The U.S. Food and Drug Administration is under fire by Congress for monitoring the personal email accounts of agency scientists, but government-contract records show it’s not the only agency that’s taken steps to spy on its workers.
Government-contract records show that the U.S. Department of Veterans Affairs (V.A.) purchased spy software from the same company that supplied the FDA’s computer monitoring program, according to the database USAspending.gov. A V.A. spokeswoman said the contract was issued in 2008 by a regional division of the Veterans Integrated Service Network that covers parts of six states in the Northeast, but she was not immediately able to say how the program was being used.
The Drug Enforcement Administration (DEA) also has purchased the software. Agency spokeswoman Dawn Dearden said via email it is used “for law enforcement purposes, not for monitoring employee communication.”
However, the program is specifically marketed to employers and parents as a way to “monitor your children or employees from anywhere.” Dearden also said DEA employees “are aware that communications through and matters stored on official equipment can be monitored and reviewed.”
The key legal issue for all the agencies, the one that’s landed the FDA in the hot seat, is how far managers can go when monitoring employee computer use without compromising protected whistleblower activity.
The issue has the potential to be a minefield. Americans are increasingly mixing work and personal uses on office computers and cellphones, and courts are still deciding where to draw the line between employee privacy and employer snooping.
In the highest-profile case, six former FDA scientists have sued the agency, alleging that the government violated their privacy rights, and that they were fired in retaliation for raising concerns about the agency’s approval of medical imaging devices. The FDA says they were fired for disclosing confidential information. Senator Chuck Grassley (R-Iowa) has taken the lead in Congress, demanding to know the name of the FDA lawyer who authorized the surveillance.
Grassley’s investigators, after hearing of the V.A. and DEA purchases of the software from The National Law Journal, said they would likely expand their inquiry into how and why those agencies use it, Grassley spokeswoman Jill Gerber said. Grassley’s staff is focusing on whether the monitoring is excessive, being used for a legitimate purpose and complies with privacy and stored-communications laws.
Dearden said the DEA “is aware of protections afforded to whistleblowers and does not monitor or check for that kind of activity.”
Still, the idea that government agencies may secretly monitor everything employees do online has raised the hackles of those who advocate for whistleblowers. “If the FDA is allowed to spy on, intimidate or retaliate against its employees, it raises concerns about any agency’s ability to do the same thing,” said Aaron Colangelo, an attorney with the Natural Resources Defense Council, which has asked the U.S. District Court for the District of Columbia to participate as an amicus party on behalf of the scientists. “It undermines public health, environmental protection and workers’ rights. There’s a real risk of chilling protected activity.”
But Arnold & Porter partner Daniel Kracov, who represents companies before the FDA, counters that it’s also imperative that federal employees don’t disclose confidential information. “If [agencies] don’t police that, it’s a critical problem for industry,” he said. “There’s a legitimate public policy reason to protect this information. It protects innovation.”
According to government records, the FDA, DEA and V.A. within the last five years all bought software from SpectorSoft Corp., a Vero Beach, Fla.-based company that on its website describes itself as providing “PC/Internet monitoring and surveillance products” for users including the government. The “eBlaster” software purchased by the DEA in 2011 for $8,692, for example, boasts it will “immediately go to work by automatically recording EVERYTHING your children and employees do online” including all keystrokes typed, websites visited, both sides of chats and instant messages, online searches and emails sent and received.
The contracts database shows the V.A. in 2011 spent $3,161 on the “Spector” program (“records every detail of what they do on the computer”), as well as $140 in 2008 for “two additional licenses for monitoring software.” The underlying contract for the 2008 licenses is not listed. A V.A. spokeswoman said the 2008 contract is for a network of 10 V.A. medical centers and 43 community-based outpatient clinics that serve veterans in 104 counties throughout Pennsylvania, West Virginia, Delaware, New Jersey, and parts of New York and Ohio. The spokeswoman said she was unable to add details regarding why these outpatient clinics might need the spying software, or what its exact uses have been.
According to the database, the FDA’s parent agency, the Department of Health and Human Services (HHS), spent $100 in 2007 for “renewal of support/upgrades” for the software and $295 in 2011, but available records don’t distinguish the original purchase from the agency’s other commercial software buys.
Lawyers agree that agency managers can legally monitor how employees use their government computers — at least to some extent. The FDA, for example, is explicit in its warning when computer users log on that they have no expectation of privacy. “At any time, and for any lawful government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on this information system,” the warning states.
The question is: How does an agency make sure it’s not also interfering or retaliating against whistleblower activity? Courts have held that whistleblowing by public employees constitutes protected speech under the First Amendment, and that agencies may not fire workers for expressing concerns about waste, fraud, abuse, mismanagement or public safety.
Colleen Kelley, president of the National Treasury Employees Union, which represents 150,000 federal workers, including those at the FDA, said via email that the repercussions of the spying program go beyond strict whistleblowing activity.
“The actions of agency management have negatively impacted employee morale and resulted in significant concerns about agency management practices,” Kelley wrote. “For example, in light of what has happened at FDA, some employees voiced to [the union] their reluctance to report wrongdoing, for fear of retaliation.”
Kelley said the union was unaware of other agencies using comparable software to monitor their employees.
PRIVACY GRAY AREA
Aside from whistleblowing, there is a big gray area of workplace privacy rights that courts are still trying to sort out, according to Alan Butler, appellate advocacy counsel for the Electronic Privacy Information Center. For instance, can employees have a reasonable expectation of privacy if they use a work cellphone to send an email to their spouse using a personal account?
In the U.S. Supreme Court case City of Ontario, Cal. v. Quon, the Center filed an amicus brief arguing that the government should have limits on what it can collect, since work devices such as smartphones collect and store an enormous amount of personal data unrelated to workplace activities, such as location data on the weekends. The case was about pagers, and the court refused to consider broader issues because technology, and how it’s used, was still developing.
Increasingly, electronic devices have multiple uses and are being used for a mixture of personal and professional reasons, so employees act as if they expect some degree of privacy, Butler said. “You can’t look at a device and say, ‘That’s your work phone, or that’s your personal phone,’ ” he said. “It’s just dangerous [for the government] to assume nothing is private, when individuals’ actions show that’s not what they expect.”
In the FDA case, Grassley demanded to know which attorney at the agency gave legal justification for the surveillance program. He said he will be forwarding information to the Department of Justice, along with other investigative agencies, to see if the FDA broke the law by targeting and retaliating against whistleblowers.
Grassley said in a letter to the FDA this month that his office has been told that an attorney was consulted about the legal viability of an FDA surveillance campaign and issued a memo detailing his or her conclusions. Grassley’s letter did not give any clue as to how his office received information on the memo, or identify which specific attorney authored it.
The FDA told Grassley this month that the surveillance program began in 2010, when Ralph Tyler was FDA chief counsel. Tyler, now a partner at Venable, did not return multiple calls seeking comment.
Such a memo could have come from lawyers at any level in the FDA or HHS, according to Peter Barton Hutt, senior counsel to Covington & Burling and former FDA chief counsel. “It could have been all of the above or any of the above. There is no hierarchical structure that determines who may say what,” he said. “This could have been with consultation from general counsel of the department, it could have been with consultation with FDA chief counsel, could have been only in consultation with the associate chief counsel.”
On July 14, a New York Times story detailed how the FDA’s initial surveillance operation against several of its scientists eventually morphed into a broader effort to stifle critics of the agency, including outside scientists, journalists and members of Congress. One of the congressional offices the whistleblowers had sent emails to was Grassley’s.
“It is evident from the documents I have obtained that FDA did in fact target communications with Congress for monitoring and then took adverse personnel actions against FDA whistleblowers who were communicating with Congress,” Grassley said. “FDA’s misconduct cannot be ignored.”
The Office of Special Counsel, an independent federal agency that investigates whistleblower-reprisal allegations, weighed in on the legal issue in June. “While lawful agency monitoring of employee communications serves legitimate purposes, federal law also protects the ability of workers to exercise their legal rights to disclose wrongdoing without fear of retaliation,” Special Counsel Carolyn Lerner wrote.
The letter, distributed to government agencies, called monitoring “highly problematic” especially when deliberately targeting an employee’s emails or computer files “simply because the employee made a protected disclosure.”
FDA spokeswoman Erica Jefferson, when asked for comment on the letter and the lawyer who authored it, said only that the agency was looking into Grassley’s letter. The HHS public affairs office referred all questions to Jefferson.
Grassley’s office concedes that an agency might have a legitimate need to monitor employee computer and email use, spokeswoman Gerber said in an email — take for instance the infamous U.S. Securities and Exchange Commission employee who spent hours each day watching pornography on his work computer.
“My colleagues are very interested in the DEA and V.A. use of the monitoring software,” Gerber said. “We likely will make some inquiries.”