Wednesday, July 6, 2011

If There Were a DEA and FDA For the Software Industry

[Note: Aaron Agostini responded critically to this post at his blog, A Polite Gunfight.]

Imagine if, long ago, we established not only an FDA for drugs, but also a parallel agency for software. The software industry's FDA would exist in order to protect computer users from bad programs - harmful, or low quality - and would require central approval of every single program written. Of course this would produce grumbling among software engineers who just want to make a living, but the arrangement would indeed allow software-FDA to stop nasty malware before it made it onto the market.

Unfortunately, software-FDA then becomes inconsistent and over-conservative - always more reasons to say no than yes - and hurts computer users in the long run by decreasing the number and quality of programs available to them. For example: programs released back in the 1980s, even if they slowed your computer down and crashed all the time, would be allowed to remain by an unspoken grandfather agreement (too messy to recall them or investigate them now!) The old-school software makers would certainly not rock this boat, and the newer software companies wouldn't speak out for fear that they would be punished by software-FDA. The rules that you had to follow when developing software would be so byzantine that software companies would have to hire their own legal experts, who are expensive and say "No" a lot to developers' plans. Needless to say, it would be very hard for small software companies to survive, and software would cost more for consumers.

Above: A well-meaning officer from software-FDA confiscates a computer running Linux. Consumers don't understand it well enough and may harm themselves. Software-FDA also needs to protect the public from possible QC problems with open source software.

Meanwhile, new programs would be scrutinized even for infrequent damage, i.e. to one out of a thousand computers, and if the programmers couldn't explain exactly how the programs worked in every situation, they wouldn't be allowed to sell them. (Nobody knows how the old programs work, but they're still allowed to be sold; and certainly nobody is allowed to make an informed choice about the acceptable risk to them. The software consuming public doesn't understand enough to make these decisions.) Investors in new software companies are scared off by any program that shows real innovation, and the number of programs released per year starts to drop. Finally, the software-FDA does allow computer technicians to sell programs to consumers for uses other than for what the programs are specifically approved to do - even though software-FDA clearly doesn't trust these same technicians to evaluate whether the programs should be on the market in the first place. But people get used to this crazy inconsistency, so hardly anyone says anything.

And there would be a whole other government agency (the software-DEA), for the worst programs of all. There are certain programs, software-DEA says, that are SO BAD that they don't trust ANYBODY to use them responsibly - consumers OR computer technicians - so they put people in jail for buying and using them. Software-DEA even puts people in jail when these programs harm only the consumers' own computers, by their own consent. In fact software-DEA keeps putting people in jail even when some of the programs have been conclusively shown by computer scientists NOT to harm their computers. Not surprisingly, a black market will form around these programs, some of which are fun to use and pretty safe, and software-DEA will say, completely bass-ackwards, this proves these programs are bad, and must be kept illegal.


Aaron said...

A link-back, followed by razor sharp commentary.

Also, how's med school?

Michael Caton said...

Thanks for taking the time to respond here to my post. I would leave this at your blog but I'm having trouble with Disqus so I'll put it here for now and re-post at yours if I figure it out. First and foremost, in the sense that it's an argument at all, it's definitely not an argument against all centralized regulation of either pharmaceuticals or software. In fact I would even say that pharma SHOULD be held to a higher standard to accord with our values, since we're dealing more directly with human life and suffering. We need something like the FDA.

The main point was that the process at FDA is internally inconsistent and its net effect on patients actually does not accord with our values. The first problem is that FDA takes an almost-zero-acceptable risk approach, vs. a risk-benefit approach that many people would be at least as happy with. The effect of this is fewer new drugs, which I don't think even very pro-regulatory people would argue; the disagreement comes from whether over- or under-conservatism leads to more net harm. To give a concrete example: the last drug I worked on before med school was pulled from the market because it caused a fatal disease at a rate of about 1 in 2500 when taken long-term. Not good – but many of the patients and physicians I spoke to said that was a risk they would have been willing to take. This alone seems deplorable, but imagine the impact on future research and marketed drugs from this class, in terms of the patients that will have to wait for help. So as a solution, instead of trying to push risk to zero (which we never can), why not create a structure where we make sure people give informed consent for their risk-benefit scenario?

The second example is the apparent grandfather clause that older drugs have. Acetaminophen often causes liver damage and (more amazingly) we still really don't know how it does most of what it does; it would never get through FDA today (so why is it still on the market? Inertia. But given the empirical safety data, I'm still comfortable taking it). Which leads to the next question – what else are we missing out on because FDA decided neither we nor our docs were up to making our own risk-benefit decisions? In this sense FDA is actually more overreaching than a parallel software regulatory body would be, based on something you pointed out about the cloud. A nasty program I write might infect your computer or compromise your bank, whereas some nasty antibody I sign off to be injected with based on limited data might end up killing me, but affects me and only me. And as an aside, an almost unavoidable distortion introduced by any regulatory agency is that they're run by people, with loyalties to other people and to countries. There is always lots of grumbling about the old boy network at regulatory agencies (not just FDA; there is always interchange between industry and government, just like FAA, just like FCC) and its effect on drug approvals, as well as the extra scrutiny that these agencies tend to give submissions from outside their borders.

And I hope I don't have to convince anybody on any blog that the DEA schedule is just plain stupid and has nothing to do with reality. At least make marijuana lower than schedule 1 for crying out loud.

Aaron said...


The Disqus issue was/is on my end, let me know if it's working now.

I do absolutely agree that the current FDA standards approach doesn't allow people to make decisions on what is the best of two less than perfect outcomes. The drug you mentioned, for instance, clearly takes the doctor and the patient out of the equation on what is the best outcome for the patient. Because the illness was natural, it gets a preference over what side effects the drug had. I agree that is not a good outcome at all.

Unfortunately, given the litigious environment that the US is in, I don't know exactly how to go about improving the system. The first higher-risk drug that causes issues where the company falls back on the "They knew the risks" argument would face tremendous blowback. Health is something people are very emotional about, and I do think people have a love/hate relationship with Pharma (and medicine in general). Deep down, people think they "shouldn't" be sick, and that drugs should just "work" and make them "better". For years, I thought that if people only knew how much progress could be made if things could be more relaxed, they'd be up for reform. These days, though, I think the status quo that we have is what people want; it limits the chance that they can take a drug or have a procedure that makes them worse.

Though I'm a bit confused on how injecting botulism into people's faces became so routine. Once something gets any sort of FDA approval, it can be used for off-label uses that are covered out of pocket?

Michael Caton said...

Conversation moved over to