Rubin v. NJ (Tidbit):

The Resolution

Free at last.

I’m excited to share the news that the New Jersey Attorney General has dropped the investigation into Tidbit — a proof of concept application I created as an undergraduate at MIT. As an Electrical Engineering and Computer Science student who just finished a grueling semester last week, I’m relieved to no longer have this hanging over my head!

While I am personally relieved, I’m also sad that my ‘showdown’ with the State of New Jersey went so far in the first place. I want to be sure that future tinkerers and MIT undergraduates will never have a similar experience.

As the Superior Court of New Jersey clearly stated in response to our motion to quash (hence we are the Plaintiff, the state is the Defendant):

The Court has serious concerns that the Defendant, with this investigation, may be acting to discourage creative and “cutting edge” new technology. From the evidence before the Court, it appears that the Tidbit program and other similar creative endeavors serve a useful and legitimate purpose. There is nothing presented to the Court that evidences an inherently improper or malicious intent or design by Plaintiff. Rather, Tidbits appears to be an instrumentality or tool that has great potential for positive utility.

Before I talk about the adverse impacts of the New Jersey Attorney General’s prosecutorial actions, I want to explain what Tidbit was and what we hoped to achieve. Tidbit’s design hoped to eliminate the need for advertising on websites, also eliminating the incentives for websites to violate their users’ privacy to make advertisements more lucrative. To do this, if a site installed our plugin, when you visited their site, the plugin could use spare processing power to mine digital currency to pay for the content. The benefit to the end user is that it increases privacy and reduces the amount of annoying ads. This was, of course, in theory. We never produced fully functioning code.

We thought that eliminating advertisements was a very noble goal. Many web services companies collect massive amounts of data about their users to make them more valuable targets for advertisers. This targeted advertising is the model employed by giants like Google, Facebook, and Amazon. It boils down to a process by which corporations optimally “infect the minds” of the viewer into viewing a brand favorably or making a purchase. Oftentimes, users are not even aware of the data that these companies are collecting and how advanced the machine learning algorithms are. The most striking example of this to me is Target’s ability to predict pregnancies and advertise to women who were not yet aware that they were pregnant. To me, these practices are not morally ambiguous; they are unethical. Furthermore, the establishment of these datasets constitutes a large security and privacy risk as many of these institutions face a variety of attacks to get their users’ private information. Something like Tidbit would provide a mechanism for directly incentivizing websites without having to violate users’ privacy. But with the onus and threat posed by the subpoena, our team was not able to bring this vision to fruition.

Presently, another company is planning to utilize consumer devices to mine Bitcoin. The recently launched startup, 21 Inc., has raised $116 million to date. Had we not stopped operations due to the burden of fighting the subpoena, who knows! Perhaps we would have been able to capitalize on our first-mover advantage; raising even a tenth of that sum would have been very substantial — before the subpoena hit we were talking to lots of excited investors and major companies with hundreds of millions of users that expressed interest in our technology being adapted for them. While mining directly in the browser wasn’t a long-term strategy, we were talking about developing ASIC hardware for this purpose.

While missing out on the “what could have been” is certainly disappointing, at least there is no longer the threat of legal action. There are some good and bad parts of the settlement. Although I am unhappy with how it reads at a glance — it seems like a defeat — under closer inspection, you can see that New Jersey’s ‘victory’ is Pyrrhic at best.

No Fine

The $25,000 fine does not have to be paid, and would only be paid in the event we violate NJ law with the Tidbit code. Furthermore, New Jersey has to give us 30 days’ notice and the chance to come into compliance, making it extremely unlikely we would ever be subject to paying it.

This provision for notice seems to me to be how New Jersey should have dealt with Tidbit in the first place. A friendly inquiry and a nudge to be sensitive to user policy would have been appropriate and sufficient for a student project.

Indeed, we would likely have never needed such a nudge; days after the hackathon (and well before the subpoena!) we reduced our Proof of Concept to only a Google Analytics link and attached a loud red banner to our site warning users to not install it on their site.

Minimal Release of Information

The settlement required us to hand over records. We handed over almost nothing. Whereas the original subpoena made a broad request to get a lot of our data and source code, the only data we were obligated to turn over as a part of this deal was “a list of all New Jersey-based websites utilizing the Tidbit Code”. This was a grand total of two domain names. While I was unhappy to have to give any records at all, this seemed to be a minimally impactful compromise.

No Admission of Guilt

Although the agreement says numerous times that the Division has found us to have violated these statutes, and their press release tells a similar story, in the agreement we admit to no wrongdoing whatsoever. Specifically:

Neither the fact of, nor any provision contained in this Consent Order shall constitute, or be construed as … an admission by Respondent that any of his acts or practices described in or prohibited by this Consent Order are unfair or deceptive or violate the CFA and/or the CROA.

I’d be very interested to learn more about the state of NJ’s technical review program! It should have been obvious that we were engaging in none of the violations they allege to have found — with even a 5-minute glance at our client side code by an expert.

Reflections

The state of New Jersey’s active focus on protecting its consumers is commendable; we live in a world where there are many scams which try to fleece profits from the vulnerable. However, their reaction to Tidbit has been overly harsh, and their adherence to their fallacious understanding of new technology has not resulted in a protected consumer; the New Jersey consumer has lost the opportunity to receive free or subsidized online services in exchange for spare computational resources that they might have no other means of utilizing. The amount of damage done to the New Jersey taxpayer by the cost of the state’s continued pursuit of the Tidbit case was greater than any damages Tidbit would have ever caused (it’s hard to beat zero).

I am often asked, “why do you think they are still going after this?” It is not possible that they truly found us to have violated the law as they so claimed. Rather, it felt like this was being treated as a training exercise for some junior prosecutor to gain experience. To me, this is a very upsetting reason that they might have had to pursue. I am a human being, not a lesson. The amount of stress my teammates (Carolyn Zhang, Kevin King, Oliver Song) and I had felt is incalculable. The damage caused by the chilling effect on innovation that the subpoena dealt to the MIT community, and the world, is also incalculable. I hope that time, efforts to establish stronger protections for students and entrepreneurs, and the strong will of the community will heal this damage. No one else should ever have to lose the time and energy I and my colleagues have lost in fighting for our freedom to innovate.

I would also like to thank everyone who supported us throughout the process.

The Electronic Frontier Foundation, and our lawyers there, Hanni Fakhoury, Nate Cardozo, and Frank Corrado. The EFF is a bedrock of support for the tech community and led us through this entire process. You can support the EFF’s ability to represent cases like mine at https://supporters.eff.org/donate

To my family for their continued support, especially to my Uncle David Wexler, who gave us guidance throughout the process, especially in the early stages before we were in contact with the EFF.

To Joi Ito and Ethan Zuckerman for their reassurances and mentorship throughout the process. I’d also like to thank Hal Abelson and Nathan Matias for organizing and writing the petition for MIT to support us.

To the MIT Administration for their accommodations and commitment to establishing mechanisms to prevent future situations like this.

To my friends, with their immense amounts of support and dealing with my sailor-mouthed angry rants.

Lastly, to the MIT community and tech community at large for the outpourings of support the entire way.

Thank you,

Jeremy Rubin