FDA defends itself against accusations its email snooping broke whistleblower laws

Walter Harris--Courtesy of FDA

During a week in which The Guardian revealed that Britain intercepted and stored webcam images from millions of people, the FDA email snooping revealed in 2012 looks relatively innocent. But Republicans investigating the program think the regulator may have violated whistleblower laws by monitoring employees' emails.

The report by Republican lawmakers Darrell Issa and Charles Grassley comes two years after The New York Times first broke news of the FDA email surveillance program. Issa and Grassley accuse the FDA of running an "excessively intrusive" monitoring program that was more focused on retaliating against employees for going public with safety concerns than on uncovering leaks of proprietary company information. The retaliation reportedly relates to the release of information about pending medical device approvals.

The FDA claims its activities are designed to protect confidential information entrusted to it by industry. Issa and Grassley disagree. "It was far more invasive than what would be necessary to detect inappropriate use of the computer systems. The agency captured a picture of whatever was on the screen every 5 seconds, and recorded every keystroke typed. Again, the FDA did not monitor every FDA employee this aggressively, just the whistleblowers," Grassley said at a hearing to discuss the report.

Speaking to The Washington Post, FDA spokesperson Erica Jefferson said the report's findings "paint an incomplete picture of the matter" and are an inaccurate representation of its policies. "The FDA did not target, intercept or prevent any communications to Congress or retaliate against [the scientists] for their complaints to Congress. HHS and FDA have robust protections in place for whistleblowers," Jefferson said. Acting FDA chief information officer Walter Harris made similar points in his testimony at the hearing.

"Safeguarding the confidential information that regulated entities share with FDA is critical to the agency's ability to carry out its public health mission, and FDA has adopted policies and procedures to preserve the data security of its confidential information. These IT controls broadly include logging of all system events, monitoring of data entering and leaving the FDA IT enterprise, and ensuring authorized access to systems," Harris said.

- check out the report (PDF)
- here's the Washington Post article
- read Grassley's comments (PDF)
- and Harris' testimony (PDF)