In the Public Interest....
July 15, 2012 6:05 AM

Earlier this year, six scientists and doctors filed a lawsuit against the US Food and Drug Administration alleging that the FDA had secretly monitored their personal e-mail accounts after they (legally) warned Congress that the "agency was approving medical devices that they believed posed unacceptable risks to patients." The agency said it had done so to "investigate allegations that the employees had leaked confidential information to the public." At the time, the FDA indicated their computer monitoring was limited to five scientists. But now, the New York Times is reporting that "what began as a narrow investigation" "quickly grew in mid-2010 into a much broader campaign to counter outside critics of the agency’s medical review process."
posted by zarq (29 comments total) 16 users marked this as a favorite
 
"The agency, using so-called spy software designed to help employers monitor workers, captured screen images from the government laptops of the five scientists as they were being used at work or at home. The software tracked their keystrokes, intercepted their personal e-mails, copied the documents on their personal thumb drives and even followed their messages line by line as they were being drafted, the documents show."

And let's not leave out the manner in which these documents came to light, per the NYT (emphasis mine):

"The documents captured in the surveillance effort — including confidential letters to at least a half-dozen Congressional offices and oversight committees, drafts of legal filings and grievances, and personal e-mails — were posted on a public Web site, apparently by mistake, by a private document-handling contractor that works for the F.D.A."
posted by MonkeyToes at 6:21 AM on July 15, 2012 [9 favorites]


Now of course everybody wants to see what it is that they were saying. Wikileaks me that!
posted by elpapacito at 6:25 AM on July 15, 2012


If the FDA is a branch of the US government, and therefore is actually representing the people and their interests in these matters (none of which are foreign policy or military in nature), then how on earth can they have confidential information which the public absolutely cannot know about?

This culture of secrecy is stupid, and should stop. Unless someone can explain to me exactly what is so goddamned important that the FDA keep secret about its review process, I really think that the best solution here would be complete transparency on behalf of this agency which is tasked with making food and medicine safe and effective for the public at large.
posted by hippybear at 6:33 AM on July 15, 2012 [25 favorites]


For the same reason the IRS doesn't make your tax returns public: In the course of doing their job, an agency can come into possession of information that those who supply it (individuals or corporations) want or need to keep confidential.
posted by NotMyselfRightNow at 6:38 AM on July 15, 2012 [5 favorites]


Five years ago:

"We had that really smart guy in IT write up documentation of all of the processes. Let's fire him and everyone else making more than 50k/yr who doesn't have an MBA, and hire a bunch of contract labor to do their jobs..."

And yet, I know there's a handful of penny-pinching-dollar-grabbing suits at the FDA who will fire that contractor because he obviously screwed up. It has nothing to do with the fact he's underqualified for the 10 different jobs they have him scrambling around doing.
posted by Bathtub Bobsled at 6:47 AM on July 15, 2012 [6 favorites]


Not defending the FDA at all, because I think that monitoring employee communications is sleazy and evil, except for extremely rare cases, but one must always, always, assume that if you are using an employer-provided computer, that your communications are being read, and this goes double for the government. In fact, I was told this directly when I was working for the government as part of training, if I remember correctly.
posted by empath at 7:17 AM on July 15, 2012 [6 favorites]


Empath, I agree with you. While I find it personally repulsive that the monitoring occurred, they did sign up for the possibility when they started working for the government. However, using that power for evil takes it to a whole new level of icky and offensive. Manufacturer confidentiality should never be rated more important than patient safety. Plus, I still can't quite wrap my head around how they recommended someone be fired for expressing reasonable concern! Ugh!
posted by mismatched at 7:25 AM on July 15, 2012


Looks like they got an OSC investigation. OSC has been so great since Obama took over. It's finally a real agency with real teeth. I've had significant success there of late getting them to listen.
posted by Ironmouth at 7:30 AM on July 15, 2012 [1 favorite]


So not to be too off-topic here, but this "contractor" is probably working with the Times or they'd have been named in the article, right? Being contracted to spy on employees is one thing, but posting this info online is obviously a significant misstep and I was surprised to see the name of the company omitted (though it's quite possible someone is busy selling stock right now though). It's also interesting that this wasn't some sinister/insider IT job, but just the deployment of some off-the-shelf commercial product (which was far cheaper than I thought it would be).
posted by antonymous at 7:40 AM on July 15, 2012 [1 favorite]


The crux of the matter:
While federal agencies have broad discretion to monitor their employees’ computer use, the F.D.A. program may have crossed legal lines by grabbing and analyzing confidential information that is specifically protected under the law, including attorney-client communications, whistle-blower complaints to Congress and workplace grievances filed with the government.

Other administration officials were so concerned to learn of the F.D.A. operation that the White House Office of Management and Budget sent a governmentwide memo last month emphasizing that while the internal monitoring of employee communications was allowed, it could not be used under the law to intimidate whistle-blowers. Any monitoring must be done in ways that “do not interfere with or chill employees’ use of appropriate channels to disclose wrongdoing,” the memo said.

Yes, you can monitor employee activity on employer-owned hardware. No, that doesn't exempt the employer from other legal restrictions.
posted by muddgirl at 7:58 AM on July 15, 2012 [10 favorites]


Muddgirl, thanks for posting that key detail. I was sitting here sympathizing with the employees but thinking about how employers are doing this kind of thing but completely forgot about the legal whistleblower issue. Damn, now I have to read the whole article!
posted by etaoin at 8:19 AM on July 15, 2012 [1 favorite]


Are employers legally required to tell you if there is any possibility that your communications may be monitored?
posted by orme at 8:50 AM on July 15, 2012 [1 favorite]


I'm old enough to remember when this sort of behavior (enemies' lists, communications interception) was "Nixonian" and that was a negative adjective that was considered a bit chilling. Now, especially with the post 9/11 culture of "secrecy or the terrorists will win", it seems like the new normal.
posted by immlass at 8:57 AM on July 15, 2012 [2 favorites]


Unless someone can explain to me exactly what is so goddamned important that the FDA keep secret about its review process,

Leaving aside regulatory capture and so on, the FDA does have to provide some level of secrecy in its review process to protect trade secrets. From the last link:
Much of the material the F.D.A. was eager to protect centered on trade secrets submitted by drug and medical device manufacturers seeking approval for products. Particular issues were raised by a March 2010 article in The New York Times that examined the safety concerns about imaging devices and quoted two agency scientists who would come under surveillance, Dr. Robert C. Smith and Dr. Julian Nicholas.

[...]

Lawyers for GE Healthcare charged that the 2010 article in The Times — written by Gardiner Harris, who would be placed first on the surveillance program’s list of “media outlet actors” — included proprietary information about their imaging devices that may have been improperly leaked by F.D.A. employees.
posted by notyou at 8:57 AM on July 15, 2012 [1 favorite]


When you work for the man, you have to assume that everything you do is subject to scrutiny, on or off the clock, especially if you get money or equipment for said work.
posted by Renoroc at 9:43 AM on July 15, 2012


They also collected e-mail conversations with congress people. It might be legal to do that, but getting caught doing it isn't smart.
posted by rdr at 9:47 AM on July 15, 2012 [1 favorite]


It may not be legal, either. Monitoring employee communications is not a matter of "It's our equipment, so we can." It depends on the circumstances and jurisdiction. Always check with Legal before rummaging around in someone's account. Unless it's really, really important, they'll usually say no.
posted by Slap*Happy at 10:04 AM on July 15, 2012 [1 favorite]


It might be legal to do that, but getting caught doing it isn't smart.

As I found out in one of my cases, this touches on the enumerated first amendment right to petition your representatives for grievances.
posted by Ironmouth at 10:05 AM on July 15, 2012 [2 favorites]


Don't use your work computers for personal communications. This includes your work-issued laptop.

As for legal, it's been hashed out numerous times. It's completely legal for your employer, whether it's a government agency or a private company, to monitor your communications. They don't need a reason, they don't need probable cause, and they don't need to differentiate between your "personal" communications and work related communications.

This isn't "post 9-11" erosion of your rights, either. This has always been the position of the law and the courts. It has simply become more visible and relevant as electronic devices and computers have helped us blur the lines - erase the lines - between work and personal life.
posted by Xoebe at 11:17 AM on July 15, 2012


Xoebe - that's not really accurate. There are some legal nuances in play here.
posted by -harlequin- at 1:12 PM on July 15, 2012


They don't need a reason, they don't need probable cause, and they don't need to differentiate between your "personal" communications and work related communications.

I don't know the law on this, but from what I've been reading in the articles posted above and elsewhere it seems that there are limits. Or at least people are asserting that some of what the FDA was doing was illegal because it ran up against specific rights given by whistleblower legislation and the communications with elected represented. So the right is not absolute(?).

I can't recall right now, but were *all* the computers monitored ones provided by the FDA?
posted by lesbiassparrow at 1:12 PM on July 15, 2012


communications with elected *representatives*
posted by lesbiassparrow at 1:14 PM on July 15, 2012


Unless someone can explain to me exactly what is so goddamned important that the FDA keep secret about its review process, I really think that the best solution here would be complete transparency on behalf of this agency which is tasked with making food and medicine safe and effective for the public at large.

Given the shoestring budget the FDA works on, I can see a certain logic in believing that the more someone who wants to game the system knows about the process, the easier it is for them to game the system. That said, Bruce Schneier calls this approach "security by obscurity" and notes that you can get away with it occasionally, but if you try to depend on it you are going to wind up getting screwed. Hard.
posted by Kid Charlemagne at 1:44 PM on July 15, 2012


This isn't "post 9-11" erosion of your rights, either.

It has nothing to do with your legal rights. We accept now that it's normal that our bosses might monitor our communications where 25 years ago, we would have met the idea that our bosses might be wiretapping our company phones all the time without our knowledge with something a little more than a collective "meh" and "you should have gone out and used a pay phone".

Part of that is technological--privacy expectations haven't expanded along with our options for communications--but part of that is "you have no privacy, get used to it", which is a social change. The fact that the employer may not have been legally in the wrong doesn't make the whole situation, particularly the enemies' lists part, any less creepy.

(And that's aside from the regulatory capture aspects of this story, which are also disturbing. Hi, these medical devices are unsafe and don't do anything useful BUT we're going to overrule our actual scientists and approve them anyhow! I'd love to see some research on the careers/career expectations of the administrators involved in the overruling and the investigations, not to mention their financial connections to the companies they're regulating.)
posted by immlass at 1:49 PM on July 15, 2012 [2 favorites]


As for legal, it's been hashed out numerous times. It's completely legal for your employer, whether it's a government agency or a private company, to monitor your communications. They don't need a reason, they don't need probable cause, and they don't need to differentiate between your "personal" communications and work related communications.

Doing it to investigate and harass whistle-blowers is a much more complicated situation. There are very specific laws related to retaliation against whistle-blowers in the federal government, and the legality of this spying is going to hinge on these details. Intercepting attorney-client emails, communication to members of congress, and the filing of personnel grievances is a pretty serious matter.

Moreover, whether legal or not, this is simply plain wrong, and certainly leads to a chilling effect on those who may be concerned enough about patient safety to come forward in the future.
posted by zachlipton at 3:04 PM on July 15, 2012 [1 favorite]


They don't need a reason, they don't need probable cause, and they don't need to differentiate between your "personal" communications and work related communications.

Ummm... no? Where did you get this information? Let's use this hypothetical: Next generation firewalls allow you to set up a "man in the middle" to monitor SSH communications coming and going. When used by a fingerprinting tool to monitor for malicious traffic signatures, or as part of a DLP system, it can be useful. You can intercept pretty much anything - the user knows they have to accept an untrusted cert to access stuff from work, and once they're shown how to do it, they won't think twice about it.

What would happen if you went a step further and sniffed an employee accessing their bank account online during their lunch break, and peeked to see if they received any large deposits from a competitor lately?

A shit storm of legal repercussions, that's what.
posted by Slap*Happy at 6:48 PM on July 15, 2012 [1 favorite]


Leaving aside regulatory capture and so on, the FDA does have to provide some level of secrecy in its review process to protect trade secrets

At some point, the FDA needed to cease working in the public interest and begin working for the benefit of a handful of GE shareholders, specifically by spying on government employees who were exposing unsafe products.

When was this executive cabinet tasked with this mission, and by whom?

We have an administration that by all objective measures is the most secretive in American history, pursuing legal and extralegal vendettas against whistleblowers. The scope of this operation cannot be explained by mere coincidence.

As an American citizen, I'm less concerned with protecting trade secrets and more interested in who paid off and/or ordered the higher-ups at the FDA to shut down exposure of information damaging to a large, multinational corporation.
posted by Blazecock Pileon at 12:26 AM on July 16, 2012 [1 favorite]


When was this executive cabinet tasked with this mission, and by whom?

The FDA is not a cabinet-level position, it falls under HHS. If I'm reading this article correctly, the HHS IG is actually not in support of the FDA in this case:
The HHS inspector general’s office, which oversees FDA operations, declined to pursue an investigation, finding no evidence of criminal conduct. It also said that the doctors and scientists had a legal right to air their concerns to Congress or journalists.

We have an administration that by all objective measures is the most secretive in American history, pursuing legal and extralegal vendettas against whistleblowers. The scope of this operation cannot be explained by mere coincidence.

Again, the FDA seems to have gone a bit rogue here. From the notes for the memos:
A top FDA official tried twice to convince the agency's inspector general to bring charges against the whistleblowers. The second attempt was based on the intercepted e-mails. The inspector general declined to pursue a case.

Also, the NYT article points out that the FDA is under investigation by the GAO and OSC.

As an American citizen, I'm less concerned with protecting trade secrets and more interested in who paid off and/or ordered the higher-ups at the FDA to shut down exposure of information damaging to a large, multinational corporation.

Perhaps it was the higher-ups at the FDA dancing to the tune of the corporate interests. If the articles posted are correct, then FDA's parent Department, the administration's auditing and investigation division, and the WH legal team all seem to be siding with the scientists, not the FDA.
posted by zombieflanders at 7:04 AM on July 16, 2012 [4 favorites]


Let's use this hypothetical: Next generation firewalls allow you to set up a "man in the middle" to monitor SSH communications coming and going. When used by a fingerprinting tool to monitor for malicious traffic signatures, or as part of a DLP system, it can be useful. You can intercept pretty much anything - the user knows they have to accept an untrusted cert to access stuff from work, and once they're shown how to do it, they won't think twice about it.

Not a hypothetical sadly. Many of the deep packet inspection systems do exactly this to monitor SSL/TLS web traffic. The users don't even have to accept an untrusted cert: the company just pre-installs the cert on employee machines as part of the system image. SSL is only as good as the certificate chain, and the certificate chain sucks.
posted by zachlipton at 10:08 AM on July 18, 2012 [1 favorite]

