
The Ethics of Javascript Mining


On its face, most would agree that using someone’s hardware resources for personal gain without their knowledge or consent is unethical. In fact, that is the general definition of malware.

Much has been written [1] about the rising trend of web developers deploying mining scripts in websites. This practice dates back to 2011, but it is expanding rapidly because of mining pools like Coinhive [2]. Simply put, a JavaScript miner is JavaScript code embedded and hidden within a webpage that “borrows” (or steals) some of your CPU’s processing power to mine a light-weight cryptocurrency like Dash or Monero. JavaScript mining joins a website visitor’s CPU to a mining pool (a large cluster of other CPUs working in unison) to increase the hashrate (mining power) of the pool. Mining pools generally divide up the take evenly among each pool member, minus a percentage fee that goes to the pool’s administrator. Even though each visitor only contributes a tiny amount to the pool, the sum value of each micro mining session adds up quickly to thousands, if not hundreds of thousands, of dollars.


So far this sounds pretty sketchy, right? Well, there are two additional considerations. First, the mining operation ceases as soon as the webpage is closed because nothing is installed on the user’s machine. This makes it unlike spyware, adware, or a virus. Additionally, the processing power borrowed is limited enough (usually a max of 10%) that a user surfing the web shouldn’t notice much of a difference. After all, if the script used 100% of your CPU, your computer would crash and therefore stop mining.

Because JavaScript mining is hidden, it is very easy for a shadier operator to deploy this practice sans consent of visitors. Some websites like Salon.com give visitors the option to view ads or have their browser used to contribute to a mining pool. The profit potential of JavaScript miners being what it is, it is not rare for hackers to engage in “cryptojacking” (schemes where hackers steal computer resources to mine) by embedding a miner into a vulnerable website without the knowledge or consent of the site owner. In a sense, both the cryptojacked version and an intentional deployment of a script miner, without the consent of the site owner or the visitor respectively, could be considered a no-harm, no-foul scenario. No viruses or other malware are installed, and no long-term negative impacts result. But if I go on vacation and a stranger borrows my car without my permission, even if they return it in pristine condition, I will still be upset. This scenario is not entirely unlike the rising trend of mining scripts deployed in web pages.


Consent is often a prior question to material harm, or rather, making use of someone else’s property without their consent is material harm. In this case, script mining is clearly unethical, but what’s unethical on planet Earth is not the same as what’s unethical on planet Internet. The Internet is governed by corporatized norms tacitly supported by a user base that is desensitized to or ignorant of the monetization of privacy violations. The Internet makes Mos Eisley seem like a monastery.

If we consider the widespread and regular use of tracking cookies where website operators can monitor our web usage even after we close their webpage for an untold duration, and then use that information to cyberstalk us and tailor more ads to us, one might wonder why tracking cookies are OK but unauthorized script miners aren’t.


Tracking cookies shouldn’t be a normalized element of our everyday lives, but they are. Imagine going to a mall and having an associate at Macy’s follow you to the food court just to see what you order, follow you into the parking lot to see what kind of car you drive, into your home to see whether you’ve outgrown Ikea’s Malm collection, listen to you talk to your partner in order to forecast when you’ll need a diamond ring, and finally to watch you sleep just to find out what thread count of sheets you prefer. What would be grounds for a restraining order in the real world, or the plot of Netflix’s You, is a daily occurrence for every single internet user.


Many websites do ask for your consent to use tracking cookies, and in the EU it is a legal requirement. In the US, it is entirely voluntary. In fact, the only reason websites often inform you of their data collection practices is so that their content can be made available to EU citizens. Collectively, internet users have been conditioned to accept that it is OK for us all to be the victims of a perpetual non-consensual cyberstalking campaign.

Then, there is the issue of intrusive advertising. The average American sees between 4,000 and 10,000 digital ads per day [3]. We have all opened a web page and gotten two sentences into reading something before an ad for the Chevy Cruze starts blaring and blocking the screen. We click the x that was supposed to make it all go away, and immediately another banner appears to remind us we can save 15% by switching to Geico. When exactly did we all collectively agree to be hit with loud advertisements when we open a web page? Some websites do have terms and conditions that they count on you not reading, but by and large, simply clicking a link after a Google search does not indicate we consent to be advertised to by the host of the URL, any more than asking a store employee to direct you to soap grants them permission to spray you in the face with a confetti cannon.

Ultimately, either other people misappropriating our personal computers and mobile devices for monetary gain absent our consent is completely unethical and both unauthorized script miners and tracking cookies should be banned while online advertisement should be significantly curbed, or consent abuse is not a substantial harm, and we should evaluate these revenue streams in terms of the harms they create.


Those ads that pop up without our consent use system resources and use our data allotments. Xfinity’s standard home internet plan offers users one terabyte of data, and for most families that is more than enough. Going over that limit results in an overage, though they do provide unlimited data for a significantly higher premium. Bandwidth is not free. These content providers are stealing your bandwidth without express consent. You pay for your bandwidth, and someone else choosing to use it to make money without your consent still represents theft of your system resources. These ads tax your GPU and your RAM as well. Again, a for-profit enterprise is using your system resources for their own financial gain, without clear prior consent. The only time they ask for your consent is if they catch you trying to “steal” from them through the use of an ad blocker.

Some studies have shown that web traffic that is traced just to advertisements can increase your data usage by anything from 10-50% [4]. This means that while I am streaming The Good Place at home, I am paying NBC’s parent company (Comcast/Xfinity) for my home internet and my cable subscription so I can watch NBC’s ads which use the bandwidth I am buying from Comcast. If 15 out of every 60 minutes of streaming are ads, that’s a 33% increase in bandwidth usage. Put another way, I am paying Comcast for the privilege of being advertised to and will be penalized if their ads cause me to use more data than I otherwise would… Suddenly, script mining seems comparatively benign, and I am beginning to suspect I am an idiot.


In a script mining scheme, the worst possible outcomes are that your system runs slower while the web page is open and more of your data will be used than you intended. This can be resolved by closing the web page. Tracking cookies require several more clicks to remove and let’s be real, watching ads and having videos autoplay whenever you try to read an article suck. It is intrusive, and part of a massive corporate ecosystem designed to suck your hard-earned resources away from you. The Internet dangles the carrot of infinite knowledge and connectedness, and the path there is brought to you by Gillette or KFC. Obviously digital content providers deserve to be compensated for their work, but as with all business dealings, it is not too much to ask for the terms of the agreement to be negotiated in advance. We need to denormalize privacy violations and be clear that the implied consent that visiting a website means we accept being advertised to is a sham. Yes, JavaScript mining without consent is unethical, but it pales in comparison to the perpetual ad machine that consumes our bandwidth and possibly our souls (jury’s still out). Inherently unethical or not, perhaps script-mining is the key to an Internet free from intrusive ads.


Isn’t this whataboutism? Well, yes. Cookies, intrusive or forced ads, and JavaScript miners that operate without clear consent are unethical. However, out on the digital frontier where right and wrong are informed not by an evaluation of harm, but rather corporate normativity, JavaScript miners are preferable to cookies and data-hungry advertisement. If script miners are giving us a glimpse of a future where the internet is free from the tyranny of ad revenue, perhaps script miners should be celebrated. We should all celebrate the prospect of a post-ad revenue era of the Internet.

Updates: As of 4/20/2019 Coinhive will no longer be able to support JavaScript mining. JavaScript miners will still exist but will require more know-how on the part of the user.

Sources:

[1] https://www.mycryptopedia.com/crypto-mining-scripts/

[2] https://www.symantec.com/blogs/threat-intelligence/browser-mining-cryptocurrency

[3] https://www.redcrowmarketing.com/2015/09/10/many-ads-see-one-day/

[4] https://www.businessinsider.com/enders-analysis-ad-blocker-study-finds-ads-take-up-79-of-mobile-data-transfer-2016-3
