Your medical data: misappropriated by health-tech companies, off-limits to you

Backchannel's package on medical data and the health-tech industry profiles three people who were able to shake loose their own data and make real improvements in their lives with it: Marie Moe, who discovered that the reason she was having terrifying cardiac episodes was out-of-date firmware on her pacemaker; Steven Keating, who created a website with exquisitely detailed data on his brain tumor, including a gene-sequence that had to be run a second time because the first scan wasn't approved for "commercial" use, which included publishing it on his own site; and Annie Kuehl, whose advocacy eventually revealed the fact that doctors had suspected all along that her sick baby had a rare genetic disorder, which she only learned about after years of agonizing victim-blaming and terrifying seizures.

The conundrum is made worse by the fact that insurers, data-miners, and commercial tech giants are routinely given access to the data that is denied to patients, while patients themselves can't choose to donate their own data to public-interest, open access research efforts. Identity thieves and other criminals also routinely access this data, because medical practices, insurers and other aggregators are every bit as prone to leaks as the DNC, OPM and Ashley Madison are.

The use of DRM in medical implants complicates things further: because section 1201 of the DMCA has been used to sue and criminally prosecute people who bypassed DRM for legal purposes (say, to give patients the data collected from their own bodies by the medical implants they have to pay for and rely on to keep them alive), researchers are afraid to delve into this realm, and when they do, they are afraid to publish what they learn.

Last autumn, the US Copyright Office granted a limited exemption to jailbreak medical implants for security research purposes, but this exemption is grossly inadequate. It only covers the act of bypassing DRM, but not making or sharing tools or information needed to bypass the DRM (each researcher must make her own DRM-breaking tool and cannot share it with other researchers, making it impossible to replicate her experiments). It has to be renewed every three years. It only covers US researchers, not researchers in all the countries around the world where the US Trade Rep has successfully exported laws like DMCA 1201 — so researchers for multinationals could jeopardize their employers' foreign holdings by publishing work in the USA.

Last month, the Electronic Frontier Foundation filed a federal lawsuit to invalidate section 1201 of the DMCA; the suit was filed just weeks after the ACLU filed suit to challenge the constitutionality of the Computer Fraud and Abuse Act, which has been used to jail researchers who discovered mass privacy-leaking defects in online services (the CFAA defines hacking as "exceeding authorization" on a remote system; prosecutors argued that since the service's terms of service banned security researchers from investigating their integrity, the researchers had exceeded their authorization).

"Property" is a terrible framework for understanding personal information — it's led to a situation where people aren't allowed to know what's going on in their own bodies, and where corporations can use anti-theft laws to attack scientists, security researchers, and the people whose bodies generated the data the corporations have turned into crown jewels.

We need a drastic, urgent rethink of this: our networked health future will only serve us well if it arrives with privacy protection for patients, transparency for security researchers, and universal access for scientists working in the public interest.

That last option is where Wilbanks, Ball, Steven Keating (read about Steven's data heroics here) and many others see the truly transformative possibility of data liberation. Democratizing the data means that no doctor or hospital or jealous scientist or greedy pharmaceutical company can keep it locked away. It is put into the hands of the people, who can contribute it to any project they choose. In this beautiful future, data flows freely between us all, a vast and glimmering sea of information that scientists can dip into at will. Today's big-data projects include hundreds of thousands of people, maybe a million at most. That's chump change. A future of free data could provide orders of magnitude more, millions of observations on hundreds of millions of people. With this bounty of data, network effects kick in. We will start to see things that were always invisible before: New connections, new ways to treat and cure, the answers to a thousand vexing medical questions that will never be answered by those who keep the data locked up.

If the visionaries get their way, soon you won't have to be a programmer, a lawyer, or a programmer-lawyer to get your data; you won't have to be desperate or stubborn. It'll be your natural right.

The people at Get My Health Data are pushing us all to get our medical records; people like Ball and Wilbanks are seeding the open-data movement in research; others are challenging the law. Beyond them is a groundswell of people of all kinds — hackers and patients and policy nerds and enlightened doctors; bureaucrats and self-quantifiers and parents who see the possibility, and are fed up with the way things work now. "We can empower people, and make them realize that they do have a right and a responsibility toward themselves," says Campos. "That is what is changing."

Our Medical Data Must Become Free
[K McGowan/Backchannel]

(Image: Señor Salme)