U.S. suit raises questions about email privacy at work
FRAMINGHAM, Mass. — A recent lawsuit filed against the U.S. Food and Drug Administration draws attention to whether employees have a reasonable expectation of privacy when using personal email accounts on workplace computers.

The lawsuit was filed last month by six whistleblowers at the FDA who allege that their private emails were extensively monitored after they began complaining to lawmakers about serious irregularities in the agency’s medical device review process.

In the complaint filed in U.S. District Court for the District of Columbia, the six alleged that the FDA installed spyware on their workplace computers to monitor and intercept their communications.

The complaint acknowledges that the intercepted correspondence was created, transmitted, received and viewed on government-issued computers and government-owned networks. But it noted that the email was private, password protected, and sent using third-party, non-governmental email services such as Yahoo and Gmail.

The intercepted communications also included email sent from private email accounts on private equipment by family members, friends and associates, but viewed on FDA-issued computers.

According to the complaint, the employees had “explicit permission” to use their government-issued computers for personal purposes. Nonetheless, the FDA secretly searched and seized private electronic communications when the plaintiffs “had a reasonable expectation of privacy” the complaint noted.

Toronto lawyer Christine Thomlinson, who specializes in Canadian employment law, said in an email that under similar circumstances many employees here would expect privacy. A court could agree, she said.
In jurisdictions covered by legislation like the fedeal Personal Information Protection and Electronics Documents Act (PIPEDA), or similar statutes in Quebec, Alberta and B.C., there are requirements established by statute, she wrote that say employers must obtain employee consent to monitor email, and do it in a reasonable way.
Other Canadian jurisdictions don’t have privacy legislation, she noted.
She also pointed out a 2011 decision by the Ontario Court of Appeal, which held that a high school teacher accused of being in possession of child pornography on a school-issued latop had a reasonable expectation of privacy in part because he had exclusive use of the device and permission to take it home.
The Supreme Court of Canada has granted leave to hear an appeal on that case, she added.
Documents related to the U.S. case, published by the National Whistleblowers Center show numerous instances of the FDA intercepting what appear to be confidential attorney-client communications.

Also captured were email messages between the whistleblowers and a former staff member for the House Committee on Energy and Commerce and a former chief investigator for the Senate Finance Committee. One FDA intercept shows a screen shot of dogs belonging to one of the whistleblowers while another captures an exchange in which one whistleblower exhorts another to “hang in there”

The intercepted email accounts contained “extremely private and intimate correspondence with family … friends and loved ones,” the complaint noted. Many of the accounts were used for personal finances, banking and other personal purposes. “Defendants intercepted emails that are considered private by all traditional standards.”

The secret searches and seizures lasted for two years, the complaint alleged. In total the FDA is alleged to have monitored private email conversations of nine scientists and physicians.

Data from their intercepted communications was collected and stored in an internal filing system called FDA9.

The lawsuit alleges that FDA used the data to retaliate against the whistleblowers.

The plaintiffs charge the agency with violating their First Amendment rights under the U.S. Constitution to free speech and association, their Fourth Amendment’s rights against unreasonable search and seizure and their Fifth Amendment’s right to due process.

The FDA did respond to a request for comment on the lawsuit.

Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation said the case presents some “really interesting questions about the right to use your email at your workplace.”

Many companies have computer use guidelines clearly specifying what employees can and cannot do with their work computers. They are using tools that use filtering and other technologies to make sure that employees do not accidentally or deliberately transmit sensitive documents or illicit material via their email.

Even so, the issue of whether employers have the legal right to actively monitor password protected, private email accounts, just because their computers are being used, remains largely untested in courts, he said.

Fakhoury pointed to a 2010 case where the U.S. Supreme Court ruled that employers can search through text messages, including personal ones, if they have reason to believe that workplace rules or laws are being violated

That case is slightly different, though, because it involves personal text messages being sent on a workplace pager. The FDA lawsuit refers to messages intercepted from personal, password-protected email accounts. “It is a distinction that has not been looked at in any great detail,” he said.

What adds to the complexity of the case is the fact that the monitoring involved whistleblowers, Fakhoury added. “That may be a whole separate legal issue under First Amendment law,” he said.

Miriam Schulman, director of the Markkula Center for Applied Ethics at Santa Clara University said that whistleblowers could have avoided the whole issue by using their own computers, “But just because you do something dumb, doesn’t remove your privacy rights,” she said.

An employer might have justification to monitor an employee’s communication if there’s reason to believe that the employee is breaking the law or stealing information.

“Monitoring is generally an invasion and something that you would want to do in extreme cases where you have some kind of a terrorist threat or child pornography,” Schulman said. It’s not something you do when people are being, what they consider to be good citizens, and reporting what they see,” she said.

(From Computerworld U.S. With additional files from Howard Solomon, Network World Canada)

Related Download
Improving the State of Affairs With Analytics Sponsor: SAS
Improving the State of Affairs With Analytics
Download this case study-rich white paper to learn why data management and analytics are so crucial in the public sector, and how to put it to work in your organization.
Register Now