Sen. Charles Grassley, R-Iowa, is demanding information from the Food and Drug Administration about allegations that it monitored the email of employees who were whistle-blowers. / File photo / Getty Images
Allegations that the Food and Drug Administration monitored employees' personal emails have sparked a debate among legal experts and advocacy groups about electronic monitoring practices governmentwide.
Some argue that feds shouldn't expect privacy when conducting online activities on a government device or network. Others view online monitoring of employees' personal email as a breach of their Fourth Amendment rights, especially if agencies lack a compelling reason to do so.
Six current and former FDA employees filed a lawsuit Jan. 25 in U.S. District Court of Washington, claiming that top FDA managers monitored and seized emails from their personal Gmail and Yahoo! accounts for at least two years. Documents they obtained through the Freedom of Information Act and other means show that FDA began monitoring their electronic conversations in 2009 — after they expressed concerns to the incoming Obama administration that FDA had approved unsafe medical devices, according to the lawsuit."The biggest problem with what has occurred here is that they targeted whistle-blowers," said Stephen Kohn, executive director of the National Whistleblowers Center and attorney for the six employees. It would be acceptable, Kohn said, if FDA was engaged in basic monitoring of all employees to make sure people are not violating the law.
"I think the FDA went too far in its zeal to monitor these employees," said Scott Oswald, managing principal of The Employment Law Group law firm, which represents employees in work disputes. "Employers who access [and] retain emails or other electronic stored information from a third-party server risk violating an employee's privacy interest."
FDA fired two of the employees and did not renew contracts for two others. Two other employees still work at FDA.
The six people who filed the lawsuit are suing to ban all federal agencies from targeting whistle-blowers with selective electronic surveillance and monitoring.
Meanwhile, Sen. Charles Grassley, ranking Republican of the Senate Judiciary Committee, is demanding more information from FDA about the allegations.
In a letter to FDA Commissioner Margaret Hamburg, http://www.federaltimes.com/article/20120202/IT03/202020303/1001">Grassley sharply criticized the agency for its treatment of former FDA engineer Paul Hardy. Hardy is one of nine employees who expressed concerns to the incoming Obama administration and Congress that FDA had approved unsafe medical devices, the letter says.
"It's troubling to me to see your agency actively pursue the dismissal of an employee against the advice of the OSC [Office of Special Counsel]," Grassley wrote in the Jan. 31 letter. "FDA appears to have attempted to retaliate" against Hardy, he added.
"The federal government has a right to monitor what goes on on government computers," a Grassley aide said in an interview. "The circumstances under which and how they monitored is what we are calling into question."
Computer use policies
Most, if not all, federal agencies, including FDA, have policies that govern Internet, email and overall computer usage. FDA's electronic equipment policy allows employees to use government devices and systems for personal use, but warns that information created, stored or transmitted on a government device is public information, unless exempted by law. The policy also instructs office managers to monitor and review "all activities" using government electronic equipment and disclose the content of inappropriate documents.
FDA spokeswoman Erica Jefferson said the agency doesn't comment on pending or ongoing litigation.
At the General Services Administration, employees are told that they should "have no expectation of privacy" when using its computers: "All activity on GSA IT systems is subject to monitoring."
Supervisors can request to review employees' emails if there is a reason to suspect a security breach, misconduct or violations of other GSA policies. The electronic usage policy also warns that anyone, including system administrators and managers, caught snooping through people's emails without cause will be reprimanded or fired.
The National Credit Union Administration is also clear about how and when it monitors employees.
"We're running a transparent shop," said David Chow, the agency's acting chief information officer. "We are obligated to provide [employees] that information so that people know exactly what is going to be monitored."
Chow is working with union representatives to equip 900 of the agency's examiners with iPhones. He said employees must understand what the expectation is before they receive the device.
Mobile device management
Software known as mobile device management software allows agencies to track the sprawling usage of mobile devices and ensure that devices are in compliance with agency policies.
As more agencies allow employees to use their own smartphones and tablets for work, the definition of what is personal information can become blurred.
If employees co-mingle personal and government data, they shouldn't expect their emails to be private, said Chris Roberts, vice president of worldwide public sector for California-based Good Technology. The company created a software application that separates government or company data from an individual's personal data on their own mobile device.
Lewis Maltby, president of the National Workrights Institute, a research and advocacy organization, warns employees to be cautious when using government devices for personal matters.
"Think twice before sending anything sensitive over the company system, and then don't do it," Maltby said. "If the boss hasn't told you they are monitoring your emails, they just haven't gotten around to it or they're keeping it secret."
Maltby said agencies and companies monitor emails and online activities mainly for security reasons, to protect employees from harassment and to ensure secret or proprietary information is not being leaked.
Nancy Flynn, executive director of The ePolicy Institute, recommends that all organizations take advantage of their right to monitor.
"The employer has an obligation to protect the organization's assets and reputation and employees and [its] future," Flynn said. Flynn encourages agencies and companies to involve senior executives, human resources and IT directors, and a records management officer when creating electronic usage policies.
For many organizations, the monitoring process is automated, and the software can search emails for certain words or phrases, she said.
Deborah Galea, chief operating officer for Red Earth Software provides email monitoring capabilities to the public and private sector.
She said organizations usually monitor all employees to be consistent, as opposed to targeting specific groups. The only exception is for HR or administrative reasons.
Her advice to employees: "If it's something that they can't stand behind or would not want to see posted online for everyone to see, then they shouldn't send it."