Tell Congress to Protect Our Personal InformationLearn More About Unauthorized Access to Data
We're taking part in Copyright Week, a series of actions and discussions supporting key principles that should guide copyright policy. Every day this week, various groups are taking on different elements of the law, and addressing what's at stake, and what we need to do to make sure that copyright promotes creativity and innovation.
My mother’s heart may have literally skipped a beat last week, but she waited four days to find out.
The delay is strange, because her heart is constantly being monitored; for the past two years she has had implanted in her chest a device that serves as pacemaker and emergency defibrillator. If her heart begins to beat too quickly or too slowly, the pacemaker will send electrical currents to her heart to keep it on rhythm. If that fails to work, the defibrillator shocks her more violently, resetting her heart and allowing her to live. This is exactly the same process you see dramatized with medics holding paddles to a patient’s chest and yelling, "Clear!" The major difference is that this all occurs within her ribcage.
These shocks have happened a handful of times over the past two years that she has had the device installed. The device has thus kept her alive since its implantation a number of times. Although she has undergone several rounds of surgery to prevent these irregularities from happening again, she will have the device, or a successor to it, in her body for the rest of her life, ready to send its small pacing signals, or its body-shaking jolt, as necessary.
The Device Also Collects Data
Those electrical signals and shocks are controlled by a suite of sensors that are a part of the device. They monitor her heart rhythms and activate when needed. They also make recordings of these signals generated by her heart and the nerves connected to it, so that they, or her doctor, can make diagnoses based upon them.
Those recordings are stored on the device itself. When my mother comes within range of a base station device on her bedside table, that data is transferred to the base station, and then later transmitted to a monitoring company. Diagnosticians at that company look at the data, and if it shows she’s had a defibrillation, they’ll call her doctor. Otherwise, she knows nothing about what the implanted sensors have recorded and transmitted until her next checkup, when the doctors "interrogate" the device.
She also has the option of pressing a button on the device, which sends a signal to the company to take a look at the recent readings. If they decide there’s a noteworthy event in that data, they’ll call her doctor, who presumably will call her to come in for a further appointment. Each time that happens, she gets charged $140.
This brings me to last week, when she was packing up some things around the house, and felt her heartbeat go irregular. Worried that the surgeries hadn’t fixed the problem, she wanted to figure out what was going on, and had an appointment for this week. She got the results yesterday.
But She Can’t Access That Data
As it turns out, the device didn't pick up a skipped beat from last week, but over the course of the past three months, it's detected a number of occasions of mild tachycardia—a slightly elevated heart rate. Now she's engaged in the complicated process of trying to retrace her steps to figure out why that might have happened four times on December 4th, 3 times on December 14th, and seven times on January 7th, along with a host of other scattered dates. There’s no reason she should have to wait this long to discover those irregularities and retrace her steps.
The device that contains this data is implanted within her body, and wirelessly transmits that data to another device in her home. If she had had access to the device as it was recording and transmitting, she could better figure out if there was something she was doing on those particular days that triggered the tachycardia. But she doesn’t have access to the device and can’t directly see the data. The data goes through two other parties before she can even see it—for a fee, and on their schedule. So even if the sensors have detected and stored an irregularity, that information remains secret unless she's willing to pay and can make an appointment.
This is the same situation faced by another cardiac patient named Hugo Campos. In this TEDx talk, he talks about how he—an obsessive quantifier of his life's habits—lacks the ability to know what the machine inside his chest is seeing and doing. Although Hugo, like all of us, has technology available in his phone and other consumer devices to track how much he eats, drinks, sleeps, and exercises, he can't do the same thing with the device that keeps his heart going.
There's a host of reasons why this is the case. Manufacturers are tight-lipped about giving people access to the data and to the machines that would let them get that data. They raise questions about competitors accessing their proprietary systems. They sometimes mention security reasons (though a number of researchers say that the existing security is poor—a real problem if attackers can access what the patients can't). And, since we've seen it abused so often before, there's the question of copyright, and the anti-circumvention provisions of the Digital Millennium Copyright Act.
Though the factual data itself being sent from the device to the base station (and from there to the monitoring service) shouldn't be covered by copyright, the software running on the implants, in the base station, and in the machines at the monitoring service's and doctors' offices likely is. Getting around any access control measures to access that copyrighted software potentially violates the DMCA. We've seen device makers trying to use the DMCA to keep people from unlocking their phones, turning their videogame consoles into more general-purpose computers, or even using generic printer toner cartridges.
So naturally, Hugo and others are worried that the same overbroad law might stand in the way of them getting at the critical data that's being generated by his heart, beat by beat, stored in the devices in his body and in his home, and using it in realtime to adjust his life to keep his heart on an even keel.
That's why he, along with other researchers and patients with other software-controlled medical devices (including insulin pumps), is applying for an exemption to the DMCA, to make sure that they don't get sued simply for accessing the data that's keeping him alive. With the help of the Berkman Center's Cyberlaw Clinic, the Library of Congress and Copyright Office will be considering this request over the course of this year.
I hope it works. Getting access to that data can provide immediate benefits to a number of patients, and those patients can share the information with their own providers, families, and devices in ways that can help them manage their conditions throughout their lives. Of course, the exemption process occurs every three years, and has to be re-applied for anew each time. In the absence of more permanent reforms, that means that even if they succeed, they'll have to do this again three years from now, as the cycle of rulemaking thuds on, year after year.
Device image credit: Flickr user n28ive1