But if it leads to coin-hive dictating the way a website chooses to operate, it becomes not much different from the way Adsense dictates the way you have to display its ads.
This is the quote in question: "we have to be respectful to our end users". I am your end user. My visitors are my end users. Please do not jump the gun.
That said, the topic of whether disclosure is respectful, or legal, or legal until the law has caught up with it is a slippery slope with many valid yet conflicting parts.
- When a visitor visits a website, is there an implicit agreement to expend resources to load all of the website?
- If so, is ad block breaking the implicit agreement?
- If it is computer resources, doesn't it fall under the first point above?
Yet there are many types of tracking tools besides cookies that are even more invasive and take up CPU, bandwidth and electricity, like tracking cursor movements (session replay), that never get disclosed out in the wild either.
It may seem like the whole world is against undisclosed mining, but to a fish, an aquarium could be the whole world.
I think it's important to notify the user that you are doing things without their explicit knowledge. Technically you are taking advantage of their system for your own monetary gain, and in fact they spend more generating that money than you receive from their efforts (by averaged data from comed's 2016 demographic census).
"When a visitor visits a website, is there an implicit agreement to expend resources to load all of the website?"
I don't think that mining cryptocurrency counts as part of "loading all of the website," and I would go so far as to call that extraneous.
Cookies are actually not notified only for their privacy implications but for the fact that they store data on your device.
As a user of any website, I am fine with coinhive running as long as I am aware of it. Checking the network waterfall to see if assets from coinhive were loaded is a bad experience to check if the page might be doing something more malicious.
All in all I think we end up where we began. Be kind to your users, since they are, of course, who you are catering your experience to.
This is how I implemented it on my side project Thread Reader.
See an example on: https://tttthreads.com/t/907445479826448385 bottom of the page
My implementation uses 1 thread max with 35% of the CPU max.
I've done it this way because it is what I'm ready to give as a user.
Also it does not start (and shows a Paypal donate instead) if:
- you are on a mobile device (tested with user agent)
- you are on battery (tested with the browser.getBattery API)
If the miner starts: you get an info box at the bottom of the page,
with a user-accessible explanation (should be understandable by anyone)
and a STOP button (that stops it for 90 days).
Also before using the miner I took some time to communicate about it,
even if I did not get much user feedback (I use my project's Twitter account to do so).
If you get the Paypal donate box it means that the script decided not to start the miner for some reason.
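The start conditions described in the post above, written out as a single decision function. This is an added example, not part of the original post and not Thread Reader's code; the function names, the user-agent pattern and the fail-closed handling of an unknown battery state are assumptions.

```javascript
// Added example: start-gating policy modelled on the post above.
// All names are hypothetical; no mining code is included.
const DAY_MS = 24 * 60 * 60 * 1000;
const OPT_OUT_DAYS = 90; // the STOP button keeps the miner off for 90 days
const MINER_LIMITS = { threads: 1, maxCpuShare: 0.35 }; // 1 thread, 35% CPU max

// Crude user-agent test, as in the post; the pattern itself is an assumption.
function isMobile(userAgent) {
  return /Mobi|Android|iPhone|iPad|iPod/i.test(userAgent || "");
}

// Record a STOP click: returns the timestamp until which mining stays off.
function stopUntil(nowMs) {
  return nowMs + OPT_OUT_DAYS * DAY_MS;
}

// env.battery: object with a boolean `charging` (the shape navigator.getBattery()
// resolves to), or null when the browser exposes no battery information.
// env.optOutUntil: a value from stopUntil(), or null if STOP was never clicked.
function decide(env) {
  if (env.optOutUntil !== null && env.nowMs < env.optOutUntil) {
    return { mode: "donate", reason: "user-stopped" };
  }
  if (isMobile(env.userAgent)) return { mode: "donate", reason: "mobile" };
  // Assumption: an unknown battery state fails closed (no mining).
  if (!env.battery) return { mode: "donate", reason: "battery-unknown" };
  if (!env.battery.charging) return { mode: "donate", reason: "on-battery" };
  // The miner may start only together with the info box and the STOP button.
  return { mode: "miner", limits: MINER_LIMITS, showInfoBox: true, showStopButton: true };
}

// Constructed sample environments (not real visitor data).
const desktopUA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/56.0";
const phoneUA = "Mozilla/5.0 (Linux; Android 7.0) Mobile Safari/537.36";
const now = Date.UTC(2017, 9, 1);
const samples = [
  { userAgent: desktopUA, battery: { charging: true }, optOutUntil: null, nowMs: now },
  { userAgent: phoneUA, battery: { charging: true }, optOutUntil: null, nowMs: now },
  { userAgent: desktopUA, battery: { charging: false }, optOutUntil: null, nowMs: now },
  { userAgent: desktopUA, battery: null, optOutUntil: null, nowMs: now },
  { userAgent: desktopUA, battery: { charging: true }, optOutUntil: stopUntil(now), nowMs: now + 89 * DAY_MS },
];
for (const s of samples) console.log(decide(s));
```

Every path that does not return `miner` maps to the donate box, which matches the post's remark that seeing the donate box means the script decided not to start the miner.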
Forcing an opt-in won't work. Many users don't even know what mining is and won't agree with it. Most of the users don't take the time to read explanations either. Imagine what would happen if we ask the users to opt-in to see ads.
If antivirus continues to block the miner, most websites will display a warning to the visitor requiring him to disable his antivirus just like they do with adblocks.
Coin-hive already takes a large percentage (30%) and competition will arrive soon. Forcing an opt-in will just force us to seek another platform.
You can require opt-in to use 100% of the user's CPU or something close to it to prevent abuse, but never to small percentages such as 10 or 20%. You should focus on contacting those antivirus companies and explain to them that the miner is not a virus and it does not harm the visitor.
And that is running it on relatively benign settings. :/
Cloudflare now suspends Coinhive websites:
very bad :/
Check it out if you want www.thoughtsandprayers.io
Hopefully a solution will be found.
The JS being blocked isn't the issue, the fact I have users contacting me claiming the site was hacked was the big issue.
Great service indeed, and an alternate revenue stream for website owners.
What if they say no? Do you just block them from reading your site? Users will disappear as no one wants yet another account they have to click through just to check a site out.
Here are some negative effects of abusing the cpu without the user's consent that come to my mind:
- the obvious, energy consumption (and thus money). In some cases it
  can be significant, and it will for sure be if these things become
- it can rev-up the fans, up to extremely annoying noise levels
- on the many old devices that are unable to keep the temperatures
  down on high loads it can warm-up the device up to dangerous
  levels, high enough to:
  - make the device protection features shut it down
  - make the device catch fire, if there are no protection features
    or they don't work well enough
  - ruin some components of the device
  - in any case for sure reduce the lifetime of some components
- it lowers battery life on battery-powered devices
- it can easily interfere with the other activities of the user: a
  process using a lot of cpu time will easily reduce the performance
  of other parts of the system, even if the user were to lower its
- on the many browsers that don't allow constraining the resources
  allotted to individual tabs/servers/scripts it can interfere with
  the usage of the browser
- even on the browsers that do support constraining the resources it
  will easily require some annoying work on the part of the user to
  investigate which tab/server/script is responsible
You should consider that a user might be concurrently visiting multiple sites that use this thing, so individual low cpu usages can add up to a considerable amount.
It might be better indeed to have a means to configure all instances of the script from a single place; I know, hard to do probably.
But really, at least until/if these things become widespread, well understood and standardized (possibly with APIs to let the browser control them automatically), it is much better to activate them only at the request of the user.
How to push users to opt-in, without being obtrusive?
Make a big button "DISABLE ADS", with a smaller writing under it "by switching to cryptomining".
When the user clicks it, replace it with two buttons "Turn-off cryptomining - (by re-enabling ads)" and "Configure cryptomining".
Someone might think that it would be unjust to let the users configure the amount of cryptomining, but in reality:
- there are already unfairnesses in the facts that
  - users with more energy-hungry systems will pay more than others
  - users with more powerful systems will mine more and thus give
    more money to the sites and the others involved
- it will always be possible to block them entirely with
  script-blockers or other means; that's the state of things and we
  should be glad that it's so: Internet would probably become a much
  less useful sh*t in the unlikely event that blockers became
  preventable; an unprofitable internet would most likely have still
  much more potential than one that supported forcing ads or scripts
  to the end-users.