My pacemaker will not be tweeting just yet

June 2007: the Free Software Foundation (FSF) publish their third ‘discussion draft’ of their proposed new licence, the GPL version 3. Alongside this new draft is published a so-called ‘rationale’, which helpfully explains the changes made since the last draft. Originally the FSF had planned to require all forms of encrypted GPL software to be accompanied by appropriate decryption keys, to prevent device manufacturers from putting GPL software in their products but making it impossible for end users to modify it. Many people had complained about this, however, saying that it undermined a lot of legitimate uses of cryptography on software code. The FSF responded by limiting the requirement only to ‘User Products’ in its next draft, and went to a lot of trouble to define this subset of GPL-containing items. In the rationale document (pdf), they commented:

We considered including medical devices for implantation in the human body in the User Product definition. We decided against this, however, because there may be legitimate health and safety regulations concerning inexpert and reckless modifications of medical devices. In any case, it will probably be necessary to convince medical device regulators to allow user-modifiable implantable medical devices. We plan to begin a campaign to address this issue.

Some commentators made fun of this aspiration. Ed Burnette of ZDNet commented:

This paragraph demonstrates both the pragmatism that is creeping into the FSF (concerns for ‘reckless modifications’) and the ‘tin-foil hat’ eccentricity that has always been a part of Stallman’s free software movement. If nothing else, the activities of the FSF and its colorful leader will continue to give us plenty to talk about in the years to come.

Well, years passed and there was little public evidence of this campaign… until this week. On Wednesday the Software Freedom Law Center (SFLC) published research which argues that the US Food and Drug Administration (FDA) should require all manufacturers of Implantable Medical Devices (IMDs) to publish the source code of the software in their products. The paper cites many chilling examples of software reliability and security problems with IMDs:

While there has yet to be a documented incident in which the source code of a medical device was breached for malicious purposes, a 2008-study led by software engineer and security expert Kevin Fu proved that it is possible to interfere with an ICD (implantable cardioverter defibrillator) that had passed the FDA’s premarket approval process and been implanted in hundreds of thousands of patients. A team of researchers from three universities partially reverse-engineered the communications protocol of a 2003-model ICD and launched several radio-based software attacks from a short distance. Using low-cost, commercially available equipment to bypass the device programmer, the researchers were able to extract private data stored inside the ICD such as patients’ vital signs and medical history; “eavesdrop” on wireless communication with the device programmer; reprogram the therapy settings that detect and treat abnormal heart rhythms; and keep the device in “awake” mode in order to deplete its battery, which can only be replaced with invasive surgery.
In one experimental attack conducted in the study, researchers were able to disable the ICD to prevent it from delivering a life-saving shock and then direct the same device to deliver multiple shocks averaging 137.7 volts that would induce ventricular fibrillation in a patient. The study concluded that there were no “technological mechanisms in place to ensure that programmers can only be operated by authorized personnel.” Fu’s findings show that almost anyone could use store-bought tools to build a device that could “be easily miniaturized to the size of an iPhone and carried through a crowded mall or subway, sending its heart-attack command to random victims.”

Chilling stuff indeed. The paper goes on to argue that FOSS is inherently more secure than closed source, and that source code for IMDs ought to be available for all to see both for greater security and to avoid problems if a device manufacturer goes bankrupt and disappears.
This is not quite the campaign promised back in 2007, however. Notable by its absence is a call for IMDs to actually be user-modifiable:

Specifically, we call on the FDA to require manufacturers of life-critical IMDs to publish the source code of medical device software so the public and regulators can examine and evaluate it.

The paper uses the argument that FOSS is more secure to underpin a request for publication, not full FOSS-licensing. Presumably any errors detected in the code would have to be notified to the manufacturer for actual repair. This is, of course, not particularly surprising. Calling for the FDA to allow individuals to flash their pacemakers to tweet their heart rate would probably attract the same kind of ridicule that Ed Burnette engaged in three years ago. While some activists – including possibly Stallman himself – may regret this reticence, it is probably necessary in order for the request to be taken seriously.