Developers should know this truism from childhood: Always knock before entering. But they don’t. For developers of cryptominers – the little programs designed to mine cryptocurrencies such as Ethereum on your devices – the difference between knocking and just quietly barging in is huge.
If they don’t knock, and just quietly enter to go to work on unsuspecting computers, they can certainly succeed for a short time. However, there are very high odds that they will be identified as malware or potentially unwanted applications (PUA) and stopped in their tracks. If they do knock, and wait for your OK before harnessing your device’s computing power to mine cryptocurrencies, they just might not get that OK and will be shut down in their tracks.
This is a conundrum.
A cryptic bit of history
This is also precisely the problem faced by Coinhive.com. After they launched their first miner script, several websites such as torrent sites began using it as an alternative to ads. Rather than displaying ads, they would load this miner and run it for 30 seconds before allowing the user to access the content, and collect the revenue from mining instead.
The problem is that while some websites made it perfectly clear that they were making revenue this way, others were doing it silently. For this reason, the script was blocked by several adblockers and most antivirus software. That’s why Coinhive released another, opt-in version of their cryptomining script.
When loaded, it asks for the user’s consent before starting to mine.
However, not all people read or understood this pop-up warning. They clicked on “Allow for this session” and then were surprised to find that their computer was slower, their devices were warming up, or their battery was draining faster. So for these users, this script was a PUA – a potentially unwanted application.
Why not just lock the door?