Today I had a chance to meet with the incredible Karen Sandler. She is the executive director of the GNOME Foundation, an attorney, and former general counsel of the Software Freedom Law Center. She also has a heart condition that could cause her to suddenly die at any time. But don’t worry, said her doctor, it’s easily controlled with a pacemaker defibrillator! And that’s where the story gets really interesting.
Karen was not content with becoming a cyborg without first knowing what the device being put onto her heart was capable of. And for Karen, that means having access to the source code and becoming intimately familiar with the device’s software and hardware. But this was not so easy. When she asked her doctor what it was running, he kindly responded, “Oh, you can definitely run while wearing it!” Trying again, she explained she meant what software it was running. Her doctor, now aware of the request but definitely puzzled, said, “You’re in luck! We have a rep from Medtronic (the maker of the device) here today and I bet he could answer your question!” He could not. In fact, he had never been asked that question before.
But for Karen this made no sense. Why would she trust a device that is plugged directly into her heart if she can’t even see the code? How could she? With even a small malfunction, she could die.
She tried contacting the various manufacturers and hospitals associated with the device, but all she got was confusion, dropped calls, dead ends, and, probably worst of all, she got called a conspiracy theorist. But as she researched deeper and deeper, it became very clear this was actually a major problem.
The Software Engineering Institute estimates that for every 100 lines of code in the world, there is 1 bug on average. What’s worse, medical devices have a history of scary realities. Some insulin pumps have over- or under-medicated patients because of software bugs, viruses, poor calibration, poor UX, or faulty servicing, and the same was apparently true for pacemakers. In fact, there are even forums, called zap forums, for people to discuss pacemaker malfunctions that have caused some patients to be “zapped” incorrectly. The cases vary, but these are scary realities for sure.
Also, many of the newer devices transmit wirelessly with little security. In fact, one man, named Barnaby Jack, was apparently able to hack into pacemakers using nothing but his cellphone and effectively could kill people sitting around him. He unfortunately died very young, but he exposed many security flaws in medical and financial devices like ATMs and even pacemakers, and his work is helping us understand these problems today.
“Security through obscurity just doesn’t work,” says Karen. “Just because we can’t see the source code of software doesn’t mean it’s not vulnerable to attack, viruses, or bugs.” Free and open source software, however, gives the user the ability to independently assess the system and its risks, enables bugs to be patched more easily and quickly, and removes the dependence on a single party…
When something goes wrong we’re relying on the med device company to admit there’s a problem, fix the software, dispatch the update, and ensure it’s tested and controlled.
This is why Karen joined the GNOME project and why she works so hard to create a fully open sourced world. As she puts it, “Free and open source software is a cornerstone of ethical technology; it’s not the only part, but it’s the first step.”
I asked Karen what she thought about the fact that the bad people in this world love open source because they can more easily explore and find vulnerabilities, and she brilliantly responded that the bad people will always try and get into your source code anyway, but the good ones may not. Open source gives the advantage to the good ones. To the hobbyists, idealists, and concerned citizens that act as a community to ensure these products function smoothly.
Read more about Karen and the GNOME project here: http://blogs.gnome.org/gnomg/