Whistle-blowing Scientists (Trying To Prevent Dangerous Products From Reaching The Market) Sue FDA For Snooping On Their Personal Email Accounts

from the shameful-suppression dept

Last year, we wrote about the federal whistle-blowing act, which was designed to give protections to federal employees who blow the whistle on federal fraud and abuse. For reasons that still aren't clear, that bill was killed by a secret hold by either Senators Jon Kyl or Jeff Sessions. That fact only came out due to an amazing effort by the folks at On The Media, who kept hounding all 100 Senators to find out who would possibly kill such a bill. Recently, On The Media revisited the topic, noting that there was a new version of the bill. The report also talks about just how vindictive the government has been against whistleblowers. Even as President Obama has insisted that whistleblowers are important and should be protected, that's not what's happening in real life, with many getting stripped of their responsibility and demoted -- all for daring to point out waste, fraud and abuse. The worst example to date, remains the horrifying story of Thomas Drake, who was threatened with 35 years in jail in a bogus vindictive lawsuit against him, due to his blowing the whistle on a bogus NSA project.

More evidence of the insane lengths the federal government will go to against whistleblowers has been revealed in the form of a lawsuit from a group of FDA scientists and doctors. The group had been trying to blow the whistle on fraud and abuse in the FDA, in the form of approvals for medical devices that didn't actually meet health and safety standards. The scientists reached out to Congress to blow the whistle... and in response, the FDA started spying on their personal emails. Yes, it does appear that these scientists were accessing their personal Gmail accounts from work computers, and using them to work with Congressional staffers to craft their whistleblowing complaint, but does that give the FDA the right to spy on their personal communications? The doctors, via their lawsuit, believe the answer is no.

The FDA is defending its actions by claiming that this whistleblowing involved "improperly disclosed confidential business information about the devices," and it wanted an investigation of the doctors involved. That sounds ridiculous. Or, perhaps, all too typical. It seems clear that the FDA bosses just didn't like the fact that some folks there blew the whistle on what they were doing and took vindictive actions. This is exactly the kind of thing that a Whistle Blower Act should protect. That it doesn't do so already is really a shame.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 6:30am

    dont think 'took vindictive actions' is the right term. maybe appropriate would be better? after all, they were trying to do something good

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    Robert Doyle (profile), Feb 2nd, 2012 @ 6:35am

    It is just sad that there is even the need for whistleblowers. What ever happened to just trying to do the right thing? You can get paid for doing good things as well as bad things - but so many people prefer to do the wrong things.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    MAJikMARCer (profile), Feb 2nd, 2012 @ 6:42am

    it does appear that these scientists were accessing their personal Gmail accounts from work computers


    As a former network admin I had to deal with this fine line quite a bit, but I also believe there is a fair amount of precedent stating that the company owns the network and thus can 'snoop' on any traffic on that network.

    Additionally it would be good to get a look at the employee policy manual. Many companies explicitly state that employees have not expectation of privacy while using company computers/networks. Maybe that won't stand up in court, but that alone could thwart them.

    I support what these whistle-blowers are doing, but they should have used their personal computers/mobile devices, not work computers.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    fb39ca4, Feb 2nd, 2012 @ 6:44am

    Note to whistleblowers: Use a VPN!

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 6:51am

    Re:

    I was just going to say this, thank you.

    Every company I worked at had these policies, though few ever acted upon them (at least not that I am aware).

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Dave, Feb 2nd, 2012 @ 6:52am

    Company Time

    I kind of have to agree that this sounds like a matter of using company resources, during company time, when these days you really can't assume that what you do online at work is private.

    Email, Facebook, forums, browsing habits... all that's going through corporate networks and firewalls. Doing anything "secret" at work just sounds like they're trying to get caught.

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    A Guy (profile), Feb 2nd, 2012 @ 6:54am

    Re:

    Or just use a personal smartphone/laptop at work

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    Skeptical Cynic (profile), Feb 2nd, 2012 @ 7:12am

    Re:

    As a Sys Admin of many years I have had to deal with this issue a lot. The question I have is HOW were they monitoring it? Gmail is a secure site.

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    MAJikMARCer (profile), Feb 2nd, 2012 @ 7:17am

    Re: Re:

    That is a good point, cracking the packets collected on their network is one thing, but cracking the Google account itself is not legal, regardless of where the emails were written.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 7:19am

    Every government computer system has a warning when you log on that all activity conducted on that system is subject to monitoring. You have to agree to it to continue.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 7:23am

    Re:

    Except that the agreement doesn't mean anything until it is tested in the courts. Many websites, computers systems, and software come with agreements and clicking accept doesn't automatically make all the terms in those agreements legal.

     

    reply to this | link to this | view in thread ]

  12.  
    icon
    crade (profile), Feb 2nd, 2012 @ 7:27am

    Re:

    Yeah, if you are using your work computer and network, expect it to be spied on. They don't turn the spybots off when you access gmail. But then they gotta get the evidence of wrongdoing from the work computer to the public somehow right? :)

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    GunSheep (profile), Feb 2nd, 2012 @ 7:28am

    Re:

    Sometimes doing the bad things pays better. And depending on how bad it is sometimes you can get the government to bail you out afterwards....

     

    reply to this | link to this | view in thread ]

  14.  
    icon
    crade (profile), Feb 2nd, 2012 @ 7:31am

    Re: Re:

    heh, those agreements things are hilarious. You might has well say putting on my socks means I have agreed to your demands.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 7:37am

    Re:

    Marked as funny.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 7:40am

    Re: Re: Re:

    Wait, you put on your socks this morning? Really? Then that means you agreed to pay me a million dollars. Now pay up.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 7:41am

    Re:

    Actually, if they're using gmail, they're already making use of https (at least, last I checked, that was the default for gmail now).

    The problem may not be snooping on the network, but rather a keylogger or screen scraper installed on their work computer. If that's the case, then a VPN wouldn't help anyway.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 7:45am

    Definition

    Whistleblower

    "improperly disclosed confidential business information about the devices,"

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Rekrul, Feb 2nd, 2012 @ 7:53am

    The FDA is defending its actions by claiming that this whistleblowing involved "improperly disclosed confidential business information about the devices," and it wanted an investigation of the doctors involved.

    So whistleblowing is fine, as long as you only use publicly available information to do it?

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 8:08am

    maybe the IT department likes to add their own CAs and do some man in the middle-ing. How does that one stack up to the "they own the network" edict?

     

    reply to this | link to this | view in thread ]

  21.  
    icon
    Skeptical Cynic (profile), Feb 2nd, 2012 @ 8:16am

    Re: Re:

    And it might not be legal.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    New Mexico Mark, Feb 2nd, 2012 @ 8:34am

    Re: Re:

    It is pretty straightforward to monitor SSL (https) using man-in-the-middle with a local organizational cert. Basically any 443 connection is encrypted to/from the workstation and the trusted monitoring device, then encrypted to/from the monitoring device and the originally requested site. This is done by having a local trusted cert on the workstations.

    Since the organization owns/administers the local workstations, this isn't considered a broken chain of trust. The ethics of what is done with that information are an entirely different matter, and here there be dragons.

    Are employees specifically aware of this capability? (I would suggest the standard "we can monitor anything" message is insufficient given the expectation that https connections are encrypted and reasonably secure.) Are exceptions made for banking sites and such? If not, how will the information gathered be secured? Tons of other issues are raised to the point that some organizations find it easier to just block https and be done with it.

    If the organization somehow obtained and was using the employee's gmail password without the employee's knowledge, that violates plenty of laws, and any organization taking that approach could (rightly) be in deep doo-doo.

     

    reply to this | link to this | view in thread ]

  23.  
    icon
    Robert Doyle (profile), Feb 2nd, 2012 @ 8:37am

    Re: Re:

    I'm willing to bet there is a clause in there somewhere about anything you do it work is not considered private and if you expect that you must level the premises... 198...what year was it again?

     

    reply to this | link to this | view in thread ]

  24.  
    icon
    hmm (profile), Feb 2nd, 2012 @ 8:39am

    well

    Why else do you think the president, the senate and congress are doing everything they can to stop whistleblowers?

    Because as you clear corruption from lower levels, people are free to start whistleblowing on higher lvl massive (and slightly illegal) payments that businesses have been paying for years to ensure they get government contracts......

     

    reply to this | link to this | view in thread ]

  25.  
    icon
    LazDude2012 (profile), Feb 2nd, 2012 @ 9:28am

    Re: Re: Re: Re:

    Good job. Now, sue people who didn't put on socks for milions of dollars.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 9:29am

    More evidence of the insane lengths the federal government will go to against whistleblowers has been revealed in the form of a lawsuit from a group of FDA scientists and doctors. The group had been trying to blow the whistle on fraud and abuse in the FDA, in the form of approvals for medical devices that didn't actually meet health and safety standards.

    So, doctors who try to prevent illness (which should be all of them) are now considered a liability by the current medical system? I guess that makes sense, from an amoral pill-pusher's point of view.

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    doughless (profile), Feb 2nd, 2012 @ 9:34am

    Re: Re: Re:

    My company actually issues organizational certs to all of our workstations. Even with the "man-in-the-middle" attack you describe, a savvy employee could still possibly catch this one (since as you said, it is still a valid chain of trust), and I occasionally double-check certificates of websites I visit to make sure they are signed by an external certificate authority. To the best of my knowledge, my company hasn't turned on any https monitoring yet, even though they definitely can.

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 11:27am

    This happens more than we would like. Back in 1998 three scientists tried to warn the public about identified risks in growth hormones given to cattle.

    http://www.cjfe.org/resources/features/dr-shiv-chopra-dr-margaret-haydon-and-dr-g%C3%A9ra rd-lambert-2011-integrity-award

    They were ultimately dismissed for insubordination.

     

    reply to this | link to this | view in thread ]

  29.  
    icon
    gorehound (profile), Feb 2nd, 2012 @ 11:39am

    Move good research to Europe where there is a Country who would gladly welcome you.

     

    reply to this | link to this | view in thread ]

  30.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 12:28pm

    Re:

    It is easier to be bad.

     

    reply to this | link to this | view in thread ]

  31.  
    identicon
    Forrest, Feb 2nd, 2012 @ 12:50pm

    How they did it

    The linked WaPo article gives more info. If I understood it correctly, software was installed on their computers to periodically take screenshots of their monitors and save them to a sekrit network directory.

     

    reply to this | link to this | view in thread ]

  32.  
    icon
    A Guy (profile), Feb 2nd, 2012 @ 1:06pm

    Re: Re: Re:

    Nah, if you use your equipment and your internet connection, they cannot monitor it without violating various laws.

     

    reply to this | link to this | view in thread ]

  33.  
    icon
    ltlw0lf (profile), Feb 2nd, 2012 @ 1:46pm

    Re: Re:

    Or just use a personal smartphone/laptop at work

    Many, if not most, government agencies outlaw or discourage the use of personal laptops while at the government facilities. Smartphones are prohibited in any sensitive areas as well. There are some facilities where employees are told to leave their smartphones and other personal devices in their cars.

    Then again, the warning banner specifically says that they can monitor everything done on their systems. Best bet would be to drive your car outside of the fence and use your smartphone there, or use your laptop/desktop at home.

     

    reply to this | link to this | view in thread ]

  34.  
    identicon
    Anonymous Coward, Feb 2nd, 2012 @ 8:46pm

    Re: Re: Re: Re:

    It would be simple to ensure no sanctioned devices can obtain an IP address on a computer network. Also, it would be extremely unlikely for them to not have a signed IT agreement for each employee that stated no foreign devices on the network.

     

    reply to this | link to this | view in thread ]

  35.  
    icon
    A Guy (profile), Feb 4th, 2012 @ 3:26pm

    Re: Re: Re: Re: Re:

    If you are using their network, then you are not using your own internet connection.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This