Whistle-blowing Scientists (Trying To Prevent Dangerous Products From Reaching The Market) Sue FDA For Snooping On Their Personal Email Accounts

from the shameful-suppression dept

Last year, we wrote about the federal whistle-blowing act, which was designed to give protections to federal employees who blow the whistle on federal fraud and abuse. For reasons that still aren't clear, that bill was killed by a secret hold by either Senator Jon Kyl or Senator Jeff Sessions. That fact only came out due to an amazing effort by the folks at On The Media, who kept hounding all 100 Senators to find out who would possibly kill such a bill. Recently, On The Media revisited the topic, noting that there was a new version of the bill. The report also talks about just how vindictive the government has been against whistleblowers. Even as President Obama has insisted that whistleblowers are important and should be protected, that's not what's happening in real life, with many getting stripped of their responsibility and demoted -- all for daring to point out waste, fraud and abuse. The worst example to date remains the horrifying story of Thomas Drake, who was threatened with 35 years in jail in a bogus vindictive lawsuit against him, due to his blowing the whistle on a bogus NSA project.

More evidence of the insane lengths the federal government will go to against whistleblowers has been revealed in the form of a lawsuit from a group of FDA scientists and doctors. The group had been trying to blow the whistle on fraud and abuse in the FDA, in the form of approvals for medical devices that didn't actually meet health and safety standards. The scientists reached out to Congress to blow the whistle... and in response, the FDA started spying on their personal emails. Yes, it does appear that these scientists were accessing their personal Gmail accounts from work computers, and using them to work with Congressional staffers to craft their whistleblowing complaint, but does that give the FDA the right to spy on their personal communications? The doctors, via their lawsuit, believe the answer is no.

The FDA is defending its actions by claiming that this whistleblowing involved "improperly disclosed confidential business information about the devices," and it wanted an investigation of the doctors involved. That sounds ridiculous. Or, perhaps, all too typical. It seems clear that the FDA bosses just didn't like the fact that some folks there blew the whistle on what they were doing and took vindictive actions. This is exactly the kind of thing that a Whistle Blower Act should protect. That it doesn't do so already is really a shame.

Filed Under: email, fda, free speech, privacy, safety, whistleblowing


Reader Comments



  • identicon
    Anonymous Coward, 2 Feb 2012 @ 6:30am

    Don't think 'took vindictive actions' is the right term. Maybe appropriate would be better? After all, they were trying to do something good.

    link to this | view in chronology ]

  • icon
    Robert Doyle (profile), 2 Feb 2012 @ 6:35am

    It is just sad that there is even the need for whistleblowers. What ever happened to just trying to do the right thing? You can get paid for doing good things as well as bad things - but so many people prefer to do the wrong things.

    link to this | view in chronology ]

    • icon
      GunSheep (profile), 2 Feb 2012 @ 7:28am

      Re:

      Sometimes doing the bad things pays better. And depending on how bad it is sometimes you can get the government to bail you out afterwards....

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Feb 2012 @ 12:28pm

      Re:

      It is easier to be bad.

      link to this | view in chronology ]

  • icon
    MAJikMARCer (profile), 2 Feb 2012 @ 6:42am

    it does appear that these scientists were accessing their personal Gmail accounts from work computers


    As a former network admin I had to deal with this fine line quite a bit, but I also believe there is a fair amount of precedent stating that the company owns the network and thus can 'snoop' on any traffic on that network.

    Additionally it would be good to get a look at the employee policy manual. Many companies explicitly state that employees have no expectation of privacy while using company computers/networks. Maybe that won't stand up in court, but that alone could thwart them.

    I support what these whistle-blowers are doing, but they should have used their personal computers/mobile devices, not work computers.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Feb 2012 @ 6:51am

      Re:

      I was just going to say this, thank you.

      Every company I worked at had these policies, though few ever acted upon them (at least not that I am aware).

      link to this | view in chronology ]

    • icon
      Skeptical Cynic (profile), 2 Feb 2012 @ 7:12am

      Re:

      As a Sys Admin of many years I have had to deal with this issue a lot. The question I have is HOW were they monitoring it? Gmail is a secure site.

      link to this | view in chronology ]

      • icon
        MAJikMARCer (profile), 2 Feb 2012 @ 7:17am

        Re: Re:

        That is a good point, cracking the packets collected on their network is one thing, but cracking the Google account itself is not legal, regardless of where the emails were written.

        link to this | view in chronology ]

      • identicon
        New Mexico Mark, 2 Feb 2012 @ 8:34am

        Re: Re:

        It is pretty straightforward to monitor SSL (https) using man-in-the-middle with a local organizational cert. Basically any 443 connection is encrypted to/from the workstation and the trusted monitoring device, then encrypted to/from the monitoring device and the originally requested site. This is done by having a local trusted cert on the workstations.

        Since the organization owns/administers the local workstations, this isn't considered a broken chain of trust. The ethics of what is done with that information are an entirely different matter, and here there be dragons.

        Are employees specifically aware of this capability? (I would suggest the standard "we can monitor anything" message is insufficient given the expectation that https connections are encrypted and reasonably secure.) Are exceptions made for banking sites and such? If not, how will the information gathered be secured? Tons of other issues are raised to the point that some organizations find it easier to just block https and be done with it.

        If the organization somehow obtained and was using the employee's gmail password without the employee's knowledge, that violates plenty of laws, and any organization taking that approach could (rightly) be in deep doo-doo.

        link to this | view in chronology ]

        • icon
          doughless (profile), 2 Feb 2012 @ 9:34am

          Re: Re: Re:

          My company actually issues organizational certs to all of our workstations. Even with the "man-in-the-middle" attack you describe, a savvy employee could still possibly catch this one (since as you said, it is still a valid chain of trust), and I occasionally double-check certificates of websites I visit to make sure they are signed by an external certificate authority. To the best of my knowledge, my company hasn't turned on any https monitoring yet, even though they definitely can.

          link to this | view in chronology ]
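
The issuer check discussed in the two comments above, as an added example that is not part of the original post or of any commenter's reply: because an organizational root is trusted on the workstation, validation succeeds with or without interception, so the useful signal is whether the issuer matches one recorded from outside the network. The host name, CA names and baseline set are constructed for illustration; only the dict layout is that of Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

# Issuer organizations recorded for the site from an outside network
# (constructed value; assumption for this example).
BASELINE_ORGS = {"Example Public CA"}

# Constructed samples in the layout getpeercert() returns: a tuple of RDNs,
# each RDN a tuple of (field, value) pairs.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Agency IT"),),
               (("commonName", "Example Agency Web Proxy CA"),)),
}

def issuer_fields(cert):
    """Flatten the issuer RDN sequence into a {field: value} dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def classify(cert, expected_orgs):
    """Compare the issuer organization with the off-network baseline."""
    org = issuer_fields(cert).get("organizationName")
    if org is None:
        return ("no-issuer-org", None)
    return ("match" if org in expected_orgs else "different-issuer", org)

def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate the local trust store accepted (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for name, cert in (("direct", SAMPLE_DIRECT), ("intercepted", SAMPLE_INTERCEPTED)):
        print(name, classify(cert, BASELINE_ORGS), issuer_fields(cert).get("commonName"))
```

This only covers the network path; it says nothing about monitoring software running on the workstation itself, such as the screenshot capture mentioned further down the thread.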

      • identicon
        Forrest, 2 Feb 2012 @ 12:50pm

        How they did it

        The linked WaPo article gives more info. If I understood it correctly, software was installed on their computers to periodically take screenshots of their monitors and save them to a sekrit network directory.

        link to this | view in chronology ]

    • icon
      crade (profile), 2 Feb 2012 @ 7:27am

      Re:

      Yeah, if you are using your work computer and network, expect it to be spied on. They don't turn the spybots off when you access gmail. But then they gotta get the evidence of wrongdoing from the work computer to the public somehow right? :)

      link to this | view in chronology ]

  • identicon
    fb39ca4, 2 Feb 2012 @ 6:44am

    Note to whistleblowers: Use a VPN!

    link to this | view in chronology ]

    • icon
      A Guy (profile), 2 Feb 2012 @ 6:54am

      Re:

      Or just use a personal smartphone/laptop at work

      link to this | view in chronology ]

      • icon
        Robert Doyle (profile), 2 Feb 2012 @ 8:37am

        Re: Re:

        I'm willing to bet there is a clause in there somewhere about anything you do at work is not considered private and if you expect that you must leave the premises... 198...what year was it again?

        link to this | view in chronology ]

        • icon
          A Guy (profile), 2 Feb 2012 @ 1:06pm

          Re: Re: Re:

          Nah, if you use your equipment and your internet connection, they cannot monitor it without violating various laws.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 2 Feb 2012 @ 8:46pm

            Re: Re: Re: Re:

            It would be simple to ensure no sanctioned devices can obtain an IP address on a computer network. Also, it would be extremely unlikely for them to not have a signed IT agreement for each employee that stated no foreign devices on the network.

            link to this | view in chronology ]

      • icon
        ltlw0lf (profile), 2 Feb 2012 @ 1:46pm

        Re: Re:

        Or just use a personal smartphone/laptop at work

        Many, if not most, government agencies outlaw or discourage the use of personal laptops while at the government facilities. Smartphones are prohibited in any sensitive areas as well. There are some facilities where employees are told to leave their smartphones and other personal devices in their cars.

        Then again, the warning banner specifically says that they can monitor everything done on their systems. Best bet would be to drive your car outside of the fence and use your smartphone there, or use your laptop/desktop at home.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Feb 2012 @ 7:41am

      Re:

      Actually, if they're using gmail, they're already making use of https (at least, last I checked, that was the default for gmail now).

      The problem may not be snooping on the network, but rather a keylogger or screen scraper installed on their work computer. If that's the case, then a VPN wouldn't help anyway.

      link to this | view in chronology ]

  • identicon
    Dave, 2 Feb 2012 @ 6:52am

    Company Time

    I kind of have to agree that this sounds like a matter of using company resources, during company time, when these days you really can't assume that what you do online at work is private.

    Email, Facebook, forums, browsing habits... all that's going through corporate networks and firewalls. Doing anything "secret" at work just sounds like they're trying to get caught.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Feb 2012 @ 7:19am

    Every government computer system has a warning when you log on that all activity conducted on that system is subject to monitoring. You have to agree to it to continue.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Feb 2012 @ 7:23am

      Re:

      Except that the agreement doesn't mean anything until it is tested in the courts. Many websites, computer systems, and software come with agreements and clicking accept doesn't automatically make all the terms in those agreements legal.

      link to this | view in chronology ]

      • icon
        crade (profile), 2 Feb 2012 @ 7:31am

        Re: Re:

        Heh, those agreement things are hilarious. You might as well say putting on my socks means I have agreed to your demands.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 2 Feb 2012 @ 7:40am

          Re: Re: Re:

          Wait, you put on your socks this morning? Really? Then that means you agreed to pay me a million dollars. Now pay up.

          link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Feb 2012 @ 7:45am

    Definition

    Whistleblower

    "improperly disclosed confidential business information about the devices,"

    link to this | view in chronology ]

  • identicon
    Rekrul, 2 Feb 2012 @ 7:53am

    The FDA is defending its actions by claiming that this whistleblowing involved "improperly disclosed confidential business information about the devices," and it wanted an investigation of the doctors involved.

    So whistleblowing is fine, as long as you only use publicly available information to do it?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Feb 2012 @ 8:08am

    maybe the IT department likes to add their own CAs and do some man in the middle-ing. How does that one stack up to the "they own the network" edict?

    link to this | view in chronology ]

  • icon
    hmm (profile), 2 Feb 2012 @ 8:39am

    well

    Why else do you think the president, the senate and congress are doing everything they can to stop whistleblowers?

    Because as you clear corruption from lower levels, people are free to start whistleblowing on higher lvl massive (and slightly illegal) payments that businesses have been paying for years to ensure they get government contracts......

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Feb 2012 @ 9:29am

    More evidence of the insane lengths the federal government will go to against whistleblowers has been revealed in the form of a lawsuit from a group of FDA scientists and doctors. The group had been trying to blow the whistle on fraud and abuse in the FDA, in the form of approvals for medical devices that didn't actually meet health and safety standards.

    So, doctors who try to prevent illness (which should be all of them) are now considered a liability by the current medical system? I guess that makes sense, from an amoral pill-pusher's point of view.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Feb 2012 @ 11:27am

    This happens more than we would like. Back in 1998 three scientists tried to warn the public about identified risks in growth hormones given to cattle.

    http://www.cjfe.org/resources/features/dr-shiv-chopra-dr-margaret-haydon-and-dr-g%C3%A9rard-lambert-2011-integrity-award

    They were ultimately dismissed for insubordination.

    link to this | view in chronology ]

  • icon
    gorehound (profile), 2 Feb 2012 @ 11:39am

    Move good research to Europe where there is a Country who would gladly welcome you.

    link to this | view in chronology ]

