.com/2022/05/interacting-with-bitcoin-privately/

Thank you for reading and please send your questions!
legendary
Activity: 2212
Merit: 7064
Side question, though: How many of you guys read every company's privacy policy who you order from? Do you do this categorically, just for Bitcoin-related stuff, and if so, why? Interested in hearing / reading your thoughts.
Generally I read them but sometimes I don't manage to read 100% with full attention especially if they contain a lot of reading material.
Before I used to be much less careful but I guess I learned my lesson.

For anyone who is interested, BTC Sessions posted a good video tutorial for the new Foundation Passport batch 2 hardware wallet signing device.
This is a full video, starting with turning on the device and generating seed words, through to using their new Envoy app, Blue Wallet and Sparrow Wallet.
Watch to the end of this video if you want to see the downsides he has noticed so far:
https://www.youtube.com/watch?v=_uGZHg64wwA
legendary
Activity: 2268
Merit: 18711
Side question, though: How many of you guys read every company's privacy policy who you order from? Do you do this categorically, just for Bitcoin-related stuff, and if so, why? Interested in hearing / reading your thoughts.
I do, not just for things I order, but for any site which requires me to make an account or sign up, although I appreciate I am very much on the extreme end of the spectrum here. It's why I don't have a single social media profile, why I use alternative or burner emails for almost everything, and why I buy as much stuff in person as I can.

Privacy policies for companies which deliver goods are pretty much universally awful, exactly because they must collect a name and address for shipping purposes, and they almost always retain that information and share it with third parties. This maybe isn't such a privacy or security issue for you that data brokers know you have bought a new bed, say, but it is certainly a major issue if they know you have bought a hardware wallet or other bitcoin related products, which is why bitcoin related companies need to be held to a higher standard than the likes of Home Depot.

And of course I would advocate ordering to a PO Box or other location which is not directly linked to your real name and address whenever possible.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
~
Good points! I hope @zherbert will answer them, as I've no idea about those questions myself, either.

Good news, though: I just got a DM that I successfully summoned him and he'll reply soon.



Side question, though: How many of you guys read every company's privacy policy who you order from? Do you do this categorically, just for Bitcoin-related stuff, and if so, why? Interested in hearing / reading your thoughts.
legendary
Activity: 2212
Merit: 7064
So they seem to delete your data from online servers after either 30 or 60 days, but they keep it offline indefinitely? It would be good to get some clarification on this. It would also be good for them to update their privacy policy to reflect all this, so it is in official writing rather than just a Twitter post.
Yeah I think they need to update their website with this information to clarify everything, and I think I saw one of their team members saying they are working on that.
I prefer buying my stuff offline without leaving any personal information whenever possible, but it's impossible to do this with Passport if you live outside the United States.
I don't even know if they have any official shop that sells them locally, but going to Bitcoin conferences you can probably find and buy one of these devices.
legendary
Activity: 2268
Merit: 18711
Information I have is that Foundation Passport deletes (auto-purge) every customer information 60 days after device shipping, and some stuff gets deleted even after 30 days.
I went digging on their Twitter profile based on your comment here, and I found some conflicting information:
Quote
We may use your personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate...
Yeah, as I said above, not great. Sharing with law enforcement on production of a valid subpoena or similar, while I don't like it, is absolutely necessary for a company which operates within the US, so there is nothing they can do about that. Sharing with "private parties as they believe appropriate" is not, and shouldn't be there.

The data gets de-anonymized
You mean anonymized, or de-identified. Still, anonymized data is a marketing trick, with one study showing that a staggering 99.98% of anonymized data could still be used to re-identify specific individuals. I don't want my data anonymized - I want it wiped.
legendary
Activity: 2730
Merit: 7065
How do Foundation handle your data? Their privacy policy states the usual, that they collect your name, address, email, etc., which is obviously required to ship you a product. It also says that they can share your data with third parties for various reasons, including marketing, which is not great and frankly unnecessary. They also make no mention of how long they keep your data, so presumably that means indefinitely.
Since I took a look at their Privacy Policy not that long ago, I will share some quotes from my thread.

Quote
We may use your personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate...

Quote
We make personal information into anonymous, aggregated or de-identified data by removing information that makes the data personally identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
The data gets de-anonymized, but they don't mention when. And you are right, I don't remember seeing anything about how long the data is stored on their servers in either form. Maybe it depends on the local laws of the State they operate in.
legendary
Activity: 2212
Merit: 7064
I couldn't see this discussed yet previously, but apologies if I've missed it. Has anyone asked them directly? Why not scrub all sensitive data after 90 days like Trezor do?
Information I have is that Foundation Passport deletes (auto-purge) every customer information 60 days after device shipping, and some stuff gets deleted even after 30 days.
This is unofficial information and maybe they haven't added it to the official website yet, but it should be done in the near future.
To be sure whether something has changed, I would contact them at their official email, [email protected].
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Taking my question over from this thread so as not to derail it.

How do Foundation handle your data? Their privacy policy states the usual, that they collect your name, address, email, etc., which is obviously required to ship you a product. It also says that they can share your data with third parties for various reasons, including marketing, which is not great and frankly unnecessary. They also make no mention of how long they keep your data, so presumably that means indefinitely.

I couldn't see this discussed yet previously, but apologies if I've missed it. Has anyone asked them directly? Why not scrub all sensitive data after 90 days like Trezor do?
I haven't asked them, yet. Not sure if mentioning @zherbert here summons him, but I'll also send a DM.
It would be great if he could answer directly here in this thread.

I do know they self-host all (or at least most?) of their infrastructure, to make sure that customer data leaks can't happen through service providers (like mailing list services).



One thing that springs to mind about the missing 90 day limit is that as they're doing preorders that take more than 90 days to ship, they have to keep customer information at least until the shipping date.
Keeping the information a bit longer is useful in case there's an issue with the shipment and whatnot.
legendary
Activity: 2268
Merit: 18711
Taking my question over from this thread so as not to derail it.

How do Foundation handle your data? Their privacy policy states the usual, that they collect your name, address, email, etc., which is obviously required to ship you a product. It also says that they can share your data with third parties for various reasons, including marketing, which is not great and frankly unnecessary. They also make no mention of how long they keep your data, so presumably that means indefinitely.

I couldn't see this discussed yet previously, but apologies if I've missed it. Has anyone asked them directly? Why not scrub all sensitive data after 90 days like Trezor do?

hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
I did a software BIOS update the other day on a DELL laptop and noticed something interesting. A few days earlier, I failed to get the installation running and I wasn't sure what was wrong. And when I tried it a few days later, it worked flawlessly. The reason being that my laptop was charging at the time. I guess DELL won't allow you to perform BIOS updates unless your device is on a charger, just in case you run out of juice. Or the remaining battery capacity has to be above a certain percentage.
I know that Lenovo ThinkPad laptops don't allow you to complete a BIOS update unless you plug in your working battery, and you need to plug in the electric cable as well.
This was done so that you wouldn't brick your device in case electric power suddenly cuts off for whatever reason; your battery would prevent that.
Yes, it's a concept that is implemented in a lot of mobile electronics, from all sorts of vendors.
As Pmalek mentioned, though, the issue with triple-A's is that the device manufacturer (in this case Foundation) doesn't know which battery type you are using.

The whole issue with this design choice is that Alkalines are less efficient (drain excess power) if you hit them with a too high load, plus the electronics of 'Passport FE' can't handle a low voltage (below 1.1-1.2V-ish). This combined means that a pretty full pair of Alkalines can drain quickly if you initiate a firmware upgrade, while it would happily do a multiple of the energy-equivalent in 'transaction signatures'.

Anyhow, I don't think we have a lot more to add to the topic of 'v1 battery choice bad', since the company is actively shipping v2 with Li-Ion rechargeable batteries, by now...
legendary
Activity: 2212
Merit: 7064
I did a software BIOS update the other day on a DELL laptop and noticed something interesting. A few days earlier, I failed to get the installation running and I wasn't sure what was wrong. And when I tried it a few days later, it worked flawlessly. The reason being that my laptop was charging at the time. I guess DELL won't allow you to perform BIOS updates unless your device is on a charger, just in case you run out of juice. Or the remaining battery capacity has to be above a certain percentage.
I know that Lenovo ThinkPad laptops don't allow you to complete a BIOS update unless you plug in your working battery, and you need to plug in the electric cable as well.
This was done so that you wouldn't brick your device in case electric power suddenly cuts off for whatever reason; your battery would prevent that.
To conclude, if you don't have a working battery you can't update the BIOS on ThinkPad laptops.
The hardware wallets I use didn't have any battery, but you could use them connected to your laptop (which has a battery) to prevent issues during a firmware update.
legendary
Activity: 2730
Merit: 7065
If I remember correctly, either the device tells you to check the battery charge isn't too low or their instructions do. So you kind of do it at your own risk. I certainly haven't tried what happens when cutting power during a firmware update, but speaking in broad terms, this is something that can indeed happen when updating microcontroller firmware.
I did a software BIOS update the other day on a DELL laptop and noticed something interesting. A few days earlier, I failed to get the installation running and I wasn't sure what was wrong. And when I tried it a few days later, it worked flawlessly. The reason being that my laptop was charging at the time. I guess DELL won't allow you to perform BIOS updates unless your device is on a charger, just in case you run out of juice. Or the remaining battery capacity has to be above a certain percentage.

Would be a cool addition to a battery-powered hardware wallet to have some sort of meter that wouldn't allow you to perform firmware upgrades if the battery is below 50% or 20% depending on how long the process usually takes and how much power it wastes. With on-screen instructions to charge your battery fully and try again. Of course that wouldn't be easy to do since there are so many different types of batteries with different run times. 
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Fair enough answer, thank you for your input.  I, for one, am particularly pleased by their idea about creating a Hardware Wallet device that is, similarly to Ledger, concealed under another object.  Ledger did great with the USB design, Foundation did great with the mobile one.

But at the same time, there is one thing I personally hate about both ideas.  It is that I think the more futuristic/modern design you put into the final product, the more likely it is that a criminal would take the device(s) during a robbery.  I can only guess the logo on the back and all of that is part of a marketing plan, right?  Would you say a less slick design and the lack of a logo on the back would make this device less of a target during robbery?

For instance, you have the FE vs v2 in a comparison image above.  My personal thoughts on the upgrade are that it is great they made it thinner, which makes it more concealed, but on the other hand it turned modern and reminds me of the more expensive classic devices we had decades ago.

If I had the choice, I would pick a very boring design with the same functionality over the modern v2.  But I definitely can not ignore that Foundation has one goal in their mind, which is SELLING products, for which reason a more modern aspect of it is more approachable by the public than a boring one would be.  Am I just too paranoid or does anyone else share my thoughts?

-
Regards,
PrivacyG
I do share your opinions completely. It's interesting that Foundation has never put out any marketing material (website, videos, ...) claiming its resemblance to an older mobile phone to be a feature for concealment, so that's the reason I can't go too hard on them not 100% fulfilling this concept. The design could just as well be the result of a design process that was looking for something which is easy to carry and use in one hand, with good legibility on the screen and large enough buttons for everyone to use.

You're also absolutely right that the gold elements and strong accents (in shape and color) don't reduce the chance of being targeted during robbery and make it stand out more in general. Both v1 and v2 don't really look like old phones, but I'd love this concept to be pursued by Foundation or another company in the future. In a lot of countries, such phones are still used either as primary, secondary or burner phones, so even seeing a person fiddling with what looks like a 2000's mobile phone, doesn't draw a lot of attention, in my opinion.

I'm debating on 'stealthening' my v2, through removing gold paint and maybe even painting the backside completely in black.
Another (much bigger) project idea would be to 'retrofit' the hardware into a real old phone's chassis; by using all the open-source files. This would also allow to confirm the hardware is 'really open-source' - if a random person on the internet is able to build their own device from scratch.

In the end, I'm not sure why they chose this design. Maybe it was simply a good shape / form factor (as described above), maybe they think that it can still pass as an old phone, even with modern styling, I'm not sure. Of course, it can't be too ugly if you're trying to sell thousands of it. But at least for the very limited v1 run, I guess they could have found 1,000 customers who buy a non-attractive looking (but very nicely concealed) model. Maybe @zherbert is reading and can reply!
I'm not sure about v2, but in v1 the back cover is simply a 'dumb shell' (no electronics or complex components whatsoever), so it would be nice and appreciated if they offered replacement back covers in e.g. black in the future. Easy, cheap, non-destructive mod which would give better concealment.
hero member
Activity: 882
Merit: 1873
Crypto Swap Exchange
Fair enough answer, thank you for your input.  I, for one, am particularly pleased by their idea about creating a Hardware Wallet device that is, similarly to Ledger, concealed under another object.  Ledger did great with the USB design, Foundation did great with the mobile one.

But at the same time, there is one thing I personally hate about both ideas.  It is that I think the more futuristic/modern design you put into the final product, the more likely it is that a criminal would take the device(s) during a robbery.  I can only guess the logo on the back and all of that is part of a marketing plan, right?  Would you say a less slick design and the lack of a logo on the back would make this device less of a target during robbery?

For instance, you have the FE vs v2 in a comparison image above.  My personal thoughts on the upgrade are that it is great they made it thinner, which makes it more concealed, but on the other hand it turned modern and reminds me of the more expensive classic devices we had decades ago.

If I had the choice, I would pick a very boring design with the same functionality over the modern v2.  But I definitely can not ignore that Foundation has one goal in their mind, which is SELLING products, for which reason a more modern aspect of it is more approachable by the public than a boring one would be.  Am I just too paranoid or does anyone else share my thoughts?

-
Regards,
PrivacyG
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Great thread.  I share your fears about battery dying while the device is getting a firmware upgrade, particularly if you never used a particular batch of batteries, never bought from the brand of batteries you just put in the Passport or if you unknowingly initialize an upgrade with low battery.  Is it actually likely this device could get hard bricked during an update if it dies during it?  I for one know this can definitely at least soft brick a Ledger, so would not be too surprised.
Thanks, PrivacyG! To be fair, it comes with one set of the 'good batteries' (that don't suddenly die and do last for multiple hours), so you could use those in case you didn't use them right when you got the device.
If I remember correctly, either the device tells you to check the battery charge isn't too low or their instructions do. So you kind of do it at your own risk. I certainly haven't tried what happens when cutting power during a firmware update, but speaking in broad terms, this is something that can indeed happen when updating microcontroller firmware.
Keep in mind there are only 1,000 FE devices sold, and v2 fixed the battery issue so it's possible that nobody will ever run into a bricked Passport due to low battery...

n0nce, would you mind sharing your thoughts about why someone should choose Foundation Passport over, say, a Trezor device?
That's a good question. I believe the biggest benefit is airgap; not only for security but also for convenience. Especially when used through QR codes, you don't need to carry (or search for) anything, except the wallet itself (no cable and no microSD). Just hold the wallet's screen up to your computer / laptop / smartphone camera and transfer the PSBT that way. Best convenience I've had yet in a hardware wallet; and it doesn't even require a 'convenience vs security tradeoff', which is otherwise often the case.

Probably second would be that it has a secure element, which the Trezor doesn't. So less worry about what happens when it sits on your desk for 2 weeks while on holiday or something.
Third would be the larger 'user interface' (both screen size and buttons). It allows for much more comfortable, quick (pin / passphrase input) and confident use (e.g. when it comes to checking the recipient's address).

I don't know if Trezor is as good when it comes to the open-source hardware aspect, but I don't see hardware attacks as a very likely attack vector for most people anyway. It's still nice to have though, e.g. it's easily user-verifiable that the screen hasn't been tampered with (circuit etched on glass) and there are no closed-source chips anywhere in the device (e.g. keypad), just gives you a little extra peace of mind.
hero member
Activity: 882
Merit: 1873
Crypto Swap Exchange
Great thread.  I share your fears about battery dying while the device is getting a firmware upgrade, particularly if you never used a particular batch of batteries, never bought from the brand of batteries you just put in the Passport or if you unknowingly initialize an upgrade with low battery.  Is it actually likely this device could get hard bricked during an update if it dies during it?  I for one know this can definitely at least soft brick a Ledger, so would not be too surprised.

n0nce, would you mind sharing your thoughts about why someone should choose Foundation Passport over, say, a Trezor device?

-
Regards,
PrivacyG