@apple502j
Last active January 22, 2022 21:08

What's the Coinhive case? Why was it important?

TL;DR: It was a battle between us, the engineers who advocate for technological advancement, and the police. And we won.

The Beginning

In March 2018, after raiding his home and a series of interrogations (some of which were criticized; see below), the Kanagawa Police in Japan charged a web designer (@moro_is on Twitter) under Penal Code Article 168-3, titled "Acquisition of Electronic or Magnetic Records Containing Unauthorized Commands".

The program in question was a single HTML <script> tag that loaded the Coinhive script, a cryptominer. The summary court sentenced him to a fine of 100,000 yen, around $940. He could simply have paid the fine, as many others prosecuted for the same "crime" did. Instead, on March 29th, he contacted a lawyer; he had about two weeks to object to the summary court's decision and request a formal trial.

The news spread quickly, and many people voiced concern about how badly this could go. While cryptominers are considered malicious by most people today, back then they were seen as an alternative to advertisements. How can a JavaScript program be malicious, malicious enough to involve the police, when all it does is consume a bit of CPU?

Coinhive 101

Coinhive is, or was, a cryptominer script that could be embedded in websites. Visitors' browsers would run the JavaScript program, which mined the cryptocurrency Monero; 70% of the mined coins went to the website owner. In this case, however, the web designer made only about $8, and he was never even able to withdraw that tiny amount.

Coinhive was used on many websites worldwide, most notably by UNICEF Australia, which used the mined cryptocurrency to help children in need around the world. Coinhive shut down in March 2019.

The Coinhive script could be configured with a throttle. In this case the value was 0.5 (50%).
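Detection is the practitioner's side of this story. The scanner below is an added example, not code from the original post, from the web designer, or from Coinhive: it parses a page and flags the two pieces an embed of this kind consisted of, the loader tag and the inline configuration call, and reports the configured throttle. It assumes the Coinhive library URL (coinhive.com/lib/coinhive.min.js, plus the authedmine.com opt-in variant) and the `new CoinHive.Anonymous(siteKey, {throttle: ...})` call shape as documented by Coinhive at the time, and that `throttle` is the fraction of time the mining threads stay idle; the HTML it scans is constructed for the example and is not the blog at issue in the case.

```python
"""Flag Coinhive-style miner embeds in HTML and report the configured throttle.

Added example; not from the original post or from Coinhive.  Assumptions:
the library URL (coinhive.com/lib/coinhive.min.js, plus the authedmine.com
opt-in variant) and the `new CoinHive.Anonymous(siteKey, {throttle: x})`
call shape follow Coinhive's historical documentation, where `throttle` is
the fraction of time the mining threads stay idle.
"""
import re
from html.parser import HTMLParser

# Hosts the loader <script src="..."> pointed at (assumption, see above).
MINER_HOSTS = ("coinhive.com", "authedmine.com")

# new CoinHive.Anonymous('<site key>', {...options...})
ANON_RE = re.compile(
    r"CoinHive\.Anonymous\s*\(\s*['\"]([^'\"]+)['\"]\s*(?:,\s*(\{[^}]*\}))?\s*\)"
)
THROTTLE_RE = re.compile(r"\bthrottle\s*:\s*([0-9]*\.?[0-9]+)")


class MinerScanner(HTMLParser):
    """Collects loader tags and inline miner configuration found in a page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.in_script = True
        src = dict(attrs).get("src") or ""
        if any(host in src for host in MINER_HOSTS):
            self.findings.append({"kind": "loader", "src": src})

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser hands the body of <script> over as raw data; search it
        # for the constructor call that actually starts mining.
        if not self.in_script:
            return
        for m in ANON_RE.finditer(data):
            site_key, options = m.group(1), m.group(2) or ""
            t = THROTTLE_RE.search(options)
            throttle = float(t.group(1)) if t else None
            self.findings.append({
                "kind": "miner",
                "site_key": site_key,
                "throttle": throttle,
                # share of each thread's time spent mining, when a throttle is set
                "cpu_share": None if throttle is None else round(1.0 - throttle, 3),
            })


def scan_html(html: str) -> list:
    """Return the miner-related findings for one HTML document."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a loader tag, a miner started at throttle 0.5
# (the value at issue in the case), and an unrelated third-party script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY', {throttle: 0.5});
  miner.start();
</script>
<script src="https://example.org/analytics.js"></script>
</head><body><p>Blog post</p></body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Running the module prints one "loader" finding for the library tag and one "miner" finding with throttle 0.5, while the unrelated analytics script is ignored. A real deployment would feed it fetched pages or proxy logs and would also want to catch obfuscated loaders, which this string-based check does not attempt.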

Penal Code Article 168-3

The 2011 amendments to the Penal Code defined "Electronic or Magnetic Records Containing Unauthorized Commands" (不正指令電磁的記録), in effect a malicious program, as "electronic or magnetic records that give unauthorized commands to prevent a computer from performing functions in line with the user's intention or have it perform functions against the user's intention". Article 168-2 prohibits creating and executing such programs, while Article 168-3 prohibits acquiring and storing them. The web designer was prosecuted under the latter, for storing.

A person who, without legitimate grounds, acquires or stores records including electronic or magnetic records set forth in the items of paragraph (1) of the preceding Article for the purpose referred to in the same paragraph is punished by imprisonment for not more than 2 years or a fine of not more than 300,000 yen.

The offence has three requirements:

  • It must "prevent a computer from performing functions in line with the user's intention or have it perform functions against the user's intention" (the "unintentionality" requirement; 反意図性)
  • It must be "unauthorized". (the "unauthorized" requirement; 不正性)
  • The person must store the program for the purposes of executing on others' computers. (the "purpose of execution"; 供用目的)

All three must be met for the act to be a crime.

There were multiple interpretations of these requirements. The "Dai Konmentaru", a well-known commentary (Kommentar) on the Penal Code, read the "unintentionality" requirement as satisfied by programs that harm the trust described below, and treated the "unauthorized" requirement as an exception for programs that run without the user's intention but are acceptable to the general public. Under that reading, of the programs that run in an unintended way, only those that harm that trust are punishable. Watanabe Takuya, an associate professor at the University of Tsukuba, argued that the two requirements should be considered as one. Okabe Takatoshi, a research associate at Hokkaido University, argued that the law was intended to regulate only certain actions that are also illegal under the Convention on Cybercrime.

Finally, it's worth noting what these rules protect. They were not written to punish people for disturbing someone else's computer use; the law protects our trust in computer programs. Thus a program that performs operations against the user's intention can still be "not unauthorized" if such behaviour is acceptable to the general public.

Before Prosecution

The web designer put Coinhive on his blog for a week, from October 30th to November 8th, 2017. The police raided his house, seized his computers and interrogated him. He brought a microphone and recorded the process. In Japan, confessions and other statements are first written down on paper, which the police officer then reads aloud. The suspect can demand a rewrite if it does not match their words, but the police do not release them until they agree. Some of the ridiculous comments by the police included "you loaded it in <head> so that you gain money on every page, right?" JavaScript code is usually loaded in <head>, and the police officer didn't know that <head> is simply where non-rendered content goes.

District Court - Not Guilty

The case was transferred from the summary court to the Yokohama District Court, where three judges heard it instead of the usual one. This included questioning of the web designer and of the witness Takagi Hiromitsu (who is well known in this field). From May 2018 to January 2019 there were many so-called pretrial arrangement proceedings, in which the lawyers could explain the program in question to the judges and accept or contest specific pieces of evidence. These included a Google-translated copy of the Coinhive ToS and a report by the organization JC3 that incorrectly set the throttle to 100%. The court admitted some of them. The lawyers tried to introduce the interrogation recording as evidence, but the prosecutors objected.

On March 27th, 2019, the court held that the program met the "unintentionality" requirement but not the "unauthorized" requirement, and acquitted him. The judgment included some important words about Coinhive's potential: it could actually benefit visitors, since the profit can be used by the website owner to maintain the website. It also found the overall negative effects of Coinhive comparable to those of ordinary ads. Shortly afterwards the prosecutors appealed.

High Court - Guilty

The prosecutors, of course, appealed to the Tokyo High Court. During that time the prosecutors made another blunder: they wrote in a document that the web designer had stored the Coinhive cryptominer script itself. He stored the <script> tag, not the code. Of course it was corrected later. The Hackers Association received more than 10 million yen in donations to cover legal expenses.

The High Court ruled on February 7th, 2020, that he was guilty and fined him 100,000 yen (the same as the summary court). The ruling rested on the following arguments:

  1. it was unnecessary for browsing;
  2. the viewers do not benefit from the program;
  3. the viewers are not given opportunities to know and reject use of such programs;
  4. the website owner attempted to gain profit by using someone else's computer without consent.

This is a very concerning interpretation for many programmers. The court also dismissed the argument that the effect was barely noticeable to visitors. Are advertisements now illegal, since they are unnecessary, don't benefit users, can't be blocked through the website, and earn the website owner money? What about analytics services? Easter eggs? The interpretation was simply bizarre.

Supreme Court

The Supreme Court must hear a case if the judgment is unconstitutional or contradicts Supreme Court precedent. Since the law was quite young, there was no Supreme Court precedent to refer to. Still, the defence somehow had to get the court to accept the appeal. They argued that 1) programs are protected by Article 21 of the Constitution, which guarantees free speech, and 2) the law was ambiguous and violated the due process clause of Article 31.

The lawyers also asked programmers for their opinions. It's common practice to attach written opinions to the documents stating the grounds for appeal. The lawyer attached 52 written opinions: 47 from programmers and 7 from legal experts.

Nearly two years passed. Then came a surprise: the court decided to hear oral argument, which is very rare; most appeals are rejected without one. The law requires oral argument before the court may change the High Court's decision. It was very clear that "something" good was going on.

The date was December 9th, 2021. People lined up at the entrance of the Supreme Court. The lawyer pointed out the constitutional problems with the article, as well as the interpretive and procedural problems. The prosecutors argued that this was unacceptable: it was cryptojacking, the witness Takagi Hiromitsu had used a MacBook Pro while ordinary viewers use old, slow laptops, cryptocurrency mining is unethical and sent graphics card prices through the roof, and so on. It seemed as though half of the arguments were aimed at cryptocurrency and the Coinhive service itself. And finally, the biggest facepalm moment:

"Coinhive is written in a programming language normally invisible to users."

Oh no. Will JavaScript become illegal? Do we have to amend the HTML spec to make <script> renderable?

And Victory

It was 3PM on January 20th, 2022. The First Petty Bench of the Supreme Court, presided over by Justice Yamaguchi Atsushi (a lawyer and legal scholar by background), read the judgment.

It reversed the High Court judgment. And instead of remanding the case to the High Court, it did another unusual thing: it upheld the District Court decision and acquitted the web designer. Remember, it was just 100,000 yen. But he decided to fight, for the future of Japanese programmers. The decision was unanimous, 5-0. The bench was composed of two former lawyers (Yamaguchi and Oka Masaaki), two career judges (Yasunami Ryosuke and Miyama Takuya), and one former prosecutor (Sakai Toru). Yamaguchi was one of the people who helped draft the 2011 amendment to the Penal Code. Sakai, the former prosecutor, did not dissent or even write a separate opinion. It was clear that the message of this judgment was "this should never be a crime", rather than "the law should be amended to make it a crime".

The court accepted that the program satisfied the "unintentionality" requirement but denied the "unauthorized" requirement. It also held that mining itself is not socially unacceptable, and set out a new interpretation of the Penal Code. It rejected all three of the interpretations mentioned above, and stated in the judgment that

  1. "Unintentionality" requirement is satisfied if the actual behavior of a program differs from one perceived by the general users, and to decide what the perceived behavior is, the court must take into account not only the behavior but also the name, description, expected usage, etc. of the program; and
  2. "Unauthorized" requirement is satisfied if the program is unacceptable by the general public, and to decide what program is unacceptable, the court must take into account not only the behavior but also the extent of the effects to the computer's functionality and processing and the expected usage of the program.

Unlike "Dai Konmentaru", the Supreme Court did not treat the "unauthorized" requirement as an exception clause; the two are independent things to consider. This tightens the test from "illegal unless acceptable" to "illegal if unacceptable", which is really important.

While the court quickly rejected the constitutional arguments, it reversed the decision for misinterpretation of the law. "Not reversing the decision would clearly be contrary to justice", the judgment said.

The web designer won the case. Well, everyone did, really, because it was all about how the Penal Code could restrict someone's ability to write code. It could have gone as badly as "every script needs consent". People have been charged under the same law for an infinite alert(1) loop. The Supreme Court's interpretation will protect future programmers.

And finally...

It has been 10 years since the Winny case, in which the author of an anonymous peer-to-peer file-sharing program was prosecuted for aiding copyright infringement. That Supreme Court decision, on December 19th, 2011, also acquitted the author. There have been many cases in which the police did not understand the technology and charged innocent people. In the Librahack case in 2010, a programmer was arrested for writing a web crawler that unintentionally caused a denial-of-service condition on a poorly designed library search system, even though the program made one request at a time with a one-second interval. The programmer was not prosecuted, but the police were criticized for their lack of proper investigation. In the Wizard Bible case, a hacker was prosecuted and fined 500,000 yen for sharing a TCP-based shell on a security research forum. The Hyogo Prefectural Police charged several people for linking to a website containing for(;;) alert(1). And many others were charged over Coinhive; while some were not prosecuted, many were, and those people have paid fines. They will likely request retrials, although that is not guaranteed.

The United Nations is drafting a new version of the Convention on Cybercrime. I hope Japan will improve its laws on cybersecurity research and the Penal Code, not just to punish criminals but also to promote coding in this digital society.
