The code was discovered when a tech-savvy visitor to the Afro Voice / The New Age (the web domain is still www.thenewage.co.za) noticed that his laptop had slowed down markedly. And when he investigated he discovered crypto currency mining script inserted into the website’s code that was using his computer to secretly “mine” a crypto currency called Monero.
Crypto currency miners are rewarded with digital coins when one or more computers run by them help to solve complicated mathematical problems. And the more computers involved, the faster the problem is solved and the more coins are awarded. The software on the Afro Voice’s website is called Coinhive and uses the Central Processing Unit (CPU) of the computer of visitors to perform the functions needed to mine coins.
On Friday Gary Naidoo, senior General Manager for Afro Voice, emphatically denied that they had added the code to their website.
“I am not aware of this at all and we will definitely do something about it. I am meeting with our in-house website people today and will urgently raise it with them,” he said.
A few hours later mining was no longer happening.
The Afro Voice site is built with WordPress and this particular mining software is a plug-in that can be simply switched on or off. Wayback Machine, which archives earlier versions of web pages, shows the mining code was not in place on May 14, but was there on 22 May, the next time the site was archived. It was still in place on Friday, 1 June, before being removed, meaning it was active for at least 11 days. The publisher of Afro Voice, as do most online publishers, indirectly covers itself for such eventualities, as is clear in their Terms and Conditions .
Besides slowing down computers, crypto-currency mining also consumes huge amounts of electricity. In South Africa the cost of mining a single coin is $5,948 but with the current value of a Bitcoin at $7,566 on 1 June, it is still a profitable venture – especially if someone else is paying for the electricity consumed.
The developers of Coinhive pitch it as a new and innovative way for online publishers to generate revenue, as more and more people install ad blockers. But they say that this should be with the full knowledge and consent of the owners of the computers being used for mining. The revenue raised from the mined coins is shared 30-70 between Coinhive and the websites running it.
Some publishers are honest and upfront about what they are doing. For example, when an ad blocker is detected on the computer of a visitor to the US online publishers Salon, a pop-up is generated with the option of turning off their ad blocker. Alternatively, Salon offers an advert-free browsing experience if visitors grant them permission to use their unused computer power to mine crypto coins while they are on the site.
But secretly inserting the code into a website without the owners’ permission is an increasing problem in the United States – and will inevitably become more common in SA.
Last year crypto hackers hijacked the website of PolitiFact, a highly credible US political fact-checking website, and used visitors’ computers to mine crypto currency for them. The hack was discovered by security researcher Troy Mursch, who alerted PolitiFact after he noticed that visiting the site caused his computer’s CPU to run at its maximum capacity.
But sometimes the offenders are the websites themselves, with some secretly adding the script to their website without disclosing this to users or giving them the option to opt in or out.
The Pirate Bay, a torrenting service, was also bust for secretly running crypto mining software. They then asked users whether they preferred an ads-free experience or crypto currency mining – and surprisingly many people were open to the mining idea.
Justin McCarthy, a media and tech commentator, says there are both legal and ethical issues involved in using someone else’s computer to mine crypto currencies without their permission.
“It is uncharted territory and complicated. I believe that it may constitute a criminal offence if not clearly declared by the publisher.”
He also believes that it may breach new privacy laws like POPI in South Africa and the European Union’s even more stringent GDPR laws. But it would be impossible to prove without a major digital forensic audit that the website had added the programme, rather than falling victim to cryptojacking, he says.
McCarthy believes that it is can be an effective and legitimate revenue generator for publishers “as long as they are transparent in disclosing what they are doing”. Website owners must also make it simple for someone to opt in or out, he adds.
But ultimately, the onus is on the owner of a computer to protect themselves against unwanted invasions of their privacy, says McCarthy. As with your sexual health it is on you to take precautions to safeguard your online health.
What steps can you take to protect yourself?
Raymond Joseph is a Cape Town-based freelance journalist and media trainer; Schalk Venter works as a front-end developer for OpenUp, a Cape Town-based civic tech organisation.
Blink-182's Tom Delonge quit the group so he could focus on researching the existence of aliens.