Over the past several months the Cyberlaw Clinic has been working with medical device researchers Hugo Campos, Jay Radcliffe, Karen Sandler, and Ben West, in a proceeding before the Copyright Office regarding the anticircumvention laws created in the Digital Millennium Copyright Act. Here’s what we’ve been doing, and why we’re doing it.
The Clinic has written about this proceeding twice before, but as a quick review: our clients each study the safety, security, and effectiveness of medical devices. Some look at the devices from a system design perspective, analyzing the hardware and software of the devices for misconfigurations or vulnerabilities. Others look at the devices as they are applied to a particular patient’s care, and help patients retrieve important information off the devices that the device otherwise would not share, or would only make available through periodic checkups with doctors once every several months. Their research has helped patients and doctors better tailor care, the public understand the nature of medical device risks, and regulatory agencies like FDA improve government oversight of devices.
The good news is that their research is having an impact: manufacturers have responded to concerns raised by independent device researchers by improving the security of devices through use of technologies like encryption. The bad news is that the use of encryption and other “technological protection measures” (to use the term of art from copyright law) on these devices means that this research is now at times regulated by copyright’s anticircumvention laws. These laws state that no person may circumvent a technological protection measure protecting a copyrighted work (e.g., by decrypting an encrypted work) without permission from the copyright owner, unless their circumvention is covered by one of seven statutory exceptions, none of which exactly cover the types of research here.
Once every three years, however, the Library of Congress and Copyright Office conduct a rulemaking to determine whether other temporary exemptions should be granted, in cases where otherwise-lawful uses of copyrighted works are substantially affected by the anticircumvention laws. In the past, this rulemaking has been used to ensure that visually impaired readers can circumvent the controls on eBooks to allow the books to be read aloud, that teachers and students can circumvent the encryption on DVDs for media studies projects, and that cell phones can be “jailbroken” to allow an owner to use the phone on a different carrier’s network. When the proceeding began again last fall, the Clinic petitioned for an exemption to help make sure that medical device research and patient access to data would be protected as part of the next round of exemptions.
In our petition filed in November and initial comment filed in February, we described how researchers access and analyze the source code and data outputs of devices — both in general and as they relate to an individual’s care — and the impact their research has had on device design, use, and governance. The comments also detailed how this research is currently protected under the law (and does not infringe any copyrights in medical device software or outputs), and how anticircumvention laws now jeopardize current and future research.
In March, opponents to exemption had a chance to respond. A few different industry organizations and researchers raised concerns about the proposed exemption. (Those opposition comments are available here.) In early May, the Clinic filed a reply comment, responding to their concerns. The comment notes that research of this nature has been done for several years, and while the opponents raised abstract concerns about safety and effectiveness of such research, they failed to cite a single case where such research risked human life or public safety. In fact, they instead demonstrated the value of this research, by repeatedly citing to independent research conducted by coalition members in their opposition comment, and in admitting that the industry has changed its practices after issues were raised by independent research.
Later in May, I had the chance to travel to Washington with one of our clients, Ben West, to participate in roundtable hearings held by the Copyright Office as part of this proceeding. Ben and I discussed the details of the proposed exemption with several members of the Copyright Office, along with fellow proponents Laura Moy from New America Foundation’s Open Technology Institute and Sherwin Siy from Public Knowledge. The transcript of that hearing is available here, and Prof. Rebecca Tushnet has provided a summary of what was discussed at the hearing.
After the hearing, the Copyright Office sent us a letter asking for our clients’ input on whether the exemption should include a requirement that a researcher must disclose any issues they find with a medical device to the device’s manufacturer, before telling others. This appears to come out of discussions from two of the other proposed anticircumvention exemptions, where computer researchers are more likely to uncover vulnerabilities that, at least theoretically, could be exploited by bad actors. (As one of our clients has demonstrated, there are such vulnerabilities in medical devices, too, but to date there has been no recorded incident of a vulnerability being exploited outside of a controlled setting.)
The Clinic responded to that letter yesterday, noting that both law and reason counsel against such a requirement in this case. As the letter notes, researchers typically disclose issues to manufacturers as part of their process, but there are very good reasons why researchers in certain cases may instead choose to inform other researchers, government regulators, doctors, patients, or the public first or instead of telling the manufacturer. Furthermore, the First Amendment protects the right of a researcher to decide where and to whom they will share information. Were the Copyright Office to impose a requirement here that a researcher could only benefit from the exemption if they revealed their research to manufacturers, this conditioning of a government benefit based on a limitation of speech rights would be unconstitutional. At heart, the decision on where to share computer security research is an ethical, and not a legal, one, and ethics do not necessarily dictate that a researcher inform a manufacturer first in all cases.
This is likely the last filing the Clinic will make in this proceeding. Under this rulemaking’s procedure, the Copyright Office will now solicit the views of the Department of Commerce’s National Telecommunications and Information Administration, and then make a formal recommendation to the Librarian of Congress, who will then issue a final rule granting or rejecting our proposed exemption. We expect that rule to come later this year. We could not have done this without the hard work of several Cyberlaw Clinic students and interns, including Sarah Baugh (HLS ’16), Jonathan Diaz (HLS ’16), Evita Grant (HLS ’16), Megan Michaels (HLS ’16), Joo-Young Rognile (HLS ’15), Michael Rosenbloom (Columbia Law ’17), and Shudan Shen (HLS ’16).
Andy Sellars is a Clinical Fellow at the Cyberlaw Clinic and the Corydon B. Dunham First Amendment Fellow at Harvard Law School.