We are not ready for health hacking
Posted on 2017-01-30
A few years ago, Andy Greenberg, a writer for the mostly tech-oriented magazine WIRED, wrote a piece in which he presented two researchers, Charlie Miller and Chris Valasek, who were able to hack vehicles. Greenberg agreed to be the "victim" of a hack. In his article, he described the feeling of powerlessness he experienced during the event, and later he elaborated on the potential dangers that could result if such hacks were to occur.
In the fall of 2016, a distributed denial-of-service (DDoS) attack was directed at Dyn, a DNS provider (DNS is what translates between human-readable website names and numerical IP addresses). This meant that well-known sites and services (e.g. Twitter, Netflix) were not available during that time. It is currently believed and accepted that the attack was caused by infected network-enabled devices (also known as the Internet of Things, or IoT), such as printers, cameras, and other home devices.
Both of the situations presented above could have been avoided. The vehicle hack was done thanks to a zero-day exploit, which means that the code produced by the car builders included a security flaw on release. The DDoS happened because the IoT devices were infected with malware. While the former should have been handled ahead of time by the engineers who built the cars, the latter is generally believed to be the responsibility of the device owners.
While these events can be inconvenient, even dangerous, they don't even compare to a potential upcoming threat: health hacking.
Are we cyborgs yet?
Amidst the science fiction of the mid-20th century, the term cyborg appeared, referring mostly to a biological organism being enhanced by artificial components. Since then, there have been iconic stories and characters around that subject: many of Isaac Asimov's books, Philip K. Dick's novel "Do Androids Dream of Electric Sheep?" (popularized with the movie Blade Runner), Robocop, The Terminator, the Borg from Star Trek. When you think of it for a moment, Luke Skywalker from Star Wars is also a cyborg, as his hand was replaced by a robotic one.
Like much of the science fiction world, we think those stories are only that, stories. However, during the 1990s, transhumanist artists started experimenting with their bodies. Stelarc had electronics control his body, and even made some physical alterations. Orlan was famous for her performance art in which she altered/improved her body, sometimes in front of a crowd. More recently, Neil Harbisson had an antenna added to his head so he can hear colors (converting one sense to another is known as synesthesia).
Most people would chalk that up to some weirdness that comes with being an artist. Many, then, must have been surprised when, in 1998, British researcher Kevin Warwick decided to implant an RFID chip underneath his skin, "which was used to control doors, lights, heaters, and other computer-controlled devices based on his proximity."
These situations may seem alien to most of us; however, when you think about it for a moment, what is a pacemaker if not a piece of electronics in your body? Those hearing aids that some of us have to help with hearing, how do they not make us cyborgs as well? And while we may argue whether or not we agree to label people who use those common devices as cyborgs, they do raise an issue that we cannot avoid anymore: How safe are these devices for their users? Who is responsible for maintaining the security of those devices? Are the users of such devices allowed to hack the code themselves? Are these devices the property of the users, or of the builders of the devices?
Nowadays, every startup and its offshoots want to create "smart" products. This trend led to the creation of the Internet of Shit, a Twitter account that presents terrible ideas that were oftentimes produced. If you read between the lines, many comments regarding those products are that they are security risks to the users, whether to their data, their surroundings or their actual selves.
When engineers (civil, structural, electrical, etc.) want to create, there is a set of rules that they must follow. Want to build a bridge? Follow these safety regulations. Want to build a stove? Follow those safety regulations. Plumbers and electricians also have regulations to follow. Hell, a teacher of mine, artist Simon Laroche, once had to have his interactive installation/performance work inspected so it would follow, you guessed it, safety regulations.
So why is it that interactive products that can clearly cause harm (remember that car hacking I mentioned at the beginning of this article?) or other security issues (hijacking, user data mining, etc.) are not subject to those rules? In his article "Programmers: Stop Calling Yourselves Engineers", American philosopher Ian Bogost underlines that while many developers and programmers work in the "software engineering" field, there is not actually much that has to do with engineering in that field at the moment. In short, in order to bear the title of engineer, people have to follow standards and regulations. Those regulations are set to protect the public.
And therein lies the issue.
Who is responsible for setting laws and regulations?
However, just like most countries of the western world, Canada has tried very hard to reduce the size of the state (even harder during the decade in which Stephen Harper was Prime Minister of Canada). While that may seem like a worthwhile endeavour (e.g. reducing expenses), it masks the fact that when you make cutbacks, you usually tend to cut the high salaries. Oftentimes, although not always, those government employees with high salaries are also the ones with the most knowledge and skills. In order to make a valid assessment of a complex issue, like engineering regulations or cyber-security, a government needs its skilled employees. In a case where there are no more skilled employees, a government is only at the mercy of every lobby group.
A few years ago the RCMP arrested a man for modifying (also known as modding) a game console. For those who are not familiar with modding, it is basically a practice where one modifies the hardware that one owns in order to change or extend the capabilities of the hardware. In the 20th century, this was also known as tinkering. The issue in the case of game consoles is that some users would then be able to play illegally copied games. Some other users, however, would simply improve the processing capacity of their machine, while others would mod their console simply so they could play games available only in other countries. Having a law that prevents such a modification has wider ramifications than intended. While it is logical for a product reseller to want to avoid piracy, there would be no reason to arrest someone if they only intended to improve their machine.
As a corollary, let's take the "right to repair electronics" movement that is currently growing. Some companies, the best-known case being Apple, do not want anyone to modify their machines. In some cases, the user of the device does not actually ever own the device! In many cases, the modification of devices is indeed to pirate software in order to avoid paying for it. However, we must consider the right of users to choose. If a user knows there is a zero-day exploit in his car's operating system (OS), and if a law is in place that prevents him from updating his own car, the user is dependent on the company to issue a security fix. On the other hand, if a user has the right to choose to use something else, there may be an open source OS that actually resolves this issue, and thus the user is no longer dependent on the company's fix.
With all that in mind, let's come back to our pacemakers and our hearing aids. There are already some worries that pacemakers can be hacked. Now, imagine a not-too-far-in-the-future world where someone has a cybernetic replacement for a body part (an eye or an arm). Here are just a few questions that we and our lawmakers should already be thinking about:
- Is that implant secure?
- With our current laws, who is responsible for ensuring the security of that implant? Is it the person that has the device in his body? Or is it the company that created the device?
- Who is responsible for ensuring the latest updates are applied to the implant?
- Would the insurance company of the bearer blame the company who issued an update, or the device bearer that did not do the update, in the case of an issue?
- In case of a hack, what are the legal actions that a device-bearer could take?
- Would the device-bearer be allowed to hack their own device in order to fix or improve it?
- And if the device has been hacked by its owner, how does a public health system deal with such cases? Should we refuse help because they may have messed up their own health? But then, a public system still provides service to cigarette smokers, hard drug users, obese people, etc.
- In Canada, health is under provincial jurisdiction; how does that affect the implementation of laws and regulations around such technologies?
We are not ready for health hacking. We are not even discussing it; we are just blindly running towards that new gold rush that is the world of connected objects. We need to start discussing these potential issues, especially in a world where we are prolonging life as much as possible, and where the Baby Boomers will bring a wave of elderly people that may be the first victims of health hacking.