We are happy to report that the Library of Congress has approved of exemptions to the DMCA’s anti-circumvention provisions in order to protect independent medical device safety and security research and patient access to data. This announcement comes after a year of litigating this issue before the Copyright Office. You can review all of our prior coverage and the filings of the case at our page about the 2015 Anticircumvention Rulemaking. I wanted to take time to review the decision, and reflect briefly on the process of the DMCA rulemaking.
The Cyberlaw Clinic represented a coalition of medical device researchers – Hugo Campos, Jay Radcliffe, Karen Sandler, and Ben West – who study the safety, security, and effectiveness of implanted medical devices. Some of our clients study this by analyzing the software of medical devices for vulnerabilities or flaws, and others look specifically to how patients can protect themselves by getting more timely access to medical data. Through a petition, initial comment, reply comment, and two subsequent letters, the Clinic articulated why such research is vital to ensuring patient health and safety, does not seriously risk piracy or infringement, and should be allowed to continue as medical device manufacturers begin to employ encryption and other “technological protection measures” that implicate anticircumvention law.
At the recommendation of the Copyright Office and the Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Library decided to split our proposed exemption into two pieces – those accessing software to do security testing, and patients accessing their own data – and consider each separately. In the end they granted both parts of the exemption, though not without some important caveats and qualifications.