A New Jersey Division of Consumer Affairs investigation has found that, despite initial assertions by Tidbit’s developer, the software was used to gain access to computers owned by persons in New Jersey, without the computer owners’ knowledge or consent.

The Division further found that the developer of Tidbit offered and provided the software to web developers without reviewing their privacy policies, and without having any control, compliance, or review mechanism in place. The Division alleges that these actions constituted violations of New Jersey’s Computer Related Offenses Act and Consumer Fraud Act.

“Our intent is not to stifle innovation or discourage entrepreneurs,” Acting Attorney General John J. Hoffman said. “But innovations that affect consumers must operate in compliance with the law. No website should tap into a person’s computer processing power without clearly notifying the person and giving them the chance to opt out – for example, by staying away from that website.”

Pursuant to the Consent Order announced today, Tidbit’s developer is prohibited from accessing or attempting to access New Jerseyans’ computers without clearly and conspicuously notifying the owners and obtaining their verifiable consent. The Consent Order also includes a $25,000 monetary settlement that shall be suspended and automatically vacated within two years, provided the software developer complies with the settlement terms.

“We do not believe Tidbit was created for the purpose of invading privacy,” Division of Consumer Affairs Acting Director Steve Lee said. “However, this potentially invasive software raised significant questions about user privacy and the ability to gain access to and potentially damage privately owned computers without the owners’ knowledge and consent. As privacy threats become more and more sophisticated, State law requires us to protect the interests and safety of New Jersey consumers.”

Bitcoins are generated or “mined” through the solving of highly complex algorithms, a process that requires significant amounts of computer processing power. When a computer is used to mine Bitcoins, its available processing power becomes limited. The process also may shorten a computer’s life span and create increased electricity costs.

Jeremy Rubin, a Massachusetts resident, offered Tidbit to website developers as a way to “monetize without ads” and “let your visitors help you mine Bitcoins,” according to Tidbit’s website. Rather than show ads to consumers, and earn money by selling space to advertisers, websites that use Tidbit would earn money by taking over part of the processing power of computers that visited those sites, and by using those computers to mine for Bitcoins. Any Bitcoins thus generated would presumably benefit the web developer and/or Tidbit, not the owners of affected computers.

Web developers seeking to use Tidbit were directed by Tidbit’s website to submit their email address, the ID code for their Bitcoin electronic “wallet,” and a password. The web developer would then receive a portion of Tidbit code with the instruction, “Paste this (code) at the bottom of your HTML page, and your visitors will start mining Bitcoins for you!” along with a dashboard stating, “Here’s how much you’ve made so far with Tidbit.”

In court filings, Rubin’s attorney stated that Tidbit was merely a “proof of concept” and not a fully functioning program. However, a New Jersey Division of Consumer Affairs investigator in November 2013 found that the Tidbit code was present and active on at least three websites that were registered and located in New Jersey. The Division also has found that the Tidbit code had accessed the computers of persons in New Jersey without their knowledge or consent.

Acting Attorney General Hoffman and Acting Director Lee acknowledged that Rubin voluntarily cooperated with the State’s investigation, and provided the Division with a list of all New Jersey-based websites that used the Tidbit code. In addition, Rubin has shut down the Tidbit website.

The Division of Consumer Affairs enforces the New Jersey Consumer Fraud Act, New Jersey Computer-Related Offenses Act, and other laws that protect New Jerseyans against identity theft, unlawful invasions of privacy, and other computer-related violations.

The Division’s “Cyber Safe NJ” website, at www.nj.gov/lps/ca2/cybersafe, includes important consumer protection information on “The Basics of Cyber Safety,” “Preventing Identity Theft,” and “Controlling Your Privacy.”

Deputy Attorney General Glenn T. Graham, assigned to the Division of Law’s Consumer Fraud Prosecution Unit, along with Deputy Attorney Elliott M. Siebers and former Deputy Attorney General Edward J. Mullins III, assigned to the Government and Healthcare Fraud Unit, represented the State in this matter.

Investigator Brian Morgenstern, assigned to the Division of Consumer Affairs’ Cyber Fraud Unit, conducted this investigation.

Consumers who believe they have been cheated or scammed by a business, or suspect any other form of consumer abuse, can file a complaint with the State Division of Consumer Affairs by visiting its website or by calling 1-800-242-5846 (toll free within New Jersey) or 973-504-6200.

####