What Is Pomegranate? – The Investigation and Interview

in #gridcoin, 7 years ago

Some users in the Gridcoin community have wondered who or what Pomegranate is because its two BOINC CPIDs have larger magnitudes than any other individual as of the writing of this article.

"Pomegranate" in this article refers to the following two CPIDs:

Before we begin, we, @dutch and @deltik, would like to apologize for jumping the gun on releasing conclusions to our findings without having obtained comment from the organization behind Pomegranate, Charity Engine. This was poor investigative reporting on our part.

We have since had a conference call with the founder of Charity Engine to address the concerns about Pomegranate.

Below in this article, we present only the facts from our investigation with no added sensationalization, speculation, opinions, commentary, analyses, or conclusions. Charity Engine did provide us with some proprietary or confidential information, which we have excluded from this article. We welcome the community to do what they want with the information provided.


Timeline

  • On 13 August 2017, PrimeGrid sent Pomegranate 5000 GRC.
  • On 21 August 2017, Pomegranate minted the 999998th Gridcoin block. @jringo announced that Pomegranate won the Gridcoin one millionth block commemorative coin.
  • Two days after minting the block, Pomegranate as @pomegranatepool commented on @jringo's article asking how to claim the coin. @jringo and his team, including @dutch, proceeded to verify Pomegranate's identity via the Gridcoin blockchain so that Pomegranate could claim the commemorative coin.
  • @jringo's team confirmed that a user called "pomegranatepool1" on the Gridcoin Slack channel controlled the Pomegranate wallet.
  • On 28 August 2017, Pomegranate refunded PrimeGrid 2100 GRC.
  • On 30 August 2017, Pomegranate refunded PrimeGrid 1700 GRC.
  • In the month after minting the 999998th block, Pomegranate grew rapidly and amassed a magnitude greater than twice that of the largest individual Gridcoin user.
  • We began trying to find out who Pomegranate was in early September 2017. @dutch tried to contact pomegranatepool1 for more information but received no response.
  • On 11 September 2017, multiple Gridcoin community leaders had a meeting with some concerned users, including us. The users were concerned that Pomegranate's growth may have been too fast to be an individual or a pool of voluntary users like GRCPool.com.
  • A Gridcoin community leader was able to get in contact with Pomegranate and reported to the meeting members that Pomegranate was a private company that wished to remain anonymous. This community leader declined to reveal any more information about the private company.
  • A BOINC project admin informed the meeting members that Pomegranate was exclusively running BOINC 7.0.80.
  • Pomegranate's hosts were not hidden on a different BOINC project called VGTU project@Home. This allowed us to see that Pomegranate was running BOINC 7.0.80 exclusively on that project, too.
  • Another BOINC project, SRBase, discovered that some results were corrupt because of a bug with BOINC 7.0.80 and publicly asked those users to upgrade BOINC.
  • We determined that BOINC never released a version 7.0.x release beyond version 7.0.65. Our Internet search revealed that the only software that matched BOINC 7.0.80 was Charity Engine 7.0.80. Search result samples: 1, 2
  • We attempted to find a copy of Charity Engine 7.0.80, but the only download of the Charity Engine software that we could find was version 7.0.76, which could be downloaded after registering on the Charity Engine website.
  • Should I Remove It? revealed that the majority of their users chose to remove Charity Engine and that the overall sentiment was negative, which led us to look into why that was.
  • An analysis by Spyware Techie found that Charity Engine was bundled with other software.
  • Our further Internet searches uncovered some press coverage of Charity Engine as a company but no testimonials of the Charity Engine software.
  • Instead, our Internet searches for "Charity Engine," specifically the software, uncovered uninstall instructions, questions about what the software is, computer performance complaints, and infected computer help. Samples:
  • On 08 December 2017, the first Pomegranate pool sent 14,994.73021000 GRC to the new, second Pomegranate pool.
  • On 10 December 2017, we discovered the second Pomegranate pool and were alarmed by the second pool's growth. We chose to publicize our findings as soon as possible.
    • @deltik wrote customized letters to all of the projects that Pomegranate was involved in to present the findings and suspicions drawn from the findings. In the conclusion of each letter, @deltik advised the projects to make their own determination on the appropriate action to take.
    • @dutch wrote the initial public-facing Steemit article, currently titled "Investigating the Pomegranate Network Mining Gridcoin". That article was updated on 17 December 2017 following feedback from Charity Engine.

Q&A

The Gridcoin community posed questions to Charity Engine in the hopes of understanding what made their network legitimate and ethical. The answers that Charity Engine provided are reproduced in this section.

What is an example of an ad that leads to a Charity Engine 7.0.80 download? Despite a greater than 99% acquisition through ads, our searching has turned up nothing.

Charity Engine informed us that the advertisements that they run are through software bundling providers. They said that all software bundling plans are strictly opt-in, meaning when the bundle installer is running, the user must agree to the installation of Charity Engine.

They also said that they do not have the choice of what software they are bundled with. As they did not choose the bundling packages, they did not have an example ad to show us during our meeting with them.

Charity Engine 7.0.80 reports its own release date as 07 March 2014 (source). Why did it take so long to announce an upcoming update on 12 December 2017?

Charity Engine explained that there has not been a need to update the software because the BOINC tasks that it was running were being completed as expected.

The details of the upcoming version are confidential.

Why hasn't there been an update the last 3½ years since the severe vulnerability CVE-2013-2298, which affects Charity Engine 7.0.80?

We were the first to inform Charity Engine of CVE-2013-2298. They have taken note of this as a bug report.

We have seen that Charity Engine 7.0.80 users exclusively run Microsoft Windows but not Windows 10, and the hardware tends to be older or obsolete. Why does the typical Charity Engine user profile look like this?

Regarding the lack of Windows 10, Charity Engine explained that it is a bug with the operating system reporting functionality of Charity Engine 7.0.80: Windows 10 gets reported as Windows 8.1 or an earlier version.

As for the older hardware, Charity Engine said their target users are not tech-savvy, so they install Charity Engine as part of an opt-in software bundle without minding what kind of hardware they are running.

Another independent investigation found that Charity Engine is bundled with other programs and may be installed without the users noticing. Can you walk us through the installation flow of a Charity Engine software bundle?

Charity Engine reported that they do not have control over how their software is bundled, so they did not have a sample bundle to show us.

Why is Pomegranate called Pomegranate?

Charity Engine said that they intentionally chose a name unrelated to themselves so that Gridcoin users would not fear a network takeover by the large compute capacity of Charity Engine.

On 12 December 2017, why did you rename the second Pomegranate pool from "pomegranate2" to "PSVR-1075" and then later rename it back to "pomegranate2"?

The Charity Engine representative we met with said he was unsure because his developer made the change. He postulated that it was a mistake on the developer's part.

We expect to see a lot of active users if there are over 460,000 hosts in 2016, but the Charity Engine forum is almost dead. Where is the community talking about Charity Engine?

Charity Engine explained that the vast majority of their users do not care about what happens on Charity Engine after the software is installed. They figure that the users just trust that the software does what it needs to do.

We asked for additional information about how the users relate to the prize drawings featured on Charity Engine's website. Charity Engine replied that the vast majority of their users do not care to check out the prize drawings (or even sign up to the Charity Engine website) despite installing the Charity Engine software. They are content knowing they are helping the scientific community at no cost to themselves.

Beyond that, the Charity Engine founder emphasized that his primary goal for Charity Engine was to contribute to scientific BOINC projects. The donations to charity are an added bonus, and there is little interest in the prize drawing system.

Why aren't people talking about Charity Engine? There is hardly a peep about Charity Engine on social media.

Charity Engine admitted that their social media campaigns have been a complete let-down. We were able to find ample evidence to support this. Their blog has a story on the social media failure.

To reiterate, Charity Engine reported that the vast majority of their users merely install the software and let it run.

When users like our test account or this guy try to do work for Charity Engine 7.0.76 (the public version), we get what appears to be a dummy task taking up "0.0001 CPU" and using very little CPU. Why can't we voluntarily contribute to Charity Engine through the client?

Charity Engine informed us that they have a large amount of unused capacity. They provided multiple reasons why, paraphrased below:

  • When looking for projects to add idle compute resources to, they must vet the projects to ensure that the projects are compatible.
  • They contact BOINC projects before adding their compute resources to ensure that the BOINC servers can handle the load of the potentially tens of thousands of hosts that can contribute to the desired projects.
  • A historically incompatible project example was Rosetta@home. The project's tasks consumed too much RAM, which slowed down users' computers. As a result, many users uninstalled Charity Engine.
  • If Charity Engine donated their large compute power to BOINC projects in Lithuania, the project admins would have to pay a hefty gift tax, so Charity Engine opted not to donate large amounts of compute to Lithuania-based projects.
  • The user turnover rate increases when more compute resources are used. To sustain their current turnover rate of 0.75% per day, Charity Engine must constantly feed marketing spending on bundled software packages to get new installs, therefore maintaining their user base.

Since Charity Engine, like BOINC, cannot update itself, how will the users who just leave Charity Engine 7.0.80 running update to the upcoming new release?

The plan that Charity Engine described works as follows: When the new version is released to bundled software distributors, it will replace the constantly overturning old versions. Charity Engine estimates that 90% of existing users today will have been replaced by new users in roughly six months.

Why did Pomegranate participate in yoyo@home, a project that requires strong authenticators? This means that the Pomegranate account password on yoyo@home was being deployed to some users' computers.

Charity Engine did not provide an answer to this question; however, at the time of writing, Pomegranate has practically stopped earning credit on yoyo@home.

PrimeGrid (address S6RimEgrEar84vQpsmVAVFbGkxfJ4i2sec) provided funds to get Pomegranate started. What is PrimeGrid's role in Pomegranate?

Charity Engine explained that Rytis from PrimeGrid had two Gridcoin wallets and mistakenly sent Pomegranate the GRC from the PrimeGrid Gridcoin donations instead of Rytis's personal balance of GRC.

PrimeGrid consequently was the project with the least return from Pomegranate despite providing the initial wallet funds. Why is Pomegranate not contributing compute power to PrimeGrid?

Charity Engine said that they did contribute a significant amount of custom work for PrimeGrid but greatly reduced their contributions to avoid the possibility of subjecting PrimeGrid to a Lithuanian gift tax.

Can you provide your earnings reports and charity donations so that we can verify your 33-33-33 income distribution claim?

Charity Engine said that this is something they can look into doing moving forward.

(Thanks to @guk for this question) From July to August 2014, Charity Engine added about 125,000 new users to Rosetta@home, which had about 25,000 users at the time. Although Rosetta@home's user count increased fivefold, BOINCstats recorded no substantial change in the rate of issued credit around August 2014. Why is that?

Charity Engine did not have a solid explanation for this discrepancy. They speculated that there is a reporting error to BOINCstats for Charity Engine's contributions to Rosetta@home.


We consider this article to bring our investigation to a close.

If you have any further questions about the investigative process, you are invited to contact @deltik or @dutch on Steemit, Reddit or Slack. For other questions about Charity Engine or Pomegranate, Charity Engine can be contacted through their website.


Thanks for reading!

Regards,

Deltik and Dutch

The fact is, a lot of people want it that way - install, click "I Agree" and you are contributing to science. They don't want to set up BOINC, much less Gridcoin. Regarding Gridcoin profits, CE can easily put another line in their EULA, like "all digital assets created in the process belong to CE". Very few people would care.

Mark echoed this sentiment during the conference call. He said users only cared that they were doing something to help science, and did not want the rest of the details. They don't even bother to sign up for the prize draw.

They could add "to jefpatat". I would care 😉

Excellent follow up.

I think a conversation still needs to be had, particularly in the GRC and BOINC community. I can't seem to shake this thought:

Before Gridcoin, CE is fine -- more compute for science. Now that there is money involved, there are much deeper ethical questions to answer, so:

Should a third party middleman entity (charity engine) profit off the processing power of others, particularly the vulnerable and less technically inclined?

No need to answer right away, but store this one in the back of your minds and let's see what comes.

Well done Deltik and Dutch!

I still don't have a great feeling about CE... When I read about their users, it seems that a lot of them run the software without really being aware of it. As CE claims, all of the users have actively agreed to running the software, but to me, there is a difference between clicking a checkbox once and understanding that the PC is going to run energy hungry tasks (costs) and therefore maybe shorten its lifetime (costs).

Charity Engine explained that the vast majority of their users do not care about what happens on Charity Engine after the software is installed.

This sounds to me like they think "oh, I can contribute to science for free", tick the box and forget about it immediately afterwards. The fact that it is not really for free and someone is profiting on their expenses bothers me.

I have to think about my parents and what they would do in such a situation. They are both pretty illiterate when it comes to computers. I could imagine them downloading CE because they think they do something good. What happens afterwards is that their laptop runs hot, is noisy, runs slower and fails to do the work they need it to do. This results in them calling me and me sitting there, thinking that this old machine is just too old and might need replacement (I would never think about some software running tasks in the background...). Finally, they buy a new laptop to replace the old one that would have just worked fine and I inherit less money.

Seriously... This can cost nerves and money for people who have done nothing wrong and can't really help themselves. That to me is not really fair and while it might not be illegal, is at least immoral.

If I am completely wrong and CE causes no difference in performance at all, correct me please! But I don't think I am...

There is "consent" and then there is "informed consent".

Charity Engine may get the former but they don't get the latter. This is why I have stated that I think that their distribution methods are unethical.

Particularly when BOINC offers (or soon will offer with David Anderson's TBD project funded by the NSF) a simple alternative that will pay that user directly (should Gridcoin develop a similar simplified UX GUI).

Install Ubuntu instead of crappy M$ Windows ;) No slowing down, no bundled software, no Charity Engines...

Or Windows 10. Which apparently reports as 8.1? That's the first time I hear about that and we develop Windows sw.

It does sound familiar to me. Not a Windows dev though.

Seems like we typed out similar ideas at the same time! ;)

Considering you tried to get into contact with this organization multiple times and didn't get any real engagement until you called them a botnet, I wouldn't really call your prior work "poor investigative reporting on our part".

The lack of information they can provide about their user base and how their software is distributed honestly raises my suspicions of them. You don't make a product and then not know how people get it or what they think of it, that's just bad business.

What bothers me most is the fog about how the software is spread. Every company that lives off software, as in the end product, not as in the development of it, tries to have a very good understanding of the audience, their requirements and the feedback. None of this seems to be well defined. To summarize I understand it this way: our audience doesn't really care what/when/why/how they install and don't really bother what the result of the installation is or how they can use it. They're also 100% happy with it and don't report any issues. At the same time they are not that happy to give positive feedback or spread the word.

My opinion is solely based on what I read here. But being in SW development for 20+ years this sounds strange.

I find it all very confusing.

Unfortunately the people they target are the ones that just click through installers without actually understanding what it is telling them, the people that just want the software they thought they were installing and don't realise the consequences of all the bundled crap they get.

For me it's a predatory business practice little better than all the other spyware and malware that gets bundled except this uses some donations to charity to give it a veneer of respectability.

Using the following excuses shouldn't absolve the company of any responsibility either, it's their software and they pay for the distribution.

"They also said that they do not have the choice of what software they are bundled with."
"Charity Engine reported that they do not have control over how their software is bundled"

The fact their attempts to get people to actively download the software through more regular advertising and social media (which would require at least some engagement from the user) have failed, that 99% of the users come from these "bundles" and their user turnover is 6 months tell me that most people when they become informed of the consequences don't want to be involved.

As I understand it, people are meant to join CE for the randomly paid out money. It's meant to be like a lottery, you either get 1000$ or nothing at all.
However, if people don't even sign up to the website after downloading, how does CE pay them out if they win? Or might they not be in for the reward and not even know about it? Why did they join then?
It seems that all those people are pretty much not knowing what they are downloading and what they are doing it for...

If the installers do not offer signup features then apparently only 1% (those who do not run 7.0.80) are eligible for the rewards.

Thank you Deltik and Dutch!

As a quite ideological Gridcoiner, this matter concerned me the moment I had read about it. One follow up question:

How did they explain or behave themselves regarding why they are using and distributing Charity Engine in the first place? As they state themselves that it benefits from users unaware or incapable, why do they continue spreading it, especially over bundles? This seems an awkward, not to say malicious choice.

Of course one can argue about opt-in adware being ethically correct, but then one also has to argue about capability of informed choices etc. And then there is the monetarisation, and the "Idea of Gridcoin" matter. Hmpf, difficult!

Charity Engine did explain this one. They said that their target audience is intentionally the less tech-savvy, as this is where a lot of untapped potential compute power can be found. The BOINC community has a fairly limited supply compared to all the average computer users who wouldn't think to go to BOINC.

as this is where a lot of untapped potential compute power can be found.

Oh dear, if this is their motivation, I would go for malicious as they profit with 33% from that work. If they would not take any money out of this it would be another matter, but since they do...

If they can't disclose the prize draws or charity donations, then something is seriously wrong. I did look into CE myself a few years ago, but Gridcoin seemed to have more potential, for once, I was right :)

CE gained a lot of points in my book with this interview. However, I'd still like to see an actual installation bundle before I'm fully convinced. Given how often people just hammer Next and don't uncheck opt-out installations I'd be surprised if this many people check and accept the CE installation. But then, I'm very rarely right so all might be good here.

As far as botnets go it seems pretty harmless and legalish.

Very confused about pomegranate.....😕😕😕😕
But I love pomegranate as a fruit....😜

As I commented in the other thread, this behavior will only get worse over time. I think there will have to be a reckoning with how gridcoin rewards are distributed for things to be any different.

What is really alarming is that the top project (TN-Grid) that CE is dominating (mag ~1400) is not accepting new users!
Why is this project in the whitelist?
How can a project have preferences about who does the computation?

They do accept new users but you need to use the invitation code which is mentioned on the frontpage.

Thank you for conducting the investigation!
Please help me understand how the collected finds are being used? From what I understood they did not provide this information? IMO a non-for profit organization should have no problem disclosing their financial information. In that case it would be ok for them to keep part of the revenue to cover their operational expenses, they can also have a marketing, innovation, etc. budgets. But if they keep any profit beyond their expenses, they are for profit organization. In that case it seems to fraudulently pocket money from unsuspecting users.
Thoughts?
I think we should demand their financial information, at least about the revenue generated from mining GRC and how it's used. This will clarify a lot of things and will help us to decide on the next steps.
(sorry writing on mobile)

If this or relevant information has already been provided and I missed that, please point me in the right direction on where I can learn more about it.

Charity Engine is run by The Worldwide Computer Company Limited, previously known as Midday Caller Limited. This is a for-profit company.

From the article, this question was posed:

Can you provide your earnings reports and charity donations so that we can verify your 33-33-33 income distribution claim?

Charity Engine said that this is something they can look into doing moving forward.


If you have questions for Charity Engine, you can contact them through their website.