EFF to FDA: the DMCA turns medical implants into time-bombs

The Electronic Frontier Foundation just filed comments with the FDA in its embedded device cybersecurity docket, warning the agency that manufacturers have abused the Digital Millennium Copyright Act, threatening security researchers with lawsuits if they came forward with embarrassing news about defects in the manufacturers' products.

Under section 1201 of the DMCA, it's an offense to remove or tamper with digital locks that control access to copyrighted works. Originally, this was used to force people to spend more on their entertainment products (for example, it's used to force you to buy the movies you own on DVDs again if you want to watch them on your mobile devices). But increasingly, manufacturers from every sector have used these locks and the law that protects them to lock in customers and charge more for consumables, parts, service and features — from phones to thermostats to cars to tractors, to medical implants.

These companies then get to use the DMCA to threaten competitors and anyone who demonstrates flaws in their products — meaning that those flaws take longer to come to light and get fixed.

Congress really needs to address this, but don't hold your breath. Getting sensible copyright policy out of Congress is not something you'd want to literally bet your life on.

In the meantime, the FDA has another option: it already attaches a lot of conditions to the certification process for medical devices. It should add one more: a binding promise not to invoke the DMCA to attack security researchers.

The covenant is designed to be narrow. In essence vendors are simply promising not to use copyright law to prevent security or safety research. It says nothing about a vendor's other rights (e.g. patent, trade secrets, contracts), leaving intact all the traditional mechanisms that Congress has granted to companies to protect their investments. In an analysis of 50 court cases that invoked Section 1201 of the DMCA, we found that 47 of the complaints invoked a legal theory other than anti-circumvention liability; of the remaining three, two were criminal complaints and one was dismissed.

In other words, 100 percent of the substantive civil complaints under the DMCA could continue under a different legal theory; the covenant only covers "bare circumvention" without any additional conduct that gives rise to a complaint. This covenant would limit only those very unusual claims.

It would be irresponsible to plan a national medical device policy on the assumption that everything will go right. The post-market reporting of mistakes and prevention of market abuses are every bit as important to public safety as ensuring that things work well in the first place. By safeguarding patients, users, competitors and security researchers through post-market reporting procedures, the FDA will complement its commitment to excellence in initial manufacture with an
equally important commitment to excellence in graceful failure modes.

Pacemakers and Piracy: The Unintended Consequences of the DMCA for Medical Implants

of Cybersecurity in Medical Devices;
Draft Guidance for Industry and Food and Drug Administration Staff

(Image: Herzschrittmacher auf Roentgenbild, Sunzi99, CC-BY)