New Jersey slaps MIT Bitcoin hackers with subpoena

venturebeat.com

92 points by Kynlyn 12 years ago · 58 comments

ck2 12 years ago

Follow the lobbyists.

Figure out who was threatened enough by a bitcoin model to want the government to step in.

Because there is no way they have this kind of time on their hands to pursue this and have such in depth technical knowledge to know what to look for, without some corporate lobbyists spoon feeding it to the prosecutor.

Not that I believe tidbit could ever be profitable or useful, but still.

  • gamblor956 12 years ago

    No conspiracy necessary. From the article:

    "With a snippet of embedded code, Tidbit could enable websites to tap into visitors’ computers and borrow CPU cycles to mine Bitcoin."

    Ads that take over the screen for a few seconds are bad enough. A website that takes over a computer to run computationally expensive tasks? With ads, at least there is the opportunity to run adblockers. With a javascript miner, visitors are left with the choice of disabling javascript, and essentially their access to the modern web, or risking a website abusing their computer.

    > The subpoena and accompanying interrogatories issued to Rubin demonstrate that the people working for New Jersey’s division of consumer affairs have made little effort to understand what Tidbit’s software actually does.

    Based on how Tidbit has described their software, it sounds like New Jersey knows exactly what the software actually does: it runs a BTC miner on a website visitor's computer, potentially without their knowledge. And as the ESEA fiasco demonstrated, this could result in actual, physical damage to people's computers.

    Is this overreaching? Maybe. Maybe not. That's what the purpose of the investigation is for.

    • bhitov 12 years ago

      The javascript miner was not deployed anywhere. At no point was anyone in New Jersey knowingly or unknowingly served Tidbit's bitcoin mining code.

      • gamblor956 12 years ago

        The Tidbit team claims that the miner was not deployed anywhere. The purpose of the investigation is presumably to make sure this is the case.

        Unfortunately, due to the antics of many other major Bitcoin players, anyone doing something Bitcoin-related is generally deemed untrustworthy unless they prove otherwise. (And from an ideological standpoint, if one believes in the free market, this is how it should be--trust must be earned, not granted.)

    • gpvos 12 years ago

      The mining was opt-in. Maybe derivatives of Tidbit could be a problem, but there's no evidence at all that Tidbit itself could be a problem.

      • gamblor956 12 years ago

        > there's no evidence at all that Tidbit itself could be a problem.

        We don't have all the evidence. We just have Tidbit's claims. Unfortunately, no entity in the Bitcoin industry has proven itself trustworthy, so Tidbit doesn't get the benefit of the doubt. It has to prove it. (Note: it's a civil case, not a criminal case, so it's not a matter of guilt and thus the presumption of innocence doesn't apply.)

        • gpvos 12 years ago

          Okay, I thought that you could only have subpoenas in criminal cases, but I'm not from a common law country, so this is probably different over here.

sneak 12 years ago

Can someone with a background in law tell me if or why it wouldn't be legal to turn over bitcoin private keys, complying exactly with a request, while also using your own retained copies of those keys to sign transfer transactions sending all those bitcoins held by the previous (now compromised) keys to your new ones that are not covered by the subpoena?

It seems to me that you'd be complying exactly with their request, as furnishing a copy of data does not obligate you to delete your own.

  • tptacek 12 years ago

    Isn't this like suggesting that when the image of an HDD is subpoenaed, you might first copy all the data off it, then wipe it, then image that? Because that trick doesn't work.

    Relevant statute: 18 U.S.C. § 401. It's pretty broad.

    • sneak 12 years ago

      I am talking about providing exactly what the subpoena is asking for, complying both in letter and in spirit.

      And transferring your coins to different keys.

      The subpoena isn't "for all keys, and no using them on the blockchain". It's just for the data. There is no such thing as ownership of bitcoin.

      • teddyh 12 years ago

        > There is no such thing as ownership of bitcoin.

        That’s like arguing that there is no such thing as ownership of land. (Which some have argued, but it is a bit tenuous.)

        • sneak 12 years ago

          If I post my private key to a bitcoin on pastebin and 100 people download it, who owns that bitcoin the moment before someone does a sweep transaction when 101 strangers all have the private key?

          • teddyh 12 years ago

            If I throw some money in the air towards a group of people, who owns it before one of them catches it?

            I would guess that I still own it. In the same way, you still own the bitcoin until someone else does.

            • sneak 12 years ago

              When you throw money and it's floating in the air and not in your hand, you can't spend it.

              When I leak a private key and the coins remain unspent, I can still spend them.

              Tossing money into the air clearly ends my ownership of it. Pastebinning bitcoin keys does not (at least until someone sweeps the coins somewhere else using that published key).

  • gamblor956 12 years ago

    It's not strictly illegal. The government isn't asking you for your Bitcoins, it's asking for your keys. It's like asking you for your account number but not the cash in the account. If the Government wanted to prevent the movement of your bitcoin assets, they would request an order barring outbound transfers. Alternatively, they'd simply move to seize the assets under some sort of forfeiture doctrine. (Forfeiture generally only applies to drug money or money acquired through the commission of a crime, but thanks to the Silk Road and other underground marketplaces, that will be the default presumption in most courts.)

    In practice you'd be hard pressed to find prosecutors or judges who understand the conceptual difference between bitcoins and keys. The DoJ has a digital currency task force that is working on a legal blueprint for dealing with these sorts of issues, but it will be months before they get anywhere.

  • carbocation 12 years ago

    Subverting the intent of a ruling or law is not viewed favorably, and can easily be fixed, if need be, by tighter wording.

    • vbuterin 12 years ago

      I don't think it's subverting the intent to move the BTC out. The point of subpoenas is to get information, not resources; if you want resources the correct mechanism is a seizure. The court is probably just asking for everything it can just in case.

    • sneak 12 years ago

      Is it the intent of this subpoena to confiscate their bitcoins? It doesn't seem to be.

  • gojomo 12 years ago

    Have there been any cases where Bitcoin private keys have been requested?

    I don't know of any, and it's not the case here.

    (If law enforcement had a legal claim to the balances controlled by the keys, they'd craft their order or enforcement action to achieve that end. I think the sweep of funds to a new address, after the Ross Ulbricht arrest, suggests they understand the key-control issues involved.)

diminoten 12 years ago

Hysteria aside, what happens when a court subpoena demands someone hand over something they don't have? Does the person just say, "I don't have it." and that's that? What if they lie about not having it?

gopher1 12 years ago

If these New Jersey prosecutors fail with this one, I'm sure they can slap some felony computer fraud charges on them for violating X website's ToS agreement.

Prosecutors need to lose their immunity, then we might get some sanity back in the justice system.

  • comrh 12 years ago

    > "felony computer fraud charges"

    Just for violating a ToS? I thought those were mostly legalese and overly broad.

  • rayiner 12 years ago

    What prosecutors?

    • thaumasiotes 12 years ago

      "What prosecutors?"? What do you imagine the difference is between saying "prosecutors need to lose their immunity" and "we need to lose prosecutorial immunity"?

      All prosecutors, obviously.

    • gopher1 12 years ago

      New Jersey Attorney General John Hoffman and Deputy Attorney General Glenn Graham... since you asked.

      • rayiner 12 years ago

        Note the caption: Rubin v. New Jersey. Rubin is the plaintiff. The AG is acting in its capacity as the government's lawyer, not in its capacity as a prosecutor. There is no prosecutor, because there is no criminal complaint. What's at issue is a civil subpoena (a request for information and materials) issued by a state consumer protection agency.

gnu8 12 years ago

I hope they are asking for sanctions in addition to quashing the subpoena. Whoever wrote this subpoena is not only ignorant but has a massive attitude problem, for which some jail time would be therapeutic.

dreamdu5t 12 years ago

Umm.... what were they issued the subpoena FOR!? I read the entire article waiting for this to be explained.

Or can you just be subpoena'd without any case?

  • jpwright 12 years ago

    The article explains the case pretty well:

    > ...the language in the subpoena reads much like the state’s computer fraud act, which carries some stiff penalties. Last year, New Jersey alleged that E-Sports Entertainment (ESEA) hijacked their [subscribers'] computing power to mine Bitcoins... the state believes Tidbit may similarly violate consumers’ rights.

    According to the EFF:

    > the New Jersey Division of Consumer Affairs issued a subpoena to Rubin, requesting he turn over Tidbit's past and current source code, as well as other documents and agreements with any third parties. It also issued 27 interrogatories -- formal written questions -- requesting additional documents and ordering Rubin to turn over information like the names and identities of all Bitcoin wallet addresses associated with Tidbit, a list of all websites running Tidbit's code and the name of anybody whose computer mined for Bitcoins through the use of Tidbit, although Tidbit's code was not configured to mine for Bitcoins.

    https://www.eff.org/deeplinks/2014/02/eff-challenges-new-jer...

    • lukifer 12 years ago

      It reads "much like" the computer fraud act, but that doesn't mean a case was brought forward. Can a subpoena really be issued without a corresponding case?

      • DannyBee 12 years ago

        When subpoenas can be issued, by who, and when, varies from state to state (and in the federal world, agency to agency). There are definitely administrative subpoenas, investigatory subpoenas, etc, depending on who and where.

        Back in 2000 (best data I can find on short notice), at least 12 states permitted prosecutors to serve investigative subpoenas on targets, witnesses, and record keepers before they charge a person with a crime.

      • bmelton 12 years ago

        Where the state wants to, it can press charges on its own. It's up to the prosecutors, generally. This is why there are cases like "so and so vs. New Jersey". In cases like murder and such, the state is the only viable prosecutor, which is why the prosecutor works for the state.

        That said, I don't know the procedure for determining whether or not an actual crime has been committed, and without there being an actual case in hand, I have no idea if the subpoenas are valid.

quackerhacker 12 years ago

This is the first I've heard of Tidbit and I have to say that it is absolutely ingenious!!!

If they do open source the code, I strongly hope that webmasters would actually replace obtrusive ads with the mining protocol and not just add it in addition to ad revenue.

  • lukifer 12 years ago

    It should be noted that their intent was to be purely opt-in. Stealing a user's CPU/GPU cycles is extremely bad form. (It's bad enough when ads/tracking code does it by accident.)

  • diminoten 12 years ago

    CPU bitcoin mining doesn't really do much. The idea is nice, but it would take way too long to be competitive as a form of revenue generation if all it had access to was the CPU.

    • daenz 12 years ago

      I'm willing to wager it's possible to write a WebGL shader to mine bitcoins.

  • vezzy-fnord 12 years ago

    It's been posted before and quite frankly, it can very easily be abused as a malicious feature. Especially if the user is unaware of their being complicit in mining.

blueskin_ 12 years ago

I can actually see their point, although yes, they're going about it completely the wrong way.

Bitcoin mining using malicious javascript will cost people a lot of money in power bills if done without permission, and this project has good intentions, but I'd be unsurprised if it has already been forked to run without victims knowing. It's just another form of intrusive advert.

protomyth 12 years ago

I'm all for state's rights, but, given what the article says, I cannot understand how NJ has any ability to issue the subpoena. It isn't an active product that has been used in production so no NJ resident has been "harmed". It's like the NJ prosecutor read some tech article and decided to act.

kaonashi 12 years ago

Sounds like a wonderful way to waste electricity and kill browser performance at the same time.

  • hrjet 12 years ago

    The concept could be adapted for a more productive proof-of-work currency like PrimeCoin[1]. I wonder why PrimeCoin and others don't get more exposure.

    [1] : http://primecoin.io/

flatline 12 years ago

> Tidbit uses the Stratum protocol, which would enable websites to get paid based on total work contributed to the mining pool rather than total Bitcoins mined

No, that's what P2Pool, or really any pool, does. Stratum, as the link states, is just a long-poll protocol to reduce stale shares when a new block is found.

But speaking of pools, it seems like the best bang for their buck would be a scrypt profit-switching multipool, that mines the most profitable scrypt coin and exchanges for btc or dollars or whatever. This would potentially create a huge pool so p2pool is better in that respect, but it's just not profitable to mine BTC like this at all.

jliptzin 12 years ago

Ridiculous prosecution aside, something tells me Tidbit will be used in addition to, not as a replacement of display ads.

(That assumes there will always be a cryptocoin worth mining with a CPU/GPU. Right now it's silly to do so for bitcoin)

jheriko 12 years ago

if you do something that is legally ambiguous and you get penalised for it then it is your own fault.

this is one reason why i am reluctant to buy any bitcoins or cryptocurrency in general - esp given the strong background of money laundering.

it's a shame. i do think the future of currency lies in bitcoin or similar... it's just not there yet.

sure if everyone ends up using it the legality will need resolving sooner, but to a very good approximation nobody uses it at the moment (!)

i base this on the data that there are a great deal fewer bitcoin addresses in use atm than enough to assign one of them to each out of 0.1% of the world population - given that many people use multiple addresses i don't think it's unreasonable to consider it very close to non-existent in that naive sense... penalising all of the people currently involved is not out of the question yet... not by a very long way imo.

(source: http://blockchain.info/charts/n-unique-addresses?timespan=30...)

amurmann 12 years ago

I can't stand it anymore! Why are we prosecuting these people instead of Comcast who is on a course to destroy our infrastructure? Of course I know the answer. I just can't deal with it anymore. I will just stop reading any news.

adregan 12 years ago

I can't make heads or tails of this—why is New Jersey, specifically, issuing this subpoena? Do they have jurisdiction? Is the student from New Jersey?
