Dev

New Jersey slaps MIT Bitcoin hackers with subpoena — and they’re fighting back

Above: The four-member Tidbit development team.

Image Credit: Oliver Song

The MIT students behind Bitcoin mining program Tidbit won the “most innovative” award at a recent hackathon.

But they will soon face a ruling from another kind of judge: one employed by the state of New Jersey.

In early December, a few weeks after the hackathon, the New Jersey division of consumer affairs issued a subpoena to 19-year-old Tidbit developer Jeremy Rubin. The subpoena demanded he turn over everything related to Tidbit: all versions of the source code, all Bitcoin wallets associated with Tidbit, all agreements and communications with third parties, the name and IP addresses of everyone who mined Bitcoins using Tidbit, and so on. It explicitly asked for “all documents and correspondence concerning all breaches of security and / or unauthorized access to computers” by Tidbit.

(Disclosure: I’ve known Rubin for several years through mutual connections, though we’ve never maintained regular contact.)

Tidbit developer Jeremy Rubin

Above: Tidbit developer Jeremy Rubin

The student hackers bill Tidbit as an alternative to display advertising: With Tidbit, websites could let their visitors help them mine Bitcoins instead of serving up ads. While there are other remote mining solutions, Tidbit is the first project that seeks to replace advertising revenue with Bitcoin mining.

New Jersey hasn’t accused Rubin or Tidbit of a crime, but the language in the subpoena reads much like the state’s computer fraud act, which carries some stiff penalties.

Last year, New Jersey alleged that E-Sports Entertainment (ESEA), a competitive gaming company based in New York, embedded malicious code in its anti-cheating software. The software reportedly enabled ESEA to monitor 14,000 subscribers’ computers and also hijacked their computing power to mine Bitcoins worth around $3,750. Following New Jersey’s investigation, the company agreed to a $1 million settlement to avoid a prolonged legal battle.

Several of the formal written requests posed to Rubin suggest the state believes Tidbit may similarly violate consumers’ rights.

A proof of concept

As for the information New Jersey is demanding from the team, it isn’t going to get the bulk of it, because most of it doesn’t exist.

A bit about Bitcoin

Bitcoin is a digital “cryptocurrency” that exists outside central financial institutions. Every Bitcoin transaction is automatically transcribed on the “block chain,” a shared public ledger supported by a worldwide network of Bitcoin miners. In exchange for their computational power, miners sometimes earn blocks of Bitcoin, although those chances grow slimmer as the network of Bitcoin miners grows.

Tidbit remains a proof of concept: No one has ever used the program to mine Bitcoins or any other virtual currency.

Although 98 percent of Tidbit’s infrastructure is in place, it isn’t ready for production use, according to the developers. They intentionally left out the final interaction (with Bitcoin pooling service P2Pool) while they worked on a set of terms and conditions. That’s why they were so surprised when New Jersey came knocking.

“We were served right before finals,” Rubin told VentureBeat. “I think what was hardest is that I, and perhaps most MIT students, just want to build, make, and tinker towards a better future.”

Faced with a daunting legal challenge, a stressed Rubin sought help from the Electronic Frontier Foundation (EFF). The technology law nonprofit readily agreed to assist Rubin and his peers.

“These are college kids, and they’ve got this thing hanging over their heads,” Hanni Fakhoury, an EFF staff attorney representing Tidbit, told VentureBeat in an interview. “During the middle of their finals, they had to take time off to deal with the subpoena.”

After negotiating a few extensions, Rubin’s lawyers filed an official complaint in late January. To quash the “unconstitutional” subpoena, Tidbit is taking New Jersey to court.

Bitcoin mining through the browser

Tidbit instructions

Above: Tidbit instructions

Rubin and three classmates initially developed Tidbit in 48 hours for Node Knockout 2013, a Node.js programming competition held November 11 to 13. With a snippet of embedded code, Tidbit could enable websites to tap into visitors’ computers and borrow CPU cycles to mine Bitcoin. In exchange, the sites would remove display advertising for those who opt-in.

“We’re hoping that Tidbit can completely replace ad revenue,” wrote Tidbit developer Oliver Song on the Node Knockout site late last year.

Tidbit uses the Stratum protocol, which would enable websites to get paid based on total work contributed to the mining pool rather than total Bitcoins mined. But in its current form, Tidbit still isn’t very economical: If people ran Tidbit for a full day, they might each generate around a cent in revenue for a website, but their personal electricity costs would be much higher.

To improve Tidbit’s performance, Song said the team wanted to integrate WebGL and run computations on the graphics processing unit (GPU). He also proposed support for cryptocurrencies that are easier to mine, like Litecoin. An early December email sent to the Tidbit mailing list (and obtained by VentureBeat) confirmed Litecoin support as a key goal for the beta release, which the team had planned for early February.

New Jersey complicated those plans.

Tidbit vs. New Jersey

Rubin v. New Jersey

With help from the EFF, Tidbit has moved to quash the subpoena in New Jersey state court. Tidbit’s representatives argue the state has no personal jurisdiction over Rubin because he’s not a New Jersey resident, and Tidbit has no direct involvement in New Jersey — the source code isn’t stored there, and it’s not targeting New Jersey consumers in any way. New Jersey has no right to regulate out-of-state Internet activity, said EFF staff attorney Hanni Fakhoury.

“This is one of those rare circumstances where the common sense explanation also matches the legal argument,” he told us.

Not surprisingly, New Jersey disagrees.

“The state feels confident that its issuance of a subpoena in this matter will be found to be entirely legitimate, for reasons that will be detailed in its forthcoming opposition to Tidbit’s motion to quash,” Neal Buccino, a spokesperson for the New Jersey division of consumer affairs, told VentureBeat. He declined to comment further, citing the ongoing nature of the investigation.

If the court upholds the subpoena, Rubin’s lawyers have requested he receive protection under the fifth amendment, which states the no one should be compelled to be a witness against himself in a criminal case.

“He should be given immunity from criminal prosecution because the state is basically asking him to incriminate himself,” said Fakhoury.

The court is expected to set a hearing for late February where the judge will make a determination. In the meantime, Rubin and his peers are trying to focus on their studies.

“Dealing with this subpoena has put an undue amount of stress on me and my colleagues,” Rubin told us. “To have our progress be hindered by such a subpoena definitely hurt our team morale.”

Rubin declined to comment on whether they intend to move forward with Tidbit. Fakhoury seems to think they’re interested in forming a startup, however.

“I would imagine that they’d want to make this something more formalized,” he said. “After all, they won an award at the hackathon for a reason. But everything is going to basically be on hold until the subpoena is dealt with.”

Fakhoury feels confident that Tidbit has “presented the best argument,” but noted that it’s impossible to predict a judge’s determination. “Any lawyer who will give you his chances is a bad lawyer,” he said.

Phishing for evidence

Even if the subpoena is dismissed, the Tidbit case represents a worrying disparity between the tech community and government regulators. With its investigation, New Jersey is trying to protect its populace, but Tidbit never even launched a functional product.

The court should — and likely will — declare this subpoena unconstitutional and unenforceable, as Rubin’s lawyers have requested. But that won’t erase the time and resources it cost Rubin and his classmates, who should have been working toward that beta release, not battling a state regulator.

The subpoena and accompanying interrogatories issued to Rubin demonstrate that the people working for New Jersey’s division of consumer affairs have made little effort to understand what Tidbit’s software actually does. With their broad demands, they’ve placed the burden of the investigation on some college students — and they’ve done so before the students’ software is even fully functional.

Let’s hope the New Jersey court is smarter than the consumer affairs division.

blog comments powered by Disqus