U.S. Federal Agencies Targeted Employees With Commercial Spy Software

SpectorSoft spyware is the latest tool to be employed by some U.S. government officials to conduct surveillance on staff. Best known for its off-the-shelf products for parents to track children, the Vero Beach, Florida, digital manufacturer has been revealed to be selling "keylogger" software to the U.S. Food and Drug Administration (FDA) to track every digital move of certain employees.

Police officials have long been happy to endorse the 14 year old private company's products: "Our Internet safety presentation for parents and children has several tools that are important for parents, and Internet monitoring software is one of the tools," Sergeant Paul Garcia of Albuquerque, New Mexico, was quoted as saying in company literature in 2009. "Along with our IT team, I tested several products, and our first choice is Spector."

Dr Jefrrey Shuren, the director of the Center for Devices and Radiological Health at the FDA, apparently concurs. According to a court filing by Steven Kohn, a lawyer at the National Whistleblower Center, Shuren personally sent federal investigators at the office of the inspector general "several screen shots and documents obtained through spying on the private email correspondence of Dr. Robert C. Smith, Dr. Ewa M. Czerska, Mr. Paul T. Hardy, and Mr. Julian J. Nicholas." (all FDA scientists apart from Hardy who worked for the U.S. Public Health Service Commissioned Corps)

The technology used by the FDA was identified by Eric Lichtblau and Scott Shane at the New York Times as SpectorSoft products which "captured screen images from the government laptops of the five scientists as they were being used at work or at home. The software tracked their keystrokes, intercepted their personal e-mails, copied the documents on their personal thumb drives and even followed their messages line by line as they were being drafted."

The surveillance began soon after the scientists sent a letter in January 2009 letter to John Podesta, then director of the transition team of the newly elected Obama administration, blowing the whistle on how senior FDA staff  "ordered, intimidated, and coerced FDA experts to modify their scientific reviews, conclusions and recommendations in violation of the law."

Journalists took an immediate interest in the concerns raised by the scientists. An article published on January 12, 2009, took issue with the SecondLook Digital Computer-Aided Detection System for Mammography manufactured by iCAD Inc. of New Hampshire. The reporter quoted an internal FDA review of the product that suggested it might miss cancers and risked "unnecessary biopsy or even surgery (by placing false positive marks) and unnecessary additional radiation."

A second critical article appeared in the New York Times in March 2010 challenging FDA approval for coloscopy devices manufactured by General Electric of New York. "One CT colonoscopy device that they exposed made it onto the market, 600 to 800 times the radiation dosage of similar devices that are more effective," says Kohn. (Researchers estimate that as many as 14,000 people may die every year of radiation-induced cancers as a result of excessive use of such scanning practices).

After the articles appeared GE officials and iCAD CEO Ken Ferry allegedly complained to the FDA the whistleblowers may have revealed trade secrets. In June 2010 Shuren took a personal interest in the matter by sending the results of the surveillance of the scientists to federal investigators. (To the credit of the investigators, they declined to act noting that government employees have the right to blow the whistle to Congress.)

The scientists are predictably outraged by the news of the surveillance. "Who would have thought that they would have the nerve to be monitoring my communications to Congress?" Robert Smith, one of scientists, told the Washington Post. "How dare they?" Members of Congress were also furious. The FDA "sound(s) more like the East German Stasi than a consumer protection agency in a free country" said Senator Chuck Grassley, a Republican from Iowa.

The agency denies it broke the law. "FDA did not monitor the employees' use of non-government-owned computers at any time. Neither members of Congress nor their staffs were the focus of monitoring," the FDA told Democracy Now! "At no point in time did FDA attempt to impede or delay any communication between these individuals and Congress. Employees have appropriate routes to voice their concerns without disclosing confidential information to the public, and FDA has policies in place to ensure employees are aware of their rights and options."

However, Quality Associates Inc. of Fulton, Maryland, another FDA contractor mistakenly posted the data retrieved by the SpectorSoft software on the Internet, where one of the scientists recently discovered the data and the extent of the surveillance operation. "(O)ne congressman, Van Hollen, was specifically put on it. Aides for Senate and House were put on it. Journalists were on it. Scientists and doctors were on it," says Kohn.

"This is the insidious nature of electronic surveillance, because once they had the first whistleblower, Dr. Smith, target number one, they were able to learn who he was talking to and who was supportive of what he was trying to change. They were able to then identify all the other whistleblowers and then people who endorsed them. And then they created a list. And this list set forth additional targeted monitoring or surveillance."

While one would hope that the FDA's action was a rogue operation, it is definitely not the only agency in the market for covert surveillance spy software to track federal employees. A contract posted in June by the Transportation Security Administration (TSA) seeks a product to "monitor user activities through keystroke monitoring/logging; chat monitoring/logging; email monitoring/logging; attachment monitoring/logging; website monitoring/logging; network activity monitoring/logging; files transferred monitoring/logging; document tracking monitoring/logging; screenshot capture; program activity monitoring/logging," with a key requirement that the "end user must not have the ability to detect this technology." (first revealed by NextGov)

The solicitation was simply posted for public information, the TSA will not accept unsolicited bids. One presumes that SpectorSoft would be keen to bid. The company is in no trouble since it did not break any laws in selling software to the FDA. On the other hand, Quality Associates, which has a $20 million document archival contract with the FDA as well as a $30 million contract with the National Institutes of Health, seems likely to be shunned for future government contracts.

• 116 Human Rights