Coinhive Mining Incident

Written by Kalan

This post is translated by ChatGPT and originally written in Mandarin, so there may be some inaccuracies or mistakes.

On January 20, 2022, the Supreme Court issued a verdict of not guilty in the Coinhive case. We sincerely thank everyone for their support throughout this process. — Japan Hacker Association (@JapanhackerA) January 20, 2022

Today, the most talked-about news in Japan's software development community is undoubtedly the "Coinhive Incident." This lawsuit arose because a website operator embedded mining scripts on their site, which would start mining when users visited the page. This action led to charges of "improper electromagnetic recording (obstruction of computer use)," sparking a series of legal proceedings.

The significance of this lawsuit for developers lies in the fact that we, as web developers, are often the ones who interact most directly with users. With just a domain and a server, anyone from around the world can freely browse the webpages we create, but this also comes with risks. The thought of having your own code unjustly deemed guilty is a terrifying prospect for any developer.

Developers tend to be well educated and relatively well paid, so they are typically law-abiding citizens without criminal records. Few have ever considered the possibility of ending up in court, let alone imagined being arrested and having the tools of their trade confiscated. Facing police questioning and giving official statements is also overwhelming for anyone without experience: people inadvertently make self-incriminating statements, or assume that if they just explain themselves well enough, the authorities will understand. Unfortunately, this often leaves them with no way to clear their names no matter how much they explain. In Taiwan, one can meet with a lawyer during questioning, but in Japan, individuals must face the police alone, which greatly increases the pressure. [1]

Even if ultimately found innocent, the mere process of attending court, consulting with lawyers, and bearing legal fees can impose significant financial and psychological burdens, profoundly impacting one's life.


Overview of the Incident

The individual in question operated a website with an average monthly traffic of about 30,000 visitors. They believed they could use embedded mining scripts as a revenue stream to cover operational costs. The service they used, Coinhive, provided mining scripts that would automatically execute when users visited the site.

To explain the mining principle briefly: when a transaction is broadcast, miners compete to validate it by solving a computational puzzle that requires substantial processing power, and a miner who succeeds receives a small amount of cryptocurrency as a reward. Anyone with a CPU can attempt this calculation, which is how JavaScript running in a browser can use a visitor's CPU for mining. Compared with specialized mining rigs and GPUs, however, the returns from this method are minimal. According to the verdict, the individual earned only 800 yen.
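The puzzle described above, as an added educational example that is not code from the original post, from Coinhive, or from any real coin: a toy proof of work over SHA-256 (the digest, nonce encoding and leading-zero-bits rule are constructed for this illustration). It shows that finding a solution costs roughly 2^difficulty hash attempts while checking one costs a single hash, which is why a single browser CPU's share of any reward is tiny.

```python
import hashlib
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def verify(data: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is one hash, however long the search took."""
    digest = hashlib.sha256(data + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty_bits


def find_nonce(data: bytes, difficulty_bits: int) -> tuple:
    """Brute-force search for a valid nonce; returns (nonce, hashes_tried)."""
    nonce = 0
    while not verify(data, nonce, difficulty_bits):
        nonce += 1
    return nonce, nonce + 1


if __name__ == "__main__":
    # Constructed sample input standing in for a batch of transactions.
    block = b"constructed sample transaction batch"
    for bits in (8, 12, 16, 18):
        start = time.perf_counter()
        nonce, tried = find_nonce(block, bits)
        elapsed = time.perf_counter() - start
        # Expected work roughly doubles with every extra bit of difficulty.
        print(f"{bits:2d} bits: nonce={nonce} tried={tried} "
              f"(~{2 ** bits} expected) in {elapsed:.2f}s")
```

Real networks set the difficulty so that the whole network needs minutes per solution, so the expected number of hashes is many orders of magnitude beyond what a visitor's browser can contribute.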

Subsequently, the individual was prosecuted by the public prosecutor. Acquitted in the first trial, they were found guilty in the second trial at the Tokyo High Court. Finally, today, the Supreme Court ruled in favor of the individual with a not guilty verdict [2]; the judgment is available online.

Although users were not informed in advance that the mining program existed, which went against their intent, using visitors' computers to a certain degree without prior consent is similar to online advertising. "This falls within the socially acceptable range," all five judges unanimously agreed. The Supreme Court did not broadly permit such actions but limited its ruling to this specific case. If the intent were malicious, criminal responsibility could still apply.

Original text: Although the viewers were not informed in advance about the existence of such programs, which went against their intention, the method of utilizing users' computers to a certain degree without prior consent was deemed similar to online advertising. "It falls within the socially acceptable range," concluded the five judges unanimously. However, the Supreme Court did not generalize this behavior as acceptable but merely ruled not guilty in this incident. If the purpose is malicious, criminal liability might be questioned.

Excerpt from Nikkei News [3]

Key Discussion Points

The crux of the entire legal battle revolved around the legitimacy of this action—specifically, whether it constituted "improper use" and violated "user intent" as defined under Article 168-2 of the Penal Code (improper electromagnetic recording, etc.) [4].

An improper command is defined as an electromagnetic record that gives a computer instructions not in line with the user's intent, or that causes the computer to act contrary to that intent.

While the law mentions "improper use," the definition of "improper use" cannot be judged solely based on the program's content; it must also consider the circumstances at the time of the event and its impact on users.

Regarding improper use, mining scripts might feel uncomfortable for the average user, as their CPU resources are being utilized without consent. However, the judgment pointed out that the defendant had reduced CPU usage, and it also noted that cases where users were not informed, such as with online ads, are similar. Therefore, while such actions may not be well-received, they did not cause actual loss to users or unlawfully acquire personal data; simply closing the tab would halt the mining process immediately.

From the perspective of violating "user intent," the defense argued that although users were not informed in advance about the mining script, services like Google Analytics and ads also typically operate without user consent. This behavior is widely accepted in web browsing, and thus mining scripts should fall within the recognized scope. If the verdict were based on "not informing the user," then every developer present would likely be guilty.

Supplementary Information

1. About the Coinhive Mining Script

The defendant initially sought to remove ads from their website and instead used the Coinhive mining script as a revenue source to maintain operational costs. A side note is that Coinhive had updated its script and terms of service to require user consent before mining. However, the defendant was unaware of this announcement and continued using the original mining script. They received a private message on Twitter suggesting the inclusion of user consent terms to avoid gray areas but ultimately found implementing user consent too cumbersome and removed the mining script altogether. (The script was in place for about a month and a half.)

2. Police Search and Interrogation

In February of the following year, the police contacted the defendant, and one day they raided their home, starting a search without providing any explanation and confiscating their phone and computer. During questioning, the police employed high-pressure tactics to compel the defendant to confess. [5] The prosecutor initially sought a 100,000 yen fine under a simplified indictment, but the defendant contested it, leading to a formal trial. However, considering transportation and legal fees, the total expenses were likely to exceed 100,000 yen.

The difference between simplified and formal trials is that in a simplified trial, the court only reviews the prosecutor's documents without holding additional hearings or allowing both parties to speak. Cases like overdue utility payments can conclude in just minutes. In contrast, formal trials involve actual court appearances, resembling courtroom dramas with back-and-forth arguments between the defense and prosecution, which require significantly more time.

3. Appeals and Opinions

In the second trial, the defendant was found guilty. However, to appeal to the Supreme Court, a "special appeal" was necessary. A significant hurdle is that the Supreme Court generally reviews only whether the law was applied correctly and does not re-examine the facts of the case or request further investigations.

To facilitate the appeal, the defendant and their defense lawyer gathered opinion statements from various engineers through the Japan Hacker Association (日本ハッカー協会) [6], attempting to persuade the Supreme Court to accept the case.

Conclusion

As web developers, we often experiment with new technologies to deepen our understanding and expertise. However, for most police officers, prosecutors, and judges, computers are not their area of expertise; they may not grasp the details and may label an action "guilty" out of insufficient understanding. The general public may likewise presume guilt because they do not understand the underlying principles. Given the recent surge in cryptocurrency scams, incidents of computer-related crime are likely to become increasingly common, with developers being the first to face the repercussions.

Most police officers, lawyers, and judges lack deep knowledge in this field, and the inherent complexity can create obstacles in legal proceedings. Additionally, during interrogations, police often misinterpret the defendant's technical explanations (such as confusing "head" with "header," etc.) [7]. If developers are not in the right mindset, they can easily face overwhelming pressure. Moreover, a developer's honest and respectful attitude towards professionals can lead them to feel manipulated by the police during interrogations, resulting in records that work against them, making it incredibly difficult to reverse the situation later on. After reading the news, I believe it serves as an excellent opportunity for developers to reflect on how they would handle similar situations.

Postscript

After sharing this article in a frontend community [8], I was somewhat disappointed by some of the comments and reactions, but it also highlighted that this area is indeed a gray zone, prone to divergent opinions and controversies. Given that the discussion is rooted in legal perspectives, it often strays away from technical matters, serving as a valuable learning experience. Initially, I thought that as developers, most of us never considered the possibility of being approached by police or having to go to court. Since this incident is a hot topic in Japan, I felt it was worth sharing.

Comments like "this argument is disgusting" made me wonder if that's how you usually communicate with colleagues? Since the prevailing sentiment in the community was clear, further discussion became impossible and only devolved into a war of words, so I refrained from commenting further.

Some comments were quite insightful, approaching the issue from a user experience perspective, arguing that users should be informed about such behaviors. Others expressed concern about the potential impact or harm to internet culture.

Additionally, the original text and the judgment repeatedly mentioned that the defendant had actively reduced CPU usage to a level users would not noticeably feel (the judgment stated 50%, which is still quite significant). Although no data on the actual operation are available, I believe assessing the impact is quite subjective. The judgment indicated that the impact was not significant; judging this special case (where the defendant did reduce CPU usage) by the general impression of a mining script (a CPU fan spinning up wildly) would be problematic.

I want to provide a legal perspective; some comments suggested, "Why isn't it a crime to mine using someone else's resources?" This raises several questions.

Firstly, both the original text and the judgment emphasized that not all mining is innocent; the ruling applies specifically to "this incident" and falls within socially acceptable boundaries. The text also noted that the defendant made adjustments to parameters to prevent excessive CPU usage. While mining scripts often have a negative perception, the question remains: should the degree of impact lead to criminal liability? This needs to be discussed on a case-by-case basis.

The defendant's initial intention was to remove ads and replace them with mining scripts to cover operational costs. By substituting ads with mining scripts, the operator benefits, which could lead to enhanced website funding and ultimately improve user experience—this approach can indirectly benefit users, making it a well-intentioned act. Although CPU usage increased, for me, this is a matter of proportionality. Therefore, whether or not a crime occurred should depend on intent, proportionality, circumstances, and actual impacts, rather than a blanket judgment simply based on the act of mining. The defendant did not profit significantly from mining.

Another issue is the ambiguity in legal definitions. In Japan, "improper electromagnetic recording," which includes "improper use" and "violation of user intent," features vague definitions that can lead to many disputes. Some believe such ambiguous laws can easily lead to abuse. This case dragged on for 3 to 4 years before reaching a conclusion, but for the average person, having a potential criminal label hanging over them for that long, along with doubts from colleagues and neighbors, can be torturous.

Comments also indicate that some developers need to strengthen their legal knowledge. It's essential to clearly define which laws are being violated and the elements of the crime to discuss it properly, rather than relying on one's "feelings" to determine guilt. Developers should indeed have a deeper understanding of the principles behind their work. Shouldn't we clarify specifications before developing features?

User Perspective

Some have suggested that any behavior not anticipated by users should be disclosed. While this is thoughtful, seeing countless websites with cookie consent dialogues makes me question whether this is truly what users want. When visiting a website, first being asked about cookies, then about ads, and finally about mining—if any of these are denied, access is restricted? Another thought is: does simply asking make it acceptable?

My blog has neither ads nor mining scripts because I believe the trade-offs to user experience are too significant. However, I do support advertising; many developers who run websites rely on ad revenue to keep them operational, which is why I don’t use AdBlock, and I even bought a YouTube Premium subscription to support creators.

Nevertheless, I personally dislike mining scripts. Even though we are now in an era of performance excess, letting others use CPU resources without consent is still unappealing. However, I believe it's crucial to differentiate between negative perceptions, moral judgments, and criminal liability. People often conflate these issues, because condemning something outright requires little thought.

I don't wish for mining scripts to become mainstream, but I welcome exploring new revenue models that allow websites to operate sustainably while providing a good user experience (like SocialFi, LikeCoin, Buy me a coffee, etc.). Developers should feel encouraged by this. As we navigate the front lines of the internet, our expertise enables us to see the essence of how things work rather than merely relying on feelings to judge.

Coinhive's shutdown partly reflects that this operational model is not very effective; aside from the excessive CPU resources it demands, its acceptance rate among typical users is low, and its mining efficiency is genuinely poor. Running a mining script through a browser and JavaScript environment (though reportedly Coinhive used WebAssembly) pales in comparison to setting up a dedicated mining rig or simply running ads, which are far more profitable.

Footnotes

  1. To be precise, there are no legal provisions guaranteeing the right to meet with a lawyer during interrogation. However, in Taiwan, Article 34-2 of the Criminal Procedure Law states: "The defense counsel's access to or correspondence with defendants or suspects detained during investigations shall not be restricted."

  2. https://www.courts.go.jp/app/hanrei_jp/detail2?id=90869

  3. https://www.nikkei.com/article/DGXZQOUE178IR0X10C22A1000000/

  4. https://www.soumu.go.jp/main_sosiki/joho_tsusin/security_previous/kiso/k05_02.htm

  5. https://twitter.com/itm_nlab/status/1096620265633660928

  6. https://www.hacker.or.jp/coinhiveopinion/

  7. https://twitter.com/moritomoya/status/1090590741783445505

  8. https://www.facebook.com/groups/f2e.tw/posts/4673733325997329/
