Code running in the background of the website of the Afro Voice newspaper, the renamed former Gupta-owned The New Age, which hijacked unwitting visitors’ computers to mine cryptocurrency, has been deactivated.
Cryptocurrency miners are rewarded with digital coins when one or more computers run by them help to solve complicated mathematical problems. And the more computers involved, the faster the problem is solved and the more coins are awarded. The software on the Afro Voice’s website is called Coinhive and uses the Central Processing Unit (CPU) of the computer of visitors to perform the functions needed to mine coins.
Gary Naidoo, senior general manager for Afro Voice, emphatically denied that they had added the code to their website.
“I am not aware of this at all and we will definitely do something about it. I am meeting with our in-house website people today and will urgently raise it with them,” he said.
A few hours later mining was no longer happening.
The Afro Voice site is built with WordPress and this particular mining software is a plug-in that can be simply switched on or off. Wayback Machine, which archives earlier versions of web pages, shows the mining code was not in place on 14 May, but was there on 22 May, the next time the site was archived. It was still in place on Friday, 1 June, before being removed, meaning it was active for at least 11 days. The publisher of Afro Voice, as do most online publishers, indirectly covers itself for such eventualities, as is clear in their Terms and Conditions .
Besides slowing down computers, crypto-currency mining also consumes huge amounts of electricity. In South Africa the cost of mining a single coin is $5,948 but with the current value of a Bitcoin at $7,566 on 1 June, it is still a profitable venture – especially if someone else is paying for the electricity consumed.
The developers of Coinhive pitch it as a new and innovative way for online publishers to generate revenue, as more and more people install ad blockers. But they say that this should be with the full knowledge and consent of the owners of the computers being used for mining. The revenue raised from the mined coins is shared 30-70 between Coinhive and the websites running it.
Some publishers are honest and upfront about what they are doing. For example, when an ad blocker is detected on the computer of a visitor to the US online publishers Salon, a pop-up is generated with the option of turning off their ad blocker. Alternatively, Salon offers an advert-free browsing experience if visitors grant them permission to use their unused computer power to mine crypto coins while they are on the site.
But secretly inserting the code into a website without the owners’ permission is an increasing problem in the United States – and will inevitably become more common in SA.
Last year crypto hackers hijacked the website of PolitiFact, a highly credible US political fact-checking website, and used visitors’ computers to mine cryptocurrency for them. The hack was discovered by security researcher Troy Mursch, who alerted PolitiFact after he noticed that visiting the site caused his computer’s CPU to run at its maximum capacity.
But sometimes the offenders are the websites themselves, with some secretly adding the script to their website without disclosing this to users or giving them the option to opt in or out.
Ad free or crypto mining?
The Pirate Bay, a torrenting service, was also bust for secretly running crypto mining software. They then asked users whether they preferred an ads-free experience or cryptocurrency mining – and surprisingly many people were open to the mining idea.
Justin McCarthy, a media and tech commentator, says there are both legal and ethical issues involved in using someone else’s computer to mine crypto currencies without their permission.
“It is uncharted territory and complicated. I believe that it may constitute a criminal offence if not clearly declared by the publisher.”
He also believes that it may breach new privacy laws like POPI in South Africa and the European Union’s even more stringent GDPR laws. But it would be impossible to prove without a major digital forensic audit that the website had added the programme, rather than falling victim to cryptojacking, he says.
McCarthy believes that it is can be an effective and legitimate revenue generator for publishers “as long as they are transparent in disclosing what they are doing”. Website owners must also make it simple for someone to opt in or out, he adds.
But ultimately, the onus is on the owner of a computer to protect themselves against unwanted invasions of their privacy, says McCarthy. As with your sexual health it is on you to take precautions to safeguard your online health.
What steps can you take to protect yourself?
- For a start, read the T&Cs before just accepting them when you sign up for a new app or programme for your computer and decide if it’s worth it;
- Download a free browser extension like No Coin for Firefox or for Chrome, depending which browser you use;
- This blog has some good advice on how to check if a website is mining crypto currencies, and how to stop them;
- Protect your online privacy by blocking unwanted trackers by installing Privacy Badger for Chrome or for Firefox.
This story was first published by Daily Maverick, and is republished with the permission of the editor.
Raymond Joseph is a Cape Town-based freelance journalist and media trainer; Schalk Venter works as a front-end developer for OpenUp, a Cape Town-based civic tech organisation.