Kalan's Blog


Software Engineer / Taiwanese / Life in Fukuoka

Please notice that currently most posts are translated by AI automatically and might contain lots of confusion. I'll gradually translate the posts ASAP.

Coinhive Mining Incident

Today, the biggest news in the Japanese software development community is the "Coinhive case." The prosecution targeted a website operator who had placed a mining script on his website, which started mining whenever a user visited one of its pages. The act was charged as "unlawful creation or provision of an electromagnetic record with improper commands (a computer-virus offense)" and led to a series of legal proceedings.

The significance of this case for developers is that we, as web developers, are the ones who interact most closely with users. With a domain and a server, anyone in the world can freely browse the pages we write. That freedom also comes with risk, and as developers it is terrifying to have our own code inexplicably judged as a crime.

Developers generally have higher education and relatively high incomes. They usually abide by the law and have no criminal record. They have never contemplated going to court, or imagined being arrested and having the equipment they make their living with confiscated by the police. On top of that, when facing police investigations and questioning, inexperienced people are prone to nervousness: they may make self-incriminating statements, or believe that if they just explain things well enough the police will understand, and end up in a difficult position. In Taiwan, a lawyer can be present during questioning and the statement can be given together; in Japan, the suspect faces the police alone, which adds even more pressure.[1]

Although the final verdict was not guilty, the financial and mental cost of the process itself (consulting lawyers, defense fees, and so on) is enough to have a significant impact on one's life.


Summary of the Case

The person involved operated a website with approximately 30,000 monthly visitors. They believed they could use a mining script as a source of income to cover the expenses of running the website. They used a service called Coinhive, which provided mining scripts. Website operators only needed to insert the script into their web pages, and it would automatically execute when users visited the pages.

Here, let me briefly explain the principle of mining. When transactions are broadcast, miners compete to perform the calculation that confirms them and packages them into the next block, and this calculation consumes a significant amount of computing power. Whoever completes the calculation successfully receives a small amount of cryptocurrency as a reward. Anyone with a CPU can perform this calculation, so a JavaScript script executing in the browser can use the visitor's CPU for mining. Compared with dedicated mining rigs and GPUs, of course, this method yields only minimal returns: according to the court's description, the person involved earned only 800 yen.

The person involved was subsequently prosecuted. He was found not guilty in the first trial but guilty in the second trial at the Tokyo High Court. Finally, today, the Supreme Court ruled him not guilty,[2] and the court's decision can be read online.

Users were not informed in advance that the mining program existed, and on that point it did run against the user's intention. However, like online advertisements, which also execute scripts without prior consent, it was judged to fall within the "socially acceptable range." The five judges were unanimous. The Supreme Court did not permit such behavior in general; the ruling applies only to this specific case, and if the purpose is malicious, criminal liability still applies.

Excerpt from Nikkei Shimbun[3]

Excerpt from Nikkei Shimbun3

Key Points of Discussion

The main focus of the litigation was the legitimacy of this behavior, specifically whether it constituted "improper use" and violated the "user's intention" (Article 168-2 of the Penal Code).[4]

"Electromagnetic records that give instructions that are not in line with the user's intentions or give instructions that violate the user's intentions when using a computer."

Although the law uses the words "improper use," whether a program constitutes improper use cannot be determined from the content of the program alone. It must be judged from the circumstances of the incident and the impact on users.

Regarding the issue of improper use, mining scripts may make the general public uncomfortable as their CPU resources are used without their knowledge. However, according to the court's decision (referring to the previous excerpt), the defendant intentionally reduced the CPU usage, and the court also mentioned cases where users were not informed, such as online advertisements. Therefore, although this behavior may not be well-received, it did not cause actual losses to users or unlawfully obtain their personal information. Users could simply close the browser tab to stop the mining.

Furthermore, regarding violation of the "user's intention," the defense argued that although users were not informed in advance about the mining script, similar things such as Google Analytics and advertisements are also executed without user consent. In web browsing this is generally accepted behavior, so a mining script should also fall within the acceptable range. If "failure to inform the user" alone were enough for a guilty verdict, then every developer would be guilty.

Additional Information

1. About the Coinhive Mining Script

Initially, the defendant wanted to remove advertisements from his website and replace them with a mining script to generate income to cover the expenses of running the site. At one point Coinhive updated its script and terms of service to require "user consent" before mining, but the defendant was not aware of this announcement and continued to use the original mining script. The defendant also received private messages on Twitter advising him to add a user-consent step to avoid any gray area, but in the end he found implementing user consent too troublesome and decided to remove the mining script (after running it for one and a half months).

2. Police Searches and Statements

In February of the following year, the defendant was contacted by the police, and one day they conducted a sudden search of his home without any explanation and confiscated his mobile phone and computer. During questioning, the police used high-pressure tactics to demand that the defendant show remorse.[5] Initially, the prosecutor proposed a summary procedure with a fine of 100,000 yen ("ryakushiki kiso" in Japanese), but the defendant refused, resulting in a formal trial. Considering transportation and legal fees, however, the total cost would likely exceed 100,000 yen.

The difference between a summary procedure and a formal trial is that in a summary procedure, the court only reviews the prosecutor's documents without holding additional hearings or allowing both sides to speak. For clear-cut cases like utility bill collection, it can be concluded in a matter of tens of minutes. In a formal trial, on the other hand, the court proceedings resemble those seen in Japanese dramas, with back-and-forth arguments between defense attorneys (or prosecutors), and it takes more time to complete.

3. Appeals and Expert Opinions

The defendant was found guilty in the second trial. To take the case further, to the Supreme Court, an "extraordinary appeal" was required. One significant obstacle is that the Supreme Court usually reviews only whether the law was applied correctly; it does not re-examine the facts of the case or allow further investigation.

To improve the chances of the appeal being accepted, the defendant and defense lawyers collected opinions from engineers of all backgrounds through the Japan Hacker Association (日本ハッカ協会),[6] attempting to persuade the Supreme Court to take the case.

Conclusion

As web developers, we strive to explore new technologies and deepen our understanding and expertise. For most police officers, prosecutors, and judges, however, computers are not their area of expertise, and they may not have all the necessary knowledge. They may mistakenly label something as "guilty" because of that limited understanding. Likewise, the general public may presume guilt out of a lack of understanding. The rising number of cryptocurrency scams in recent years also indicates that computer-related crime will only continue to grow, and as developers we are at the forefront.

Police officers, lawyers, and judges mostly lack understanding in this area, and that lack of expertise can create obstacles during legal proceedings. Even during statements, the police often misunderstand the defendant's technical explanations (such as confusing "head" and "header").[7] Developers who go in with a pessimistic mindset can easily break down. Conversely, developers with an honest and respectful attitude are more likely to be led by the police during questioning into making statements unfavorable to themselves, making the situation even harder to reverse. After reading the news, I believe this is a good opportunity for developers to think about how they would handle such a situation if they encountered it.

Afterword

After sharing this article in a frontend community,[8] some of the comments and reactions were quite disappointing, but they also helped me understand that this is indeed a gray area, prone to differences of opinion and controversy. Moreover, discussing it from a legal perspective in a technical community easily loses focus and turns into a war of words. Therefore, I did not continue commenting.

There were a few good comments that approached the issue from a user experience perspective, believing that actions like this should be disclosed. Some people think that the concern about this behavior lies in the impact or harm it may have on internet culture.

Also, the article and the court decision mentioned several times that the defendant actively reduced CPU usage to a level users would not noticeably feel (the court document described it as 50%, which is still quite significant). Although there is no data on the actual impact, I believe how significant it was is subjective. The court's opinion was that it did not have a significant impact. If someone insists on applying a general rule (the CPU fan running at full speed) to this specific case (where the defendant actively reduced CPU usage), then there is nothing I can do about it.

I would like to provide some additional information from a legal perspective. Some comments mentioned, "Why isn't using someone else's resources to mine for profit considered a crime?" This actually points out several issues.

First, the original article and the court decision both stated that not all mining is considered not guilty. The conclusion was that the behavior fell within the "socially acceptable range" in this specific case. The article also mentioned that the defendant intentionally adjusted the parameters to reduce CPU usage. Yes, mining scripts generally leave a negative impression, but whether they give rise to criminal liability depends on intent, proportionality, the circumstances at the time, and the actual impact, rather than opening fire the moment mining is mentioned. The defendant did not mine for significant profit.

Another issue is the definition in the law. In Japan's "unlawful creation or provision of an electromagnetic record with improper commands (computer-virus offense)," terms such as "improper use" and "violation of the user's intention" are quite ambiguous. These unclear definitions lead to many controversies, and some people believe that such ambiguous laws can easily be abused. This also shows the cost of that ambiguity: the trial lasted three to four years before a verdict was finally reached. For an ordinary person, being suspected of a crime for three to four years brings questioning from colleagues and neighbors and the scrutiny of the people around them. These are all tormenting experiences.

From the comments, it is evident that some developers need to improve their legal knowledge. Before discussing, it is necessary to define clearly which crime is alleged and what elements constitute it. Guilt should not be judged solely on personal "feelings," especially since developers ought to have a deeper understanding of the underlying principles. Don't we clarify the spec before developing a feature?

User Perspective

Some people mentioned that any behavior the user does not expect should be disclosed. Although this is considerate, seeing the countless websites with cookie consent dialogs makes me doubt whether this is what users actually want. Imagine opening a website and being asked about cookies, then about advertisements, then about mining; and if the answer is no, is access to the website denied? Another thought: is simply asking sufficient?

Although my blog does not have any advertisements or mining scripts because I believe the sacrifice in user experience is significant, I support advertisements. Many developers who create websites for free rely on advertising revenue to sustain their operations. Therefore, I do not use AdBlock, and I also purchased YouTube Premium to support creators and enjoy ad-free content.

However, I also dislike mining scripts. Although we now live in an era of surplus computing power, letting others freely use CPU resources still feels unpleasant. But one thing I believe is important: the negative perception, the moral judgment, and whether something constitutes a crime should be considered separately. People tend to lump them together, since handing down a "death sentence" requires no thought.

I do not want mining scripts to become mainstream, but being able to move away from online advertisements and explore new revenue models that can sustain website operations while providing a good user experience is a positive development (such as SocialFi, LikeCoin, Buy me a coffee, etc.). As developers, we should feel happy about it. We, at the forefront of the internet, have the ability to understand the essence of how things work, rather than relying solely on feelings for judgment.

The closure of Coinhive also indicates that this method was not very effective. Besides consuming excessive CPU resources, acceptance among users was low. Furthermore, the efficiency of mining in a browser, within JavaScript's execution environment (although I heard Coinhive used WebAssembly), is far below that of dedicated mining machines, and simply displaying advertisements earns more.

Footnotes

[1] More precisely, there is no legal provision guaranteeing the right for the accused to meet with a lawyer. However, in Taiwan, Article 34-2 of the Code of Criminal Procedure stipulates: "The defense counsel may meet or exchange letters with the accused or the suspect during the investigation or arrest, and this right shall not be restricted."

[2] https://www.courts.go.jp/app/hanrei_jp/detail2?id=90869

[3] https://www.nikkei.com/article/DGXZQOUE178IR0X10C22A1000000/

[4] https://www.soumu.go.jp/main_sosiki/joho_tsusin/security_previous/kiso/k05_02.htm

[5] https://twitter.com/itm_nlab/status/1096620265633660928

[6] https://www.hacker.or.jp/coinhiveopinion/

[7] https://twitter.com/moritomoya/status/1090590741783445505

[8] https://www.facebook.com/groups/f2e.tw/posts/4673733325997329/
