EFF Challenges New Jersey Subpoena Issued to MIT Student Bitcoin Developers
As the popularity of Bitcoins has increased, government officials are concerned about criminal activity associated with the virtual currency. But a recent subpoena issued by the New Jersey Division of Consumer Affairs to 19-year-old Bitcoin developer and MIT student Jeremy Rubin goes too far, and we're fighting back by moving to quash it.
Rubin and some other MIT classmates developed a computer code called Tidbit for the Node Knockout Hackathon in November 2013. Tidbit uses a client's computer to mine for Bitcoins as an alternative to website advertising: in exchange for removing ads from a website, a user would give some CPU cycles to mine for Bitcoins instead. Tidbit was clearly presented as a proof of concept, with the developers making clear the code was configured not to mine for Bitcoins. That's because in addition to refining the code, they needed to work out the legal details, like drafting a terms of service, and the ethical details, like making sure there was a way for users to opt-in to the service so their computers weren't being used to mine Bitcoins without their knowledge. Tidbit won the Node Knockout award for innovation and the students thought they were on their way to continuing with their project.
But in December, the New Jersey Division of Consumer Affairs issued a subpoena to Rubin, requesting he turn over Tidbit's past and current source code, as well as other documents and agreements with any third parties. It also issued 27 interrogatories -- formal written questions -- requesting additional documents and ordering Rubin to turn over information like the names and identities of all Bitcoin wallet addresses associated with Tidbit, a list of all websites running Tidbit's code and the name of anybody whose computer mined for Bitcoins through the use of Tidbit, although Tidbit's code was not configured to mine for Bitcoins.
Tidbit asked us for help and we agreed to represent Rubin and Tidbit. We explained to the New Jersey Attorney General that Tidbit's code as configured was incapable of mining for Bitcoins, meaning it could not provide much of the information requested in the subpoena. Plus, New Jersey had no jurisdiction to issue a subpoena to Rubin, who lived in Massachusetts, or Tidbit, which had no connections to New Jersey at all; the server housing the code is not located in New Jersey and Tidbit didn't do anything to target New Jersey users specifically. When the state still insisted Tidbit comply with the subpoena, we moved to quash it in New Jersey state court with the help of attorney Frank Corrado.
We've raised three arguments why the subpoena should be quashed. First, New Jersey's attempt to use state law to regulate Internet activity occurring outside of its borders violates the Dormant Commerce Clause. When it comes to software freely available and accessible anywhere on the Internet, states have to be very careful to only regulate conduct that occurs within its geographical borders. New Jersey is doing more than just investigating local websites or code stored in the state. Instead, its investigation suggests an attempt to target out-of-state conduct, a power the Constitution specifically reserves for Congress.
Second, since neither Tidbit or Rubin have sufficient contacts with New Jersey, the state cannot exercise personal jurisdiction over either. Rubin is not a New Jersey resident and Tidbit's source code is not stored in the state. While New Jersey can certainly exercise personal jurisdiction over local websites or individuals in New Jersey with sufficient contacts to the state, it cannot do that here with Rubin or Tidbit.
Finally, we explain that if the subpoena is allowed to stand, Rubin should be granted immunity from prosecution for any code or documents he is required to turn over and for any answers to interrogatories he must give. Both the Fifth Amendment and New Jersey state law prohibit the government from compelling someone to testify against themselves. The state has already made clear it believes Rubin and Tidbit are in violation of New Jersey's Consumer Fraud Act. The state recently used consumer protection laws to secure a $1 million settlement from a gambling website that turned its users' computers into a botnet to mine for Bitcoins without the users' knowledge. It appears the state suspects Tidbit of something similar here, despite the fact Tidbit's code was only a proof of concept that could not mine for Bitcoins, and despite the fact Tidbit was clearly not planning to develop code that mined without a user's knowledge and consent.
Some of the interrogatories also suggest that New Jersey believes Rubin and Tidbit are in violation of criminal hacking laws. One interrogatory asks Rubin to provide a list of all instances where Tidbit and websites using the code "accessed consumer computers without express written authorization or accessed consumer computers beyond what was authorized." That language comes from New Jersey's computer fraud act, which, in turn, is modeled after the federal Computer Fraud and Abuse Act. Since the subpoena is clearly demanding Rubin incriminate himself by opening himself to both civil and criminal liability, the privilege against self incrimination applies and he should be given immunity if ordered to comply with the subpoena.
We've seen firsthand the power imbalance when the government zealously pursues young innovators at MIT with harsh laws. New Jersey absolutely has a right to investigate fraudulent consumer practices within the state, but burdening out-of-state college students with broad subpoenas—and suggesting Tidbit is liable for activity beyond its control—isn't the way to do that.
The court should set a hearing sometime at the end of February where we're hopeful the subpoena will be quashed.