Right-to-Repair: Building Back Worse

“The unintended consequence of the Copyright Office’s ruling [on the right-to-repair] is that what was once an illegal activity that was hard to track is now a legal activity that is hard to track and increases threats not only to patient safety but to patient privacy.”

right-to-repair - https://depositphotos.com/83286010/stock-photo-problem-risk-danger.htmlA recent recommendation by the U.S. Copyright Office allowing for the bypassing of technological protection measures (TPMs) in medical devices for purposes of repair, maintenance and service has been adopted and immediately put into effect. This is bad news for patient safety.

At a time when we’re loudly and publicly debating the relative merits of the Build Back Better Act, the U.S. Copyright Office’s announcement, deep inside the Federal Register and written in very user unfriendly dense government jargon, landed not with a bang, but with a whimper. On purpose. Hiding in plain sight. This terrible ruling offered without a comment period or any other appeals mechanism, will have a profoundly negative impact on America’s public health.

What it boils down to is an exemption to the Digital Millennium Copyright Act  (DMCA) regarding medical devices. In keeping with the traditional bureaucratic trick of obfuscation by omission, the ruling allows for “bypassing” cybersecurity measures so that anyone can hack into secure medical devices for only “repair” purposes. Alas, the obvious problem is that one person’s hack for repair is a less scrupulous person’s hack for more nefarious purposes. There are no special ways to “hack for repair.” This absurd and ill-considered rule basically allows anyone to hack for any reason and claim it was for repair.

Why shouldn’t anyone be allowed to repair anything? Well, for starters, medical devices are highly sophisticated and precise technologies. Consider the medical devices that determine whether or not you’re COVID-19 positive. Scheduled repair and recalibration to ensure accuracy is regular and crucial. Expert knowledge is required. Do you really want hackers (such as those in the aggressive employ of terrorist groups) to have access to these devices?

“Facts,” as John Adams reminds us, “are pesky things.” Hacking is a covert activity, meaning our theoretically empowered watchdog regulators (such as those at the under-funded and under-staffed Food and Drug Administration) will have no advance knowledge or awareness of these activities until something goes catastrophically wrong. Similarly, manufacturers won’t have any visibility into who is accessing their devices or for what purposes. As per the FDA, ““Designing devices to limit access only to privileged device users (“privileged access”) is a key component of ensuring a secure medical device.”

Danger, Will Robinson. Danger.

Previously, if a “hacker” sought to bypass the cybersecurity measures built into in a medical device to access servicing materials, the manufacturer would have had recourse under the DMCA. The new Copyright Office ruling eliminates this fail-safe mechanism, in essence declaring “open season” for medical device hacking.

There is no such thing as a small breach of the Hoover Dam, a small malfunction in airplane landing gear, or a slight miscalibration in an MRI machine. Will independent servicing organizations stay within the limits of this new exemption? How will highly qualified (and strictly regulated) manufacturers know when their security mechanisms are breached? Straying beyond the limits of “repair” could very well result in installing new software, changing system configurations, etc. These activities raise real and relevant patient safety and cybersecurity concerns for FDA-regulated medical devices.

The unintended consequence of the Copyright Office’s ruling is that what was once an illegal activity that was hard to track is now a legal activity that is hard to track and increases threats not only to patient safety but to patient privacy. When you hack into a device – legally or not – you can also access (theoretically protected and private) patient information. Now it’s’ all accessible to any hacker – responsible or otherwise – and legal.

Enhancing “right-to-repair” may sound good to some, but the practical reality is that it facilitates a very real risk to the public health. And that’s unacceptable.

Image Source: Deposit Photos
Image ID:83286010
Copyright:iqoncept 

Share

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author as of the time of publication and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com. Read more.

Join the Discussion

5 comments so far.

  • [Avatar for Anon]
    Anon
    January 7, 2022 10:30 am

    GGB,

    I respect your efforts, but will note that you may want to go one step deeper into the view that ANY type of blocking access (no matter the business reason) is a restraint on copying, and that Fair Use — as properly understood — is not an exception to copyright protection, but instead is merely a noted limitation to the extent copyright protection exists in the first place.

    The act then of preventing access to something that the public has every right to access and copy (if but only for the CHANCE of Fair Use) is an act by the content holder that goes beyond their granted legal right of Copyright.

    I fully “get” that the content holder would prefer to not have to chase down and prove a case in every instance that Fair Use did not apply (it is eminently a much more efficient Business Model). But the bottom line point is that the Business Model does NOT rule the nature of the Constitutionally derived right.

    This issue has been unfolding for a very long time — well before “digital goods” became more and more prevalent, with the Business Model power of Big Media having a very outsized capture of the legislative process. The fact of the matter that the ‘modern era’ is HEAVILY a digital-goods era, does not mean that Business Model should supplant the fundamentals of Copyright – and those fundamentals include limitations on Copyright.

    This too is an area of IP law that does draw distinctions between the spheres of protection (from the same Constitutional clause) based on the aspects being protected.

    The aspect of expression and the aspect of utility draw some very distinct legal differences.

  • [Avatar for Gay Gordon-Byrne]
    Gay Gordon-Byrne
    January 7, 2022 09:00 am

    I am the Executive Director of the Digital Right to Repair Coalition and I’ve heard all of these arguments ad nauseum since 2013. Those that disagree are welcome to contact me directly at info@repair.org for discussion.

    The fundamental disconnect in this essay is the lack of discussion about copyright law and the role that Congress set up for the Librarian in the DMCA of 1998. Under the DMCA it is legal for equipment owners to backup and restore all licensed software for purposes of repair. The DMCA does not differentiate between product types or industries. Copyrights are legal protections for authors of creative content, not secrets. For example — one can buy a book, read it, sell it, tear out pages, quote sections of it but not make copies. Therefore the DMCA recognized that software licenses, under the protections of copyright law, would ban the making of backup copies without an exemption from the USCO. This is why the Congress intended for an exemption process which has now recognized that hospitals need to be able to share service information in order to properly support their mission.

    The specific problem for medical equipment owners, such as hospitals, is that over time OEMs have created their own interpretations of Section 1201 of the DMCA that were written to protect the content industry from literal content piracy to prevent the fair use of exiting repair and service materials. The USCO has carefully reviewed all claims about the extent of piracy for medical equipment service materials and found there is no Copyright reason to block the use of these materials.

    So nothing has changed other than removing the peril of a copyright infringement lawsuit against a hospital from using the exact same materials which the FDA and CMS require hospitals to use in maintenance and repair of their equipment.

    Patients are not harmed when repair materials are used as intended. Lack of access to OEM original parts, tools, diagnostics, and firmware is itself an impediment to the safe operation of equipment – a fact which state legislators have noted and are weighing how to mandate information availability under general business law.

  • [Avatar for Anon]
    Anon
    January 6, 2022 02:12 pm

    Shockingly, I find myself not only in agreement with TFCFM, but in agreement with the apparent driving rationale.

  • [Avatar for TFCFM]
    TFCFM
    January 6, 2022 11:13 am

    Article: “This absurd and ill-considered rule basically allows anyone to hack for any reason and claim it was for repair.

    This assertion appears to defy reality.

    Does the author REALLY believe that a judge or a jury is going to let a person not clearly affiliated with or employed by a medical institution or practitioner using a medical device to get off the hook for alterations to the device, merely by uttering the word “repair”? Hogwash.

    “Patient safety” (which the author pretends to promote) will be equally served, whether the person liable for a faulty alteration is the manufacturer of a device or its user (indeed, the latter will often be easier for patients to identify, find, and drag into court).

    Device manufacturers who want to hike profits by charging fees “per-use” of their devices may suffer, but they aren’t quite so potentially-sympathetic a victim as “patient safety,” are they?

    Eliminating the charge-per-use toll booth will lower the cost of medical care and cause device makers to compete on the basis of what they deliver (i.e., a useful device), rather than on the basis of how many times they can obstruct re-use of an already-sold device.

  • [Avatar for Anon]
    Anon
    January 6, 2022 10:17 am

    My major problem with this article is that it attempts to use the cloak of “safety” as an obfuscation of the fact that ANY such “bypassing of technological protection measures (TPMs)” is an affront to the nature of Fair Use to begin with.

    The type of IP protection at point is one in which the subject of the IP protection is not to be controlled at the source and that source ‘deciding’ (based on its views) what others may or may not do.

    This caters (improperly – clearly in my opinion) to fostering a continued Business Practice as opposed to any actual intellectual property concept.

    If one has to “break in” in the first place to obtain something that even merely just MAY be used freely in cases of Fair Use, then the subject item has already been more constrained than what the intellectual property laws envision.

    Such is nothing more than established entities — for their business purposes — altering the concepts of intellectual protection. Note that I fully “get” and understand the business reasons for doing so. But just like — exactly like — the patent equivalent of Efficient Infringement, understanding the business perspective does not and cannot change the proper intellectual property viewpoint.