EFF Challenges New Jersey Subpoena Issued to MIT Student Bitcoin Developers (eff.org)
254 points by Smerity on Feb 5, 2014 | 59 comments

If it's possible to replace advertising with your CPU cycles, how, exactly, could this hurt the consumer? Sounds like it could benefit the consumer immensely. This could be another form of micropayments for people who might not be able to afford the cash upfront.

What the developer has created actually sounds rather ingenious.

I think what the state of New Jersey is worried about is either that the authors are being dishonest about the informed nature of the consent, or are viewing this as producing a tool that is too easy to exploit (whatever that means).

Personally, I think that's pretty absurd, but I can understand how a non-technical attorney reading about an MIT student developing something that lets websites mine bitcoins on consumer computers might get the wrong idea. As usual, the hard-headed nature of American prosecutors does us all a disservice.

Edit: rayiner points out that no one is being prosecuted, so I should probably rein in my rhetoric about prosecutors. Still seems like an extreme reaction.

Being worried or unsure does not give the Government a right to harass people. As we seem to both agree, the prosecutors have too much power and way too little common sense.

Well, it's all motivated by money, I suspect. Governments throw a lot of money into these so-called 'cyber-enforcement' agencies anymore. And for prosecutors, administrators, etc..., anything to raise their state/agency/organization's perceived status under the blanket of 'cyber' and battling malicious hackers is a gain. Common sense be damned; things like Bitcoins and distributed computing are still magic to most people, so it's really easy for them to take things out of context.

Looks to me like New Jersey is fishing.

Some of the things they are asking for seem to be beyond the capability of anyone to provide, other than a Supreme Deity.

Nobody is being prosecuted. It's an agency issuing a subpoena to get information. That's how agencies get information.

That's true, but there are ways to obtain information that are less aggressive. Having someone call the author, for instance.

I think it's a little more than that. They are requesting answers to questions framed using language from criminal law with the expectation that the response can be used against them.

You cannot just reply to this "information request" unless you know what the consequences would be to any answer and if one could be potentially incriminating oneself inadvertently. The only sensible solution would be to consult a specialist lawyer and they don't come cheap.

I would guess you are looking at thousands of dollars at a minimum and easily much more.

Of course you can reply; only in the USA do you have such a preponderance to rely on the law to ask or respond to questions.

That makes sense, since most of the world's countries have civil law systems, and the US has a common law system.

It would be great if CPU mining of bitcoin wasn't so laughably inefficient as to be pointless. The hashing rate that Tidbit claims to achieve, if left running continuously at the current difficulty level, would earn about a penny per decade.

This idea has been around for years, Tidbit is nothing new [1]. GPU mining through browsers is just as old [2]. None of this is particularly hard to conceive of or difficult to implement. I would love to know who advised to proceed on this matter and their reasoning.

[1] https://bitcointalk.org/index.php?topic=9042.0

[2] https://bitcointalk.org/index.php?topic=9876.0

With ASIC miners starting to become common, isn't GPU mining also becoming extremely inefficient?

For small miners, there are plenty of profitable GPU coins.

Considering modern JavaScript allows one to program WebGL shaders, one could develop a very efficient miner for scrypt-based altcoins and make quite a lot from a popular website.


If sites started doing this (using a visitor's GPUs and Litecoin more likely), the downside to a consumer is the extra cost in electricity (which goes to electricity co, not the website) and lower lifetime of hardware. If it's all opt-in, it's up to the consumer whether they think it's worth their cost to "support" the website. I don't see an offer of removing ads as a benefit because that can easily be done by just installing AdBlockPlus, the real benefit is feeling good about "supporting" a site. (And unless they happen to have a good GPU they'd probably support the site more by just clicking a few ads, or actually sending them real money via any of the micropayment services including bitcoin.)

I think the fear is this happening in the background, without your knowledge, causing you to pay more for electricity or draining your laptop battery.

An infinite loop can do that just as well. Is that illegal now as well?

Intentional infinite loops might be illegal.

Only if the court can prove whether a program halts or not.

Slow clap.

which is possible

I would hope so (if done intentionally and without the user's informed consent). It would be a DoS attack.

It wouldn't happen concealed; this could be similar to a paywall, but you pay with your CPU (read: GPU) time.

Mobile app ad networks commit all kinds of horrors "in the background."

A trade of unused processing time for displaying the site content. I usually block every ad, but this is something I would be ok with.

"One interrogatory asks Rubin to provide a list of all instances where Tidbit and websites using the code 'accessed consumer computers without express written authorization or accessed consumer computers beyond what was authorized.'"

Sigh. This is why we need more judges and lawyers who have at least knee-deep knowledge of technical details about the subjects they regularly rule on. This absurd language would not have been put into the subpoena if they even had a basic understanding of how client-side scripting works on the web, and by extension if they had a rudimentary understanding of how the web works at all.

How so? If I embed a piece of malware in a website that launches an .exe on your computer without you knowing it, that certainly constitutes access "beyond what was authorized." If that piece of malware mines bitcoins and uses my power supply to do it, the lack of authorization is extremely relevant. I agree that "written" authorization might be overkill, but the general idea of access without permission comes across clearly.

Of course, I don't think Tidbit was actually being spread as malware -- but it's easy to imagine a similar system that does.

<script type="text/javascript"> var x = 1 + 2; </script>

Is this "beyond what is authorized"? What was authorized to begin with?

Also, since "unauthorized computer access" is a crime, isn't that effectively just asking them to provide the court with a list of crimes that they are involved in?

You can't just subpoena people for a list of crimes that they have committed, surely the 5th amendment prevents that. (For instance, you cannot legally compel felons to register firearms that they are not legally allowed to have). You couldn't subpoena a suspected bank robber for a list of robberies that they committed.

"Time for some [web] traffic problems at MIT."

I wonder who in the New Jersey legal team/government thought this was a good idea...

Did Jeremy Rubin forget to endorse Christie last election?

There's one part of the subpoena that I don't understand. Why not turn over the source code? Since this is partially cryptographic software and also software that can be used to control a user's machine, it seems to me imperative for anyone who wants to give up control of their CPU cycles to know precisely how they're being used, or to trust the pool of smart cows who can study it for us.

>Why not turn over the source code?

They do not want to and don't believe the state has the power to compel them to. What more reason should they need?

>Since this is partially cryptographic software and also software that can be used to control a user's machine, it seems to me imperative for anyone who wants to give up control of their CPU cycles to know precisely how they're being used, or to trust the pool of smart cows who can study it for us.

Your set includes every piece of closed source software ever installed.

> Your set includes every piece of closed source software ever installed.

Indeed it does. My machine, my rules.

It is sheer folly to trust cryptographic software without source code. Do we need to fall prey to another RSA fiasco again?

>It is sheer folly to trust cryptographic software without source code. Do we need to fall prey to another RSA fiasco again?

This software does not encrypt anything and thus the user does not care about the correctness of the implementation. User machines would be testing hashes for bitcoin mining as compensation for access to web resources. What does the user care if the hashing fails as long as they get credited properly for the CPU time?

>Indeed it does. My machine, my rules.

"I choose not to run this software while it remains closed source." does not create a reason for the government to compel the creators to release the code. Otherwise, I don't see what your comment has to do with the story other than a generic comment saying "People shouldn't use closed source software."

Responding substantively to the subpoena opens yourself up to needless legal jeopardy. They request "all past versions" and you squashed some commits at some point? Maybe that's perjury if the attorney general doesn't like you.

> Why not turn over the source code?

Other than a reflexive, blind compliance with capricious government demands, why would they? If you want it to be open sourced, it's of course fine to ask for that, but using the government's threat of force to accomplish it is just sinister.

So now everyone writing code has to fear the state of New Jersey will overstep its bounds and try to get them into court when they clearly have no jurisdiction or right to do so? I don't even see why this subpoena has to be answered by an out of state resident that has nothing to do with the state of New Jersey. Will the state pay for all these expenses?

It's bigger than that. Theoretically, anyone can use the law to go after anyone, anywhere, for anything. For example, the government of California, where I don't live and have never once been, could accuse me of trafficking drugs there, which I haven't done. Or, I could sue you for personal injury, even though we've never had contact outside this comment thread. Indeed, you could do the same to me.

Our legal system exists to resolve these claims. Ideally, when an absurd claim is made, the courts toss it. But crucially, that doesn't prevent the victim having to waste time and resources on a defense or response.

What's the solution to this problem? Usually, it's to create some disincentive against outrageous or frivolous legal actions. Sometimes, this can take the form of sanctions, which can involve a monetary penalty. But what happens when a state government is the one initiating the action? Theoretically, sanctions might be possible in some scenarios. But I'd imagine that in practice, governments get sanctioned only once in a blue moon, if that.

Exactly. The part that I don't understand is why the programmer even has to acknowledge the subpoena at all or show up to court. It's obviously out of jurisdiction. If NJ issues a warrant, then NJ would have to be avoided in travels, but beyond that I cannot see anything that NJ could do to him if he just ignored the subpoena. Then again, I'm not a legal expert, so perhaps someone with more information about such processes could comment more.

> The part that I don't understand is why the programmer even has to acknowledge the subpoena at all or show up to court.

That's actually the whole point of subpoenas. They're a step up from a simple letter demanding information. In the latter case, the recipient may choose to respond in the hopes of placating the sender, or s/he may choose to ignore it. You can see why that would be a problem. Sometimes litigants genuinely need to force the other party to produce information. There has to be some method of doing so, and there has to be some way to enforce compliance. Thus the subpoena: A request you're not allowed to simply ignore.

Obviously, if you create a procedural right like this, there's room for abuse. The courts theoretically serve as a check on such abuse. The court may reject a litigant's application for a subpoena outright. Alternatively, the recipient may file a motion to quash, explaining to the court why s/he shouldn't have to comply with the subpoena. Subpoenas that are abusive, oppressive, overly burdensome, unreasonable, or downright outrageous will likely be quashed.

Even with these checks in place, the system is imperfect. Recipients of defective subpoenas are still burdened with, at the very least, filing a motion to quash. Practically speaking, anyone who receives a subpoena will have to pay for a lawyer or find one to represent him/her for free.

This problem is not unique to subpoenas. The same argument could be made about nearly any legal process. If I sue you frivolously, you still have to get a lawyer. If the state arrests you for no reason, you still have to get a lawyer. Et cetera. Is there a solution? There may be a partial solution available to our society: We could increase the penalties for abuse of legal process, and make those penalties applicable in a broader range of circumstances. Of course, this approach increases the risk to those who would make legitimate use of legal processes, so it's not without downsides. It's a difficult balance to strike.

Why should he have to avoid NJ, though?

'Will the state pay for all these expenses?' For the most part, no.

I strongly suspect that one of the reasons for using a subpoena here is that it transfers the effort and cost of performing an investigation to the respondents, who have been put in the position of proving their innocence, or rather that no crime has actually occurred.

The interrogatories show that the attorney-general's office has made no effort to understand what this software does, and has made no investigation into whether anything suspicious has actually happened. They are on a fishing trip, with the subpoena as the dynamite.

Right, when did coding something at a hackathon as a proof of concept become a crime?

Why does NJ think they have any jurisdiction here? Frankly, this is just as absurd as another country issuing demands for legal docs from someone in the US for them doing something that's perfectly legal in the US, but illegal in that country.

Funny you should mention it, but the converse is true: The US seems to reserve the right to prosecute someone for doing something in another country that is legal in that country: http://www.huffingtonpost.com/2011/10/06/us-drug-policy-war-...

Well, before this you just didn't know you needed to worry about it.

But a prominent digital rights group has stepped in and it is likely a reasonable resolution will come of it.

Thought crimes are not far behind.

First they came after climate scientists ( http://en.wikipedia.org/wiki/Attorney_General_of_Virginia's_... ), but I am not a climate scientist...

Seems like so many times these days, people's actions are defined by a process of:

I don't understand this -> I don't like this -> I'll research reasons to not like this -> You may never be permitted to do this.

Never, "Let's weigh the pros and cons and figure out what we will do about it." It's decision first, then rationalization.

I built something similar to this at a hackathon in 2011. The source has been on GitHub ever since. No one has come after me yet. Don't understand what the big deal is.

I was joking with my friends when WebGL came out, that we could mine for bitcoins on the GPU instead of displaying advertising.

The really stupid part of this is cpu mining for btc could not even be measured as a btc fraction at current difficulty.

You could probably run your cpu 100% for a year and not generate one satoshi.

That said, there are some botnets out there stealing gpu cycles and generating massive hashrates for scrypt coins. So I could see the cause for alarm but knowledge like that is going to get out regardless.

With a Core i7 3930k you could get 66.6 Mhash/sec.

That would give you 0.00001278 bitcoins per day or 1278 satoshis per day.

Ah I stand corrected. I was thinking scrypt Khash/sec

So you are making 1 cent a day while burning 200 watts 24/7

Think about it like CPM

If you have 1000 users doing this, is it better than a 1-5$ CPM banner ad?

um, for the 1 minute they are on your site? using only part of their cpu?

see the above example for 1 cent per day going at full tilt all day
