Restricting Personal Rights to Protect Privacy

-- By Hiroyuki Tanaka - 6 May 2022

Cryptojacking

As is often the case with creative and cutting edge new technologies, the cybercrime law becomes a tool for authorities to restrict personal rights. Cases regarding cryptojacking, “the use of system resources of a target device to compute hashes and make profit out of mining without the consent of the target device’s owner,” fall into this category.

Jeremy Rubin, a 19-year-old student at Massachusetts Institute of Technology was one of the pioneers for cryptojacking. After Rubin’s “Tidbit” was demolished in 2015 triggered by New Jersey's investigation (Under the order, the parties agreed to the imposition of a $25,000 settlement amount that is suspended and will be automatically vacated within two years as long as Tidbit does not access or attempt to access the computers of persons in New Jersey without obtaining verifiable consent of the viewers), technologies with similar concepts have been continuously arising.

The most famous and infamous cryptojacking service in history must be Coinhive (Coinhive is fundamentally and technically no different from Tidbit or other cryptojacking predecessors other than the coin it mines, a privacy-centric coin called Monero instead of Bitcoin.), as it targeted everything from government websites to even Google and YouTube? users. As a result, multiple security firms identified Coinhive as the top malicious threat to web users. Although Coinhive too is already history because it shut down in March 2019 , history is worth examining as it is though-provoking not only for the restriction on personal rights and privacy regarding cryptojacking technologies we face today, but also for our internet activities in general.

A Brief Tidbit Case

In December 2013, a month after Hackathon of Tidbit, the New Jersey Attorney General's office issued a sweeping subpoena to Rubin and Tidbit. The subpoena sought for all information in regard to Tidbit, including but not limited to, all documents concerning Tidbit’s source codes, control logs and installation logs, as well as the Bitcoin accounts and wallet addresses associated with Tidbit. Rubin resisted, and moved to quash the subpoena, but in the end, the superior court of New Jersey Essex County concluded to give a green light for the State to investigate Tidbit under the necessity of protecting personal privacy. It stated that “the Court is mindful… of the State’s concerns that this tool could also be subject to abuse and misuse.” This decision virtually compelled Rubin to enter into a consent order in May 2015, ending New Jersey's investigation of Tidbit.

Issues

I find two fundamental issues in this lawsuit. Nonetheless, these issues emerged out of the Tidbit case, they are never case specific. These issues could apply to any cryptojacking codes, and more importantly, could be applied to any general actions on internet today.

Investigation Rights

The first issue is the State’s absolute discretion granted to investigate codes on the internet. The rationale of the State of New Jersey was to seek “information as to whether there may be violations of the privacy rights of New Jersey citizens and whether Tidbit can be used as a vehicle to hijack consumer’s computers.” This seems to be a widely-acknowledged concept in the modern U.S.

However, Tidbit was merely a “proof of concept” and was never implemented. The purpose of Tidbit was useful and legitimate rather than subject to abuse and misuse, which the State of New Jersey even agreed by admitting that, nothing “evidences an inherently improper or malicious intent or design” by Rubin or Tidbit. Lastly, there was nothing technologically distinguishable between Tidbit and online advertisements as they both operate in a similar manner, and even in those days online advertisements could be found everywhere on internet.

Provided that surreptitious mining produces a large part of cryptocurrencies’ base today, the investigation will have a strong impact on economic activities on internet, and concurrently restrict activities with extremely abstract grounds of “protection”. Further, a protection of rights could be a pretext. In such case, the rationale to protect consumers’ privacy will function as a justification to restrict nation’s rights, with no actual cause. This could literally be applied to any actions of internet.

Scope of Investigation

The second issue is the State’s unlimitedly wide scope of subpoenas and investigations to persons located outside of the state (Rubin was a Massachusetts resident!) The Court admitted the subpoena as proper and appropriate exercise of authority under N.J. Consumer Fraud Act, given the broad scope of the statute (on the grounds that the act says “on any person” ).

The problem of allowing state laws to restrict out-of-state residents’ rights, is its potential width of the scope. Different state laws altogether virtually can form an unlimited surveillance system across the nation. This surveillance network can be expanded globally too, with each country imposing a restriction of its own. For example, cryptojacking in Japan is criminalized in general.

Therefore, allowing the States or countries to apply their original rule would be a risk for the whole society, allowing to mitigate privacy for the sake of “protection of rights”, if not surveillance.

Conclusion

With no doubt, personal rights are severely restricted through subpoenas and investigations. Whether an individual is penalized or not, these offenses certainly will discourage future innovations and challenges. It is not that investigations should not be allowed at all, however, schemes to surveil and prevent authority from pretextual interventions for personal rights, must be established.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.