Yesterday, there was a controversy in the gun owning community over Liberty Safe’s disclosure of an electronic safe’s passcode to the FBI. There were quite a few unanswered questions: Are Liberty Safe’s factory passcodes unique to each safe? Does Liberty Safe keep a database of those passcodes? How secure is that database? Did the disclosure result from a verbal request by the FBI or a search warrant? If it was a search warrant, who was the subject of that warrant?

In response to the customer outrage, Liberty Safe has made some policy changes and published them online (archived links):

pic.twitter.com/EOvUXdOTkm

— Liberty Safe (@libertysafeinc) September 7, 2023

At Liberty Safe, we are dedicated to safeguarding the rights and privacy of all our customers. It is a promise that remains deeply personal to our employees and leadership. Our company, one of America’s oldest and largest safe manufacturers, was founded on the belief that Americans should have the fundamental right to protect and safeguard their valuables and property.

As a courtesy to our customers, Liberty Safe has long adhered to industry standards by maintaining a secure database of factory-set combinations. This practice helps customers regain access to their safe for a wide range of reasons, including loss of the original combination, service requests, and warranty issues. Liberty Safe processes over 4,000 requests of this type annually and provides combinations to safe owners only once they provide clear documentation of their identity and their ownership of the safe.

We can glean answers to the unanswered questions from their policy update. Liberty Safe does indeed maintain a database of factory default passcodes unique to each safe. They’re saying that it’s a secure database, and we can only hope that it’s well-secured. No online system is really hack-proof, as we can tell from numerous highly publicized hacks just from the past decade alone, such as the Equifax, Office of Personnel Management (OPM), RSA, or even the air-gapped Iranian uranium centrifuge hacks.

We listen to our customers and update our products and practices in response to their evolving needs. Today, we are announcing a change that empowers our customers with greater control over their information: Effective immediately, existing customers can visit www.libertysafe.com/pages/combination-removal and fill out the form to have records of their access codes expunged. In the coming weeks, we will be releasing a feature that gives every new customer this option when registering their safe.

This change allows customers to take control of how their information is stored and protected. We understand that many of our customers are willing to assume the responsibility of safeguarding their own combination. While those who opt out of our data storage process will have limited recourse in case of a lost combination, we respect their choice and are here to support them in the way that’s best for them.

This policy update will allow a customer to remove the factory passcode from Liberty Safe’s database. I can see why a well-intentioned company would keep backup codes to help a customer in case he or she loses the passcode, but there are unintended consequences to just about every policy. Letting a customer make that decision offloads the risk to a willing customer.

We have also revised our policies around cooperation with law enforcement. Going forward we will require a subpoena that legally compels Liberty Safe to supply access codes but can only do so if these codes still exist in our system. Our mission is to protect what matters most to our customers, whether that be valuables or privacy.

It is our pledge to continue to make excellent products that serve gun owners everywhere.

This is a good pro-customer policy change. Something as important and private as a passcode should not be disclosed to law enforcement easily. From yesterday’s announcement, we know that the FBI informed Liberty Safe about a warrant, but implied in the above announcement is that the warrant was not directed at Liberty Safe themselves. They complied with the FBI’s request either out of goodwill to help law enforcement, or out of the human tendency to cooperate and the innate trust most people have in law enforcement. Either way, this policy will assure customers that they can opt out of keeping a backup passcode in Liberty Safe’s database, and even if they don’t opt out, the passcode won’t be disclosed without a subpoena.

What a difference a day makes. Liberty Safe made a big mistake and acted to address it quickly. It remains to be seen if their current and future customers find it reassuring.

Most importantly, other safe manufacturers who have maintained tactical silence so far should not remain quiet any longer. Secure It has been an exception, but the others will hopefully announce soon what they are going to do to reassure their customers.