We are happy to report that the Library of Congress has approved of exemptions to the DMCA’s anti-circumvention provisions in order to protect independent medical device safety and security research and patient access to data. This announcement comes after a year of litigating this issue before the Copyright Office. You can review all of our prior coverage and the filings of the case at our page about the 2015 Anticircumvention Rulemaking. I wanted to take time to review the decision, and reflect briefly on the process of the DMCA rulemaking.
The Cyberlaw Clinic represented a coalition of medical device researchers – Hugo Campos, Jay Radcliffe, Karen Sandler, and Ben West – who study the safety, security, and effectiveness of implanted medical devices. Some of our clients study this by analyzing the software of medical devices for vulnerabilities or flaws, and others look specifically to how patients can protect themselves by getting more timely access to medical data. Through a petition, initial comment, reply comment, and two subsequent letters, the Clinic articulated why such research is vital to ensuring patient health and safety, does not seriously risk piracy or infringement, and should be allowed to continue as medical device manufacturers begin to employ encryption and other “technological protection measures” that implicate anticircumvention law.
At the recommendation of the Copyright Office and the Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Library decided to split our proposed exemption into two pieces – those accessing software to do security testing, and patients accessing their own data – and consider each separately. In the end they granted both parts of the exemption, though not without some important caveats and qualifications.
Medical Device Security Research
From the Register of Copyright’s recommendation to the Librarian of Congress, the Copyright Office said the following about medical device security research:
Based on the entirety of the record and as set forth below, the Register concludes that proponents have demonstrated that good-faith testing for and the identification, disclosure and correction of malfunctions, security flaws and vulnerabilities in copyrighted computer programs have been hindered by TPMs that protect those programs. The Register further concludes that the existing permanent exemptions in section 1201 do not cover the full range of proposed security research activities, many of which proponents have established are likely be noninfringing. […] The Register finds that the overall record supports proponents’ claim that accessing and reproducing computer programs for purposes of facilitating good-faith security research and identification of defects are likely to be fair uses of the programs under section 107.
Importantly, the Copyright Office rejected the argument made by some opponents to this exemption that protection of independent research was unnecessary because medical device companies at times directly allow for research of their devices:
Although opponents have shown that significant independent research is taking place through the cooperation of copyright owners and manufacturers, proponents convincingly argue that adverse effects persist despite the existence of authorized research. For example, there is substantial evidence that the DMCA prohibition continues to discourage academic institutions and government entities from funding critical security research due to uncertainty about the legality of the circumvention that may be involved. Furthermore, the record establishes that there are significant shortcomings to pursuing research in concert with software developers and product manufacturers, who may have reason to delay publication of research results or prevent public disclosure of vulnerabilities.
The Copyright Office also rejected the argument that exemptions should not be granted due to the reputational harm they may cause to manufacturers:
Although opponents assert that granting the exemption could erode the public’s confidence in the safety and security of products that are found to be flawed, this is not a harm that the Register is comfortable crediting in this context. Such an adverse effect is not truly a copyright concern; it is more fairly traceable to the existence of security defects in computer programs rather than security researchers’ access to those programs.
As noted above, there were important limitations imposed by the Library of Congress on this exemption. The most significant of limitation is a one-year delay in its going into effect. This was done, according to the Library’s final rule, in order to “give other parts of the government sufficient opportunity to respond” to the exemption. This particular limitation is noteworthy for a few reasons. First, as the NTIA noted in its letter, it is not clear that the Library has the authority to delay the issuance of a rule in this way. Second, based on the discussions of many in the rulemaking, there is strong reason to believe that the FDA and other regulatory agencies were not even aware of the DMCA and its limitations on circumvention for research, and thus it would be incorrect to assume that they were using the law as a safeguard against unwanted research.
The final wording of the exemption allows for circumvention of protection measures on:
(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986, as amended and codified in title 18, United States Code; and provided, however, that, except as to voting machines, such circumvention is initiated no earlier than 12 months after the effective date of this regulation, and the device or machine is one of the following:
(A) A device or machine primarily designed for use by individual consumers (including voting machines);
(B) A motorized land vehicle; or
(C) A medical device designed for whole or partial implantation in patients or a corresponding personal monitoring system, that is not and will not be used by patients or for patient care.
(ii) For purposes of this exemption, “good-faith security research” means accessing a computer program solely for purposes of good- faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.
Patient Access to Medical Device Data
On the patient access to data side of our exemption, the Library of Congress framed the problem our clients sought to address in the final rule accordingly:
Many modern implanted medical devices, such as pacemakers, implantable cardioverter defibrillators, insulin pumps and continuous glucose monitors, measure and record data about physiological developments taking place within the body, and communicate that data wirelessly to a corresponding personal monitoring system. Some personal monitoring systems, in turn, transmit data to a hospital or monitoring company, and ultimately to the patient’s physician. Increasingly, these transmissions of data are protected by TPMs, including encryption schemes. [The Medical Device Research Coalition] requested an exemption that would allow a patient, or persons acting on behalf of the patient, to circumvent TPMs on these transmissions so that the patient is able to access the data generated by his or her own medical device and any corresponding personal monitoring system, without the need to visit a hospital or doctor’s office.
The NTIA said the following in its letter to the Copyright Office concerning the rulemaking in support of our exemption:
Having analyzed the record, NTIA is persuaded that designating a class of works that would allow a patient and his or her doctor to have greater access to the patient’s medical data will not adversely affect the market value of the copyrighted software that runs the medical devices. There is no market for medical device software divorced from the device itself, nor is the software a replacement for the device, so this exemption would not harm the copyrighted software’s value. NTIA is also persuaded that granting this exemption would provide relief from the harm that proponents have demonstrated. Proponents state they are harmed because they are unable to see and react to data collected by medical devices (e.g., glucose spikes, heart rate drops) in real time. NTIA agrees with proponents that making a patient wait for a medical appointment to access his or her own medical data is not a sufficient alternative to circumvention, because that is not a practical way to see medical data changes in real time. For example, if a patient receives a report at the doctor’s office showing a glucose spike three weeks ago at a certain time, the patient will likely not remember what happened at that moment, and will be unable to take remedial action in order to prevent that kind of spike from repeating.
The Copyright Office generally agreed with the NTIA in support of our exemption, though with specific limitations placed on it to the interception of passive transmissions of data out of concerns about what repeated access to the device may do to battery life. (As we noted in our reply comment, such battery issues are unsubstantiated by the opponents outside of times when a patient continually accesses a device, and do not apply at all to insulin pumps and continuous glucose monitors, which often use standard, replaceable batteries.) The Copyright Office and Library of Congress also refused to include language the Clinic proposed to have the exemption be “at the direction” of patients to “undertaken by a patient,” out of concerns that the broader language may implicate the anti-trafficking provisions of anticircumvention law that are not subject to this exemption.
The final rule with respect to patient access to data allows for circumvention of technological measures on:
Literary works consisting of compilations of data generated by medical devices that are wholly or partially implanted in the body or by their corresponding personal monitoring systems, where such circumvention is undertaken by a patient for the sole purpose of lawfully accessing the data generated by his or her own device or monitoring system and does not constitute a violation of applicable law, including without limitation the Health Insurance Portability and Accountability Act of 1996, the Computer Fraud and Abuse Act of 1986 or regulations of the Food and Drug Administration, and is accomplished through the passive monitoring of wireless transmissions that are already being produced by such device or monitoring system.
Beyond the specific exemptions the Clinic argued for here, the Copyright Office and NTIA also spent considerable time discussing how much other policy considerations – such as patient health and safety – should be implicated in a rulemaking that is ostensibly focused on copyright and piracy. As the NTIA put it:
While there have long been proposed exemptions that implicated issues unrelated to copyright law, the sixth triennial rulemaking has stood out for its extensive discussions of matters with no or at best a very tenuous nexus to copyright protection. Parties have, in this proceeding, raised concerns about medical device safety, vehicle emissions standards, best practices in software vulnerability disclosure, and other issues that are not contemplated in copyright law. […] NTIA urges the Copyright Office against interpreting the statute in a way that would require it to develop expertise in every area of policy that participants may cite on the record. Although Congress clearly included [§ 1201(a)(1)(C)(v)] to enable consideration of issues not otherwise enumerated, the deliberative process should not deviate too far afield from copyright policy concerns.
The Copyright Office expressed similar concerns, though ultimately rejected the NTIA’s more strict proposed limitation to the Office’s authority:
The policy concerns reflected in the [security research exemption proposals] and in the forceful responses thereto, are substantial ones that are more properly debated in the halls of Congress—or at least the halls of other federal agencies. […] The rules that should govern such research hardly seem the province of copyright, since the considerations of how safely to encourage such investigation are fairly far afield from copyright’s core purpose of promoting the creation and dissemination of creative works. Rather, the rules that should govern are best considered by those responsible for our national security and for regulating the consumer products and services at issue.
The concerns of regulatory creep in the anticircumvention rulemaking have been around since its inception nearly twenty years ago, but have arisen with newfound vigor in this last rulemaking cycle. The dangers of an overbroad view of the DMCA are now extensively documented; as a recent U.C. Berkeley study highlighted, overbroad use of the DMCA has been one of the main threats to independent research in the technology space. This threat is only augmented by the Copyright Office’s desire to not only embrace this breadth, but use it in determining whether and how exemptions should be granted. A remarkable number of limitations and qualifications were placed on many of the exemptions granted in this proceeding, for reasons that have little to do with copyright or piracy.
Some in Congress have argued for reexamination of this procedure in light of its complexity, ambiguity, and lack of clear direction. The Breaking Down Barriers to Innovation Act, for example, would shift the burden of proof in the proceeding, focus the inquiry more directly on copyright, and allow exemptions to automatically carry over to the next cycle unless challenged. The Unlocking Technology Act goes even further, and removes all liability for circumvention unless it is done to facilitate infringement – exactly what the WIPO Copyright Treaty requires for anticircumvention law, and nothing more. No doubt other proposals will also be raised as the voluminous documentation of the rulemaking is examined and considered over the next several days and weeks.
While the Clinic is quite happy that it was able to persuade the NTIA, Copyright Office, and Library of Congress to grant this exemption and secure this victory for our clients, it was not without tremendous effort. The work spanned a full calendar year, and involved the help of seven different Clinic students and interns during that time – Sarah Baugh (HLS ’16), Jonathan Diaz (HLS ’16), Evita Grant (HLS ’16), Megan Michaels (HLS ’16), Joo-Young Rognile (HLS ’15), Michael Rosenbloom (Columbia Law ’17), and Shudan Shen (HLS ’16). And for all of that time and extensive record building, the opponents to the exemption never once were able to show how this sort of research would violate copyright law, or risk greater piracy of medical devices. That fact alone should have ended this inquiry before it began.