As regular readers of this blog will know, free software has an importance that extends way beyond the world of software. But for most people, it's hard to understand why software freedom is really that important. So this new report “Killed by Code: Software Transparency in Implantable Medical Devices” from the Software Freedom Law Center (SFLC) provides a handy opportunity to get the message across:
Software is an integral component of a range of devices that perform critical, lifesaving functions and basic daily tasks. As patients grow more reliant on computerized devices, the dependability of software is a life-or-death issue. The need to address software vulnerability is especially pressing for Implantable Medical Devices (IMDs), which are commonly used by millions of patients to treat chronic heart conditions, epilepsy, diabetes, obesity, and even depression.
The software on these devices performs life-sustaining functions such as cardiac pacing and defibrillation, drug delivery, and insulin administration. It is also responsible for monitoring, recording and storing private patient information, communicating wirelessly with other computers, and responding to changes in doctors’ orders.
The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled.
That's bad enough, but it gets worse:
In 2008, the Supreme Court of the United States’ ruling in Riegel v. Medtronic, Inc. made people with IMDs even more vulnerable to negligence on the part of device manufacturers. Following a wave of high-profile recalls of defective IMDs in 2005, the Court’s decision prohibited patients harmed by defects in FDA-approved devices from seeking damages against manufacturers in state court and eliminated the only consumer safeguard protecting patients from potentially fatal IMD malfunctions: product liability lawsuits. Prevented from recovering compensation from IMD-manufacturers for injuries, lost wages, or health expenses in the wake of device failures, people with chronic medical conditions are now faced with a stark choice: trust manufacturers entirely or risk their lives by opting against life-saving treatment.
The SFLC suggests an obvious (to the free software world, at least) approach:
We at the Software Freedom Law Center (SFLC) propose an unexplored solution to the software liability issues that are increasingly pressing as the population of IMD-users grows--requiring medical device manufacturers to make IMD source-code publicly auditable.
This is a shrewd move, since no one is likely to argue against simple requirements that improve the safety of these medical devices. Any manufacturer that refused might reasonably be seen as having something to hide – and of caring little for the well-being of its customers.
But what's really clever here is that there is a general principle involved: that software with the ability to harm as well as help us in the physical world needs to be open to scrutiny to minimise safety issues. Medical devices may be the most extreme manifestation of this, but with the move of embedded software into planes, cars and other large and not-so-large devices with potentially lethal side-effects, the need to inspect software there too becomes increasingly urgent.
As the worlds of digital and analogue become intertwined, so the fundamental idea behind free software – that people have a right to see what this stuff is doing – becomes not a theoretical matter of ethics, but a practical, quotidian necessity if we are to avoid the situation where bad code leads to the ultimate Blue Screen of Death - ours.