Rattled by the shocking shooting rampage at Fort Hood, Texas, in 2009 and the embarrassing WikiLeaks scandal the following year, the White House on Nov. 21 called on all agencies to install programs to detect and deter insider threats.
The White House directs agencies to enlist technology to monitor employees’ computer activities and to ask federal employees to look for and report anomalous behaviors exhibited by their colleagues.
What could possibly go wrong? Plenty.
At a time when federal employees’ job satisfaction has been driven into decline by an extended pay freeze, shrinking staffs, increasing workloads and ad hominem attacks from politicians, this move to increase security looms as a significant and complex workplace issue.
The specific guidelines and standards for carrying out the insider threat policy put forward by the White House were not made public. It is important that they not be so vague as to leave much to local interpretation. Left in the wrong hands, the rules could:
Threaten individual liberties and privacy.
Break down trust in the workplace, as employees are encouraged to identify anomalous behavior.
Encourage latent discrimination against people with unusual religious, political or other beliefs, as well as against whistle-blowers or others upset over workplace rules or decisions.
In fact, given the increasing tide of employee disgruntlement, even that disgruntlement could be misinterpreted by a boss, well-meaning or otherwise, as a potential risk or threat.
The rules leave unanswered how decisions will be made — and who will make them — when determining who rates more rigorous monitoring or investigation, and when that is necessary.
Worse, it’s unclear what is to become of information gathered about employees during such monitoring, who should have access to it, and for how long it is to be kept.
For an example of how such a policy might be abused by vindictive supervisors, and what can happen afterward, look no further than the Food and Drug Administration. FDA employed monitoring software to capture the keystrokes of a half-dozen current and former employees in 2009 after they alleged that the agency approved unsafe medical devices.
In the process, the whistle-blowers’ passwords, personal emails and other privileged and protected communications were captured, collected and published online. The case is now under investigation by the Office of Special Counsel and the inspector general’s office, and the employees have sued FDA in federal court.
That’s an extreme case, but rules must be made to specifically guard against any kind of abuse, extreme or otherwise.
As agencies roll out their insider threat programs, it is imperative that clear rules, full transparency, effective training and rigorous oversight be at the heart of each, and that all be measured against one set of legal standards.
Before any of these policies are put in place, employees must be fully informed about how far employee monitoring will go and what steps they can take to protect their private communications and activities from intrusion by their employers. They must also know how their legitimate privacy expectations will be safeguarded, and how grievances will be heard.
So far, the answers to such questions remain far from clear.