Is The Pirate Bay’s In-Browser Cryptocurrency Mining Better Than Its Crappy Ads?

The modern internet runs on advertisements. Arguably the two most powerful companies in Silicon Valley—Facebook and Google—make billions of dollars in revenue each year almost exclusively by selling customer data to advertising firms. Although these products are nominally free, their users are actually paying in lost privacy.

Over the weekend, the torrent site Pirate Bay conducted an experiment to see if it could replace the advertisements that keep the site afloat with a new monetization scheme: Using visitors' browsers to mine cryptocurrency.

Although the Pirate Bay is perhaps the freest of free services on the internet, it has operating costs like any other website. Historically, these costs have been supported through ad revenue and donations, but as the Pirate Bay admins detailed in a blog post, "we really want to get rid of all the ads."

It makes sense. The Pirate Bay isn't exactly known for its tasteful and legitimate advertisements, which are often laced with malware. In fact, it was the Pirate Bay's terrible advertisements that prompted its co-founder Peter Sunde to argue that the site should be left to die after it was taken offline following a raid of its servers.

"I've not been a fan of what TPB has become," Sunde wrote in a 2014 blog post. "The site was ugly, full of bugs, old code and old design. It never changed for one thing—the ads. More and more ads [were] filling the site, and somehow when it felt unimaginable to make these ads more distasteful they ended up even worse.

Three years later, the Pirate Bay's solution was to embed the code for a cryptocurrency miner called Coin Hive in the footer of the site. The code used a portion of the visitor's CPU power to mine the privacy-oriented cryptocurrency Monero while the user was on the website.

The miner could be blocked using a regular ad blocker or by disabling JavaScript, but at the time of this writing, the miner was no longer operating. According to TorrentFreak, a source from the Pirate Bay said the miner was only being tested for a few days as a possible replacement for ad revenue. The source did not clarify whether the miner will be used again in the future.

Nevertheless, the Pirate Bay mining experiment raises an interesting question: Should cryptocurrency mining replace advertisements as a way to cover a website's operating costs?

The idea of using the distributed computing power of an internet service's users to mine cryptocurrency is by no means new. Botnets have been used to hijack Internet of Things devices to use their processing power to mine Bitcoin several times in the past, and BitTorrent infamously used its app to mine for Litecoin on users' computers without really informing users it was doing so.

In 2013, a group of MIT students created a code called TidBit that would allow websites to generate revenue by using visitor's processing power to mine for Bitcoin, a project that was shut down by court order. According to the ruling, using a person's CPU power to mine cryptocurrencies without consent is considered gaining access to that person's computer.

More recently, security researchers have been reporting an uptick in malicious advertisements that are used to mine cryptocurrencies within a web browser. Since advertisements that use a person's processing power without their consent are banned from legitimate ad distribution networks, these 'malvertisements' are distributed by buying user traffic and directing it to a website that hosts the advertisement with the malicious mining script.

In all of these cases, the primary issue is consent from the user. Obviously, hijacking IoT devices for a botnet usually isn't done with permission and neither is injecting malware into a device. But to download and run BitTorrent, users had to agree to a terms of service. A clause in this terms of service said that the software can make use of a computer's unused processing power and users would have to opt out of installing the mining software, but these details were buried in the terms of service that few users ever take the time to read.

In this respect, the Pirate Bay's scheme was relatively more transparent. Rather than trying to bury its cryptomining plans in a wordy terms of service agreement, the code for the miner was clearly visible at the bottom of the site. The code was still pretty easy to miss, but the uptick in a visitor's CPU usage wasn't.

The Pirate Bay blog post on its decision to implement a miner claims "a small typo" in the miner's code initially made it so that the miner would use all of a visitor's unclaimed processing power. This was soon fixed so that the miner would only use 20 to 30 percent of a visitor's CPU power and run only in the tabs in which the Pirate Bay website was open. Still, a 20-30 percent increase in CPU usage could cause a user's computer to slow to a crawl or crash.

In short, if distributed mining schemes aren't properly implemented by allowing users to opt in and informing them just how much processing power will be used, it could have serious negative effects for a site's visitors.

What is uncertain is whether the cryptomining scheme would have been enough to cover the website's costs or replace revenue from advertising. A 2014 report from McAfee, for instance, found that it was nearly impossible to turn a profit using botnets to mine for Bitcoin. That same year, the consumer advocacy group Digital Citizens Alliance published a report that claimed that leading torrent sites like Pirate Bay generate upwards of $4 million per year from advertising revenue.

As seen in the Pirate Bay subreddit and official forum, not all users were happy about the new scheme, but many saw it as an improvement over advertisements. The one complaint uniting users, however, was that the Pirate Bay admins could have been more forthcoming about the miner.

Although the Pirate Bay's mining scheme did come off a little shady, even 'legitimate' advertising schemes can run afoul of users. In 2015, for instance, it was revealed that Facebook used a long-lasting cookie to track web browsing habits that could then be sold to advertisers—even if you weren't a registered user on Facebook. Moreover, advertisements can give a platform to unsavory organizations, as the recent Facebook debacle over selling ads to Russian interests during the 2016 elections goes to show.

Assuming that user consent is obtained, the issue ultimately boils down to whether internet users would prefer to pay for free web services with their privacy, or a few more cycles on their CPU. But no matter what, there's no such thing as a free lunch on the internet.