Thousands of sleep apnea sufferers rely on a lone Australian CPAP hacker to stay healthy

An Australian developer named Mark Watkins painstakingly reverse-engineered the proprietary data generated by Continuous Positive Airway Pressure (CPAP) machines and created Sleepyhead, a free/open piece of software that has become the go-to tool for thousands of sleep apnea sufferers around the world who want to tune their machines to stay healthy.

CPAP machines can require extensive tinkering to deliver exactly the right amount of air to their users; too little air and the patient can become chronically oxygen-deprived, leading to very serious health risks including early mortality. Too much air pressure can also kill you.

CPAP machine manufacturers like Resmed scramble the data generated by the machines and expect patients to physically transport the data on SD cards to their doctors' offices, which doctors use to tune the machines. This process is slow, expensive, and cumbersome, and time-starved docs are unreliable CPAP mechanics (there is a real shortage of sleep specialists).

Enter Mark Watkins and Sleepytime, whose existence is spread by word of mouth on forums for apnea sufferers, and these communities help one another interpret the data generated by the machines and make small adjustments to dial in the right settings.

However, Sleepytime may be illegal. CPAP machines — like many other medical devices — use digital rights management (DRM) to restrict access to their internals, which are a mix of copyrighted software and uncopyrightable data. Section 1201 of the DMCA bans bypassing access controls for copyrighted works, for any purpose, on penalty of 5 year prison sentences and $500,000 fines (for a first offense!). Watkins is Australia, but unluckily for him, the US government insisted on similar copyright laws as a condition of the US-Australia Free Trade Agreement in 2004.

In 2015, the US Copyright Office granted an exemption to the DMCA that permits bypassing DRM in medical devices, including CPAP systems (the FDA filed comments in the docket saying they didn't oppose the exemption).

But appearances are deceiving. The DMCA is an exceptionally poorly drafted rule: not only does it allow medical device manufacturers to abuse copyright to limit patients' access to their own data, but the exemptions that might act to correct these abuses are extremely limited and don't mean what you might think they mean.

The Copyright Office takes the view that it can only grant "use" exemptions to DMCA 1201, but not "tools" exemptions. That means that if you somehow get ahold of Sleepytime, the Copyright Office generously allows you to use Sleepytime. But the Copyright Office can't make distributing or contributing to Sleepytime legal. By hosting Sleepytime, Github is exposed to both criminal and civil liability, and anyone who contributed bug-fixes to Sleepytime is likewise at risk. Giving a copy of Sleepytime to a friend is an offense, and charging them for it (for example, as part of home nursing services) is a felony.

Sleepytime is a perfect parable of the problems of late-stage capitalism: overworked doctors under commercial pressures contribute to an epidemic of underserved patients with potentially life-threatening conditions; the manufacturers who profit off of those patients spend engineering dollars to ensure that they can't help themselves (and that doctors have to pay for site licenses for their decoding software), and so tens of thousands of people around the world have to rely on the willingness of a single person to risk his freedom and finances to write public-spirited software to jailbreak them out of the manufacturer's walled garden.

Watkins started the SleepyHead project seven years ago because he was interested in the "forbidden secrets" of his CPAP machine's SD card. Since he first got started, SleepyHead has become a lifeline for the sleep apnea community.

"As time progressed, I became increasingly disgusted at how the CPAP industry is using and abusing people, and it became apparent there was a serious need for a freely available, data focused, all-in-one CPAP analysis tool," he said.

Why Sleep Apnea Patients Rely on a CPAP Machine Hacker [Jason Koebler/Motherboard]