posted by
Dopefish
on Monday February 17 2014, @02:00PM
from the government-should-mind-their-own-business dept.
mattie_p writes "MIT students won a hackathon last November with a non-functioning demo of Tidbit. The concept is to replace web advertising revenue with a tiny amount of Bitcoin mining on the user's browser. Out of the blue, the students were hit by a subpoena from the New Jersey Attorney General demanding that the founders 'turn over sensitive information including source codes, hosting websites, and all of the Bitcoin wallet addresses associated with Tidbit.'
At first MIT council referred the students to legal assistance from the EFF, who quickly came to their defense. Now there is a petition going around requesting the MIT administration support the students directly. Parallels are being drawn to Aaron Swartz, possibly because one of the authors of the recent petition is Prof. Hal Ableson, although details of the two cases have very little in common.
MIT President Reif has now come out strongly in support of the students--and in favor of academic freedom from interference by government."
This discussion has been archived.
No new comments can be posted.
I hadn't heard of Tidbit before. It sounds like a really good idea: a non-obnoxious way of generating revenue from web-traffic at a negligible cost to visitors.
Can anyone else explain what's going on with this case? The article doesn't say much about why the Tidbit folks are being subpoenaed, except that "out-of-state authorities... were concerned Tidbit may have breached the security of people's computers through unauthorized access." Why on earth would they think that?
Starting Score:
1
point
Moderation
+1
Interesting=1,
Total=1
Extra 'Interesting' Modifier
0
Total Score:
2
(Score: 3, Informative) by isaac on Monday February 17 2014, @02:23PM
Can anyone else explain what's going on with this case? The article doesn't say much about why the Tidbit folks are being subpoenaed, except that "out-of-state authorities... were concerned Tidbit may have breached the security of people's computers through unauthorized access." Why on earth would they think that?
FTA: "'[New Jersey] recently used consumer protection laws to secure a $1 million settlement from a gambling website that turned its users’ computers into a botnet to mine for Bitcoins without the users’ knowledge,' wrote Fakhoury. 'It appears the state suspects Tidbit of something similar here, despite the fact Tidbit’s code was only a proof of concept that could not mine for Bitcoins, and despite the fact Tidbit was clearly not planning to develop code that mined without a user’s knowledge and consent.'"
Someone got wind of Tidbit in the NJ AG's office and smelled another potential settlement.
(Score: 1, Insightful) by Anonymous Coward on Monday February 17 2014, @02:27PM
by Anonymous Coward
on Monday February 17 2014, @02:27PM (#723)
The problem is that in the long run, it's not a negligible cost. It's a process that consumes data, CPU and/or GPU cycles and electricity. I don't know how much resources it consumes when compared to a webpage displaying ads, but the trend should not be to replace one resource sipper (or sucker) with another.
If your page has 1000 users per day that can mine at 5Mhash/s (assuming CPU mining, tidbit uses an asm.js miner), you have a hash rate of 5Ghash/s per day. Let every user mine for 10 seconds and according to you have 5.20USD of revenue.
According to this article [forbes.com], it looks like the ARPU (average revenue per user) goal is around $2. If $5.20 is the daily revenue, $1.90 would be your ARPU ($5.20 * 365 days / 1000 users). Seems like a viable alternative if your calculations are anywhere near correct.
It seems that right now, their implementation is fairly inefficient (1 penny per 24 hours run [venturebeat.com]). They are apparently planning on tapping into WebGL in order to move to GPU processing.
Websites have get income somehow or they will eventually go lights out. Hosting, maintenance, and electrcity are not free. Ads have been the dominate way but unless increased costs are significant I could see the majority of users preferring computing networks like Tidbit.
(Score: 2, Insightful) by Anonymous Coward on Monday February 17 2014, @02:56PM
by Anonymous Coward
on Monday February 17 2014, @02:56PM (#752)
Hi, same AC here (I tried to make an account but no password has been emailed yet).
I understand the costs associated with running a website. But the issue is the hidden fee that the visitor is forced to pay, either through ads, by mining for virtual currency or by sending spam (the next logical step). It seems like a very inefficient way to make money: you provide content, but have to use a complex system to get paid for the content. Ads have to be created, electricity has to be used to mine for virtual currency, data has to be used to transfer all of this - all at the cost to the visitor. Why not just charge the visitor a fee and be done with it? Why hide the fee behind a complicated system? Do we really need a middle man - or several - to achieve this?
I could see a site charging a fee as an option that disables ads and mining but not as the only option. In most cases if you create a site that has fees as its only way of membership, someone else will probably come along with a nearly equivalent "free" version that a majority of potential users will go to instead. It is a lot easier to get people to try/use something when it is "free".
After factoring in the immense amount of third party support you have to rely on for payments, yes, ads and mining ARE simpler. In one case, say you use PayPal. Well, PayPay needs datacenters, they need to work with credit card companies, they need to clear transactions and chargebacks, and that's just before you integrate it into your site. Then you need to trust it won't fail, or screw you over. Any third party service comes with this caveat, and payments are a big one. See "The Cloud" for reference on how that goes.
Ads can be served off a single host, with no interaction or legal snafus from handling customer data. Finally, bitcoin mining pushes the complexity to an individual user, with none of the issues of storing personally identifiable information. The actual volume of code to be run for mining could be far smaller than that for payments, and depending on the ad system, less than that.
(Score: 1, Informative) by Anonymous Coward on Monday February 17 2014, @07:38PM
by Anonymous Coward
on Monday February 17 2014, @07:38PM (#985)
Perhaps you are unfamiliar with PCI-DSS regulations which require QUARTERLY independent security audits by a PCI Council "qualified independent scan vendor" if you handle personally identifiable information. Otherwise, the credit card companies will cut you off. That pretty much means anyone smaller than a large business is outsourcing their payments to someone else. That itself is a can of worms.
Websites have get income somehow or they will eventually go lights out. Hosting, maintenance, and electrcity are not free. Ads have been the dominate way but unless increased costs are significant I could see the majority of users preferring computing networks like Tidbit.
Maybe the world-wide-web Internet was designed wrong and a peering model is a better approach.
They can't mine if you don't have their website open. How are they going to increase the time? Hulu is designed to strong arm you into watching the ads or not recieve the rest of the video. I doubt most text-based content websites could get away with something similar for very long.
(Score: 4, Insightful) by cx on Monday February 17 2014, @03:39PM
by cx (239) on Monday February 17 2014, @03:39PM (#782)
Fully agree. The law of diminishing returns sets in pretty fast and then it is an ugly race to the bottom. But even more important, letting random sites run cpu heavy js is more uncomfortable than seeing an ad or two. I just wouldn't visit such a site (without noScript anyway).
Web is diverging to two poles for a long time; free-for-all-ad-and-malware-infested-stuff and gated-gardens (money or other-wise). What can't be monetized (or supported by other means, like business sites) and doesn't have a strong community will die. And that's ok.
Actually Hulu only had 15 second commercials because that was all advertisers were willing to pay for on the as yet unproven site. There were also only a handful of advertisers at the time. You would see the same ad numerous times during a viewing opposed to multiple different ads today. Once it got traction advertisers were stepping up and Hulu increased the duration and frequency accordingly.
I don't think this is a very serious concern. Just as there are diminishing returns as a site increases the number of advertisements it pushes on visitors, so also will there be diminishing returns when a site increases the amount of computing power it consumes. When people reach their pain threshold, they'll take steps to limit the pain--either by going elsewhere or by blocking the mining script. It's up to site owners to find the sweet spot that is profitable without being intolerable to visitors. The slope may be slippery, but it's not endless.
Isn't the real question here whether the pain of energy loss is worse than the pain of dealing with advertisements? I can imagine all kinds of circumstances when I'd prefer give to up CPU cycles/battery life than have my time or screen space wasted.
(Score: 2, Interesting) by cx on Monday February 17 2014, @06:00PM
by cx (239) on Monday February 17 2014, @06:00PM (#904)
I don't think this is a very serious concern.
Respectfully, I disagree. We already have very limited capability to limit what particular site/application can do, without going to trouble of router/dns level control. There are also cases where denying behavior application/site doesn't really need breaks the functionality (my way or the highway). In other words, you are technically not in a position to say 'It is ok for you to mine bitcoins as I read your article, but only that. Don't send out spam, don't talk to random services, don't do ANYTHING else.'
Situation where it is considered normal that every random site you visit runs random CPU-heavy code on your machine is not something I'd be looking forward to. Yes, it is already happening now that a stupid page requires 5 megs of js across 10 domains, and I actively avoid such sites; once everyone starts doing it I will not have such luxury.
Perhaps it's time to incorporate mining ASICs into our general purpose computers? =P (Yeah, I know that game has come and gone with the rise of specialty hardware.) Hrm, Coincellerator Inside...
I'm not sure I understand what you mean. The mining scripts under discussion use Javascript and are subject to exactly the same privileges and restrictions that already exist for Javascript in the browser. Tidbit doesn't change what a site can do with your computer at all. Or am I missing something?
(Score: 2, Interesting) by cx on Monday February 17 2014, @09:37PM
by cx (239) on Monday February 17 2014, @09:37PM (#1099)
Script mine_coins.js might do that at some point in time on a site A. However, that might change. Unless you inspect the script every time you load it, you won't know now, will you?
So we have a script that does something which has to be communicated back to the site (otherwise how do they get the results of the work). But it might communicate it to another site (cause they use different domain for computation results processing, to 'streamline the process'). Tomorrow it will be upgraded to communicate with multiple other machines (in order to more efficiently process the workload, yadda, yadda). Call me paranoid but that spells botnet to me.
Now security. First, it is easier to hide nefarious stuff in 5 (10? 50?) megs of math heavy code than in a two page straightforward DOM manipulation library. Second, even if we consider your machine is protected from rooting/snooping by whatever sandbox the browser of your choice implements, it doesn't protect the rest of the world from actions originating from your machine. Third, considering heavy CPU load normal when you browse the net is a great incentive for malicious people to replace legit scripts on servers you access with something else. Today every time my computer slows down for no obvious reason, I go through running processes to find the culprit and then check what that process(es) talk to. But if every site I visit ramps up my CPU load significantly, I will get used to it. Mining bitcoins? Participating in DDOS? Cracking passwords? I wouldn't know unless I check every time.
Isn't this what script blockers are for? If the mining script is too invasive, then more users will use script blockers and the return per user drops.
It seems to me that this is basically the same situation as ads with malware. The higher the incidence rate of malware, the less people actually see ads. This means that ad companies have some incentive to keep their 'product' clean.
I think this is where we've gone wrong with both computers and the Internet. It's my computer and I don't have an easy way to show what choices I want to make when I visit a website. There are no negotiations. There's a lot of my-way-or-the-highway attitude. A lot of times, there is no way to even suggest things to a website about what I'd like.
Sometimes I want ads. Sometimes I don't. If I want ads, there's no way to specify what kinds of ads (jpg vs flash or car vs food) that I want.
I never want ads. And I don't negotiate, either, so on that front it is my way or the highway. I will stop going to a website if they try to force me to look at ads. This is something I end up doing occasionally and to be honest, I don't feel as though anything of value has been lost on my end.
(Score: 0) by Anonymous Coward on Monday February 17 2014, @06:47PM
by Anonymous Coward
on Monday February 17 2014, @06:47PM (#937)
the cost for the visitor, in electricity bill, is much higher than the revenue the site gets though. It would be interesting to see a calculation of how much is spent in resources and money per generated revenue for this, but also for normal advertising damaged websites: to cover the cost of sending 10kb, how many kb is sent?
I bet it quite depressing to read though, just like when 1/3 of it is used up to extract the oil... only this time it is 95%?
(Score: 2, Interesting) by furiousoyster on Monday February 17 2014, @02:17PM
I hadn't heard of Tidbit before. It sounds like a really good idea: a non-obnoxious way of generating revenue from web-traffic at a negligible cost to visitors.
Can anyone else explain what's going on with this case? The article doesn't say much about why the Tidbit folks are being subpoenaed, except that "out-of-state authorities ... were concerned Tidbit may have breached the security of people's computers through unauthorized access." Why on earth would they think that?
(Score: 3, Informative) by isaac on Monday February 17 2014, @02:23PM
FTA: "'[New Jersey] recently used consumer protection laws to secure a $1 million settlement from a gambling website that turned its users’ computers into a botnet to mine for Bitcoins without the users’ knowledge,' wrote Fakhoury. 'It appears the state suspects Tidbit of something similar here, despite the fact Tidbit’s code was only a proof of concept that could not mine for Bitcoins, and despite the fact Tidbit was clearly not planning to develop code that mined without a user’s knowledge and consent.'"
Someone got wind of Tidbit in the NJ AG's office and smelled another potential settlement.
(Score: 1) by isaac on Monday February 17 2014, @02:26PM
Blech, smartpostrophes pasted in look like garbage - and the "Slow Down Cowboy" threshold is a bit aggressive.
(Score: 1) by Wodan on Monday February 17 2014, @02:29PM
Guess the utf-8 support isn't entirely there yet, but at least they're trying!
(Score: 2, Insightful) by weilawei on Monday February 17 2014, @07:09PM
(Score: 1, Insightful) by Anonymous Coward on Monday February 17 2014, @02:27PM
The problem is that in the long run, it's not a negligible cost. It's a process that consumes data, CPU and/or GPU cycles and electricity. I don't know how much resources it consumes when compared to a webpage displaying ads, but the trend should not be to replace one resource sipper (or sucker) with another.
(Score: 1) by dilbert on Monday February 17 2014, @02:31PM
In slashdot beta, javascript mine you!
(Score: 2, Informative) by bopal on Monday February 17 2014, @02:44PM
If your page has 1000 users per day that can mine at 5Mhash/s (assuming CPU mining, tidbit uses an asm.js miner),
you have a hash rate of 5Ghash/s per day. Let every user mine for 10 seconds and according to you have 5.20USD of revenue.
(Score: 2, Interesting) by githaron on Monday February 17 2014, @02:51PM
Out of curiosity, does anyone how out much 1000 users are likely to net per day on average using ads?
(Score: 5, Informative) by githaron on Monday February 17 2014, @03:14PM
(Score: 2, Informative) by githaron on Monday February 17 2014, @03:23PM
It seems that right now, their implementation is fairly inefficient (1 penny per 24 hours run [venturebeat.com]). They are apparently planning on tapping into WebGL in order to move to GPU processing.
(Score: 2) by githaron on Monday February 17 2014, @02:47PM
Websites have get income somehow or they will eventually go lights out. Hosting, maintenance, and electrcity are not free. Ads have been the dominate way but unless increased costs are significant I could see the majority of users preferring computing networks like Tidbit.
(Score: 2, Insightful) by Anonymous Coward on Monday February 17 2014, @02:56PM
Hi, same AC here (I tried to make an account but no password has been emailed yet).
I understand the costs associated with running a website. But the issue is the hidden fee that the visitor is forced to pay, either through ads, by mining for virtual currency or by sending spam (the next logical step). It seems like a very inefficient way to make money: you provide content, but have to use a complex system to get paid for the content. Ads have to be created, electricity has to be used to mine for virtual currency, data has to be used to transfer all of this - all at the cost to the visitor. Why not just charge the visitor a fee and be done with it? Why hide the fee behind a complicated system? Do we really need a middle man - or several - to achieve this?
(Score: 2, Insightful) by githaron on Monday February 17 2014, @03:04PM
I could see a site charging a fee as an option that disables ads and mining but not as the only option. In most cases if you create a site that has fees as its only way of membership, someone else will probably come along with a nearly equivalent "free" version that a majority of potential users will go to instead. It is a lot easier to get people to try/use something when it is "free".
(Score: 1) by furiousoyster on Monday February 17 2014, @03:34PM
You make it sound like paying a fee is less complex or cumbersome than looking at an ad or running some virtual currency mining scripts. It's not.
(Score: 1) by weilawei on Monday February 17 2014, @07:29PM
Ads can be served off a single host, with no interaction or legal snafus from handling customer data. Finally, bitcoin mining pushes the complexity to an individual user, with none of the issues of storing personally identifiable information. The actual volume of code to be run for mining could be far smaller than that for payments, and depending on the ad system, less than that.
(Score: 1, Informative) by Anonymous Coward on Monday February 17 2014, @07:38PM
(Score: 2, Interesting) by internetguy on Monday February 17 2014, @03:13PM
Websites have get income somehow or they will eventually go lights out. Hosting, maintenance, and electrcity are not free. Ads have been the dominate way but unless increased costs are significant I could see the majority of users preferring computing networks like Tidbit.
Maybe the world-wide-web Internet was designed wrong and a peering model is a better approach.
Sig: I must be new here.
(Score: 1) by githaron on Monday February 17 2014, @03:26PM
Explain.
(Score: 3, Insightful) by tibman on Monday February 17 2014, @02:56PM
It is certainly interesting though. Given the choice, would you take 10 seconds of cpu usage or lose a small part of screen space?
SN won't survive on lurkers alone. Write comments.
(Score: 5, Insightful) by dilbert on Monday February 17 2014, @03:07PM
The problem is that they'll never be satisfied with just 10 seconds of CPU time. Next week it will be 11 seconds, and next year 30+.
I remember when Hulu first started, they had 15 second commercials 2-3 times a show, now it's usually 120+ seconds 4-5 times a show.
Where does the slippery slope take over? Unless the user can determine how many seconds to allow, the system is broken.
(Score: 2, Insightful) by githaron on Monday February 17 2014, @03:34PM
They can't mine if you don't have their website open. How are they going to increase the time? Hulu is designed to strong arm you into watching the ads or not recieve the rest of the video. I doubt most text-based content websites could get away with something similar for very long.
(Score: 4, Insightful) by cx on Monday February 17 2014, @03:39PM
Fully agree. The law of diminishing returns sets in pretty fast and then it is an ugly race to the bottom.
But even more important, letting random sites run cpu heavy js is more uncomfortable than seeing an ad or two. I just wouldn't visit such a site (without noScript anyway).
Web is diverging to two poles for a long time; free-for-all-ad-and-malware-infested-stuff and gated-gardens (money or other-wise). What can't be monetized (or supported by other means, like business sites) and doesn't have a strong community will die. And that's ok.
Participate or consume, the choice is upon you.
- cx -
(Score: 2, Informative) by ArhcAngel on Monday February 17 2014, @04:19PM
Actually Hulu only had 15 second commercials because that was all advertisers were willing to pay for on the as yet unproven site. There were also only a handful of advertisers at the time. You would see the same ad numerous times during a viewing opposed to multiple different ads today. Once it got traction advertisers were stepping up and Hulu increased the duration and frequency accordingly.
(Score: 1) by furiousoyster on Monday February 17 2014, @05:02PM
I don't think this is a very serious concern. Just as there are diminishing returns as a site increases the number of advertisements it pushes on visitors, so also will there be diminishing returns when a site increases the amount of computing power it consumes. When people reach their pain threshold, they'll take steps to limit the pain--either by going elsewhere or by blocking the mining script. It's up to site owners to find the sweet spot that is profitable without being intolerable to visitors. The slope may be slippery, but it's not endless.
Isn't the real question here whether the pain of energy loss is worse than the pain of dealing with advertisements? I can imagine all kinds of circumstances when I'd prefer give to up CPU cycles/battery life than have my time or screen space wasted.
(Score: 2, Interesting) by cx on Monday February 17 2014, @06:00PM
Respectfully, I disagree. We already have very limited capability to limit what particular site/application can do, without going to trouble of router/dns level control. There are also cases where denying behavior application/site doesn't really need breaks the functionality (my way or the highway). In other words, you are technically not in a position to say 'It is ok for you to mine bitcoins as I read your article, but only that. Don't send out spam, don't talk to random services, don't do ANYTHING else.'
Situation where it is considered normal that every random site you visit runs random CPU-heavy code on your machine is not something I'd be looking forward to. Yes, it is already happening now that a stupid page requires 5 megs of js across 10 domains, and I actively avoid such sites; once everyone starts doing it I will not have such luxury.
(Score: 2, Funny) by weilawei on Monday February 17 2014, @07:56PM
(Score: 1) by furiousoyster on Monday February 17 2014, @08:12PM
I'm not sure I understand what you mean. The mining scripts under discussion use Javascript and are subject to exactly the same privileges and restrictions that already exist for Javascript in the browser. Tidbit doesn't change what a site can do with your computer at all. Or am I missing something?
(Score: 2, Interesting) by cx on Monday February 17 2014, @09:37PM
Script mine_coins.js might do that at some point in time on a site A. However, that might change. Unless you inspect the script every time you load it, you won't know now, will you?
So we have a script that does something which has to be communicated back to the site (otherwise how do they get the results of the work). But it might communicate it to another site (cause they use different domain for computation results processing, to 'streamline the process'). Tomorrow it will be upgraded to communicate with multiple other machines (in order to more efficiently process the workload, yadda, yadda). Call me paranoid but that spells botnet to me.
Now security.
First, it is easier to hide nefarious stuff in 5 (10? 50?) megs of math heavy code than in a two page straightforward DOM manipulation library.
Second, even if we consider your machine is protected from rooting/snooping by whatever sandbox the browser of your choice implements, it doesn't protect the rest of the world from actions originating from your machine.
Third, considering heavy CPU load normal when you browse the net is a great incentive for malicious people to replace legit scripts on servers you access with something else. Today every time my computer slows down for no obvious reason, I go through running processes to find the culprit and then check what that process(es) talk to. But if every site I visit ramps up my CPU load significantly, I will get used to it. Mining bitcoins? Participating in DDOS? Cracking passwords? I wouldn't know unless I check every time.
(Score: 2) by NovelUserName on Monday February 17 2014, @05:23PM
Isn't this what script blockers are for? If the mining script is too invasive, then more users will use script blockers and the return per user drops.
It seems to me that this is basically the same situation as ads with malware. The higher the incidence rate of malware, the less people actually see ads. This means that ad companies have some incentive to keep their 'product' clean.
Cheers
(Score: 4, Insightful) by Common Joe on Monday February 17 2014, @05:29PM
I think this is where we've gone wrong with both computers and the Internet. It's my computer and I don't have an easy way to show what choices I want to make when I visit a website. There are no negotiations. There's a lot of my-way-or-the-highway attitude. A lot of times, there is no way to even suggest things to a website about what I'd like.
Sometimes I want ads. Sometimes I don't. If I want ads, there's no way to specify what kinds of ads (jpg vs flash or car vs food) that I want.
(Score: 1) by tibman on Monday February 17 2014, @05:54PM
Slashdot (is it allowed to say that word?) was the first site i've ever seen that made advertisements optional. It is still the only site i know of.
SN won't survive on lurkers alone. Write comments.
(Score: 2, Interesting) by No Respect on Tuesday February 18 2014, @01:18AM
I never want ads. And I don't negotiate, either, so on that front it is my way or the highway. I will stop going to a website if they try to force me to look at ads. This is something I end up doing occasionally and to be honest, I don't feel as though anything of value has been lost on my end.
(Score: 0) by Anonymous Coward on Monday February 17 2014, @06:47PM
the cost for the visitor, in electricity bill, is much higher than the revenue the site gets though. It would be interesting to see a calculation of how much is spent in resources and money per generated revenue for this, but also for normal advertising damaged websites: to cover the cost of sending 10kb, how many kb is sent?
I bet it quite depressing to read though, just like when 1/3 of it is used up to extract the oil... only this time it is 95%?