Several federal agencies have purchased an advanced software application that allows administrators to see every single action, item, mouse click and more performed on their employees’ computers. Some say it’s being implemented to end whistleblowing.
In the midst of a witch-hunt that has targeted anyone accused of leaking documents, the US federal government has been linked to a massive acquisition of spyware that allows the higher ups to get ahold of essentially any communiqué and comment made by its employees on any electronic device. Some agents with the Food and Drug Administration insist that their personal conversations were unlawfully monitored by their higher-ups using the program, citing their superiors’ fears that whistleblowers will continue to come to lawmakers to voice concern over dangerous practices within the FDA.
“We are looking for what we call indicators of compromise,” Joy Miller, deputy assistant secretary for security at the Department of Health and Human Services, the FDA’s parent agency, says to the Washington Post. “We’re monitoring a system, not everybody in that environment.”
Journalists with the Post penned an article this week that examines the use of Spector 360, monitoring software made by the SpectorSoft group, within the FDA and other agencies.
According to the FDA, staffers had their computer activity monitored and logged over concern that employees were disclosing trade secrets. Those agents, however, argue that they were spied on to ensure that they were not reporting internal corruption to Congress. And while the Post’s expose examines the government’s attempts to chill any employee’s attempt at blowing the whistle on wrongdoing, it only begins to open up what great lengths the feds are willing to go to.
In January, six FDA scientists filed a lawsuit against the agency in US District Court over claims that they were unlawfully spied on after approaching Congress with their concerns that their office was allowing the approval of medical devices that posed a risk to the public. When the Post reported on those claims at the time, they unearthed emails dating back to early 2009 that showed that the FDA had intercepted emails between agency whistleblowers and congressional staffers.
“Who would have thought that they would have the nerve to be monitoring my communications to Congress?” Robert C. Smith, one of the plaintiffs, told the Post at the time.
Seven months later, not only are federal employees being still subjected to constant monitoring, but some have suggested that the surveillance surpasses what the government is allowed to do by the books. One expert tells the paper that any device used to access encrypted government data is then considered fair-game for any surveillance software.
“The general policy right now is if a personal device accesses any agency information, it adopts the profile of a government-issued device,” Tom Clare, senior director of product marketing for Websense, tells the Post. “They’re going to monitor everything.”
And it isn’t just everything, but everywhere, too, apparently. In an investigation carried out earlier this month by the National law Journal, the paper writes, “Government-contract records show that the U.S. Department of Veterans Affairs (V.A.) purchased spy software from the same company that supplied the FDA’s computer monitoring program, according to the database USAspending.gov.”
The Drug Enforcement Administration has also been tied to the software, an accusation confirmed by spokeswoman Dawn Dearden to the National Law Journal. On her part, though, Dearden pleads that the DEA “is aware of protections afforded to whistleblowers and does not monitor or check for that kind of activity.”
Despite this claim, some say that this monitoring could chill even thoughts of blowing the whistle.
“The actions of agency management have negatively impacted employee morale and resulted in significant concerns about agency management practices,” Colleen Kelley, president of the National Treasury Employees Union, tells the Journal. “For example, in light of what has happened at FDA, some employees voiced to [the union] their reluctance to report wrongdoing, for fear of retaliation.”
Transportation Security Administration Spokesman David Castelveter adds to the Post that the use of such software within that agency isn’t part of a war on whistleblowing, but instead is “about protecting the sensitive nature of the transportation security mission.” When certain information is kept under wraps to avoid being brought to the public, though — as with the lawsuit against the FDA — sensitive information is sometimes needed to be introduced outside of the agency for the sake of safety.
The Post reports that Spector 360 has been sold to at least one dozen federal agencies. In a request for solicitations posted by the Department of Homeland Security’s TSA in July, the government goes about explaining exactly what they look for in such software.
“The scope of this procurement is an enterprise insider threat software package,” the solicitation reads. “In order to detect an insider threat, technology is required to monitor and obtain visibility into users' actions. TSA Focused Operations requires a tool that can monitor user activities at the user host level.”
Included in the government’s requirements for responses is the ability for the software to look at and log keystrokes, chats, email correspondence, website activity and file transferring, as well as the capacity to capture a screenshot of any activity occurring on a computer monitor at any time. It also mandates that the end user “must not have the ability to detect this technology,” nor the ability to terminating the monitoring on their own.
According to a press release published in June, SpectorSoft has provided services to more than 160,000 businesses, government organizations, schools and law enforcement agencies. In a case study included on the SpectorSoft.com website, KBSolutions, Inc. President Jim Tanner claims, “To date, no offender has successfully attacked Spector Pro or defeated it.”