Jan 30, 2012 (11:01 AM EST)
FDA Spied On Employee Personal Emails, Lawsuit Alleges

Read the Original Article at InformationWeek

Top 10 Government Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Government Stories Of 2010
The Food and Drug Administration peered into the personal Yahoo Mail and Gmail accounts of agency employees and contractors who were acting as whistleblowers, and might have disciplined or fired those employees based on information gleaned from the emails, according to a newly filed complaint and a number of government documents.

A lawsuit brought by six current and former scientists and doctors who worked with or for the FDA seeks, among other things, an injunction to prevent the agency from reading employees' private communications, and claims that the government by its actions violated the First, Fourth, and Fifth Amendments of the Constitution. The scientists and doctors seek to back those claims with, among other evidence, documents received through Freedom of Information Act requests and subsequently posted online.

Although the FDA warns computer users that they "have no reasonable expectation of privacy" and that "at any time, the government may monitor, intercept, and search and seize and communication or data" on the computer, the lawsuit alleges that the FDA had no right to monitor the doctors' and scientists' communications.

[ The FDA attempts to regulate mobile medical apps. See Should Mobile Medical Apps Require FDA Approval?. ]

Monitoring of employee email has long been a touchy subject. Laws such as the Electronic Communications Privacy Act give employers leeway to monitor employees' emails under certain conditions, and cases about email monitoring date back more than a decade.

Laws prevent federal employees from disclosing confidential information, but also protect communications with Congress. However, in a 2009 email, then-Congressional staffer Joanne Royce told one of the scientists bringing suit that "it's a debatable legal question" whether "even confidential and confidential business info submitted to Congress is legal."

The scientists and doctors had complained that FDA senior managers had coerced experts to modify their reviews, conclusions and recommendations. For example, they indicated that certain breast cancer detection devices were being approved despite flawed science and over the objections of some within the agency.

Documents that the scientists and doctors procured via Freedom of Information Act requests indicate that, shortly after the whistleblowers complained to Congress and the Obama Transition Team alleging problems with the FDA's review process and retaliation against whistleblowers, the FDA intercepted emails and other documents, even taking screenshots of employees' computers.

Some of the employees were subsequently disciplined or fired. In notices of proposed removal or discipline of the whistleblowers, the government singled out emails sent from government accounts to personal accounts and emails sent to non-government third parties, rather than the emails sent to Congress.

According to the lawsuit, the FDA installed spyware on the computers that allowed it to take real-time screen shots without the whistleblowers' knowledge. Among the emails that were intercepted were draft complaints and other material that the whistleblowers claim consisted of privileged attorney-client communications.

The lawsuit and the documents indicate that the FDA began referring to the whistleblowers--not all of whom are represented in the suit--as the "FDA Nine" or "FDA 9." According to the lawsuit, the FDA created a computerized file folder called "FDA 9" with separate folders containing information on each of the whistleblowers.

Heightened concern that users could inadvertently expose or leak--or purposely steal--an organization's sensitive data has spurred debate over the proper technology and training to protect the crown jewels. An Insider Threat Reality Check, a special retrospective of recent news coverage, takes a look at how organizations are handling the threat--and what users are really up to. (Free registration required.)