|
Computers, Privacy & the Constitution
|
|
Restricting Personal Rights to Protect Privacy-- By Hiroyuki Tanaka - 11 Mar 2022CryptojackingAs is often the case with creative and cutting edge new technologies, the cybercrime law becomes a tool for authorities to restrict personal rights. Cases regarding cryptojacking, “the use of system resources of a target device to compute hashes and make profit out of mining without the consent of the target device’s owner,” fall into this category.Tidbit CaseThe new idea of coin mining by jacking other people’s computer was invented in May 2011, and was revived by Jeremy Rubin, a 19-year-old student at Massachusetts Institute of Technology. He, together with his colleagues, developed “Tidbit” for the Node Knockout Hackathon held in November 2013. Tidbit was designed, when implemented, to allow website operators to mine for Bitcoins and earn money leveraging the amassed under-utilized computing power of the website visitors. The revolutionary aspect of Tidbit was its purpose. The computer code allowed website owners to replace traditional website advertisements by instead using viewers’ computer power to mine for Bitcoins. As a result, Tidbit was presented as a proof of concept and won the award for having the highest innovation score at the Hackathon. In December 2013, a month after Hackathon, the New Jersey Attorney General's office issued a sweeping subpoena to Rubin and Tidbit. The subpoena sought for all information in regard to Tidbit, including but not limited to, all documents concerning Tidbit’s source codes, control logs and installation logs, as well as the Bitcoin accounts and wallet addresses associated with Tidbit. Rubin resisted, and moved to quash the subpoena, but in the end, the superior court of New Jersey Essex County concluded to give a green light for the State to investigate Tidbit under the necessity of protecting personal privacy. It stated that “the Court is mindful… of the State’s concerns that this tool could also be subject to abuse and misuse.” This decision virtually compelled Rubin to enter into a consent order in May 2015, ending New Jersey's investigation of Tidbit. Soon after this order, Tidbit was demolished.Investigation RightsI find two fundamental issues in this lawsuit. The first issue is the State’s absolute discretion granted to investigate codes on the internet. The rationale of the State of New Jersey was to seek “information as to whether there may be violations of the privacy rights of New Jersey citizens and whether Tidbit can be used as a vehicle to hijack consumer’s computers.” However, Tidbit was merely a “proof of concept” and was never implemented. Even if it were actually implemented as the State of New Jersey argued, the operation of Tidbit was apparently minimal since the subpoena was issued immediately after the Hackathon. Moreover, the purpose of Tidbit was useful and legitimate rather than subject to abuse and misuse, which the State of New Jersey even agreed by admitting that, nothing “evidences an inherently improper or malicious intent or design” by Rubin or Tidbit. Lastly, there was nothing technologically distinguishable between Tidbit and online advertisements as they both operate in a similar manner, and even in those days online advertisements could be found everywhere on internet. Overall, the danger of Tidbit violating personal privacy seems to have been extremely abstract. Therefore, the rationale to protect New Jersey consumers’ privacy ironically functioned as a justification to restrict nation’s rights, with no actual cause.Scope of InvestigationThe second issue is the State’s unlimitedly wide scope of subpoenas and investigations to persons located outside of the state (Rubin was a Massachusetts resident!) The Court admitted the subpoena as proper and appropriate exercise of authority under N.J. Consumer Fraud Act, given the broad scope of the statute (on the grounds that the act says “on any person” ). The problem of allowing state laws to restrict out-of-state residents’ rights, is its potential width of the scope. Different state laws altogether virtually can form an unlimited surveillance system across the nation. This surveillance network can be expanded globally too, with each country imposing a restriction of its own. For example, cryptojacking in Japan is criminalized in general.ConclusionWith no doubt, personal rights are severely restricted through subpoenas and investigations. Whether an individual is penalized or not, these offenses certainly will discourage future innovations and challenges. Schemes to surveil and prevent authority from pretextual interventions for personal rights, must be established.I'm not sure what the draft is really about. State AGs have broad powers to conduct investigations in the public interest. They issue subpoenas in the course of those investigations, to parties out of state as well as in-state. There's nothing unusual about those actions here. The motion to quash the subpoena failed; that decision could have been appealed and might have been overturned, but probably not. So the party subpoenaed, after exercising its right to due process, complied. There is no evidence presented that the subpoena in some way terminated the project. We are hardly short of crypto-mining malware in the world right now. Some of my clients at SFLC who develop cryptocurrencies like Monero find that surreptitious mining produces a large part of their monetary base. So what has this nearly decade-old instance of one AG subpoena to one software project got to teach us about anything? The next draft could be improved by more legal context and a clear focus not on an incident but on an issue. You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:
|
|
