Margaret Talbot has written an excellent New Yorker essay entitled, “The Rogue Experimenters,” which documents the growth of the D.I.Y.-bio movement. This refers to the organic, bottom-up, citizen science movement, or “leaderless do-ocracy” of tinkerers, as she notes. I highly recommend you check it out.

As I noted in my new book on Evasive Entrepreneurs and the Future of Governance, “DIY health services and medical devices are on the rise thanks to the combined power of open-source software, 3D printers, cloud computing, and digital platforms that allow information sharing between individuals with specific health needs. Average citizens are using these new technologies to modify their bodies and abilities, often beyond the confines of the law.”

Talbot discusses many of the same examples I discuss in my book, including:

• the Four Thieves Vinegar collective, which devised instructions for building its own version of the EpiPen;
• e-nable, an international collective of thirty thousand volunteers, designs and 3-D-prints prosthetic hands and arms (and which has, more recently, distributed more than fifty thousand face shields in more than twenty-five countries.);
• GenSpace and other community biohacking labs; and
• Open Insulin and Open Artificial Pancreas System.

I like the way Talbot compares these movements to the hacker and start-up culture of the Digital Revolution:

The D.I.Y.-bio movement, which emerged in the early two-thousands, seems almost evolutionarily adapted to its historical moment,” she argues. “It echoes aspects of startup culture, especially the early days of personal computing, with its garage-based origin stories. First came the hardware, then the software; now even the wetware of life can be created in people’s homes. D.I.Y. bio reflects popular skepticism about professional authority and gatekeeping, but it is not skeptical about learning or expertise.

She also quotes others on this point, like John Wilbanks, a health technologist at the research nonprofit Sage Bionetworks:

when new biotech companies fail, they tend to sell off their equipment for a discount, and community labs and biohackers scoop it up. Wilbanks told me, “D.I.Y. bio is very similar to the home-brew, hacker-club culture of the late seventies in Silicon Valley. If you’ve not gone on eBay to shop for a DNA sequencer that they can ship to you in twenty-four hours, check it out—there’s a massive secondary market.”

Perhaps the most interesting thing about this bottom-up citizen-science movement is that it run the political gamut. It includes “anarcho-libertarians” to those “steeped in social-justice activism,” Talbot says. But they are all generally unified by a commitment to the widespread dissemination of scientific knowledge and transparency in health-related matters. “D.I.Y. biologists often have a greater commitment than their professional counterparts do to making their work open to scrutiny—and available for free on the Internet,” Talbot notes.

“The D.I.Y.-bio ecosystem includes a lot of do-gooders, and many of them have been galvanized by the covid-19 crisis,” she also observes. Quite right. I discussed that fact in the launch essay for my book, “Evasive Entrepreneurialism and Technological Civil Disobedience in the Midst of a Pandemic.” I documented dozens of examples of various individuals and organizations rising up to meet the challenges posed by the pandemic. “Eventually, people take notice of how regulators and their rules encumber entrepreneurial activities, and they act to evade them when public welfare is undermined,” I argued. “Working around the system becomes inevitable when the permission society becomes so completely dysfunctional and counterproductive.” DIY health innovation has gone mainstream out of necessity.

Importantly, Talbot notes that when it comes to what counts as success for DIY health and biohacking, sometimes good enough is, well, good enough. On this point, she quotes Jon Schull, an e-nable (non-commercial 3D-printed prosthetics) co-founder, who says, “it doesn’t matter that e-nable hands aren’t state-of-the-art. The job of professional prostheses-makers, he said, is “to produce something really good, and if it’s merely better than nothing it’s not good enough”—but, in some circumstances, something is better than nothing.”

That is a crucial point understanding why this movement is so important: Working together in a spontaneous, bottom-up fashion, citizen scientists and tinkerers can act quickly to fill pressing public health needs. Of course, that is exactly what makes these same innovations potentially risky and has some people wondering about the wisdom of such efforts—and the potential need for more regulation.

I wish Talbott would have spent a bit more time diving into these ethical and legal questions. I really struggled with them when writing about all this stuff in my new book on evasive entrepreneurialism and technological civil disobedience. She does briefly discuss how some FDA regs might affect DIY bio movement, including efforts like Open Insulin.  “Even if Open Insulin begins producing a consistent product, it will have to overcome all kinds of regulatory obstacles to demonstrate safety and purity before taking it to market,” she notes. “Manufacturers of pharmacy-grade medications must provide the F.D.A. with reams of evidence that they can produce the substances with complete consistency, in sterile environments. Proving this level of proficiency can cost millions of dollars.” But Talbot does not spend much more time exploring what might happen next on this front if DIY efforts continue to expand.

“But what should the law say about people… who are creating their own specialized medical devices in an open-source, noncommercial fashion?” I ask in my new book.

I outlined three potential future scenarios for the movement:

1. DIY technologies go mainstream and become more commercialized.
2. biohacking remains decentralized but becomes more mainstream and professional without becoming fully commercial.
3. biohacking turn even more rogue or underground in nature as a form of guerrilla innovation that sometimes borders on neo-anarchism.

Regardless of the outcome, the ethical and regulatory issues will persist and grow as technological capabilities continue to grow more sophisticated, decentralized, and inexpensive. I argue in the book that it would be foolish for policymakers to think they can (or should) bottle up this movement altogether:

biohacking and decentralized medicine will expand for a simple reason: People care deeply about improving their health and abilities. They will take advantage of new technological capabilities that let them do so—especially when those capabilities are significantly cheaper than other options. To reiterate, that does not make these technologies safe or smart, but it does mean we will need a new approach to governance as evasive entrepreneurialism expands in this arena.

And then I continue on to note how improved risk education and awareness efforts might be one solution to the growing DIY bio movement.

Anyway, for more discussion on this, see pages 79-87 of my new book. I’ve also listed a few other essays down below that you might find interesting, including several penned by my former colleague Jordan Reimschisel.

Additional Reading:

• Andrea O’Sullivan & Adam Thierer, “3D Printers, Evasive Entrepreneurs and the Future of Tech Regulation,” The Bridge, August 1, 2018, https://www.mercatus.org/bridge/commentary/3d-printers-evasive-entrepreneurs-and-future-tech-regulation
• Jordan Reimschisel, “Biohackerspaces,” Medium, June 29, 2017, https://medium.com/@jordanreimschisel/biohackerspaces-b0cbde63c492
• Jordan Reimschisel, “Technology Could Enable Personal Medicine Whether We Like It Or Not,” Medium, August 10, 2017, https://medium.com/@jordanreimschisel/technology-could-enable-personal-medicine-whether-we-like-it-or-not-ce6e19b826fe
• Jordan Reimschisel, “Evolving Oversight of Digital Health,” Medium, June 21, 2018, https://medium.com/@jordanreimschisel/evolving-oversight-of-digital-health-d65199913503
• Adam D. Thierer and Adam Marcus, “Guns, Limbs, and Toys: What Future for 3D Printing?” Minnesota Journal of Law, Science & Technology, Vol. 17, No. 2, (2016), p. 805-854, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2795562

In a recent Senate Commerce Committee hearing on the Internet of Things, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) “announced legislation that would direct the National highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our cars and protect drivers’ privacy.” Spurred by a recent report from his office (Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk) Markey argued that Americans “need the equivalent of seat belts and airbags to keep drivers and their information safe in the 21^st century.”

Among the many conclusions reached in the report, it says, “nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” This comes across as a tad tautological given that everything from smartphones and computers to large-scale power grids are prone to being hacked, yet the Markey-Blumenthal proposal would enforce a separate set of government-approved, and regulated, standards for privacy and security, displayed on every vehicle in the form of a “Cyber Dashboard” decal.

Leaving aside the irony of legislators attempting to dictate privacy standards, especially in the post-Snowden world, it would behoove legislators like Markey and Blumenthal to take a closer look at just what it is they are proposing and ask whether such a law is indeed necessary to protect consumers. For security in particular, there may be concerns that require redress, but if one looks at the report, it becomes apparent that it lacks a very important feature:: no specific examples of real car hacking are mentioned. The only examples illustrated in the report are described in brief detail:

An application was developed by a third party and released for Android devices that could integrate with a vehicle through the Bluetooth connection. A security analysis did not indicate any ability to introduce malicious code or steal data, but the manufacturer had the app removed from the Google Play store as a precautionary measure.

Great! The company solved the problem. What about the other instance cited in the report?

Some individuals have attempted to reprogram the onboard computers of vehicles to increase engine horsepower or torque through the use of “performance chips”. Some of these devices plug into the mandated onboard diagnostic port or directly into the under-the-hood electronics system.

So the only two examples of “car hacking” described in the Markey report are essentially duds. The first is a non-issue, since the company (1) determined there was little security risk involved and (2) removed the item from the market anyways, just to be sure. The second is, in a sense, hacking, but it is individual car owners doing it to their own cars. Neither of these cases appears to be sufficient grounds for imposing a set of arbitrary and, in many cases, capriciously anti-innovation approaches to privacy and data security in cars.

In the wake of the report’s release, this past Tuesday, March 10, General Motors, Toyota, and Ford were all hit with a nationwide class action lawsuit, alleging that the companies concealed “dangers posed by a lack of electronic security in a vast swath of vehicles.” Specifically, the lawsuit is aimed at the presence of controller area network (CAN) buses, which act as data hubs between the various electronic systems in a car. These systems are, indeed, susceptible to hacking, but no more than any personal computer that is connected to the Internet.

The trouble with this lawsuit, brought by the Stanley Law Group, is that it has not cited any specific harms that have occurred as a result of this “defect” (as a side note, saying a computer being susceptible to hacking constitutes a defect in design is the equivalent of saying an airplane that is susceptible to lightning strikes is fundamentally defective). Rather, the plaintiffs argue that “[w]e shouldn’t need to wait for a hacker or terrorist to prove exactly how dangerous this is before requiring car makers to fix the defect.”

As Adam Thierer and I pointed out in our 2014 paper, Removing Roadblocks to Intelligent Vehicles and Driverless Cars:

Manufacturers have powerful reputational incentives at stake here, which will encourage them to continuously improve the security of their systems. Companies like Chrysler and Ford are already looking into improving their telematics systems to better compartmentalize the ability of hackers to gain access to a car’s controller-area-network bus. Engineers are also working to solve security vulnerabilities by utilizing two-way data-verification schemes (the same systems at work when purchasing items online with a credit card), routing software installs and updates through remote servers to check and double-check for malware, adopting of routine security protocols like encrypting files with digital signatures, and other experimental treatments. (pg. 40-41)

It’s always easy to see the potential for abuse and harm with any new emerging technology, but optimism and fortitude in the face of the uncertain is what helps society, and individuals, grow and progress. Car hacking, while certainly a viable concern, is not so ubiquitous that it necessitates a heavy-handed regulatory approach. Rather, we should permit various standards to emerge and attempt to deal with possible harms. In this way, we can experiment to properly determine what approaches work and what do not. Federal standards imposed from on high assume that firms and individuals are not capable of working through these murky issues. We should be a bit more optimistic about the human capacity for ingenuity and adaptability.

To end on something of a more optimistic note, Tom Vanderbilt of Wired magazine gives keen insight into the reality of regulating based on hypothetical scenarios:

Every scenario you can spin out of computer error – what if the car drives the wrong way – already exists in analog form, in abundance. Yes, computer-guidance systems and the rest will require advances in technology, not to mention redundancy and higher standards of performance, but at least these are all feasible, and capable of quantifiable improvement. On the other hand, we’ll always have lousy drivers.

Additional Reading 

• Law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 17, 2014.
• “Don’t Hit the (Techno-)Panic Button on Connected Car Hacking & IoT Security,” February 10, 2015.
• “Don’t Slam the Brakes on Smart Cars,” December 1, 2014.
• “Intelligent Vehicles Could Save Lives,” November 25, 2014.
• Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)

Greg Elin (@gregelin) of the Sunlight Foundation schools you on government trasparency in under 5 minutes: