Computers, Privacy & the Constitution

HiroyukiTanakaFirstPaper 3 - 07 May 2022 - Main.HiroyukiTanaka

Restricting Personal Rights to Protect Privacy

Changed:
<
<
-- By Hiroyuki Tanaka - 11 Mar 2022
>
>
-- By Hiroyuki Tanaka - 6 May 2022
 

Cryptojacking

As is often the case with creative and cutting edge new technologies, the cybercrime law becomes a tool for authorities to restrict personal rights. Cases regarding cryptojacking, “the use of system resources of a target device to compute hashes and make profit out of mining without the consent of the target device’s owner,” fall into this category.
Changed:
<
<

Tidbit Case

The new idea of coin mining by jacking other people’s computer was invented in May 2011, and was revived by Jeremy Rubin, a 19-year-old student at Massachusetts Institute of Technology. He, together with his colleagues, developed “Tidbit” for the Node Knockout Hackathon held in November 2013. Tidbit was designed, when implemented, to allow website operators to mine for Bitcoins and earn money leveraging the amassed under-utilized computing power of the website visitors. The revolutionary aspect of Tidbit was its purpose. The computer code allowed website owners to replace traditional website advertisements by instead using viewers’ computer power to mine for Bitcoins. As a result, Tidbit was presented as a proof of concept and won the award for having the highest innovation score at the Hackathon.
>
>
Jeremy Rubin, a 19-year-old student at Massachusetts Institute of Technology, was one of the pioneers of cryptojacking. After Rubin’s “Tidbit” was demolished in 2015 triggered by New Jersey's investigation (under the order, the parties agreed to the imposition of a $25,000 settlement amount that is suspended and will be automatically vacated within two years as long as Tidbit does not access or attempt to access the computers of persons in New Jersey without obtaining verifiable consent of the viewers), technologies with similar concepts have been continuously arising.
 
Changed:
<
<
In December 2013, a month after Hackathon, the New Jersey Attorney General's office issued a sweeping subpoena to Rubin and Tidbit. The subpoena sought for all information in regard to Tidbit, including but not limited to, all documents concerning Tidbit’s source codes, control logs and installation logs, as well as the Bitcoin accounts and wallet addresses associated with Tidbit. Rubin resisted, and moved to quash the subpoena, but in the end, the superior court of New Jersey Essex County concluded to give a green light for the State to investigate Tidbit under the necessity of protecting personal privacy. It stated that “the Court is mindful… of the State’s concerns that this tool could also be subject to abuse and misuse.” This decision virtually compelled Rubin to enter into a consent order in May 2015, ending New Jersey's investigation of Tidbit. Soon after this order, Tidbit was demolished.
>
>
The most famous and infamous cryptojacking service in history must be Coinhive (Coinhive is fundamentally and technically no different from Tidbit or other cryptojacking predecessors other than the coin it mines, a privacy-centric coin called Monero instead of Bitcoin), as it targeted everything from government websites to even Google and YouTube users. As a result, multiple security firms identified Coinhive as the top malicious threat to web users. Although Coinhive too is already history because it shut down in March 2019, history is worth examining as it is thought-provoking not only for the restriction on personal rights and privacy regarding cryptojacking technologies we face today, but also for our internet activities in general.
 
Changed:
<
<

Investigation Rights

I find two fundamental issues in this lawsuit.
>
>

A Brief Tidbit Case

In December 2013, a month after Hackathon of Tidbit, the New Jersey Attorney General's office issued a sweeping subpoena to Rubin and Tidbit. The subpoena sought for all information in regard to Tidbit, including but not limited to, all documents concerning Tidbit’s source codes, control logs and installation logs, as well as the Bitcoin accounts and wallet addresses associated with Tidbit. Rubin resisted, and moved to quash the subpoena, but in the end, the superior court of New Jersey Essex County concluded to give a green light for the State to investigate Tidbit under the necessity of protecting personal privacy. It stated that “the Court is mindful… of the State’s concerns that this tool could also be subject to abuse and misuse.” This decision virtually compelled Rubin to enter into a consent order in May 2015, ending New Jersey's investigation of Tidbit.
 
Changed:
<
<
The first issue is the State’s absolute discretion granted to investigate codes on the internet. The rationale of the State of New Jersey was to seek “information as to whether there may be violations of the privacy rights of New Jersey citizens and whether Tidbit can be used as a vehicle to hijack consumer’s computers.”
>
>

Issues

I find two fundamental issues in this lawsuit. Although these issues emerged out of the Tidbit case, they are never case specific. These issues could apply to any cryptojacking code and, more importantly, could be applied to any general actions on the internet today.
 
Changed:
<
<
However, Tidbit was merely a “proof of concept” and was never implemented. Even if it were actually implemented as the State of New Jersey argued, the operation of Tidbit was apparently minimal since the subpoena was issued immediately after the Hackathon. Moreover, the purpose of Tidbit was useful and legitimate rather than subject to abuse and misuse, which the State of New Jersey even agreed by admitting that, nothing “evidences an inherently improper or malicious intent or design” by Rubin or Tidbit. Lastly, there was nothing technologically distinguishable between Tidbit and online advertisements as they both operate in a similar manner, and even in those days online advertisements could be found everywhere on internet. Overall, the danger of Tidbit violating personal privacy seems to have been extremely abstract.
>
>

Investigation Rights

The first issue is the State’s absolute discretion granted to investigate codes on the internet. The rationale of the State of New Jersey was to seek “information as to whether there may be violations of the privacy rights of New Jersey citizens and whether Tidbit can be used as a vehicle to hijack consumer’s computers.” This seems to be a widely-acknowledged concept in the modern U.S.
 
Changed:
<
<
Therefore, the rationale to protect New Jersey consumers’ privacy ironically functioned as a justification to restrict nation’s rights, with no actual cause.
>
>
However, Tidbit was merely a “proof of concept” and was never implemented. The purpose of Tidbit was useful and legitimate rather than subject to abuse and misuse, which the State of New Jersey even agreed by admitting that nothing “evidences an inherently improper or malicious intent or design” by Rubin or Tidbit. Lastly, there was nothing technologically distinguishable between Tidbit and online advertisements as they both operate in a similar manner, and even in those days online advertisements could be found everywhere on the internet.

Provided that surreptitious mining produces a large part of cryptocurrencies’ base today, the investigation will have a strong impact on economic activities on the internet, and concurrently restrict activities with extremely abstract grounds of “protection”. Further, a protection of rights could be a pretext. In such a case, the rationale to protect consumers’ privacy will function as a justification to restrict the nation’s rights, with no actual cause. This could literally be applied to any action on the internet.

 

Scope of Investigation

The second issue is the State’s unlimitedly wide scope of subpoenas and investigations to persons located outside of the state (Rubin was a Massachusetts resident!). The Court admitted the subpoena as a proper and appropriate exercise of authority under the N.J. Consumer Fraud Act, given the broad scope of the statute (on the grounds that the act says “on any person”).

The problem of allowing state laws to restrict out-of-state residents’ rights, is its potential width of the scope. Different state laws altogether virtually can form an unlimited surveillance system across the nation. This surveillance network can be expanded globally too, with each country imposing a restriction of its own. For example, cryptojacking in Japan is criminalized in general.

Changed:
<
<

Conclusion

With no doubt, personal rights are severely restricted through subpoenas and investigations. Whether an individual is penalized or not, these offenses certainly will discourage future innovations and challenges. Schemes to surveil and prevent authority from pretextual interventions for personal rights, must be established.

I'm not sure what the draft is really about.

State AGs have broad powers to conduct investigations in the public interest. They issue subpoenas in the course of those investigations, to parties out of state as well as in-state. There's nothing unusual about those actions here. The motion to quash the subpoena failed; that decision could have been appealed and might have been overturned, but probably not. So the party subpoenaed, after exercising its right to due process, complied. There is no evidence presented that the subpoena in some way terminated the project. We are hardly short of crypto-mining malware in the world right now. Some of my clients at SFLC who develop cryptocurrencies like Monero find that surreptitious mining produces a large part of their monetary base.

So what has this nearly decade-old instance of one AG subpoena to one software project got to teach us about anything? The next draft could be improved by more legal context and a clear focus not on an incident but on an issue.

>
>
Therefore, allowing the States or countries to apply their original rule would be a risk for the whole society, allowing to mitigate privacy for the sake of “protection of rights”, if not surveillance.
 
Added:
>
>

Conclusion

With no doubt, personal rights are severely restricted through subpoenas and investigations. Whether an individual is penalized or not, these offenses certainly will discourage future innovations and challenges. It is not that investigations should not be allowed at all; however, schemes to surveil and prevent authority from pretextual interventions for personal rights must be established.
 

Revision 3r3 - 07 May 2022 - 00:01:18 - HiroyukiTanaka
Revision 2r2 - 04 Apr 2022 - 15:03:44 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.