On Friday, the Cyberlaw Clinic filed a comment on behalf of a coalition of medical device researchers in the Library of Congress’s triennial rulemaking regarding the Digital Millennium Copyright Act’s anticircumvention provisions. As we noted in the blog post from when the Clinic filed an initial petition in this rulemaking, every three years the Librarian of Congress, at the recommendation of the Register of Copyrights, considers exemptions to the general law against circumventing technological measures that prevent the public from accessing copyrighted works. These exemptions are granted in cases where the law against circumventing technological measures around copyrighted works unduly prevents the public from making lawful uses of those works. (For more on anti-circumvention law, see the Chilling Effects FAQ.)
The Clinic filed a public comment on behalf of researchers Hugo Campos, Jay Radcliffe, Karen Sandler, and Benjamin West, who each study the security and effectiveness of implantable medical devices, including pacemakers, cardioverter defibrillators, insulin pumps, and continuous glucose monitors. This research sometimes requires researchers to reverse engineer these devices in order to study their source code and outputs. The petition was filed to make sure these researchers are allowed to do this even when the device manufacturers encrypt, password-protect, or require proprietary tools in order to access this information.
As this comment notes, independent research into the safety, security, and effectiveness of implantable medical devices is vital for preventing potential malicious intrusion and detecting latent design failures. Increasing patient access to their own device data can also promote overall health. For example, independent researchers in the past have shown how pacemakers can be susceptible to attacks from radio transmitters and how to fix it, how similar vulnerabilities exist with insulin pumps, and how greater patient access to device information can help improve therapy and treatment. Research like this has lead the U.S. Government Accountability Office to urge the Food and Drug Administration to devote more resources to studying the safety and security of devices, and the FDA in turn has begun examining the security of devices more critically as part of its approval process. As devices increasingly adopt encryption, an exemption is necessary to ensure this research continues.
The comment is available here, and was drafted by Clinical Fellow Andy Sellars with the help of Cyberlaw Clinic students Sarah Baugh, Evita Grant, Megan Michaels, Joo-Young Rognile, and Shudan Shen. Opposition comments to the proposed exemption are due in late March, with a third round of comments in May. All comments will appear on the Copyright Office’s website.