“Don't Mess With My Heart Device, I'll Do It Myself"
Marie MoeKaren M. Sandler
Karen: Hello Marie, my fellow cyborg! Would you please give a brief introduction to who you are and what you do?
Marie: It is a pleasure to meet you Karen! I have a pacemaker implant, due to my condition called heartblock, where the signal that makes the heart muscle contract is blocked on the way from the sinus node, and never reaches the ventricles of my heart. The pacemaker is correcting this by monitoring my heart and giving a small electrical stimulus to the heart muscle to make it contract. I am totally dependent on my device, since every single heartbeat is generated by the implant.
I found out about the heartblock 7 years ago, when I suddenly passed out one morning, due to my heart taking a pause. At the time I was getting ready to go to work at the national computer emergency response team in Norway. I was working with incident response, responding to cyberattacks against computer systems in the national critical infrastructure of Norway. On a daily basis I was working with cybercrime, and digital espionage cases, and then I suddenly got told by the doctors that I needed a pacemaker implant, essentially a computer inside my body, to stay alive.
After spending a week in hospital hooked up to a heart monitor where I could see my pulse getting slower and slower, I had a quick and easy surgery where the pacemaker was implanted in my chest. I was back to work again the next week. Naturally, I started thinking about the cyber security of my device. Today I am working as a security researcher at the independent research institute SINTEF, and as an associate professor at the Norwegian University of Science and Technology. I am doing research on security of medical devices, and supervising master students on the topic.
You are actually one of the people that inspired me to find the courage to talk publicly about depending on a medical implant to stay alive, and at the same time not trust the security of my device. When I was asked by a friend and colleague in the security incident response community to do my first keynote talk on the subject I hesitated to accept the offer. I think I spent about two months before I decided to do it, and during this time I watched one of your talks online, that really touched me. I could see how powerful it was to the audience, using yourself as an example the way you did in that talk. I had been worried about looking like a victim on stage talking about my vulnerabilities, but you showed me that it could be empowering, and incredibly impactful.
Could you tell me about your path to decide to start working on and talking publicly about this topic?
Karen: I too was working in a related field when I found out about my own medical condition. I have Hypertrophic Cardiomyopathy. My heart is in places three times as thick as a normal person’s heart (so I get to make jokes about having a big heart). While I’ve largely been asymptomatic, I’m at a very high risk of sudden death from the disorder. To deal with this, I have a pacemaker/defibrillator implanted, which mostly acts as a monitor so that if I do have a life-threatening heart rhythm, my device will shock me into a normal rhythm. As a lawyer and someone who used to code a lot, I started researching the safety and efficacy of these devices. I reviewed the U.S. Food and Drug Administration’s oversight over these devices and also filed some Freedom of Information Act Requests too. Reviewing this material made me understand that the oversight and regulation of the software on medical devices was very poor. I found that we have the worst of both worlds on most medical devices – no real security on these devices (like any kind of password protection, encryption, etc.) but also, all of these devices are proprietary software that cannot be reviewed, tested or improved easily by third parties.
When I was pregnant a few years ago, my heart was palpitating. This is completely normal, and in fact about a quarter of all women have palpitations when pregnant. For me though, my defibrillator thought my heart was in a dangerous rhythm and shocked me twice. The only way to deal with this problem was to take more drugs to slow my heart rate down – so much that I had trouble walking up a flight of stairs at times. This really brought home to me how important the issues around having control of our critical technology are. Anyone can see that the medical device manufacturers have no malicious sentiment – it’s a nightmare for those companies if pregnant women get shocked. But only 15% of the people who get these devices are under the age of 65. Fewer than half of all of these devices go to women. So the number of people who are pregnant and have these devices is truly tiny. It made me realize that my use case was simply not one that had been anticipated when the device had been designed and programmed. It made me ask what other use cases aren’t the manufacturers of our critical technology anticipating? And what will we do when we have failures down the road?
My device is supposed to last me another 10 to 15 years. That’s a long time. Will the manufacturer still be in business in 5 years? What if other fundamental things change in my life or in the technological landscape that will affect my device? The only way we can be really safe as a society is if we are able to not only audit the code on these devices to make sure that they’re safe but also to ultimately have control over them.
I was hesitant to talk publicly about my own condition too. At first I was avoiding it, and I published my first paper on the topic without mentioning the fact that I was a patient. I shared the paper on one of the patient support forums that I lurked on, and folks there said that I was just trying to scare them and that I didn’t know what it was like to have to rely on one of these devices for my life. When I did start talking about my own experiences I found that it was a way to contextualize these otherwise abstract dangers in our technology. I’m so glad my talk helped you feel comfortable sharing your own experiences too!
Now I run the Software Freedom Conservancy, supporting free and open source alternatives to proprietary software and focusing on critical ethical issues around our technology and software freedom.
Karen: Why do you call yourself a cyborg? When did you start? Has calling yourself a cyborg changed the way you view your work?
Marie: I never really knew about cyborgism before I got my pacemaker. I was first introduced to it by an artist that took photos of me at the Chaos Communication Congress in Hamburg in 2015. He was creating an art project with portraits of cyborgs.
I started reading up on the cyborg movement, and at first I thought that this is really weird. But then I slowly started identifying myself with it, especially when being contacted by other cyborgs after my talks, and having really interesting and meaningful conversations.
I don’t know if it has changed my work, maybe it has changed the way I see myself as a stronger person due to the implant? I don’t think of myself as someone with an illness or a flaw. I feel proud of having this implant and using it in my work, in a way making it a feature, not a bug. Also, I think calling myself a cyborg sounds kinda cool!
Karen: That’s how I feel. I was so depressed when I was told I needed the ICD. Then one day it occurred to me that I’d be a cyborg and suddenly it felt like a much more empowering decision. When I got my first defibrillator in 2008 I had a cyborg becoming party the night before my surgery and I’ve never looked back!
It heartens me that there’s another young(ish!) person with an implanted cardiac device who understands the issues I’ve been focusing on and advocating for. I love that we’re bringing our complimentary skill sets to the same problem. Having an unusual condition and being so far outside the expected use case for my device has made me fully appreciate the group of security researchers who are working in this space, almost all of them cyborgs themselves. However, we have been barely coordinated and in fact are only talking directly for the first time in the context of this interview. Do you think there’s an opportunity for a Cyborg Collective? Should we talk more? What do you think the biggest issues are that we as a group need to tackle?
Marie: I’m already part of the grassroots organization “I am the cavalry”, which is a group of security researchers and others that care deeply about securing computer systems that may impact human life. This has given me a really valuable contact network for my research, and opened up opportunities for advocating for the cause. The idea of a Cyborg Collective sounds very interesting, if it was focused on security research maybe we could organize this with the Biohacking village at Defcon, or with the “I am the cavalry” sidetrack at Bsides Las Vegas? I would love to meet up in real life with more of my fellow cyborg hackers and security advocates! There are many challenges ahead in my opinion, like software transparency, security patching, vulnerability disclosure and collaboration between industry and researchers.
Karen: This sounds great. I have been wanting to organize a Cyborg Summit and these sound like perfect ideas for co-location. Which reminds me of something else I wanted to ask you: have you ever considered becoming a voluntary cyborg?
Marie: Do you mean adding more implants to my body voluntarily? I’m not very into body modification, except for getting more tattoos! But I’m a technology geek, and maybe I’d consider implanting a chip just for fun, or for research purposes. I’m very serious about not messing with my own heart implant though, when I do the lab testing. I am depending on it with my life, after all.
Karen: Yes, that’s exactly what I mean. Some of the people who are very active in the Cyborg movement strongly distinguish people who have embedded technology in their bodies due to a medical need, like us, and those who choose to embrace a new state of existing by adding voluntary body modifications and enhancements. I also have never been that into body modification but I find some of the new technologies to be fascinating – like an implantable chip that buzzes when you face north, for example. I think it’s inevitable that we’ll see more of this in the future. I just hope we, the cyborgs, the patients and consumers have ultimate control over what’s in our bodies, either directly or more realistically for many of us through professionals we can hire for that purpose. In many ways it’s more of a societal issue than a personal one, though the ultimate implications are deeply personal. I agree completely with you in that I don’t want to mess with my own heart device, I just want to make sure that my device has adequate security on it and that I’m able to choose whatever medical professionals I want to help me make sure my device is right for me. I shouldn’t be locked into any one company or any particular doctor. If I find out my device needs to be changed to reflect a new situation or vulnerability I want to make sure I don’t have to rely on a manufacturer to first admit that there’s a problem and then wait for them to get around to fixing it. Their priorities may not be my priorities.
So it will not surprise you to hear that I completely agree with statements that you’ve made about patients having the best judgement for their own cases. What kind of feedback have you gotten from the medical community about your advocacy and research?
Marie: Like you, I have also got blamed for causing anxiety amongst patients with my research. I think this is unfair critique, as I have always been very careful when talking to the media, to not contribute to sensationalist articles spreading fear, uncertainty and doubt. I have only presented the facts. I think patients have a right to know how their device is functioning. I respect that not every patient has the strong urge to know all the details, like myself, but keeping patients intentionally in the dark about critical vulnerabilities like some companies have done in the past is simply unethical, and infuriating. It makes me angry, and fuels my passion for advocacy and research.
I want to thank you for the great work you did leading up to the DMCA exemption for security research on medical devices. Can you tell me the story about this process?
Karen: The DMCA is the Digital Millennium Copyright Act in the United States, which makes it illegal to go around technical measures put in place to lock down copyrighted material, regardless if the ultimate use of the material would be allowed under copyright law. There is a review process that happens every 3 years, under which the Library of Congress and the Copyright Office consider and grant exemptions they determine appropriate. I worked with the Harvard Cyberlaw Clinic and a few other medical device security experts to seek an exemption for research on medical devices. We at the Software Freedom Conservancy also successfully applied for an exemption for smartTVs. As the devices we have in our homes and rely on every day are connected to third parties, we must confront the fact that we are surrounding ourselves with surveillance equipment that we have little ability to monitor or refine to our personal needs. We are literally living in a Big Brother environment where our TVs are spying on us and sending transcripts of our conversations to third parties. We are expected to accept agreements that no one could take the time to read and understand in the ordinary course of their lives, so there’s no substantive consent. Without the DMCA exception there, it could be a crime to tinker with your own TV in your own living room. I’m glad we and others were able to get critical exemptions in place from the DMCA so that we have a chance of even just understanding what’s happening under the hood of the technology we rely on.
Marie: How do you imagine the future for us cyborgs that are living with medical implants?
Karen: As time passes and diagnostic technology and implantable devices get better and cheaper, more and more of us will discover we should get implants. That will include people with a variety of skills and interests, from a variety of backgrounds and ages. Just as you have applied your hacker skills to this issue and I have focused my techie lawyer ones, there will be many more talented people who have a firsthand interest in how things work out for us cyborgs. Already the number of people in the population with implanted medical devices is growing at an amazing rate. In the time I’ve been a cyborg I’ve been so excited to see new people come in and bring their own perspective and advocacy to the field. I think this bodes extremely well for our future. While I’ve been dismayed to see our society doubling down on proprietary software and incorporating so much unnecessary and often careless connectivity into our lives, I know that more and more people are beginning to understand why this is so problematic.
Marie: I agree, I think having an implant of some sort will become more common than not having an implant, and that we will be able to live longer and have more fulfilling lives with the help of technology.When I was a kid in the early 80s I can remember we used to sit in the back seat of the car without wearing seat belts. Cars did not come with passenger seat belts as standard equipment until it was required by law in most countries during the 80s and 90s.Today it is almost unthinkable, and certainly not allowed, to not secure your child in the car while driving. As more people become cyborgs, it will be evident that building-in cyber security to the implants is a necessity, since hacking could threaten human lives. If manufacturers and vendors don’t have the incentives to do this, as seems to be the case today, a solution to the problem will be regulatory requirements.Work is already being done in this area by many, and I too think that the future is looking bright for solutions and a better understanding of the issues we both have been bringing into the light.
“Don't Mess With My Heart Device, I'll Do It Myself" was originally published in Modified: Living as a cyborg. Edited by Chris Hables Gray, the collection of first person accounts dwells on what it means to be and know yourself as a cyborg. The contributors range from the famous Donna Haraway to an anonymous soldier who writes about his relationship to his tank. Almost everyone is a cyborg of some sort. If you are vaccinated you are the most common type, and if you have an experimental brain implant to control your computer you are among the most rare. It is more important to know what kind of cyborg you are, than if you are. Since human-machine relations are becoming more intimate every day, this is just the beginning. This book’s many different viewpoints help us think about this sea change in human-machine technology.
Feature image by Michael J. Ermarth