Earlier this year, government surveillance discussions were given fresh fuel as six former Food and Drug Administration (FDA) scientists filed suit against the agency for allegedly monitoring their personal email accounts. Now a new exposé authored by Washington Post correspondent Lisa Rein has revealed that the FDA is likely one of several federal offices employing such tactics, with more than just emails in the crosshairs.
Containing employee leaks
According to the Wall Street Journal, FDA officials recently confirmed that email monitoring began in early 2010 after proprietary information regarding commercial medical devices had been leaked to several media outlets. The initial surveillance campaign was focused on one particularly vocal scientist in the agency's radiological department whom some officials criticized for having a record of not approving certain device types – potentially to the detriment of innovation. The former employee's legal team, however, contends that many of his colleagues held similar views and worried that the agency may be lacking due diligence in its approval processes.
FDA officials defended the merits of the monitoring practice, according to the Journal, on the grounds that several companies had filed formal complaints suggesting that their own expectations of privacy had been violated as a result of the unauthorized disclosures made to the media. Nevertheless, data privacy advocates insist that the FDA's stance speaks to the federal government's continued lack of understanding of how to responsibly handle whistleblowers.
To shed more light on the controversy, Rein decided to trace the monitoring program back to its roots and research the technology being used. What she found was a software suite capable of doing much more than gather employee emails. In fact, administrators could potentially be using it to intercept social media posts, capture screenshots, keyword-search hard drives, retrieve files and even track employee keystrokes.
"Government workers have long known their bosses can look over their shoulder to monitor their computer activity," Rein wrote. "But now, prompted by the WikiLeaks scandal and concerns over unauthorized disclosures, the government is secretly capturing a far richer, more granular picture of their communications, in real time."
According to the Government Accountability Project, what's most worrisome is the increasingly blurry line between what constitutes personal and professional tasks. The original FDA leak was retroactively discovered via monitoring of the scientists' Gmail and Yahoo accounts when accessed from agency computers. But considering the long hours kept by most federal workers, keeping all personal communications off government machines simply isn't feasible. As a result, sensitive messages such as medical appointment scheduling or parent-teacher correspondence could inadvertently find their way under the eye of government administrators.
Using personal devices may not be a viable workaround either. As Rein noted, federal IT teams are starting to govern agencies' data and networks in the same way as their hardware. That means personal email accessed via an employee-owned device could still be subject to monitoring if it is being supported by agency bandwidth.
In addition to the FDA, both the Transportation Security Administration and the Federal Maritime Commission have had their employee monitoring practices placed under congressional review. But at the same time, according to Rein, other agencies such as the Department of Defense insist that they are well out ahead of these developments and have a number of employee safeguards in place.
As it stands, it is still up to each agency to dictate the policies and perimeter of its internal surveillance initiatives. But in an interview with the FDA's software supplier, Rein learned that any constriction of monitoring plans is unlikely. Without this covert intelligence, few agencies believe they can gain an accurate perspective on employee habits and the risks they may be presenting.
Data Security News from SimplySecurity.com by Trend Micro