1. Browser-based crypto mining and EU data
protection and privacy law:
a critical assessment and possible opportunities for
the monetisation for web services
Christopher F. Mondschein
Researcher at the European Centre on Privacy and Cybersecurity (ECPC),
Maastricht University
Blockchain International Scientific Conference, 11 March 2020, Edinburgh Napier University
2. Browser-based Crypto Mining: the Good, the Bad and the Ugly
3. Browser-based Crypto Mining
PoW
• Explanation: A user visits a website that deploys a
cryptocurrency miner. The computational power of the
end-user device is utilized to mine cryptocurrencies for
the benefit of the website or service that deploys the
miner.
• Examples: Coinhive, Crypto-Loot, CoinImp, Minr,
deepMiner, JSECoin and Coinhave, etc.
• Deployment: API (JavaScript, WebAssembly), CAPTCHA,
short-link service.
• Prevalent cryptocurrency mined is Monero.
4. EU Data Protection & Privacy Law
• Privacy and data protection are separate but intertwined fundamental rights in EU
law.
• GDPR: data protection – processing of personal data. Does browser mining entail
processing of personal data?
• ePrivacy Framework (Directive and proposed Regulation): protection of privacy of
end-user devices.
• ePrivacy Framework is lex specialis to GDPR: ‘(…) to particularize and to complement
(…)’.
• Article 5(3) ePD: Consent & prior information necessary; also applies to non-personal
data (‘storing of information, or the gaining of access to information already stored’)
• Article 8 ePR: ‘the use of processing and storage capabilities of terminal equipment
and the collection of information from end-users’ terminal equipment’.
5. Consent and Information
• Information for users:
- ‘clear and comprehensive information’ with reference to GDPR.
- identification of relevant actors (controller(s), processor(s), third parties who receive personal data),
purposes and legal bases, the rights of data subjects, the data transfers to non-EU/EEA states,
automated decision-making.
Relevance of this information for browser mining, since no personal data is processed? What
information should be provided?
• Valid consent under the ePD and ePR:
- freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he
or she, by a statement or by a clear affirmative action.
- Consent must be given prior to the running of the script.
- Demonstrating the collection of valid consent even if no processing of personal data? This would
result in the processing of personal data to be able to demonstrate consent.
Monetization methods for web services devoid of any interest in the person behind the device were not
envisioned by the legislator, creating legal uncertainty regarding the application of the law to browser mining.
6. Monetization of Web Services & Tracking walls
• Tracking walls: making access to
media or services on websites
conditional upon accepting tracking.
• Supports programmatic
advertisement; negative impact on
user privacy and protection of
personal data.
• The practice is contested in law but
surrounded by legal uncertainty
(failure of ePR proposal, DPA
guidance, CJEU in Planet49).
7. Browser Mining as an Alternative?
• Tracking walls = zero-sum game: user privacy vs website
operator revenue.
• Prohibition of tracking walls, permitted only when browser
mining is an option.
• Proposed ePrivacy Regulation: option to include browser mining
as an alternative (prohibition of parallel use).
• Clarification in the Regulation of cases where no personal data is
processed but there is still reliance on reference to GDPR for
information and consent.
8. Thank you for your attention!
c.mondschein@maastrichtuniversity.nl
linkedin.com/in/christophermondschein
www.maastrichtuniversity.nl/ecpc | twitter: @ecpcmaastricht