The report, which caps a two-year probe, also criticizes the FDA for allowing lower-level officials to widen the surveillance from one suspected whistleblower to five colleagues without proper authorization or a clear policy on how long the monitoring could go on. Computer security employees carrying out the operation were given no legal guidance on whether they should limit the information they were collecting, the report says.
“The FDA failed not only to manage the monitoring program responsibly, but also to consider any potential legal limits on its authority to conduct surveillance of its employees,” says the report, which was prepared by staff members for Rep. Darrell Issa (R-
Calif.), the House oversight panel’s chairman, and Sen. Charles E. Grassley (Iowa), ranking Republican on the Senate Judiciary Committee.
The report reveals new details about the spying carried out on scientists who had shared their concerns about excessive radiation in FDA-approved medical devices with each other, members of Congress, journalists, their attorneys and offices that investigate government wrongdoing.
FDA spokeswoman Erica Jefferson said that many of the report’s findings “paint an incomplete picture of the matter . . . and an inaccurate understanding of current HHS and FDA policy.”
“The FDA did not target, intercept or prevent any communications to Congress or retaliate against [the scientists] for their complaints to Congress. HHS and FDA have robust protections in place for whistleblowers,” she said by e-mail. She noted that FDA employees are reminded when they log on to a government computer that they should have “no reasonable expectation of privacy” for data passing through or stored it the system.
The FDA and its parent agency, the Department of Health and Human Services, put a new written policy in place last year that clarifies the scope of employee monitoring. The agency acted in response to criticism of the monitoring program, first reported by The Washington Post.
Under that policy, any targeted surveillance must be approved by at least one senior agency official and requires a legal review from FDA lawyers. Any requests must be formally documented.
The policy still allows employees, like the scientists, to be monitored if the agency or a company it regulates believes that trade secrets may have been leaked to the public. “The FDA has a legal obligation to protect sensitive, confidential commercial information and trade secrets,” Jefferson said.
The report comes as the federal government struggles to allay concerns about intrusive surveillance by U.S. spy agencies and underscores fundamental concerns about technology outpacing policy and laws that govern its use.
The lawmakers said the surveillance highlights the need to determine whether other executive branch agencies have policies in place to ensure that employee monitoring is allowed only for appropriate purposes. The FDA surveillance is scheduled to be the subject of a hearing Wednesday before the House Committee on Oversight and Government Reform.
In a separate review of the surveillance released Tuesday night, the HHS inspector general’s office concluded that the FDA did not purposely target the scientists’ communications with Congress and others since the computer-monitoring software it used captured such a broad swath of information.
But the inspector general said the FDA had “failed to fully assess beforehand, and with the timely assistance of legal counsel, whether the scope of potentially intrusive monitoring” would follow laws that limit government searches and protect whistleblowers. The new monitoring policy addresses these concerns, the review said.
Congressional investigators said the FDA’s new policy would still fail to protect whistleblowers from sharing their concerns about government wrongdoing.
The FDA scientists worked in an office that reviews medical devices for cancer screening and other purposes. The FDA used information gathered during surveillance to justify firing or otherwise punishing all of the scientists, according to documents and the employees’ lawyers.
“Retaliatory motives and excessively intrusive monitoring schemes that capture legally protected communications, however, are inappropriate,” the report says. Disclosures by whistleblowers are protected by law, even if they are not substantiated.
The scientists are suing the FDA for violating their privacy and right to free speech.
“We hope that this report triggers a nationwide audit of all executive departments,” said Stephen M. Kohn, the lead attorney. “The chilling effect of targeted surveillance of whistleblowers cannot be overstated.”
After the FDA monitoring came to light, the government’s Office of Special Counsel warned federal agencies that spying on their employees violated the law if the intent was to retaliate against whistleblowers. The White House distributed the warning across the government.
The congressional report seems to show that no one in particular was responsible for authorizing the surveillance operation. In interviews conducted by investigators, agency officials said they did not know who was ultimately responsible, according to transcripts.
“There was no written authorization?” investigators asked Lori Davis, the agency’s chief information officer. “Not that I’m aware of, no,” she said.
Joseph Hoofnagle, who managed the incident response team for the FDA’s network security systems, said he received few instructions on the extent of monitoring the agency sought, according to transcripts included in the report.
“Over the course of [the monitoring], were you ever given any legal guidance about the limitations of surveillance or any legal considerations that would be relevant to using monitoring software?” investigators asked him.
“No,” he said.
“At FDA, was there ever any guidance?” he was asked.
“The only guidance I ever received was from law enforcement. . . . And it wasn’t from a legal perspective. It was just from an authority perspective of, you know, hi, I need you to do this.”