Cyborg lawyer demands software source

Cyborg lawyer demands software source

Summary: Lawyer Karen Sandler's heart condition means she needs a pacemaker-defibrillator to avoid sudden death, so she has one simple question: what software does it run?

TOPICS: Legal, Open Source

Lawyer Karen Sandler's heart condition means she needs a pacemaker-defibrillator to avoid sudden death, so she has one simple question: what software does it run?

Karen Sandler

Yet it turns out that it's impossible for her to see and understand the technology that's being installed into her own body and upon which her life depends. Regulatory authorities don't see or review the software either.

She simply has to trust that the vendor is telling the truth and doing things right.

In this third of four daily podcasts from 2012 (LCA) in Ballarat, you'll hear Sandler discuss the real-world implications of this very personal software story.

How do we know the software works as advertised? How do we know it's secure? And what will happen if something goes wrong and the vendor tries to cover up the flaws, or if the vendor just goes bankrupt and the software stops being maintained?

Sandler also discusses legal cases where the prosecution's evidence was unreliable because it relied on software that turned out to be flawed — yet another practical reason to demand the source.

You'll also hear part two of our look at FreedomBox, a project to create a platform for privacy-enhancing social networks. Following on from yesterday's episode, FreedomBox Foundation board member and developer Bdale Garbee gives us a status update on the project's software stack.

There's also a conversation with Mary Gardiner and Valerie Aurora about the Ada Initiative, a project to increase the participation of women in open technology and culture. Also, Linux kernel developer "Rusty" Russell and geek-advocate Pia Waugh explain why the Ada Initiative and other work won Mary Gardiner this year's Rusty Wrench award for services to the Australian Linux community.

Running time: 42 minutes, 45 seconds

"Metal Free Software Song 2: This Time It's Personal" by Jono Bacon is based on the original "Free Software Song" by Richard Stallman, used under a Creative Commons Attribution ShareAlike licence.

Topics: Legal, Open Source


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • There are times OSS community borderline stupidity when it comes to promoting their religion.

    How do you know if a pacemaker works as advertised ? Really???

    I am generally happy with people giving away source. I'm am also happy with people who do not want to. It is their right.

    But when the community comes out with something like this - a pacemaker story, you really begin to wonder if they have lost the plot.

    Which reminds me, sometimes when the source is made available - the "community" doesn't want it or has little interest in it. Just look around many source code repositories. Projects are dead and haven't been touched simply due to lack of interest.

    It's not imported if you open source it or not. What is important is what you do with it. In this case - pace makers save lives. They are designed to work and work well for years. (I have a friend who has one.)
    Azizi Khan
    • I don't think you really understand the article or her point... I don't think she wants it open sourced so that she can tinker with it or so the open source community can create a fork or something...

      It's about audibility of the code, to ensure it does not contain errors in the code or security flaws, and so people can understand how it works. A drug cannot be sold or prescribed by doctors unless it is well documented and has passed a through review process, why should the software that runs a pace maker be any different?

      In short, before you go shooting off your mouth at people check that you understand what you are talking about first.
      • Sorry NeddyO, I understand the point of the article and her point, but I still agree with Fred9999. If she, or anyone else, does not like that the manufacturer will not let her see the software, then she can go find another pacemaker. Its a choice. If you can do better, then feel free and you can share your whatever information you want. The device is only "being installed into her own body" because she agreed to it. Its called free will. I applaud those who chose to open up their proprietary devices, but to suggest in any way that she has some right to have it opened is foolish. The only somewhat legitimate argument is that it may require more regulatory oversight. But, even then, the public doesn't get to see what is inside the box.
        • You may feel free to disagree but I for one am glad there are no "backyard" pacemakers yet. And I am glad no one is seriously entertaining this foolishness. The world is just waiting to see how pacemakers work! Really.
          Azizi Khan
  • I had a similar issue with a Japanese customer wanting an RCA for an issue. Turns out the JNI fibre-channel card (firmware+solaris device driver) had an issue, but we couldnt specify exactly what. They demanded the source code and code reviews to determine the actual error, before they could trust the product again.

    Eventually JNI gave us the source code for the fibre-channel driver + firmware. It was useless, no-one had the time or inclination to dedicate weeks/months of their lives to understand the software/firmware operation or how it implemented fibre channel.

    How would one detect an error? By visual code inspection?

    I noticed access to source code seems to be a panacea for all, but in reality only the dedicated few are willing to sit down and do the hard work to understand the source.
    • Exactly my point. Which is what NeddyO doesn't get. Who looks at at the code ? Who has time ? The only thing it accomplishes is probably some knock off Chinese pacemakers available in the grey market.

      Besides, are we implying that something AS IMPORTANT as a pacemaker doesn't get reviewed ? In all these years pacemakers been in existence - have we had ONE pacemaker with faulty software ?

      I think this is the exact problem with OS zealots that they keep barking up the wrong tree these days. Pure stupidity I say.
      Azizi Khan
      • fred9999: would you consider the potential for a third party to remotely deliver an electric shock to your heart to be "faulty software"?
        • Would you consider the billions of R&D dollars invested to ensure medical devices like this work as prescribed and approval of the certifications bodies. That's right boys and girls - devices like this ( and most medicines and drugs) are tested independently by authorities to ensure that they work as prescribed.

          What does the OS community require next ? The chemical compound in Viagra ?
          Azizi Khan
          • as DESCRIBED, also all FDA approved drugs must list active ingredients and show a number of testing trials and effects. that's not always the case, took them awhile to figure out how aspirin worked but they showed you the compound. i'm surprised u can work a computer fred, your ranting in these comments has no bases or merit.
      • > Besides, are we implying that something AS IMPORTANT as a pacemaker doesn't get reviewed ?

        Yes. The full keynote presentation had her explaining that the approval board in the USA basically lets the manufacturer test their own product; she also explains that it's already malfunctioned once. Other issues include some models (not hers) having unencrypted wireless control available at a good distance (feet+).

        She also attempted (unsuccesfully) for quite some time to get different manufacturers to reveal more information about their devices.

        See the full keynote here -
      • you must never have been to defcon... they crash pacemakers for breakfast. i'm not kidding.
  • wow you guys really hate this woman for wanting to understand or have a feeling of control or comfort for the thing that controls her life.
    • So manufacturers are obligated to every lawyer on earth with OCD ? Yes, I can see that being their core business. How about we ask Apple how their products work ?
      Azizi Khan
      • if apple makes a pacemaker, and has a contract with hospitals to use that pacemaker, then u are hit by a car and need one, you will ask for the source code too just to make sure someone running nmap locally doesn't find a "bug". this is an extreme example... but not to far off. simple request, if their hardware works then
        the software source shouldn't be a big deal
  • So why does the manufacturer not just explain how the software was created and validated? What do they have to lose? Just like with voting machines, there exists a public interest to know how these machines work. I doubt the software for this product is half as complicated as the above commenters think.
    Elwood Diverse
  • If you have ever heard of the software failure cases involving the Therac 25, you would be worried about software testing too. She is not asking for open sourcing the software. She is asking to validate the software. If you have software static analysis tools, like cppcheck, Coverity or the many other types of tools, you have a good starting point to find just the basic flaws. Not all software developers and test plans are created equal. If you're motivated with your life, you would be willing to make sure that the software is tested to work correctly too.
  • I do not want her (or anyone else) to have the source code to my ICD/pacemaker so some psychopath can write code to hack into it and control my heart! Ignorance is security here!

    These devices sustain life not control it. It is voluntary! You do not have to have it installed.

    Her fear, education as a lawyer, and short sightedness puts the rest of us at risk!
    • Just curious, how many of the people who gave a thumbs down to this post actually have one implanted? Or is this a philosophical argument for with no personal risk in it for you?
  • Linus' Law:'_Law

    Also the video of the keynote can be found here:
  • 1) When talking about a device whose purpose is to sustain ones life, one has the right to know its provenance even if they cannot personally understand it. This isn't "some OCD lawyer."

    2) The "just trust the authorities" argument lacks logical or moral standing of any sort. Move along folks, trust us completely, pay no attention to the man behind the curtain, nothing to see here.... except your own flatline. Had a friend who saw her own flatline...

    3) The easiest exploits to abuse are the ones that are common knowledge to the blackhat crowd, and a guarded secret to everyone else.

    4) Do you check the eggs at the store before you buy the carton? There are testing procedures in place. Laser-guided quality control mechanisms created by millions of dollars in engineering to make sure you never get a cracked one. That's why you just toss it in the basket on faith, because machines and humans are both flawless, guaranteeing you'll never purchase a cracked egg.

    5) It's a little late for her to simply put her pacemaker back on the shelf and start shopping for a new one.