The Limits of Harvesting Users Online

The state of New Jersey recently announced a $1 million settlement with E-Sports Entertainment, LLC over allegations that the company installed malware on its customers’ computers. The Attorney General claimed that E-Sports’ software allowed the company to use its customers’ computers to mine for Bitcoins without the users’ knowledge, generating thousands of dollars in Bitcoin value for E-Sports (and no value for the users) after numerous reports of unusually high CPU usage by their customers. E-Sports released a statement apologizing and clarifying that this was the behavior of a rogue programmer. They also announced that they are donating the value of the bitcoins ($3,713) to the American Cancer Society plus doubling the donation from their own funds.

There were multiple components to the New Jersey case, including a privacy count regarding monitoring of users’ computers even when they were offline. However, the Bitcoin aspect of the complaint is extremely prescient, as there seems to be a burgeoning trend of government regulators looking more seriously at Bitcoin.

I worked as a technical expert on this case with the New Jersey Attorney General’s office and, in my opinion, this settlement raises bigger questions about the limitations on how companies can extract value from their customers. While we seem to have accepted that data collection for behavioral advertising is a necessary part of the online economy, using customers’ computers to mine for Bitcoin without consent seems to go a shade too far. Maybe because it highlights the direct monetary gain companies are able to extract from users, which was something that was previously hard for privacy experts to make salient in the realm of advertising. The key question it presents: how far can companies go in leveraging customers’ data and systems for their own gain, without their knowledge?

How does your computer generate money?

There are circumstances where it is entirely obvious that a company is making money from you; for example, when you shop online and elect to pay a company for their goods or services. But even in this situation, your personal computer does a lot of the work when you visit a company’s website, contributing to the financial gain of the company in non-obvious ways. The website you visit is an amalgamation of images and code stored on multiple servers that are called up and assembled by your computer. The companies might argue this is no different than you using your own gas to drive to a store, but in some ways it is more like having to build a store yourself and then shop in it. Obviously it does not cost nearly the same amount to assemble a website as it does to build a brick-and-mortar store, and users are probably willing to accept these incidental costs for the convenience of online shopping, but this establishes the basis of a relationship where third parties use your computer to generate revenue. (I’ve testified about the use of customers’ systems for the Ohio Attorney General and the question of whether rendering a website contributes to having a nexus in the state.)

The online ad industry is one well-known example of how a third party makes money when you use your computer. This industry uses personal computers as a conduit through which they monetize clicks, taps, and scrolls to the tune of $20 billion, none of which is paid directly by users. The online advertising industry generates revenue by using cookies and other tracking software to deliver tailored ad content to users. Money changes hands between the companies who are advertising and the firms that serve the ads, and the only active role users play in this process is to open their computer and browse the web. This business model is the bread-and-butter of the Internet. Advertising firms are constantly working on new ways to monetize online behavior at no cost to consumers. (For a discussion of the cost of “free” content, review “The Price of ‘Free’: Accounting for the Cost of the Internet’s Most Popular Price.”) And all innovation in this field relies on users’ personal computers doing some of the work, including generating the websites and the subsequent data trails used to fuel the industry. Some users buy faster, shinier computers that compensate for the power needed to run the additional code, spending more money on machines. But the role they play in this process is perhaps not intuitive for users, since the money changes hands a few times along the way. Bitcoin mining reveals a more direct financial relationship between users’ activity and money.

How do Bitcoins come into play?

Bitcoin mining is a complicated mathematical process, but the most important aspect for this conversation is that the algorithm requires large amounts of computing power to crunch. One way to increase your computing power is to have additional computers join your mining pool, allowing you to utilize their processors. In the case New Jersey brought against E-Sports, a developer took advantage of his access to customers’ computers without their knowledge or consent to mine for Bitcoins.

There are even a few sites that have begun to offer code that anyone can embed on their website which will force visitors’ computers to join a mining pool, lending their computing power toward helping to mine Bitcoin on the website’s behalf. Some even claim that this is actually a better way to monetize websites than ad serving. The adoption of these revenue-generating strategies seems to be limited and the legality is unclear, but the New Jersey case suggests this is an issue worth tracking.

Using your visitors’ computers to mine for Bitcoin is based on the same relationship as online ad delivery: users’ resources enable the company to reap financial rewards. In most cases, the actual cost to a user as a result of their computer running this code might be relatively small (the negligible electricity to run the computer or the delay it takes to render the website, for example), but amassed over millions of computers it is possible for companies to generate huge amounts of revenue, much like advertising.

The Takeaway:

This is not a comprehensive discussion of the ways in which users are monetized. But cases like this one highlight the underlying financial relationships we assume when we use technology in everyday life. In general, the extent to which your personal computer can be used to generate money for a third party without consent is not yet well understood or addressed by the current regulatory structure. As such, we should be mindful to ask what limits, if any, should be placed on software or websites in their constant quest for funds.

UPDATE 12/01/2013: Looks like ESEA wasn’t the only one. There’s another company embedding hidden Bitcoin miners in their software.