Posted By: Alek Emery
In May of 1999, researchers at the University of California, Berkeley began the SETI@home project. The basic concept behind the project is to ask people to “donate” some of their spare computing power to help process blocks of the immense amount of observational data the Search for Extraterrestrial Intelligence project acquires. Now, almost two decades later, the development of certain types of cryptocurrencies, in particular Monero, has transformed that concept into a way to commercialize internet traffic. Browser-based cryptocurrency mining can occur without a website visitor’s knowledge or consent whenever he or she visits a webpage running a mining script, a phenomenon known as cryptojacking. This type of browser-based mining raises significant legal concerns, especially when visitors are given no notice of the script and no way to “opt out.” The viability of such an implementation also depends on how the market, and the mining of the various cryptocurrencies, continues to develop in light of rapidly evolving technological challenges and regulatory concerns. This post provides an overview of how cryptojacking uses the technologies behind cryptocurrencies to generate revenue, and then examines the legal and regulatory issues surrounding cryptojacking.
- A Broad Overview of the Cryptocurrency Industry
Beginning with the work of Satoshi Nakamoto, a pseudonym for a still unidentified person or group of people who released a whitepaper in 2008 describing Bitcoin and the chain of blocks that records its transactions, blockchain technology has given rise to a rapidly growing market for so-called “cryptocurrencies.” Bitcoin has become the largest and most popular cryptocurrency, but its public ledger and its reliance on the SHA-256 hash function have drawbacks. For instance, the creation of application-specific integrated circuits (ASICs) that compute SHA-256 hashes at very high speed and efficiency has tended to concentrate Bitcoin mining in large-scale mining operations, a result contrary to the original conception of Bitcoin as a truly decentralized currency. In response to these computational properties of Bitcoin, a variety of other cryptocurrencies have emerged that are designed to accomplish privacy objectives Bitcoin cannot satisfy and/or to keep mining decentralized. Specifically, currencies like Monero have been designed to be fungible, untraceable, and decentralized in ways that Bitcoin is not. These features of Monero come from a combination of obfuscating transaction details, using ASIC-resistant hashing algorithms, and a dynamic block size that adapts to transaction volume rather than a fixed cap. The next section explains these features in more detail and provides context for the developments that led to cryptojacking, discussed in the “Tidbit and Coinhive” section below.
- Blockchain, Bitcoin and Monero
Bitcoin was the first, and remains the largest, cryptocurrency. Recent analysis suggests that the total value of the Bitcoin market is more than $100,000,000,000. Bitcoin’s rapid growth has sparked the development of many other cryptocurrencies that aim to meet specific objectives Bitcoin currently does not. Therefore, in order to better understand the industry Bitcoin created, and the currencies that followed, it is important to have a basic understanding of how Bitcoin works, starting with the blockchain.
Blockchain is the distributed ledger technology (DLT) behind most popular cryptocurrencies, and it moves away from the centralized attempts at creating a digital currency that predated Bitcoin. Instead of one “master” copy of the ledger recording Bitcoin’s transactions, many copies of the ledger are stored across a large number of “nodes.” Each node keeps its own copy of the ledger and updates it whenever a new block is added. Every full node independently checks that transactions between “addresses” are valid, and “miners” collect verified transactions, group them into “blocks,” and broadcast each new block across the network. The ledger consists of every block recorded so far, and it grows as new blocks are appended, each one committing to the hash of the block before it, hence the name “blockchain.” To prevent the creation of false blocks, miners compete to solve a puzzle based on the hashing algorithm: they search for a value (the “nonce”) that makes the hash of the proposed block’s header fall below a network-set target. The winner gets to append a new block to the chain and collect newly created Bitcoin as a reward. Because each block’s hash depends on the previous block, rewriting an old block would require redoing the work for every block after it, which is what makes appended blocks effectively irreversible. Competition between miners, and the investment of real resources into solving the puzzle, allows the blockchain to remain “trustless” because there is no centralized authority verifying transactions. This requirement is called “Proof of Work” and, while the particular hashing algorithm varies between currencies, most cryptocurrencies rely upon a similar Proof of Work model. For a more in-depth explanation of blockchain and of why Proof of Work is important to how most cryptocurrencies work, very informative guides and articles (which formed the basis for this section) can be found at Blockgeeks Inc. and Coin Central.
Focusing back on Bitcoin, it uses a public blockchain and relies upon the SHA-256 algorithm for its Proof of Work implementation. This creates two important features of Bitcoin that have driven the creation of other cryptocurrencies. First, while the identity behind an address recorded on the blockchain may be pseudonymous, the blockchain publicly discloses where every bitcoin has been, which means coins can become “tainted” when involved in known illegal transactions. Second, the SHA-256 algorithm has a relatively low memory requirement per hash, which makes it cost-effective to produce ASICs that perform hashes far faster and more efficiently than the CPUs or GPUs most consumers have. So, bitcoins are not perfectly fungible, and most of the “mining power” for Bitcoin has become concentrated in a relatively small number of “mining pools” that use thousands of ASIC-based miners. This concentration of mining power not only creates a barrier to entry for new market participants, but also fuels the race to perform hashes faster and faster using ASICs, which creates an ever-increasing demand for electricity. This “hash rate” competition creates problems for those who want a more private and decentralized currency, and also for those who are concerned about the environmental costs of cryptocurrency mining.
This is where a currency like Monero comes into play. Monero uses additional cryptographic and obfuscation techniques (stealth addresses, ring signatures, and RingCT) to hide the sender, receiver, and amount of each transaction, which makes each unit of XMR fungible. The Proof of Work function for Monero is also different from Bitcoin’s. It currently uses the CryptoNight hashing algorithm, which is designed to require much more memory per hash and thus to make ASICs cost-prohibitive to develop. The Monero developers have stated that they will change the algorithm in response to ASIC development. While this does not solve the problem of increasing energy use by miners, as Monero still uses a competitive Proof of Work model, it does mean that miners can compete using ordinary CPUs rather than ASICs or high-end GPUs. As discussed in the next section, it is these features of Monero, combined with the SETI@home concept of having people “donate” spare computing power to process a large volume of computations, that create the basis for cryptojacking.
- Tidbit and Coinhive
As noted in Coinhive’s FAQ, it is Monero’s use of the memory-intensive CryptoNight algorithm that makes browser-based mining technologically feasible: a visitor’s ordinary CPU, running JavaScript and WebAssembly in the browser, can contribute hashes at a rate that is not hopelessly behind dedicated hardware. Moreover, because XMR is fungible, there is no way to quarantine or “taint” the mined currency as can be done with Bitcoin. Cryptojacking has evolved into a variety of forms, but the technology behind a cryptocurrency like Monero is what makes the phenomenon possible. With the technological background covered, the next section turns to the legal and regulatory issues surrounding cryptojacking.
- Legal and Ethical Issues
- Cryptojacking under the Computer Fraud and Abuse Act (CFAA)
The federal statute that creates both civil and criminal penalties for “computer hacking” is the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. Under the CFAA, it is punishable to access a protected computer “without authorization” or to “exceed authorized access.” The term “protected computer” has been interpreted very broadly and covers essentially every computer connected to the internet. While courts disagree to some extent about how to interpret “access” to a computer, the Department of Justice’s (DOJ) guidance suggests that cryptojacking would likely be an offense under the CFAA. Notably, the DOJ contends that under §§ 1030(a)(5) and 1030(c)(4)(A)(i)(VI), damage to a protected computer may result from malicious code appropriating the computer’s resources, and the latter subsection covers “malware” of the type that might not cause enough damage in a single instance to trigger felony liability but that affects 10 or more protected computers in a year.
There are also state law claims covering unauthorized access and “computer trespass” in various forms that would likely reach cryptojacking. All 50 states have enacted at least some form of law criminalizing this type of activity, so there is broad coverage throughout the US criminalizing, or creating civil liability for, cryptojacking. There has already been a legal dispute in New Jersey over Tidbit, implicating both state criminal statutes and the CFAA, that targeted the creators of Tidbit after it was discovered to have been implemented on several websites without the creators’ knowledge. Although the dispute was resolved with a consent order that prevented the case from exploring the merits thoroughly, it serves as a good example of how cryptojacking may be illegal under both state and federal law.
Despite the DOJ’s guidance and the Tidbit example, there are still unanswered questions surrounding the legality of cryptojacking. As discussed above, Tidbit was intended to provide website creators with an alternative to paid advertising as a means of generating revenue. Coinhive has released an alternative version of its browser-based mining script, called AuthedMine, that requires an explicit user “opt-in” before it begins mining on the visitor’s computer. While it remains possible to run Coinhive’s original script without notifying visitors, there are certainly ways of obtaining authorization for browser-based mining that would appear to prevent any illegality, assuming, of course, that the “opt-in” is presented in a way that does not misrepresent the process to which the visitor is consenting. The sufficiency of the disclosures made during the “opt-in” process will likely be litigated eventually, and there may be additional consumer protection law implications depending on how the “opt-in” is presented.
Thus, from a legal standpoint, it appears that cryptojacking will likely fall within the scope of the CFAA. Even though the damages, additional power usage and appropriated computational resources, may be small for any one visitor, virtually any browser-based mining script is only worth deploying on a site likely to affect 10 or more computers in a year. Moreover, this type of mining relies upon a cryptocurrency that can be cost-effectively mined with CPUs, like Monero. Because the technology behind such currencies is in a constant state of competition for hashing power, a result of the “Proof of Work” model most cryptocurrencies use, cryptojacking may become a thing of the past simply because it cannot compete with more efficient ways to mine. Popular ad-blocking browser extensions, and extensions like NoCoin that specifically block crypto-mining scripts, are also likely to make cryptojacking less profitable and thus less frequently attempted. So, it is possible that the legal questions surrounding cryptojacking will never be fully explored because changes in technology might render browser-based mining obsolete before the law catches up.
- Ethical Concerns and Regulatory Issues
As the examples of Tidbit and AuthedMine demonstrate, there is a legitimate use for browser-based mining scripts as an alternative to monetized advertising. But, looking specifically at AuthedMine, there are some unresolved ethical and regulatory issues facing even legitimate implementations of its script. Specifically, AuthedMine mines Monero, and this is only feasible because of the way Monero works. The use of the CryptoNight algorithm helps keep Monero decentralized, but several other technologies keep Monero anonymous. Using ring signatures, stealth addresses, and RingCT, Monero hides the sender, recipient, and amount of each transaction, making transactions untraceable in ways that Bitcoin never could be. This level of privacy makes Monero a prime candidate for illicit use on the dark web. And the fungible nature of XMR prevents any distinction between legitimately transacted coins and those used in illicit transactions like drug deals or ransomware payments. To some extent, the seemingly ethical use of properly implemented AuthedMine may lend legitimacy to a cryptocurrency that has become a favored means of conducting illegal business anonymously. Facing problems like the opioid crisis and human sex trafficking, the pressure for regulatory measures targeting a currency like Monero is increasing. There is an inherent tension between the freedom offered by a decentralized and anonymous currency like Monero and the potential for that currency to be used in unethical ways. Either technology will provide new solutions to these problems, or regulatory bodies will fight a continuing struggle to catch up with the ever-changing cryptocurrency market.
Cryptojacking is a fine example of how new technologies present both beneficial uses and the potential for harmful use. And, in some ways, cryptojacking is unique because it is dependent on decentralizing and privacy-enhancing technologies behind cryptocurrencies and uncertainties in the legal/regulatory frameworks surrounding the internet. It is the intersection of hardware development, cryptography, decentralization, and the law that makes it hard to predict how cryptojacking will continue to evolve. However, given the current state of the art, it appears that cryptojacking will continue to be a cybersecurity threat for the foreseeable future.