1. The NJAG is not prosecuting the MIT student(s) (at least not yet). Therefore, this is not similar to the alleged overzealous prosecutors in the Swartz case.
2. A subpoena is a writ compelling testimony or evidence. A subpoena is not synonymous with being a defendant.
3. NJAG served one MIT student with a subpoena to turn over documentation (source code, downloads, users, etc.) for a program which may be being used by third party websites in a way that violates the rights of NJ residents vis-a-vis unauthorized access to computer systems.
4. It seems there is an issue raised arguing NJAG does not have jurisdiction over the MIT student(s). Personally I would find this analysis the most compelling because it is at the intersection of where facts and law meet.
5. EFF is arguing that complying with the subpoena may violate the students' right against self-incrimination. I think this is a losing argument where one's right against self-incrimination is rather limited, generally to information contained within their mind and not typically extended to documentation and records.
6. Though this is not at issue, it would be almost impossible for the MIT student(s) to have committed a crime, as the crime would require intent. It would be nearly impossible to prove the student(s) intended that their code be downloaded by third-party websites for the specific purpose of running on the end users' computers without their knowledge. It would be on par with charging a gun manufacturer criminally for intending that their guns be manufactured and sold for the exclusive purpose of committing crimes.
3. All documents and correspondence concerning all breaches of security and/or unauthorized access to computers by you.
10. All documents concerning complaints against you...concerning the unauthorized access of computers and/or Bitcoin code.
Items 11 - 14 are also aimed at finding evidence that they've done something wrong.
Edit: trying to cut down on tone
"For example, Mr. Fakhoury's Certification describes how Plaintiff discovered that the Division issued subpoenas to the New Jersey Coded Websites, Plaintiff's state of mind upon discovering this information, and Plaintiff's decision to send an email to its entire list of users."
"The state has already made clear it believes Rubin and Tidbit are in violation of New Jersey's Consumer Fraud Act. The state recently used consumer protection laws to secure a $1 million settlement from a gambling website that turned its users' computers into a botnet to mine for Bitcoins without the users' knowledge. It appears the state suspects Tidbit of something similar here, despite the fact Tidbit's code was only a proof of concept that could not mine for Bitcoins, and despite the fact Tidbit was clearly not planning to develop code that mined without a user's knowledge and consent."
"Some of the interrogatories also suggest that New Jersey believes Rubin and Tidbit are in violation of criminal hacking laws. One interrogatory asks Rubin to provide a list of all instances where Tidbit and websites using the code "accessed consumer computers without express written authorization or accessed consumer computers beyond what was authorized." That language comes from New Jersey's computer fraud act, which, in turn, is modeled after the federal Computer Fraud and Abuse Act. Since the subpoena is clearly demanding Rubin incriminate himself by opening himself to both civil and criminal liability, the privilege against self incrimination applies and he should be given immunity if ordered to comply with the subpoena."
EFF simply wants immunity. Everything else is posture:
>The state has already made clear it believes Rubin and Tidbit are in violation of New Jersey's Consumer Fraud Act.
If that's what the state believed criminal charges would be filed, not a subpoena issued.
>One interrogatory asks Rubin to provide a list of all instances where Tidbit and websites using the code "accessed consumer computers without express written authorization or accessed consumer computers beyond what was authorized."
Note how the question is not just focused on Tidbit but also 3rd party websites.
From my vantage point AG is either:
1. Looking to build a case against the students, which in all likelihood appears to be a losing bet (if you apply any common sense to the fact pattern). However, he can always trump up bogus charges, like Ortiz did against Swartz, and look to settle for something lesser to check off a win on his/her scorecard.
2. Pressuring students to collect information necessary to build a case against a third party without tipping off such third party. If this is the case, it is pure evil and constitutes a gross overreach. There are a handful of other ways to accomplish the same goal without exerting an undue toll on these guys.
Let's remember we are talking about a couple of talented kids from MIT, who could be building the next $1bn business instead of being bogged down by some bogus nonsense. Also, one can imagine what sort of financial/emotional/time sink this represents.
Then again, we are talking about the state where the Governor makes the Sopranos script look like child's play...
While I agree with your remaining points, them being talented kids from MIT should be irrelevant and so should be their business potential. These are exactly the kind of things criminal law and process should be blind to.
Really hoping they get in front of a sensible judge who puts a kibosh on this whole nonsense.
>"There is a lot of confusion in this thread regarding basic concepts of the law."
Just so that we have some idea how to weigh your comments with those of the EFF, could you tell us a little bit about your expertise? Are you a lawyer? Have you worked with this kind of subpoena before?
I also agree that (5) is an odd argument. From :
> Know this, however: There is no Fifth Amendment privilege to refuse to produce subpoenaed documents on the ground their contents are self-incriminating; courts hold that such information is not "compelled testimony." However, as explained below, there is a crucial corollary: In certain circumstances the act of producing such documents may indeed be entitled to protection under the Fifth Amendment. - See more at: http://www.callawyer.com/Clstory.cfm?eid=920910#sthash.NmnSC...
On the last point, by a strict definition of intent, you are probably correct. However, recklessness and negligence can constitute criminal intent.
You can argue that it's not reasonable to hold someone accountable for what someone else does with their program. It's easy to fall into what I call the "engineer's trap" here.
An example is "you can't prove someone else didn't use my Wifi to distribute [pick your poison], therefore you can't find me guilty". While strictly true, the law doesn't work that way. Subjective standards and tests are applied in situations like this. So if law enforcement can show [bad activity] was happening only when you were home, stopped when you went on vacation and happened on many occasions the balance of evidence will suggest you're responsible even if you can't strictly prove it.
So if you designed and distributed a Windows program that was a RATing toolkit that worked with the click of a button and the only real purpose is [illegal stuff] then an argument like "I'm not responsible for what people use this for" will fail before a judge and jury as not being "reasonable".
I would like to know if that's selective reporting from Wired, or spectacular fishing from the NJ state attorney.
Also, neither the hackathon, nor MIT appear to be in NJ: what is their jurisdiction? Those two issues should be clarified in any basic coverage of the incident: at this point, it is plain bad reporting.
It's spectacular fishing from the NJ state attorney. It could in theory violate the law as written if deployed on a website and mined bitcoins without implied consent by the client (but then again I could argue the same for flash ads), but the whole thing took place in MA and, as far as anyone is aware, only in lab environments in MA as part of the competition. The code could be used maliciously, but wasn't, and there is no evidence it ever was; it's NJ overreaching, pure and simple.
From New Jersey's point of view, it seems rather as if Tidbit is, or was, in the business of distributing something that could very easily be abused, and whose distribution in NJ is regulated by law - in much the same way that some items in catalogs are marked 'Not for sale in [list of states]' because such items are restricted from sale in those places. For example, I don't think you can sell lock-picking tools to the general public in California, and I imagine that it's illegal to sell ATM skimming devices in many states.
On the other hand, you'll also rarely be wrong if you assume Wired fucked up the story.
50/50, flip a coin.
Based on a quick skim, this is the closest NJ comes to making a case: https://www.eff.org/document/nj-attorney-general-response-ef...
But it doesn't sound like the AG has much evidence (or simply isn't providing such evidence) that anyone in NJ ever actually downloaded or ran the code.
Is this a normal ask for Attorneys General to make in any circumstance regarding software?
As such, one has to wonder either whether the cyber fraud unit of the state department has basic understanding of programming or whether the state department is willfully taking this action to send some sort of message.
That's because NJ literally doesn't have a case against the students -- there have been no charges filed. This is an unconstitutional fishing expedition that I suspect is intended to intimidate and create an atmosphere of fear, not just among Bitcoiners but all tinkerers and hackers (in the MIT/HN sense of the word).
But it really feels like there is more to the story. Perhaps someone reused the existing code in malware? Or maybe New Jersey is simply confused.
As someone at Berkeley who's been to many events at MIT, I feel like the definition of Silicon Valley/West Coast "hacker" is very different from the MIT hacker.
SV/West Coast has largely adopted the same term, albeit in a much looser sense.
Hack was then used by MIT's TMRC of which many members became involved with/helped build the AI-lab. The first third of Hackers (http://www.amazon.com/Hackers-Computer-Revolution-Anniversar...) gives a good perspective on the evolution.
But all that is pretty immaterial to the question at hand. Both hacker subcultures are probably intended as the target of intimidation.
I found a couple examples that do the scrypt part with GPU in browser, but your browser has to support custom shaders, I think (I forget the details), and the version most browsers support doesn't allow this (again, my memory is sketchy about the details).
Anyway, here you go, NJ! https://github.com/borlak/cryptocoin_scrypt_stratum
I cannot see how a fraud or hacking case of any kind could be made here, even if they got the code.
Even if the code in question was being run on a publicly accessible website, was used by a New Jersey consumer, and was fully functional and actually mined Bitcoins (all of those points are disputed by the students' counsel)...The only thing that's being taken by the website operators would be users' CPU cycles and bandwidth. And if the users have implicitly consented to the website's arbitrary use of those resources, how is anyone being harmed?
In an implied contract, it's the expectations of a "reasonable person" that count.
What about analytics tools?
Last year a friend and I spent an evening napkin-sketching a service that would piggyback on an existing js platform (ads, analytics, etc) but would do a little "extra" work performing quality of service tests. For example, it could do timed fetching of images from different sites to test promised speeds. So you could know how fast server X could deliver to a user in Guatemala, when some other client in Guatemala connected to server Y.
"Officials claimed that Rubin’s project, which allowed people to replace advertisements on websites with Bitcoin mining capabilities, had the potential to breach computer security through unauthorized access and possibly violated the New Jersey Consumer Fraud Act."
Never mind code, it covers everything from soldering irons to telephones.
Not sure how they can say they gained "unauthorized access" if the users were willfully installing this on their PCs. I could certainly see a cyber thief using this to run a botnet to mine BTC, but the MIT guys already said it wasn't really ready for prime time. Again, not sure how this makes this software so dangerous.
Documentation from a hackathon? If anything they should print out their source code on paper and hand it over.
The reason that this could be illegal is because it is using someone's computer in an unauthorized way to mine bitcoins.
That said, running these things without user consent isn't even the business model - they are specifically talking about allowing users to choose whether they'd like to do bitcoin mining or view ads, and they haven't released the product yet, so, basically the reason it "could be illegal" is because someone could take it and use it contrary to the intent of its creators in such a way that their actions have dubious legality. Should we also arrest all mask manufacturers because someone could wear one when robbing a bank?
The problem here is the word 'unauthorized'. What if the website has an EULA that says something like "By visiting foo.bar.com your computer will be used to mine Bitcoins, if you do not accept this agreement please close this website". Now by most legal definitions I understand it is no longer unauthorized, the TOS authorized such uses.
Next, why should mining Bitcoins be directly illegal in such a manner? Are stupid, slow, annoying flash ads that play music and videos illegal? They are 'programs' that use my computer's resources for the end result of generating revenue for the website.
Stop being dishonest. It isn't and never has.
I'm simply trying to enlighten people as to what the prosecution's stand is on the issue, not that I agree with them. Just trying to contribute a bit more than "ehrmehgerd evilll!!!11"
That's why you're being downvoted. Plenty of people present non-majority views without being slammed for it. They happen to do it without being condescending.
You can use the code to:
(a) legally mine bitcoins on visitors' computers
(b) illegally mine bitcoins on visitors' computers
Potential for a law to be broken is a stupid basis for a subpoena.
The National Science Foundation did discipline a researcher who did some mining on their computers.
Their concerns aren't completely unfounded, in that it is granted that it is quite possible to use any piece of code for ill. However, their complete failure to understand that this wasn't a case of "hijacking" computers by black hackers, but a potentially innovative business revenue generating project, says to me that the cyber unit of the state department has no understanding whatever of programming. If that is the case, these 19 year olds should be awarded damages so that this reckless behaviour can be discouraged.
In it NJAG lay out exactly what they think Rubin did:
...Plaintiff's development, use and deployment of the Tidbit Code which, by Plaintiff's own description, strongly suggests the code was designed to hijack consumers' computers to mine for bitcoins, including the computers of New Jersey consumers. Further, prior to the issuance of the Subpoena and Interrogatories, the Division determined that the Tidbit Code was present and active on the websites of entities located in New Jersey and Plaintiff affirmatively sent the Tidbit Code to the New Jersey based entities.
They posit that the code was
1. Designed to hijack a consumer's computer for the purpose of mining bitcoins
2. The computers targeted for hacking (implicitly the entire internet) include those of New Jersey consumers
3. The code was found on websites owned by New Jersey entities
4. Rubin sent the code "affirmatively" to those New Jersey entities
I think 1. is the weakest point, but that weakness is based on my understanding of the definition of 'hijack'. 2. and 3. seem to follow easily from assumptions, or could be easily shown as fact. 4. seems like it would be harder to prove, but I don't know the implications of the term affirmatively used here.
It wouldn't even make sense as a business model anymore, because ASIC miners are so much more efficient than GPUs, but I heard many people talking about building this kind of service years ago.
NJ could pay a software developer to write them code to let people generate small amounts of bitcoin in a browser. Why would they possibly want this MIT student's code so badly?
Mining bitcoins with a CPU is an extremely futile endeavor, and on top of that, it is implemented in asm.js.
Even with thousands of workers, GPU and ASIC mining is anywhere from hundreds to over a MILLION MH/s while modern CPUs top out at 20 with most around 5.
Here are the relevant parts (lightly edited):
The Division issued the Subpoena and Interrogatories in furtherance of its investigation into an entity called Tidbit. Tidbit is a group of students who developed a software code that may have hijacked the computer resources of consumers within the State of New Jersey and improperly accessed and/or used such computer resources to mine for bitcoins for the benefit of Tidbit and its customers and without any notice to, or obtaining consent from, New Jersey consumers, in possible violation of the New Jersey Consumer Fraud Act ("CFA") and Computer Related Offenses Act ("CROA"). Bitcoins are a digital medium of exchange that can be traded on online exchanges for a dollar value. Bitcoins are "mined" through the use of computer resources to solve complex algorithms. Many times, consumers' computer resources are unknowingly accessed by entities through software code or otherwise in order to mine for Bitcoins.
Plaintiff's own description of its services strongly suggests that the code it developed is, in fact, designed to hijack consumers' computers. .... Further, contrary to Plaintiff's allegations in its brief, the Division specifically found Plaintiff's code on the websites of entities located in New Jersey. Furthermore, the Division determined that the code was active.
The following representations, among other things, are made on the Tidbit Website: "Monetize without ads"; "Let your visitors help you mine for Bitcoins;" and "Built on the bleeding edge." The Tidbit Website further provides: "How does it work? ...  Make an account - Sign up with your Bitcoin wallet ...  Paste the code - we'll give you a snippet to put in your website ...  Cash Out! - We'll send a transaction to your Bitcoin wallet." ...
E. The Division's Undercover Investigation
On February 7, 2014, the Division re-accessed the Tidbit Website and "Sign up" button. While on the Tidbit Website, the Division submitted Sign-up Information to Tidbit using an undercover e-mail address and an undercover bitcoin wallet id. In response to receiving the Division's undercover Sign-up information, Tidbit sent the Tidbit Code to the Division's investigator via a confirmation page on the Tidbit website ("Confirmation Page"). The Tidbit Code that the Division received includes the Division's undercover bitcoin wallet id. Additionally, among other things, the Confirmation Page states: "Your embed code - Paste this at the bottom of your HTML page, and your visitors will start mining Bitcoins for you!" (emphasis in original).
I see your point but few of the comments here are responsive to any of the legal issues, and indeed the EFF's briefs are not (IMHO) very responsive to NJ AG's legal arguments, offering some quite fallacious arguments in rebuttal.
And selecting the EFF as your charity of choice. Note that only orders made via smile.amazon.com are counted, not orders made on normal amazon.com.
How this works: On normal Amazon.com third parties can earn referrer fees if you click on an ad to Amazon and purchase something. With smile.amazon.com referrer fees don't exist, and the money is instead given to the chosen charities.
Note: As far as I know this isn't tax deductible from your perspective since Amazon themselves are the ones doing the "donating." You're just ordering something like you normally would (which might be tax deductible in its own right, but not as a charitable contribution).
This has no real downsides to users except remembering to use smile.amazon.com instead of amazon.com(!).
To add to this: The EFF works tirelessly to protect rights online. It's always a good time to support them.