Whistle-blowing Scientists (Trying To Prevent Dangerous Products From Reaching The Market) Sue FDA For Snooping On Their Personal Email Accounts
from the shameful-suppression dept
Last year, we wrote about the federal whistle-blowing act, which was designed to give protections to federal employees who blow the whistle on federal fraud and abuse. For reasons that still aren’t clear, that bill was killed by a secret hold by either Senators Jon Kyl or Jeff Sessions. That fact only came out due to an amazing effort by the folks at On The Media, who kept hounding all 100 Senators to find out who would possibly kill such a bill. Recently, On The Media revisited the topic, noting that there was a new version of the bill. The report also talks about just how vindictive the government has been against whistleblowers. Even as President Obama has insisted that whistleblowers are important and should be protected, that’s not what’s happening in real life, with many getting stripped of their responsibility and demoted — all for daring to point out waste, fraud and abuse. The worst example to date, remains the horrifying story of Thomas Drake, who was threatened with 35 years in jail in a bogus vindictive lawsuit against him, due to his blowing the whistle on a bogus NSA project.
More evidence of the insane lengths the federal government will go to against whistleblowers has been revealed in the form of a lawsuit from a group of FDA scientists and doctors. The group had been trying to blow the whistle on fraud and abuse in the FDA, in the form of approvals for medical devices that didn’t actually meet health and safety standards. The scientists reached out to Congress to blow the whistle… and in response, the FDA started spying on their personal emails. Yes, it does appear that these scientists were accessing their personal Gmail accounts from work computers, and using them to work with Congressional staffers to craft their whistleblowing complaint, but does that give the FDA the right to spy on their personal communications? The doctors, via their lawsuit, believe the answer is no.
The FDA is defending its actions by claiming that this whistleblowing involved “improperly disclosed confidential business information about the devices,” and it wanted an investigation of the doctors involved. That sounds ridiculous. Or, perhaps, all too typical. It seems clear that the FDA bosses just didn’t like the fact that some folks there blew the whistle on what they were doing and took vindictive actions. This is exactly the kind of thing that a Whistle Blower Act should protect. That it doesn’t do so already is really a shame.
Filed Under: email, fda, free speech, privacy, safety, whistleblowing
Comments on “Whistle-blowing Scientists (Trying To Prevent Dangerous Products From Reaching The Market) Sue FDA For Snooping On Their Personal Email Accounts”
dont think ‘took vindictive actions’ is the right term. maybe appropriate would be better? after all, they were trying to do something good
Re: Re:
Marked as funny.
It is just sad that there is even the need for whistleblowers. What ever happened to just trying to do the right thing? You can get paid for doing good things as well as bad things – but so many people prefer to do the wrong things.
Re: Re:
Sometimes doing the bad things pays better. And depending on how bad it is sometimes you can get the government to bail you out afterwards….
Re: Re:
It is easier to be bad.
As a former network admin I had to deal with this fine line quite a bit, but I also believe there is a fair amount of precedent stating that the company owns the network and thus can ‘snoop’ on any traffic on that network.
Additionally it would be good to get a look at the employee policy manual. Many companies explicitly state that employees have not expectation of privacy while using company computers/networks. Maybe that won’t stand up in court, but that alone could thwart them.
I support what these whistle-blowers are doing, but they should have used their personal computers/mobile devices, not work computers.
Re: Re:
I was just going to say this, thank you.
Every company I worked at had these policies, though few ever acted upon them (at least not that I am aware).
Re: Re:
As a Sys Admin of many years I have had to deal with this issue a lot. The question I have is HOW were they monitoring it? Gmail is a secure site.
Re: Re: Re:
That is a good point, cracking the packets collected on their network is one thing, but cracking the Google account itself is not legal, regardless of where the emails were written.
Re: Re: Re:
It is pretty straightforward to monitor SSL (https) using man-in-the-middle with a local organizational cert. Basically any 443 connection is encrypted to/from the workstation and the trusted monitoring device, then encrypted to/from the monitoring device and the originally requested site. This is done by having a local trusted cert on the workstations.
Since the organization owns/administers the local workstations, this isn’t considered a broken chain of trust. The ethics of what is done with that information are an entirely different matter, and here there be dragons.
Are employees specifically aware of this capability? (I would suggest the standard “we can monitor anything” message is insufficient given the expectation that https connections are encrypted and reasonably secure.) Are exceptions made for banking sites and such? If not, how will the information gathered be secured? Tons of other issues are raised to the point that some organizations find it easier to just block https and be done with it.
If the organization somehow obtained and was using the employee’s gmail password without the employee’s knowledge, that violates plenty of laws, and any organization taking that approach could (rightly) be in deep doo-doo.
Re: Re: Re: Re:
My company actually issues organizational certs to all of our workstations. Even with the “man-in-the-middle” attack you describe, a savvy employee could still possibly catch this one (since as you said, it is still a valid chain of trust), and I occasionally double-check certificates of websites I visit to make sure they are signed by an external certificate authority. To the best of my knowledge, my company hasn’t turned on any https monitoring yet, even though they definitely can.
Re: Re: How they did it
The linked WaPo article gives more info. If I understood it correctly, software was installed on their computers to periodically take screenshots of their monitors and save them to a sekrit network directory.
Re: Re:
Yeah, if you are using your work computer and network, expect it to be spied on. They don’t turn the spybots off when you access gmail. But then they gotta get the evidence of wrongdoing from the work computer to the public somehow right? 🙂
Note to whistleblowers: Use a VPN!
Re: Re:
Or just use a personal smartphone/laptop at work
Re: Re: Re:
I’m willing to bet there is a clause in there somewhere about anything you do it work is not considered private and if you expect that you must level the premises… 198…what year was it again?
Re: Re: Re: Re:
Nah, if you use your equipment and your internet connection, they cannot monitor it without violating various laws.
Re: Re: Re:2 Re:
It would be simple to ensure no sanctioned devices can obtain an IP address on a computer network. Also, it would be extremely unlikely for them to not have a signed IT agreement for each employee that stated no foreign devices on the network.
Re: Re: Re:3 Re:
If you are using their network, then you are not using your own internet connection.
Re: Re: Re:
Or just use a personal smartphone/laptop at work
Many, if not most, government agencies outlaw or discourage the use of personal laptops while at the government facilities. Smartphones are prohibited in any sensitive areas as well. There are some facilities where employees are told to leave their smartphones and other personal devices in their cars.
Then again, the warning banner specifically says that they can monitor everything done on their systems. Best bet would be to drive your car outside of the fence and use your smartphone there, or use your laptop/desktop at home.
Re: Re:
Actually, if they’re using gmail, they’re already making use of https (at least, last I checked, that was the default for gmail now).
The problem may not be snooping on the network, but rather a keylogger or screen scraper installed on their work computer. If that’s the case, then a VPN wouldn’t help anyway.
Re: Re: Re:
And it might not be legal.
Company Time
I kind of have to agree that this sounds like a matter of using company resources, during company time, when these days you really can’t assume that what you do online at work is private.
Email, Facebook, forums, browsing habits… all that’s going through corporate networks and firewalls. Doing anything “secret” at work just sounds like they’re trying to get caught.
Every government computer system has a warning when you log on that all activity conducted on that system is subject to monitoring. You have to agree to it to continue.
Re: Re:
Except that the agreement doesn’t mean anything until it is tested in the courts. Many websites, computers systems, and software come with agreements and clicking accept doesn’t automatically make all the terms in those agreements legal.
Re: Re: Re:
heh, those agreements things are hilarious. You might has well say putting on my socks means I have agreed to your demands.
Re: Re: Re: Re:
Wait, you put on your socks this morning? Really? Then that means you agreed to pay me a million dollars. Now pay up.
Re: Re: Re:2 Re:
Good job. Now, sue people who didn’t put on socks for milions of dollars.
Definition
Whistleblower
“improperly disclosed confidential business information about the devices,”
The FDA is defending its actions by claiming that this whistleblowing involved “improperly disclosed confidential business information about the devices,” and it wanted an investigation of the doctors involved.
So whistleblowing is fine, as long as you only use publicly available information to do it?
maybe the IT department likes to add their own CAs and do some man in the middle-ing. How does that one stack up to the “they own the network” edict?
well
Why else do you think the president, the senate and congress are doing everything they can to stop whistleblowers?
Because as you clear corruption from lower levels, people are free to start whistleblowing on higher lvl massive (and slightly illegal) payments that businesses have been paying for years to ensure they get government contracts……
More evidence of the insane lengths the federal government will go to against whistleblowers has been revealed in the form of a lawsuit from a group of FDA scientists and doctors. The group had been trying to blow the whistle on fraud and abuse in the FDA, in the form of approvals for medical devices that didn’t actually meet health and safety standards.
So, doctors who try to prevent illness (which should be all of them) are now considered a liability by the current medical system? I guess that makes sense, from an amoral pill-pusher’s point of view.
This happens more than we would like. Back in 1998 three scientists tried to warn the public about identified risks in growth hormones given to cattle.
http://www.cjfe.org/resources/features/dr-shiv-chopra-dr-margaret-haydon-and-dr-g%C3%A9rard-lambert-2011-integrity-award
They were ultimately dismissed for insubordination.
Move good research to Europe where there is a Country who would gladly welcome you.