Employees have no expectation of privacy at work, right?  And this is especially true for government employees working on government computers on government networks?

Right?

I mean, the log-on banner expressly says that there is no expectation of privacy, and that the government, in its roles as government, as law enforcement, and as employer, can monitor anything and everything you do.

A recent case coming out of the FDA’s Office of Inspector General demonstrates that, even where there is a warning banner in which employees specifically acknowledge that they have no expectation of privacy, an employer can get into trouble if it doesn’t engage in an appropriate legal review of the purposes, scope and intent of employee monitoring. This is especially true when the employees being monitored are under scrutiny because of leaks to the press and other potential whistleblowing activities.

The case began when the New York Times published a series of articles about how, in the waning days of the George W. Bush administration, the FDA was rushing to approve a bunch of medical devices without adequate testing or concerns for patient safety.

The FDA initiated an investigation into whether as many as five FDA scientists had disclosed information to the New York Times, which then published their concerns. The disclosures to the Times concerned the scientists’ belief that the FDA was bowing to political and other pressure to approve certain iCAD-manufactured mammography devices without sufficient scientific scrutiny.

The scientists also reported to then President-elect Obama’s transition team their belief that “the scientific review process for medical devices at FDA had been corrupted and distorted by FDA managers.”

The scientists also expressed their concerns to the New York Times that the “FDA downplayed the risks of radiation exposure when considering applications for the approval of certain uses of radiological devices.”

The Times published an article that stated that “a group of agency scientists who are concerned about the risks of CT scans say they will testify at [an FDA meeting on how to protect patients from unnecessary radiation exposure] that FDA managers ignored or suppressed their concerns…”

The articles also mentioned a specific device manufactured by General Electric (GE). In response to the New York Times articles, and to company complaints that the articles referenced confidential corporate information, the FDA installed monitoring software on five scientists’ machines (including the machine of one scientist mentioned in the story). The software included SpectorSoft screen-capture and keystroke-capture software and EnCase digital forensics tools.

The agency directors captured these scientists’ emails, passwords, and data from hard drives and thumb drives, conducted forensics and analytics on their computers (and personal media), and used this data to demote or fire these employees. Many of the employees had previously filed complaints with the agency, and therefore may have been entitled to legal protection under the federal Whistleblower Protection Act, or as possible qui tam or False Claims Act plaintiffs.

In conducting its forensic investigation, FDA officials relied on the FDA’s expansive “warning banner,” which was not only displayed to all employees but also had to be acknowledged (by clicking “I agree”) by anyone with access to the FDA’s computers or network. The banner read:

This is a Food and Drug Administration (FDA) computer system and is provided for the processing of official U.S. Government information only. All data contained on this computer system is owned by the FDA and may, for the purpose of protecting the rights and property of the FDA, be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed by and to authorized personnel. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING, OR CAPTURING AND DISCLOSURE. THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. Authorized personnel may give to law enforcement officials any potential evidence of crime found on FDA computer systems. Unauthorized access or use of this computer system and software may subject violators to criminal, civil, and/or administrative action. The standards of ethical conduct for employees of the Executive Branch (5 C.F.R. § 2635.704) do not permit the use of government property, including computers, for other than authorized purposes.

That’s about as broad an authorization as you can get.  NO expectation of privacy.  A transfer of title to EVERYTHING contained on the computer (all data is owned by the FDA), and no limitation whatsoever on what the FDA can do with it – including turning the data over to law enforcement.  It’s hard to violate THAT policy.

So what’s the problem?  These were government employees on government computers on a government network.  The investigators can do ANYTHING they want, right?

Not so fast.

You see, nobody thought to call the agency lawyers first. And when they did (after the fact), the agency lawyers gave the investigators no real guidance about how to investigate (they created a draft policy, which wasn’t disseminated). The agency had only technical guidance for how to conduct a forensic investigation and incident response (the NIST incident response guidelines), not a legal opinion on WHEN and HOW to do it. The investigators relied almost exclusively on the idea that employees had no reasonable expectation of privacy.

The problem is, even assuming no “reasonable expectation of privacy” (or, as the OIG report calls it, “REP”), the agency’s conduct could still have been beyond the pale. As the OIG report concluded:

Because there was no policy in place at FDA or CDRH to ensure compliance with applicable laws and restrictions, such as the Fourth Amendment, Title III, and the WPA, it was particularly important for FDA and CDRH to ensure that it understood the full extent of the limits on the agency and the rights of its employees. However, we found no evidence that FDA or CDRH planned its investigation or scoped the monitoring with the timely assistance of counsel, who could have advised FDA and CDRH prior to the monitoring on compliance with relevant requirements, such as the Fourth Amendment, criminal prohibitions on the interception of electronic communications, and the WPA; there was no policy in place at FDA or CDRH to ensure compliance with these requirements.

The OIG was specifically concerned that nobody considered whether the leaks by the scientists constituted crimes or merely possible regulatory violations, whether the login banner really removed the scientists’ expectation of privacy, whether the keystroke capture and forensic examination were a “reasonable search” under the circumstances, and whether the scientists were entitled to protection under the whistleblower statute. The investigators also failed to consider the implications of things like the federal wiretap laws, the Stored Communications Act, and other statutes for their actions. It’s not so much that they got it wrong, but that they didn’t get legal advice at all.

The OIG provided some advice for agencies seeking to conduct forensic investigations of employees in the future. It noted that:

HHS should ensure that its operating divisions (OpDivs) draft and implement policies and related procedural internal controls that provide reasonable assurance of compliance with laws and regulations, particularly those governing current and prospective employee monitoring.  At a minimum, the internal controls concerning electronic monitoring of employees should address:

• the agency’s authority to monitor employee communications or access employee files;

• protection of the rights of employees and the extent of an employee’s expectation of privacy while using agency IT resources;

• specific conditions for requesting access to employee communications;

• defined roles and responsibilities for initiating, reviewing, and approving requests to access employee communications and data; and

• retention of records that document the initiation, review, and approval of electronic monitoring, including opinions and recommendations of legal counsel.

All good ideas, as far as they go. But more importantly, when conducting an investigation, lawyers and investigators should be mindful of the difference between what they are PERMITTED to do and what they SHOULD do. Just because you have declared that NOBODY has an expectation of privacy doesn’t mean that you should go around willy-nilly reading everyone’s emails. And you don’t want people to work in a place (well, unless you are the NSA) where they expect you to. As the Supreme Court noted in O’Connor v. Ortega, 480 U.S. 709 (1987):

Individuals do not lose Fourth Amendment rights merely because they work for the government instead of a private employer. The operational realities of the workplace, however, may make some employees’ expectations of privacy unreasonable when an intrusion is by a supervisor rather than a law enforcement official. Public employees’ expectations of privacy in their offices, desks, and file cabinets, like similar expectations of employees in the private sector, may be reduced by virtue of actual office practices and procedures, or by legitimate regulation.

Ortega, 480 U.S. at 717.  So it’s not just a matter of what you SAY, but what you DO.  And before you DO anything, ask a lawyer.  We don’t bite.  Honest.  Most of the time…
