Tuesday, September 23, 2014

MIT Students Battle State’s Demand for Their Bitcoin Miner’s Source Code

MIT Media Lab (where Jeremy Rubin is a researcher). Photo: jeanbaptisteparis | CC BY-ND
Four MIT students behind an award-winning Bitcoin mining tool will face off against New Jersey state authorities in court today when they attempt to fight back against a subpoena demanding their source code.
The Electronic Frontier Foundation is representing 19-year-old MIT student Jeremy Rubin and three classmates in a remarkable case that stands out for the measure of aggression the state is using to obtain the code and identify anyone who might have tested the mining tool.
The case is reminiscent of a federal one that targeted Aaron Swartz after he was arrested by MIT police in 2011 for downloading more than 4 million scholarly journal articles from the JSTOR digital library, offered to MIT students, to make them more widely available. Swartz faced multiple charges for his activity and killed himself as he was preparing for trial. Although there is currently no indictment or pending criminal charges against Rubin and his friends, state authorities have indicated that they believe the researchers may have violated state laws. The case marks a disturbing trend among authorities to go after researchers, innovators, tinkerers and others who try to do cutting-edge projects to help the tech community, says EFF staff attorney Hanni Fakhoury.
“It’s a very broad subpoena that hints at criminal liability and civil liability,” he says. “For a bunch of college kids who put something together for a hackathon—they didn’t make any money, the project never got off the ground and now is completely disbanded—there are some very serious implications.”
The mining tool, known as Tidbit, was developed in late 2013 by Rubin and his classmates for the Node Knockout hackathon—only Rubin is identified on the subpoena but his three classmates are identified on the hackathon web site as Oliver Song, Kevin King and Carolyn Zhang. The now defunct tool was designed to offer web site visitors an alternative way to support the sites they visited by using their computers to mine Bitcoins for them in exchange for having online ads removed.
“We believe our utility for the end user comes in freeing up real estate on web pages,” King wrote about their program on the Node Knockout site. “Imagine a web where your amazon shopping cart doesn’t follow you around to every website you visit. We believe there should be more options than advertising for monetizing a website, and we believe we have a novel and non-intrusive solution. In this way, we provide utility to developers who can now include higher quality content on their websites, and utility to end users who are spared the wasted time in looking at ads.”
The clever design won the award for innovation in the programming competition.
“This is a very intriguing idea that could really transform online economics if it works,” one supporter wrote on the hackathon site. “There is a much broader discussion to have about mining bitcoins vs doing other useful tasks (e.g. a friendly form of mechanical turk).”
But the program never got beyond the proof-of-concept stage before Rubin and Tidbit, as an entity, were hit with subpoenas from the New Jersey Division of Consumer Affairs just weeks after winning the award.
The state’s attorney general claims Rubin and his classmates violated New Jersey computer crime laws and demanded they hand over source code for their creation and any documentation related to the tool. Rubin was the only one named in the subpoena, Fakhoury says, because he registered the web site for Tidbit.
The authorities also demanded the names and addresses of any Bitcoin wallets used in association with Tidbit, the names of anyone whose computer was used for mining in the project and a list of web sites that may have run the code.
Fakhoury says that although Tidbit made the code available to download and embed on web sites, it wasn’t fully functional and no Bitcoins actually got mined through the Tidbit server.
Indeed, one person on the hackathon site said that although he embedded the code on a website and it looked like Tidbit was successfully mining Bitcoins, “the coins did not seem to show up in the account info dashboard,” he wrote. “Maybe there is a bug? (or is the dashboard not real time?)”
Rubin responded that they had not been able to finish implementing the dashboard before the hackathon ended, but they would eventually complete it.
The MIT community has rallied behind the Tidbit students in support of them and their efforts, in stark contrast to the school’s silence when Swartz was arrested.
MIT sent a letter to the New Jersey attorney general asking his office to withdraw the subpoenas, noting that such actions would have a “chilling effect on MIT teaching and research.” More than 800 people—students and faculty—have also signed letters of support in vain.
The EFF’s Fakhoury will argue in court that the attempt by New Jersey state authorities to target a Massachusetts resident like Rubin is unconstitutional and that the out-of-state authorities have no jurisdiction over him.
“While the state certainly has a right to investigate consumer fraud, threatening out of state college students with subpoenas isn’t the way to do it,” Fakhoury noted in a statement about the case. “As MIT students and faculty have warned, the fear that any state can issue broad subpoenas to any student anywhere in the country will have a chilling effect on campus technological innovation beyond Tidbit.”
He is also arguing that if the court does demand the students hand over any data, they should be given immunity. If not, the court would be forcing the students to relinquish their Fifth Amendment protection against incriminating themselves, since the documentation they provide may contain information that authorities could use to charge them under New Jersey’s anti-hacking law or under the federal Computer Fraud and Abuse Act.
