February 10, 2012 at 5:36 pm #152856
Dorothy Ramienski AmatucciParticipant
The Food and Drug Administration recently admitted that it monitored the personal emails of some of its employees. The Washington Post reports that the agency said it was concerned that employees were leaking confidential information out to the general public.
About two years ago, some FDA employees said they had worries about unsafe medical equipment and took their concerns to Congress. Last month, the Post broke the story that the FDA had, in fact, monitored Gmail communications between this group of doctors, who had concerns about medical devices that were not safe or effective.
The agency said it started looking at employee’s emails in 2010, but the Post says it has evidence the surveillance started as early as January of 2009.
House Oversight and Government Reform Committee Chairman Darrell Issa (R-Calif.) sent a letter to the FDA on Thursday, saying such behavior is against the law.
The FDA has a warning that pops up when a user logs on stipulating that there is no expectation of privacy regarding any data that passes through — or is stored on — its system.
In his letter, the Congressman charges that the FDA was in the wrong because retaliation against whistleblowers is illegal.
What do you think? Should your agency be able to look at your personal email if you log on at work? Or is this stepping over the line?
February 10, 2012 at 9:13 pm #152916
I believe it is stepping over the line. That is the purpose of it being called PERSONAL email. If they have a right to go into your personal email then they will try to have a right to go into your personal bank account, cellphone records, etc…
February 13, 2012 at 3:55 am #152914
I’m on the fence with this one. While I don’t particularly agree that you should check your personal email at work, I don’t believe that agencies should have the authority to look at employee’s personal email either. If companies/agencies are worried about their employees leaking information (or even lack of productivity), then they should take other cautions. I, personally, work at Verizon Wireless and they restrict certain websites for that specific purpose. We are unable to access outside email accounts, most social media sites like Facebook or Twitter, employment search engines (like Monster or CareerBuilder), and the like. Initially I thought these restraints were a bit extreme, but knowing that I could access these features through my phone or tablet if necessary is reassuring.
February 13, 2012 at 1:18 pm #152912
Perspective from a former Defense Department CIO: monitoring of all traffic coming into and out of DoD facilities has been going on for more than a decade. If you do it – no matter what “it” is – on a government network, it’s fair game. There’s a banner posted to that effect on the computer screen of very DoD employee when they log in. All empoloyees consent to monitoring. Few facilities have the manpower to watch everything real time, but Internet activity does get filtered and recorded for up to a year in some cases (maybe more in some special areas).
If you give the command some reason to suspect an issue (eg set off an alarm on the intrusion detection system by sending/receiving a classified code word or visiting a child pornography site), security folks will likely be going through all traffic generated by you for months. Intrusion detection systems don’t distinguish between what traffic is official and what is personal. They just watch all traffic as it flows in and out of the network.
Like it or not, that’s reality. My advice is if you want to send/recieve personal email, do it from home or start with the assumption that it is being monitored and recorded.
February 13, 2012 at 1:43 pm #152910
It seems to me that a system designed to protect people and state secrets was abused in the FDA case mentioned above. While I do not condone this kind of abuse, I do understand how it could very easily happen. More than one time and at risk to my career, I have personally refused to allow access to this information flow because I had concerns it would be used to mount witch hunts.
Integrity is critically important. With access comes responsibility. My concern is that FDA leadership and employees allowed themselves to be tempted into spying on their own people – extending beyond safety / security into politics. It looks to me like they used their security system to hide wrong doing and manipulate the information environment. This is really ugly stuff.
February 13, 2012 at 2:05 pm #152908
This is not a comment on the FDA situation but a general observation. If you use a work computer, especially when you work for the government, and they tell you explicitly and clearly and repeatedly that nothing you do on that computer system is private, you can’t expect privacy. Use your own computer for personal stuff, or be aware that using a work computer means that your communication is not private. All opinions my own as always.
February 13, 2012 at 2:41 pm #152906
The spillover question is “Can/should government agencies monitor teleworkers personal use of their own computer equipment at home?” If an agency allows telework, will they also insist on being able to install monitoring software on the employees personal equipment in order to ensure compliance with government regulations during work hours? If they do not, will the agency them be at least partially liable for any inappropriate web browsing or messaging during official time? Probably not legally but an interesting question to answer when something goes wrong and the press comes looking for a scapegoat. If the agency does monitor, will the employee have any expectation of privacy during non official time and how will they know if the agency is monitoring them during evening and weekend hours?
February 13, 2012 at 4:02 pm #152904
Certainly one of the concerns alluded to is the impact that such monitoring can have on employee trust and morale, which should not be treated lightly. That’s as much a matter of how something is done/monitored as it is what is done/monitored. Being up front about the fact that one will be monitored is one means of establishing appropriate expectations between employer and employee, but that can also be perceived as a little heavy-handed if the grounds and terms for such monitoring seem unreasonable on the face of it.
All my surface mail at work (with the exception of internal stuff like pay stubs) gets opened up and resealed before I receive it, even things like newsletters and publications from other government agencies. On the other hand, I know this is happening to everybody and not targetting me specifically (a quick glance across everybody else’s mailbox copnfirms this). Plus, the envelope closed back up with a piece of tape shows me that it has happened, and happened consistently, so there is little sense I am being specifically and clandestinely observed for any reason. With e-mail, that obvious presence doesn’t occur so monitoring can happen without one’s knowledge, which I think is a sticking point.
Some workplaces maintain several separate e-mail systems/servers, one for work internal to the organization and one for contact with the “outside world”. That’s one solution. Of course, that doesn’t stop anybody monitoring that e-mail with the outside world.
Whatever approach is adopted by the employer, it should conform to all other existing guards and laws concerning invasion of privacy. People can’t just tap your phone, they can hang around your bathroom window, they can’t ask the bank how much money you have, and they can’t open your mail. I suppose all of those things can be over-ridden if there is sufficient grounds to obtain the necessary warrants, but it can’t just be something the employer does because they feel like it.
February 13, 2012 at 4:31 pm #152902
When I worked for the New York State Education Department we had a lot of these types of warnings on the computers. I was fine with it because I didn’t do much personal stuff on it and it wasn’t my computer. I don’t, however, think any employers should go around looking for trouble where it isn’t and making workers uncomfortable. It seems like that is what the FDA may have been doing.
February 13, 2012 at 4:52 pm #152900
Preston G. BakerParticipant
NYC agencies block access to personal e-mail accounts so employees simply do not have access. As such this approach basically eliminates this as an issue here!
February 13, 2012 at 4:54 pm #152898
Dannielle, the “rule” has always been as you explained. It’s really dead simple, and, IMHO, a non-issue. Keep official business that uses employer resources separate from personal. Use a different account that you only access away from work, and if you have to, use your company/cloud account for official business.
February 13, 2012 at 4:59 pm #152896
That’s certainly a tougher issue to deal with, but I’d think the basic rule is the same. Use employer equipment and resources ONLY for official work. Let them monitor, inspect as they please. Use your own equipment and resources for personal use.
This works IF the employer is supplying the equipment for telework, something they “should” be doing as a matter of fairness, AND for security. In fact, I’d think it’s essential employers do that particularly since telework employees will likely be using the employer’s network from home, and there’s a lot of security issues that should not be left to be the responsiblity of the telework employee.
The only tough issue is the actual online ramp to the internet, which would probably be shared for both employer and personal use by most telework employees. If, however, different computers are used for personal and work, not a problem. Monitor the work computer, if it’s essential. Never monitor the personal equipment.
February 13, 2012 at 5:53 pm #152894
Um, that’s can’t hang around your bathroom window, folks….can’t, not can.
February 13, 2012 at 6:05 pm #152892
This was in Albany so I was still able to access my personal e-mail, I just usually didn’t. The policy in Albany may be the same now as in NYC though, it’s been 2 years since I interned there (realizing it’s already been two years puts a knot in my stomach).
February 13, 2012 at 7:08 pm #152890
Ebony Scurry, PHR, GCDF-IParticipant
I agree with you here David.
Even though federal employees consent to monitoring, it should not translate into that monitoring being without strings of expectations for civility and need attached.
I have a sense that people are becoming increasingly sensitive to their personal information and will only tolerate so much without due reason. I will be watching this FDA case closely; I anticipate that the outcome will eventually impact most other federal agencies.
February 13, 2012 at 7:27 pm #152888
If one describes at work in a government office; As others have said you should have no expectation of privacy and probably one should NOT be looking at your PERSONAL email.. Where it gets somewhat sticky(and this situation is arising more and more) how does the agency and the individual user deal with using the same device for accessing government data and your personal data, and the teleworker/ROWE enabled worker?
February 14, 2012 at 2:02 pm #152886
Dorothy Ramienski AmatucciParticipant
This is an EXCELLENT point and thanks for bringing it up. I think, as more agencies (and organizations — both public and private) move to telework and ROWE, the lines between personal and work time on the computer are going to continue to blur. I think this is something that everyone is going to need to be aware of in the near future.
February 14, 2012 at 2:46 pm #152884
The problem is that many agencies expect employees to provide their own hardware if they choose to telework. Instead of issuing laptops to take home and instructing employees to only use the laptop for official business, they are issuing SecurId tokens and telling employees to log in remotely using their personal systems. Personally, I would be willing to invest a certain amount of my own money (upto $750) in a work only laptop that could be physically separated from my personal equipment in order to telework. Unfortunately, my agency has a requirment that teleworkers agree to allow physical inspection of their home office by supervisors. So I will not be teleworking anytime soon.
February 14, 2012 at 3:03 pm #152882
If someone is stupid – yes, stupid – enough to log on to their personal e-mail account on their work computer, then they should assume every click and keystroke is being monitored. As an employee, I don’t own my work computer. The owner of my computer is – and should be – allowed to monitor any-and-everything that happens on its hard drive.
If someone were to come to my home office and use my personal computer, there’s no reason I couldn’t review the web history to see which sites they visited. If they don’t want me to see what they did online, then they should use their own computer.
I agree that the actions of the FDA were a bit smarmy, but the employees in question could have avoided the entire situation by signing on their home computer in their home office.
February 14, 2012 at 3:50 pm #152880
Preston G. BakerParticipant
The unsettling part of the FDA story is that some of the employees were harassed and/or terminated, and six of them are now suing the agency. They had a lot of compelling evidence that the dangers of mammography were being covered up, and that a Congressional hearing was overdue. While roughly 15 percent of women in their 40’s detect breast cancer through mammography, many other women experience false positives, anxiety, and unnecessary biopsies as a result of the test, according to their data. A full decade ago, a Danish study published in The Lancet also concluded that previous research showing a benefit of mammograms was flawed and that widespread mammogram screening is unjustified.
February 14, 2012 at 8:00 pm #152878
One question. Why does Verizon allow you to bring your phone or tablet to work? You could just as easily leak information using those tools.
February 14, 2012 at 8:09 pm #152876
Is it really that simple? What about an agency that allows remote access, but the employee has to use personal equipment? What about personal cellphones used for official purposes?
I am not sure we can make blanket ascertains that personal and work are separate anymore.
I do agree that if the employee has to click on a user agreement that states nothing is private then he or she is warning.
February 14, 2012 at 8:13 pm #152874
Peter, this would probably depend on the end user agreement signed by the employee. I think we are seeing a situation where technology is out pacing the law.
February 14, 2012 at 8:18 pm #152872
I don’t know what the FDA agreement actually says, but if the FDA user agreement stipulates that the user has no expectation of privacy and that all data the passes through the FDA system is subject to inspection or monitoring. Well, then the FDA has the right to access personal bank account, cellphone records, and any other records if you access them on FDA systems.
February 14, 2012 at 8:33 pm #152870
The FDA has access to medical data, personal data, trade secrets, and other types sensitive data. So the FDA has to have the ability to monitor whether data is being leaked to the public. Whistle blowers are one thing. But would we feel different if an FDA employee leaked information about a drug to drug maker’s competitor? Would we feel different if an FDA employee leaked information about patients in a new drug trial?
Now should employers monitor an employee’s personal e-mail account? Probably not. But if you do your better have a good reason. Or perhaps managers and employers should think about the work environment they are creating.
One final note on Rep. Issa ascertian, if protecting whistle blower are so important, why are we prosecuting Bradley Manning? After all he leaked sensitive data that was of public interest and importance.
February 15, 2012 at 1:46 am #152868
We have the obligatory ‘we can see anything you do’ warning on our computers. We call it our ‘am hate mail’…not that it’s hate mail per se but an annoying box you have to click through. We are allowed some personal use of work computers, the main caveat being ‘don’t cost money, don’t shirk your work, don’t do anything ‘bad” (ie wanna type up a letter during your break, fine, just don’t print it out and don’t take all day doing it, and if your letter happens to be a death threat if the police ask for a copy we’ll happily hand it over)
Rumor has it that our IT dept would love to block yahoo, hotmail etc….but a few too many people at the top like having hte ability to check theirs so we all get it.
Work is work. You want it to be private, do it at home (presuming you have no spyware on your home puter). they pay for the equipment and internet connection, they get to monitor what goes over it and lay down rules how to use it. The same way McDonalds can block adult sites if they want to, or Starbucks can block sites at their stores.
Blocking content in general is one thing……’spying’ on your employees in the case above? Kinda suggests to me that there are some serious issues going on beyond simple use of govt. machinery in an inappropriate way. It suggests a level of control freak + insecurity + fear + some serious issues. It hints at the potential for a John Grissom Novel conspiracy theory.
February 15, 2012 at 6:11 pm #152866
I understand things have gotten grey in terms of using personal equipment for business. I have considerable problems with the notion that an employer can require an employee to use their own technology for work purposes, but that’s a side issue.
I think that personal equipment is personal equipment. It should not be monitored, just because an agency is unable to, or unwilling to provide the essential tools for work. It reminds me of using a personal vehicle for work, which is not uncommon.
I can see an agency that provides a vehicle for work to check that vehicle for pretty much whatever it wants…proper care, evidence of drug use, whatever. However, if an employee uses THEIR own vehicle, it should be hands off.
Employers pay for the right to monitor and examine. Private property is still private property, and if it has mixed use, it still belongs to the employee. I know there are still grey areas that might crop up, but perhaps this is the best one can do.
Or are there flaws I’m missing?
February 15, 2012 at 9:21 pm #152864
Wow! They really require being able to inspect your home office? That seems to me a little pointless considering you could just work from the kitchen if you wanted to, and have an office just for show. I just fail to see the benefit of checking the home office, and I think it could be discriminatory. What if someone wants to telecommute but doesn’t have an approved home office because there is no room in their house for one?
February 15, 2012 at 9:48 pm #152862
I’d be interested in seeing what happens when, and if this kind of agreement is challenged in a court. User agreements don’t necessarily survive these challenges, and I have a sneaky feeling this is one that would not. Kind of scary if it did.
February 15, 2012 at 9:50 pm #152860
I’ve never been one to be overly concerned about reasonable efforts by an employer to ensure their equipment isn’t being misused, since I don’t feel threatened, if I haven’t done anything wrong, but this is way over the line. And exactly what’s the point? And what CAN they inspect? My washroom?
February 16, 2012 at 2:13 am #152858
This is where the good ethics of your average employee come into play. Most people play by the rules and don’t abuse so even while the employer can have the ‘right’ to dig into things, they don’t usually need to.
And when they do need to that person’s ‘crimes’ often become the focus and the defense of ‘you had no right to snoop into the computer you bought me to work on to find those 89 pornographic photos I downloaded over your network’ ends up not holding water.
The focus becomes so much on the crime that the methods get glossed over.
So as long as most employees don’t ‘ask’ to be snooped into, most employers can either pretend that they don’t or they actually don’t snoop, and the rules never get challenged.
You must be logged in to reply to this topic.