With the new anticircumvention rules from the Library of Congress, it’s now legal under copyright law for patients to bypass digital locks on their medical devices so they can access the data stored on them. That’s significant progress for people like Ben West (who not only develops software to get patients’ glucose monitors to talk to their devices, but also uses it on his own) and Hugo Campos (who wants to keep getting data off of his implanted heart monitor). It’s a moment worth celebrating.
Two Years of Safety
But it will last only a relative moment; unless there are changes to the law, Ben, Hugo, and other patients will have to find representation again (this time, they had volunteer legal representation from Andy Sellars and his team at the Berkman Center) and make their case from scratch, going up against major medical device manufacturers, some of those combined companies’ trade associations, and the National Association of Manufacturers.
That process needs to be completed three years from now, and if past rulemakings are any indication, that gives them about two years of access to their data while they don’t have to worry (as much) about being liable under copyright law.
Much Less Worry, but Still Some (Weird Loopholes in the Rules)
I say they don’t have to worry as much because the exemptions that they won from the anticircumvention laws are narrowed in a couple of odd ways.
The first is that patients can only access data that the device was transmitting wirelessly anyway. The reason for this restriction was that manufacturers, in opposing the exemption, included among their arguments the idea that gathering data off of devices could drain the devices’ batteries. They raised the specter of an implanted cardioverter defibrillator being “interrogated” by its user so often that it would have to be replaced sooner than its normal lifecycle.
Of course, not every device needs even minor surgery to replace a battery. A glucose monitor, for instance, is going to be on a patient’s belt or in her pocket. It typically requires a AAA battery and maybe a screwdriver if it starts to run low on power.
Nevertheless, the Copyright Office recommended, and the Library agreed, that this was enough of a concern that it should limit the kinds of access patients should get to passive monitoring. After all, it seems that that covers most of the data that patients want.
Why limit that to wireless, though? Plugging a cable into a device shouldn’t take more power than receiving a radio transmission. It’s an odd limitation that doesn’t seem to do much good, and can shut out certain uses. The way this is written, if a patient reads data from their device off a wireless transmission, that’s ok, but if they get the same data by plugging a USB cable into it, they could be violating copyright law.
This bizarre loophole seems like the sort of thing that could easily be resolved with a better understanding of how the devices are used—an understanding that the Copyright Office doesn’t have, and didn’t have the time to acquire, between juggling debates about 27 different types of uses, and all their proponents and opponents.
Getting Help to Get Your Data (Is Nightscout in Trouble?)
Not all of the limitations on the exemption are matters of getting details wrong, though. A much bigger problem is the question of who gets to use the exemption. The rules seem to say that patients can circumvent locks to access their own data, but that they can’t ask others to do that for them.
The reason given for this is that the Library only has the power to let people circumvent digital barriers—other parts of the law still keep people from selling tools or services that let people make those circumventions. In other words, the Library can grant people the power to pick locks, but it doesn’t let people sell lockpicks or lockpicking services, as it were.
But this shouldn’t be a bar to the patient himself getting technical help in accessing his device. Whether or not a project like Nightscout (which gives diabetes patients better access to their own data) could get in trouble for providing the means for others to circumvent, or if a hacker could be sued or prosecuted for helping a friend or acquaintance to circumvent, that friend with the medical device shouldn’t herself be breaking the law.
This is exactly what’s happened with cell phone unlocking. When the Library and Copyright Office refused to renew the cell phone unlocking exemption in 2012, Congress stepped in with a law that reversed that decision and also made it clear that consumers could not only unlock themselves, but also could direct others to unlock for them. The law itself doesn’t say that it’s changing the contours of the DMCA, or acknowledge any tension with the provisions against providing goods and services. In other words, I don’t think that it’s necessary to have Congress pass a whole law just so that someone with every legal right to unlock a device can get the technical help he needs to do so. Apparently, the Copyright Office disagrees.
Copyright Violations Piling On
One other thing about the exemption is that, in order to qualify for it, you have to not be violating any other laws. This is actually a little weird. If someone is breaking another law, they’re already breaking that law. Conditioning this exemption on them not breaking another law just means that if they mess up and violate some FDA regulation, they’re now on the hook for both that violation and a copyright violation.
This is particularly weird because, in a lot of cases, only certain people can sue someone for breaking the law—usually, the person who was harmed, or the government. In this case, though, someone violating some other law is likely hurting the patient—but with this particular framework for exemptions, now a copyright holder—like the device manufacturer—has a right to sue. In a sense, this lets copyright law act as a way of expanding and increasing liability for other laws—something that it really isn’t meant to do.
If this all sounds a bit ungrateful—after all, didn’t we get an exemption we were asking for—it’s because the fact that we have to get an exemption in the first place is so ludicrous. It’s one reason that the DMCA itself is the source of so many problems.
There’s a host of ways to fix that. One is to obviate a lot of the requests in the first place—by making it clear that circumventions for uses that don’t infringe copyright aren’t breaking the law. That’s it, no need for an exemption process. That’s the idea behind the Unlocking Technology Act.
There are also proposals to make the rulemaking process simpler, by allowing exemptions granted in the past a presumption that they’ll continue in the future. That’s the idea behind the Breaking Down Barriers to Innovation Act. That not only reduces the burden on people requesting exemptions, it also could reduce the number of arguments the Copyright Office has to wade through in each rulemaking, giving it more time to look deeper into unresolved issues, and preventing errors in details like the “wired/wireless” distinction here.
But there are other fixes that are possible, too. If the Copyright Office and the Library don’t believe that granting users an exemption also lets those users get someone to help them with the technical details, maybe Congress needs to say so, just like it did with cell phone unlocking. That way, at least patients don’t need to become hackers in the next year and change before being able to actually use the exemption they won.
So yes, it’s a good thing the exemption was granted. But no, that doesn’t make the problems go away. There’s more to be done, and more we all can do to make sure that happens. Stay tuned for that.
Contact your representative in Congress here to tell them it’s time to revise Section 1201 of the DMCA.
See what consumer advocates are saying about DMCA reform here.
Check out our latest podcast on the Section 1201 exemption process results here.
Image credit: Wikimedia Commons user David-i98