Six scientists and doctors filed a lawsuit against the U.S. Food and Drug Administration last week, charging the agency with secretly monitoring personal email accounts after the group warned Congress and the White House that the FDA was approving medical devices they considered risky to patients.
According to news reports, the FDA is accused of prying into the plaintiffs’ personal Gmail accounts, which they accessed from government computers, over the course of two years.
The emails and memos in question were compiled by the law firm representing the plaintiffs on behalf of the National Whistleblower Center and are available here via The Washington Post.
The suit alleges that the surveillance led to the harassment or dismissal of all six FDA employees, all of whom worked in the agency’s Office of Device Evaluation – an office devoted to reviewing cancer screening devices.
Beginning in 2007, the plaintiffs complained internally that the agency had approved, or was about to approve, at least a dozen radiological devices whose effectiveness was not proved and that posed risks to millions of patients. They went on to bring their concerns to Congress, the White House and the Health and Human Services Inspector General.
Here are the problems the FDA employees found with the devices, as summarized from the Washington Post article:
- Three of the devices risked missing signs of breast cancer.
- One device risked falsely diagnosing osteoporosis, leading to unnecessary treatments.
- One ultrasound device could malfunction while monitoring pregnant women in labor, risking harm to the foetus.
- Several devices for colon cancer screening used such heavy doses of radiation that they risked causing cancer in otherwise healthy people.
- The doctors and scientists were concerned about a computer-aided imaging device that searched for signs of breast cancer. A team of experts recommended against approval three times, with middle managers agreeing each time. After the third rejection, a senior manager approved the device.
At issue, of course, is the question of whether employees should have any expectation of privacy when using work computers. The agency’s computers explicitly warn users that they should have “no reasonable expectation of privacy” for data passing through or stored on the systems and that it may be intercepted at any time for any lawful government purpose.
The definition of what’s a lawful purpose, though, is far from settled. Civil liberties groups such as The Constitution Project have said that employers should have the right to spy on employees mainly in the case of serious breaches, such as suspected watching or transmittal of child pornography.
Whistleblowing communications, since they’re conducted in the public interest, deserve a higher standard of protection from employer surveillance, they say.
The government’s line: If the whistleblowers wanted to prevent prying eyes, they should have used their own computers. At least one of the plaintiffs didn’t have her own computer, however.
It’s a sticky wicket. The courts need to step in and provide much more granular guidance on what suspicions merit employer surveillance.
If we lump all employee communications under the rubric of “liable to being monitored”, we run the risk of silencing those brave enough to challenge employers who conduct business in an illegal or immoral manner.
Regardless of whose computers whistleblowers use, their communications deserve protection. Speaking out on behalf of the public good should surpass employers’ rights to monitor and control that speech.
From my way of thinking there is much evidence of insider abuse or just inadvertent activity that threatens organizations. This could be data loss or theft, poor work quality, errors causing a regulatory migraine – the list goes on.
It's essential for a company or government organization to have insight into what is taking place. No different than "This call is being recorded for quality assurance". When it's all said and done, the organization is liable if an employee leaks customer records through his Gmail account or sends them a USB drive – and so on.
The poll (at the time I viewed it) showed 2:1 against "snooping." Bad choice of word for a poll: heavy negative association. I suspect employees would more likely be against being monitored whereas employers are more likely to be in favor.
I've been monitored for ten years. Aware of it; used to it – even welcome it. I've been able to get work restored lost in a PC crash or inadvertently deleted. Plus, I do my job well and have no problem with my activity being monitored. In fact, it has resulted in some good suggestions as well as positive recognition.
When will people learn that what is in digital form is open to everyone at every moment? If you need to communicate information, do it from your computer or tablet and with an email name which cannot be associated with your real personality. Best is to buy a very cheap laptop that, if need be, you can lose in a compactor. Email is free and all around the world. Choose an email that doesn't come under the law of your government. It makes it more difficult to get them if an administration wants them legally.
I don't think what you are saying is what you mean. Like, is Gmail open to all? Can data be spied on while its connection is being checked? I don't think you think about these types of things happening with your e-mail. You state that once it's on a digital forum it's open to everyone. Is my private Gmail on a digital forum? I hope not! No access is a better choice. If they have a legitimate reason, let them get a warrant, period!
Automated monitoring of email communication is a *must* for corporations wanting to prevent data leakage.
What other way is there to prevent it if not by scanning every single email message sent or received by all mailboxes and users?
However, I don't think that a human being needs to be reading other people's emails unless there is some cause for an investigation.
In regard to reading email only when there is probable cause, from a practical point of view no one has time to do so. Behavioral alerts are widely used to provide a heads-up.
This could be alert words dealing with data leakage (either inadvertent or malicious), words such as "formula" or the use of a highly restricted password or when files in a particular folder are accessed or sent by email or to a USB.
I recall one company who used alerts for the word "resume" and some job site URLs. They were concerned about employees leaving the company. And sure enough a good salesperson was job hunting, only for more money. They realized she was underpaid, increased it; voila, everyone happy.
Johann made an excellent point when he said, "don't expect privacy at work." The adage comes to mind: Whatever you do, do it with the expectation it will be on the front page of the paper. Think I'll take a look at today's paper.
As far as I'm concerned, while you are on my clock, your time is mine. You shouldn't be doing anything personal on company time. That's what your breaks are for. Anything you do on company time or using company resources is subject to monitoring. Period.
I'm not that strict with my employees as I prefer to hire people who I can trust not to screw around, but that is not always possible in large companies. That being said, don't expect privacy at work.
On that note, though, this is a grey area as what the employees were doing was in fact work related. The issue here is not whether or not the emails should have been monitored (they should have been), but that there should not have been retribution.
The main lesson here is that any traffic going through the Internet is fair game, unless the traffic is encrypted between trusted endpoints.
Every company I've worked for in the last ten years has monitored what employees do ON COMPANY COMPUTERS, up to and including having key-logging software installed that captured every word I typed in every application, and has also had blocking software installed to keep employees off of social networking sites, shopping sites, porn sites, and so forth.
Companies HAVE to do this to protect themselves from theft – spending large amounts of time on personal e-mail, social networking and chatting, web-surfing etc while you're on the clock not only affects productivity but is considered a form of theft – as well as from viruses and other malware.
Using a company computer to send personal e-mails and expecting them to be private is just plain foolish. If you want privacy, use your home or personal computer, your private smartphone, computers at a public library, etc.
There are several issues at work here. First is an employer's Incidental Use policy. Next is the undeniable right of the employer to monitor all use of their own systems, from the keyboard out to anywhere. Even encrypted traffic from the company desk or virtual office desk is not exempt and can easily be monitored *in the clear* legally. Add the fact of use of government systems and the presumption of any entitlement to privacy or security is very naive.
Whether I think employers are going too far in their monitoring policy or not is immaterial to the actual experience. I have NO expectation of privacy or security if I am using an employer's systems to, for example, check my bank balance. This is accepted under Incidental Use policies, but NOT private or secure.
Legislation cannot cure this issue and existing law only provides recourse under the law, not prevention of privacy or security violation. Simple reality.
I suppose it might be interesting to turn this into yet another "Should there be snooping?" debate, but that completely misses the central issue here…namely, whether some FDA employees who had objections to the agency's approval of devices they considered unsafe should have been harassed and terminated for doing what they were hired to do in the first place.
Something rotten going on there; IOW, politics as usual…(sigh)
Those "problems" noted above can be said of almost 100% of all medical devices or drugs on the planet. They are all based on statistics: if the device or drug has a reasonable success rate in a subset of the population, without introducing new risks greater than the benefits, it should be approved.
As the adage goes: let not perfect be the enemy of better.
As far as the monitoring goes: if the FDA clearly states in one of its policies that all uses of its computers are subject to monitoring, then there is no expectation of privacy.