"In this case, however, the FDA's purpose of conducting surveillance was not lawful," Grassley and Issa wrote in a letter to Jeffrey Zients, the acting head of the Office of Management and Budget. "To the extent that it monitored communications with the Congress and the Office of Special Counsel, the FDA was not legitimately investigating wrongdoing or tracing a security breach. Disclosures to OSC and Congress are authorized and protected by law."
As part of its monitoring, the FDA gained access to employees' personal emails.
Grassley and Issa acknowledge that such monitoring could be legal if the employees were receiving and sending emails on government computers, but the lawmakers said it is also possible the agency intercepted the passwords to the employees' personal accounts. They could have used the passwords to access messages that were only sent on personal computers.
"In the absence of a subpoena, such activity would violate the Stored Communications Act," Grassley and Issa wrote.
The lawmakers requested that the Office of Management and Budget conduct a survey of all federal agencies to determine their polices for monitoring their employees' private email accounts.