Editor’s Note: For another view on employee monitoring, see CRE’s TPSAC website here.
From: Federal Times
When employee monitoring goes too far
By NICOLE BLAKE JOHNSON
Recent revelations that the Food and Drug Administration and possibly other agencies are aggressively monitoring and storing employees’ private emails and online activities have sparked debate over whether agencies can and should spy on their employees.
FDA employed sophisticated spying software that can record virtually everything an employee does at his workstation. By capturing an employee’s keystrokes, however, FDA gained access to email passwords, bank account information and even legally protected communications. Eventually, some 80,000 pages of information FDA collected on some employees ended up in the possession of a contractor — Quality Associates Inc. of Fulton, Md. — which posted the information online.
Sen. Charles Grassley, R-Iowa, ranking member of the Senate Judiciary Committee, has called on the Health and Human Services Department inspector general and the Office of Special Counsel to investigate if FDA broke the law by extensively monitoring the activities of whistle-blowers.
The matter is pending in the U.S. District Court of Washington and at OSC, which launched an investigation to determine whether FDA broke personnel rules.
Grassley is also demanding answers from FDA officials on how far the agency’s monitoring program went and whether other agencies — including the Department of Homeland Security, Internal Revenue Service, Consumer Products Safety Commission, Agriculture Department, Environmental Protection Agency and National Institutes of Health — are doing the same. Those agencies all have business relationships with Quality Associates.
Six current and former FDA whistle-blowers filed a lawsuit in January claiming that top FDA managers monitored and seized emails from their personal email accounts after they expressed concerns to the incoming Obama administration that FDA had approved unsafe medical devices.
“Would you want the boss who was about to fire you having access to your bank accounts and password?” said Stephen Kohn, executive director of the National Whistleblowers Center, who represents the FDA employees.
In a July 17 floor speech, Grassley said FDA clearly went too far.
“This massive campaign of spying was not just an invasion of privacy; it was specifically designed to intercept communications that are protected by law,” he said. “The FDA knew that contacts between whistle-blowers and the Office of Special Counsel are privileged and confidential. But the James Bond wannabes at the FDA just didn’t care.”
FDA fired two of the whistle-blower employees and did not renew contracts for two others. Two other employees still work at FDA. One employee, who was fired in April for disclosing confidential information, was temporarily reappointed with pay through July 31, according to a July 13 letter to Grassley from Jeanne Ireland, FDA’s assistant commissioner for legislation.
Grassley is demanding the identity of the FDA official who authorized the monitoring and an explanation of evidence that appears to show that FDA specifically targeted congressional communication with the whistle-blowers for monitoring. Grassley also is pressing FDA for answers on its relationship with Quality Associates and why FDA told the company the 80,000 documents collected by the agency’s monitoring software were neither classified nor sensitive and did not contain personally identifiable information.
No clear guidance
In separate letters last month, Grassley asked leaders of DHS, IRS, the Consumer Products Safety Commission, Agriculture, EPA and NIH for details on their employee monitoring programs and policies.
There is no clear guidance for agency managers on how and when to monitor and collect employees’ online activities and correspondence, nor is there clear guidance on what constitutes the boundaries of employee monitoring.
Charles Coe, the Education Department’s assistant inspector general for information technology audits and computer crime investigations, defines the boundary between what is acceptable and what goes too far this way: “If you’re talking about selectively targeting individuals, and you don’t have any allegations of wrongdoing, because you just want to do it, obviously that is just way out of bounds.”
However, monitoring more broadly for the purpose of network security is acceptable, said Coe, who also chairs a Council of Inspectors General on Integrity and Efficiency subcommittee.
An interagency task force will address the issue of employee monitoring when it releases recommendations for how agencies across government can identify and defend against insider threats.
As agencies look to keep a tight grasp on sensitive information and guard against leaks, and as monitoring tools get more sophisticated, the topic has become a hot one among federal managers.
The Transportation Security Administration, for example, plans to purchase software that monitors employees’ keystrokes, emails and other online activities. Reps. Bennie Thompson, D-Miss, and Sheila Jackson Lee, D-Texas, urged TSA in a June 25 letter not to snoop on whistler-blower communications with other federal entities.
In a response letter, TSA Administrator John Pistole said the software would provide TSA with forensic evidence for investigations should an employee ever be identified as a potential insider threat to TSA’s mission.
Monitoring practices by agency
Despite the lack of clear guidance on the subject, agencies have a right to monitor how employees use government computers and what information is being shared on their networks, said Kristin Alden, partner at Alden Law Group, a Washington-based firm that specializes in federal employment law.
“Federal employees can’t expect any privacy on their work computers,” Alden said. “They should assume their agency can see every email they send and every Web page they access through their work computer.”
However, agencies such as FDA send conflicting messages when employees are told they could be monitored yet are allowed to use their government computers for limited personal use, Alden said.
“Conflicting instructions of this type might raise a reasonable expectation of privacy on a work computer,” she said. “If the agency violates that privacy, it could be illegal.”
A federal safety specialist, who asked not to be named, said he feels employees at his agency are monitored more than what’s routinely necessary.
“Unless a person has provided cause to warrant such continuous monitoring, it should be curtailed,” the employee said in an email. For people who warrant monitoring, agencies should notify them if the monitoring goes beyond a routine keyword search for certain phrases that could alert agencies to national security risks, he said.
The safety specialist also asked whether anyone is monitoring agencies to ensure their practices are not overreaching.
Some federal employees told Federal Times they believe the government should be able to monitor their computers all the time and those computers should be used for government purposes only.
But the lines dividing personal and work-related use of computers are sure to be blurred further as more agencies allow employees to use their personal smartphones and tablet computers for work. As that happens, employees will increasingly have to agree to usage agreements, some of which allow their agencies to install third-party software that manages security settings on those devices. In some cases, employees will have to agree to turn over their devices to respond to discovery requests.
As at other agencies, FDA issues an alert to employees when they log on to their government computers that they have no reasonable expectation of privacy and that the government may monitor or intercept any communications on their computers at any time.
However, monitoring at FDA is done infrequently, said FDA spokeswoman Erica Jefferson.
FDA began monitoring five employees in 2010 following a New York Times article that raised concerns about the safety of medical imaging devices and exposed attempts by FDA managers to approve an application by General Electric that agency scientists had rejected.
A month later, GE Healthcare Inc. wrote to FDA alleging that confidential trade secrets had been leaked. Within days of receiving the letter, FDA began monitoring one of the scientists quoted in the Times article and was able to identify and monitor four other employees believed to have illegally disclosed confidential information about medical devices under FDA review.
“Anytime management decides to treat some employees or groups of employees differently, management is asking for some kind of grievance, EEO [equal employment opportunity] complaint or other allegation by employees,” said Joseph Kaplan, founding principal at Passman & Kaplan law firm.
Kaplan, whose firm has represented federal employees accused of misusing government computers, said if monitoring leads to a legal dispute, an agency should be prepared to justify why an employee was singled out for monitoring. If the monitoring was targeted, the agency may have to show what prompted the monitoring, provide supporting evidence and show why it believes the employee was violating agency rules, he said.
The Office of Special Counsel in June warned that agencies could be reprimanded for targeting whistle-blowers and monitoring emails that report wrongdoing.
In the memo, Special Counsel Carolyn Lerner said that targeting for surveillance emails between whistle-blowers and OSC or inspectors general is “highly problematic.” Agencies that deliberately target whistle-blowers’ submissions or draft submissions to OSC or IGs could be accused of retaliating against the employees, Lerner said.
While agencies have a right to monitor employee emails and business conducted on government-issued devices, “federal law also protects the ability of workers to exercise their legal rights to disclose wrongdoing without fear of retaliation,” Lerner said.
She also urged agencies to ensure their electronic monitoring policies do not interfere with or deter employees from reporting fraud, waste and abuse.
“If you’re casting a broad fishing net and collecting everything, that’s one thing,” OSC spokeswoman Ann O’Hanlon said in an interview. “It’s what you do with the information that would determine whether or not something has gone too far.”
How far is too far?
Tens of thousands of documents collected by FDA reveal that the agency intercepted and indexed communications that employees had with OSC, legal advisers and other entities, said Kohn, who had not seen most of the documents until a July New York Times article revealed they were accessible online.
“By looking at the documents, we can see what they were spying on and then what actions they took as they saw documents,” Kohn said.
FDA’s Jefferson said the agency did not authorize the public release of any documents by Quality Associates and that it’s looking into the matter. But in a July 17 letter to Grassley, Quality Associates CEO Paul Swidersky said the FDA documents were posted on a file-sharing website May 3 at the request of FDA. Swidersky said Google found the files online.
“If the government continues these [types of] operations, you’re going to see more of this,” Kohn said in reference to the data leak.
“It’s a risk inherent in any type of surveillance program,” he said. An agency’s ability to inadvertently or intentionally collect feds’ personal medical and financial data accessed on their computers and the passwords used to retrieve that data is a risk to privacy.
Collecting employees’ electronic communications runs afoul when an agency intends to target protected categories of data, such as communications with the Equal Employment Opportunity Commission, OSC and inspectors general, Kohn said. The agency runs afoul if it views data that is protected, and it’s even more egregious if that data is disseminated to others who shouldn’t have access.
FDA’s Jefferson said the agency “did not impede or interfere with any employee communication to members of Congress, their staff or the press or with any congressional investigation.”
The agency also said that data was collected without regard to the identity of the people whom the scientists emailed.
But the ordeal has negatively affected employee morale and raised deep concerns about agency management practices, Colleen Kelley, president of the National Treasury Employees Union, said in a statement. “For example, some employees voiced to NTEU their reluctance to report wrongdoing, for fear of retaliation.”
NTEU represents FDA’s bargaining-unit employees, including scientists.
In a July 17 email to FDA employees, Commissioner Margaret Hamburg explained that the FDA chose to monitor select employees to determine if confidential information was being leaked and that FDA has worked to foster a culture where differing opinions on product approvals can be expressed freely.
“We do not take lightly the decision to monitor government computers,” Hamburg said.
Leave a Reply