The death of Tidbit and why it matters

The New Jersey Division of Consumer Affairs announced today that they had settled their complaint with the developers of “Tidbit”, a prototype piece of software developed by four MIT undergraduates as part of a hackathon. It’s about time. New Jersey made a boneheaded decision to subpoena these students, and got what they deserved after wasting tens of thousands of dollars of taxpayer money: nothing.

Oh, the release from the state makes it sound like they’ve made a major step forward in consumer protection. But it’s worth unpacking what the Tidbit developers did, what they didn’t do, why New Jersey pursued the case, and why this matters, even though the case has now been settled.

What was Tidbit?

Tidbit was a prototype system and a thought experiment, designed to challenge the dominant model of supporting content providers online: targeted advertising. Instead of trying to capture your attention with an ad, with resulting revenue supporting the content provider, Tidbit captured spare cycles of your CPU and used them to mine bitcoins. While reading a story, your CPU would become part of the global pool of computers running SHA256 double round hash verification processes to verify and maintain the global transaction ledger, the blockchain, that makes bitcoin a non-duplicative currency. Close the window and you’d stop mining.

Would it have worked? Maybe not – mining bitcoins in the browser isn’t a very efficient process. (If you want to try it, read this article from Quartz, which includes a browser-based app that allows you to mine. In the unlikely event that you mined a bitcoin, I suspect Quartz would own it through much the same process Jeremy Rubin and his colleagues were proposing.) But it’s a very cool challenge to existing, problematic models that monetize your attention. In his blog post explaining the aftermath of the NJ subpoena, Jeremy explains that there were VCs interested in the idea and willing to fund further developments. Or perhaps Tidbit would have turned into a payment system using dedicated hardware, he speculates. We can’t know because the New Jersey subpoena led the students to stop all work on the project.

What Tidbit wasn’t was a system that hijacked people’s computers and forced them to mine bitcoins. The code Jeremy and colleagues released was a proof of concept which was not capable of actually mining bitcoins. New Jersey alleges that the Tidbit code was found running on three websites registered in New Jersey – Jeremy and his counsel note that the Tidbit code could not actually mine bitcoins, and was available online briefly. It’s possible to imagine scenarios where Tidbit’s code was downloaded and modified to hijack people’s computers, but it’s hard to see how that modified code could be blamed on Jeremy and his team.

So why did New Jersey take action against a student project?

New Jersey’s acting attorney general, insisting that his intention was not to stifle innovation, offered this reason for issuing the subpoena: “No website should tap into a person’s computer processing power without clearly notifying the person and giving them the chance to opt out – for example, by staying away from that website.”

It’s not hard to imagine scenarios in which unethical website operators run Tidbit-like scripts to hijack unsuspecting browsers into giving up CPU cycles. You don’t have to imagine – it happened. New Jersey prosecuted E-Sports Entertainment, which used malicious code to hijack 14,000 computers and use them to mine bitcoins. The company settled with the state for $1 million. It’s possible that New Jersey thought Tidbit was heading down the same path and saw a chance to carry out a similar prosecution.

But there’s no evidence that the Tidbit team intended to hijack anyone’s system. In fact, the acting director of New Jersey’s Division of Consumer Affairs states clearly, in his press release about the settlement, “We do not believe Tidbit was created for the purpose of invading privacy.” (Indeed, New Jersey’s concerns seem to be about user autonomy.) Still, New Jersey subpoenaed the Tidbit team, and suggested that Rubin and others might face charges under the state’s Computer Related Offenses Act and Consumer Fraud Act, evidently because they believed “This potentially invasive software raised significant questions about user privacy and the ability to gain access to and potentially damage privately owned computers without the owners’ knowledge and consent.” Further, the press release states, “A New Jersey Division of Consumer Affairs investigation has found that, despite initial assertions by Tidbit’s developer, the software was used to gain access to computers owned by persons in New Jersey, without the computer owners’ knowledge or consent.” Rubin, in his post about the settlement, insists that a five-minute inspection of his code by a competent investigator would have determined that his code could not have been used in this way.

What happened once the subpoena was issued?

Faced with the possibility of serious fraud charges, Rubin and his team stopped working on the project and sought support from the Electronic Frontier Foundation, where Hanni Fakhoury led Tidbit’s defense. Fakhoury’s argument centered on the idea that the New Jersey AG was engaged in jurisdictional overreach, seeking information on a Massachusetts-based project based on the assertion that the tool had been downloaded and (mis)used in New Jersey. MIT faculty, graduate students and administration wrote to the New Jersey Attorney General raising concerns about the ways the New Jersey subpoena could harm innovation on university campuses around the country.

Judge Gary Furnari of the Essex County Superior Court declined the EFF’s motion to quash the subpoena, but expressed strong reservations and “serious concerns” that the state’s actions might discourage the development of new technologies. Judge Furnari expressed his opinion that it appeared “the Tidbit program and other similar creative endeavors serve a useful and legitimate purpose” and had no inherent malicious intent.

Perhaps the judge’s caution led New Jersey to settle with Rubin and his colleagues. Despite the triumphal language of the New Jersey AG’s press release, Rubin and his team admitted no wrongdoing, paid no fine, and released a minimum of information (a total of two domain names). Basically, the settlement binds the students to obey the law, at the risk of a significant financial penalty… the situation they, and all other citizens, faced before New Jersey issued this subpoena.

Why does this matter?

First, it matters because Rubin and his colleagues went through a terrible experience. Once the team faced possible legal action, investors backed away from the project and the students were no longer willing to work on the project, fearing further complications. In addition to working through MIT’s notoriously demanding undergraduate curriculum, the students spent their “free time” working with the EFF and other lawyers, worried that their work on Tidbit would lead to fines and fraud charges. Their reward for thinking outside the box was a year-long trip through a Kafka-esque bureaucratic morass.

Second, it matters because New Jersey’s actions have likely chilled development along the lines Tidbit was exploring. Whether or not browser-based bitcoin mining was a viable replacement for advertising-supported content, New Jersey sent a signal that they might lash out at any technology that attempted to enlist a user’s machine in mining, even if the user consented to the exchange. Acting Attorney General Hoffman’s insistence that New Jersey is not trying to hobble innovation cannot be taken seriously, as the direct result of the state’s overreach was the death of the Tidbit project and the clear sign to other innovators that this line of thought was a dangerous one to follow.

Third, the Tidbit case matters because it revealed a situation most universities are ill-prepared to handle: the moment when an innovative project puts students into serious legal trouble. Much of our federal and state legislation around computer crime is so badly written and vague that any number of student projects could conceivably lead to criminal charges. My students routinely scrape websites to collect analyzable data sets – as we learned at tragic cost in the case of Aaron Swartz, an overzealous prosecutor can argue that this sort of data collection is theft on a massive scale.

What should universities do?

What should a university do if a project like Tidbit were created as a class project? (Tidbit was created at a non-MIT hackathon by MIT students.) What are the responsibilities of faculty and administrators if students get into legal trouble in the course of their educational work? Rubin sought the EFF’s support with guidance from the MIT general counsel, as the counsel represents the Institute, not students or faculty at the university. Colleagues and I were concerned that MIT had no direct way to support students in situations like Jeremy’s and brought our concerns to President Reif. He responded quickly and the Institute is working towards creating a new set of legal resources for students around the freedom to innovate. (I’ve been involved with the process, and can report that there’s been a great deal of progress, which I hope will be announced soon.)

Other universities need to start building strategies to defend their students… and soon. The combination of badly written computer crime laws and the spread of entrepreneurial culture to campuses suggests that more students will put forward ideas that lead towards legal challenges. Whether these are ideas designed to be explored solely within the classroom, or in the entrepreneurial/VC/startup space, I think it’s important for academic advisors to think about how we can protect and advise students on the legal challenges that may arise. As someone who teaches and advises students, I don’t want to encourage students to climb high without a legal safety net.

Furthermore, universities need to take the lead in protecting the freedom to innovate and combatting overbroad laws like the federal Computer Fraud and Abuse Act, and New Jersey’s Computer Related Offenses Act. As we encourage students to invent and create, we have a responsibility to ensure that they are operating in a legal environment that encourages creativity rather than shutting down promising lines of research before their impact is clear. We’re convening a discussion at MIT on this topic on October 10th and 11th, 2015. If you want to take part, please let me know via email or via the comment section of the blog.

For further reading on the Tidbit case, please see:

