Correction: An earlier version of this article incorrectly stated that SpectorSoft says it has sold its best-selling product to dozens of federal agencies. The company says it does not disclose information about its clients. Federal contracting data, however, show that SpectorSoft has multiple government contracts for its monitoring software. This version has been corrected.
When the Food and Drug Administration started spying on a group of agency scientists, it installed monitoring software on their laptop computers to capture their communications.
The software, sold by SpectorSoft of Vero Beach, Fla., could do more than vacuum up the scientists’ e-mails as they complained to lawmakers and others about medical devices they thought were dangerous. It could be programmed to intercept a tweet or Facebook post. It could snap screen shots of their computers. It could even track an employee’s keystrokes, retrieve files from hard drives or search for keywords.
“Every activity, in complete detail,” SpectorSoft’s Web site says about its best-selling product, Spector 360. The Florida-based company says it does not disclose information about its clients. Federal contracting data, however, show that SpectorSoft has multiple government contracts for its monitoring software.
Government workers have long known their bosses can look over their shoulder to monitor their computer activity. But now, prompted by the WikiLeaks scandal and concerns over unauthorized disclosures, the government is secretly capturing a far richer, more granular picture of their communications, in real time.
Federal workers’ personal computers are also increasingly seen as fair game, experts said.
Agencies outside the field of intelligence spent $5.6 billion in fiscal 2011 to safeguard their classified information with hardware, software, personnel and other methods, up from $4.7 billion in fiscal 2010, according to the Information Security Oversight Office. Although only a portion of the money — the amount is not specified — was spent on monitoring for insider threats, industry experts say virtually every arm of the government conducts some form of sophisticated electronic monitoring.
“It used to be, to get all of an agency’s records out you needed a truck,” said Jason Radgowsky, director of information security and privacy for District-based Tantus Technologies, which evaluates monitoring systems for the Federal Aviation Administration, the Export-Import Bank and the National Institutes of Health. “Now you can put everything on a little USB thumb drive.”
The stepped-up monitoring is raising red flags for privacy advocates, who have cited the potential for abuse. Among other concerns, they say they are alarmed that the government has monitored federal workers — including the FDA scientists, starting in 2010 — when they use Gmail, Yahoo or other personal e-mail accounts on government computers.
Although the FDA has said it acted out of concern that the scientists were improperly sharing trade secrets, the scientists have argued in a lawsuit that they were targeted because they were blowing the whistle on what they thought had been an unethical review process.
At least two other agencies, the Transportation Security Administration and the Federal Maritime Commission, are under congressional scrutiny for seeking and using employee monitoring software that critics say is intrusive.
Federal agencies generally decline to elaborate on their monitoring practices or what activity might trigger them to closely watch an employee’s communications. But officials defend the push for more aggressive surveillance, noting that the federal workforce is more mobile and wired than ever — and more vulnerable to leaking sensitive information by accident or design.
“Nobody’s reading anybody’s e-mail here,” said Rob Carey, the Defense Department’s principal deputy chief information officer. “The FDA case would not happen here. We have rules in place. There has to be probable cause. It appears that there was monitoring going on that shouldn’t have been.”
Federal workers see a banner whenever they log into their computers telling them that they have “no reasonable expectation” of privacy. Their personal e-mail accounts can be monitored when they are accessed through a government computer. So can their government smartphones, iPads or other devices when they rely on federal networks.
Experts say that even personal devices are monitored when they are used to access government communications, although there is debate over whether personal e-mails can legally be caught in the net.
“The general policy right now is if a personal device accesses any agency information, it adopts the profile of a government-issued device,” said Tom Clare, senior director of product marketing for San Diego-based Websense, which sells web-filtering software to dozens of federal agencies, including the Department of Health and Human Services. “They’re going to monitor everything.”
Agencies are not required to inform employees when their communications are being closely watched.
“We have customers that don’t want to let their employees know because they want to see their true habits,” said Nick Catalini, SpectorSoft’s senior marketing manager. He declined to disclose the company’s government customers.
“Think of it as someone stood behind you and put a video camera behind you while you’re working,” Catalini said. “It comes back down to: What does the agency want to record?”
Under federal rules, it is up to each agency to set policies on what can be monitored. But that flexibility has a downside, industry officials and privacy advocates say. Monitoring software can overcollect, and officials have discretion as to what they review and why.
“There’s always the ability for a human being to come in after the fact and look through communications,” said Seth David Schoen of the Electronic Frontier Foundation, a digital advocacy group. “And there will be a trove of communications there for them to look through retrospectively.”
Officials said they are simply employing automated techniques to detect suspicious activity and are not trying to snoop.
“We are looking for what we call indicators of compromise,” said Joy Miller, deputy assistant secretary for security at the Department of Health and Human Services, the FDA’s parent agency. “We’re monitoring a system, not everybody in that environment.”
Miller declined to comment on the FDA surveillance because it is the subject of a lawsuit.
But Stephen M. Kohn, an attorney for the scientists, said that even innocuous intentions can compromise the privacy of employees who are whistleblowers.
“How do you distinguish between a constitutionally protected contact with the press and an illegal leak?” Kohn asked. “You can’t. What you have right now is the ability to find every single Deep Throat in the government.”
Privacy advocates and lawmakers are taking a closer look at how federal agencies use monitoring software and why.
In June, after the TSA issued a solicitation for an “insider-threat software package,” two House Democrats appealed to Administrator John Pistole to scrap the idea, saying whistleblowers would be targeted.
The solicitation specified that employees “must not have the ability to detect this technology” and “must not have the ability to kill the process or service.”
“It is difficult to see how this serious infringement of constitutionally protected rights would provide a concomitant increase in the nation’s security,” wrote Reps. Sheila Jackson Lee (D-Tex.) and Bennie Thompson (D-Miss.), members of a panel that oversees the aviation security agency.
A TSA official said the software would not be used to target whistleblowers. “It’s about protecting the sensitive nature of the transportation security mission,” spokesman David Castelveter said.
The Maritime Commission, an independent agency that regulates international ocean transportation for U.S. exporters and importers, is under investigation by a House committee over alleged spying on the personal e-mail communication of several employees with grievances against managers.
According to Rep. Darrell Issa (R-Calif.), chairman of the House Committee on Oversight and Government Reform, the commission used SpectorSoft software.
The agency declined to comment.
Julie Tate contributed to this report.