During his 2013 nomination hearing to be FBI director, James Comey called whistleblowers “a critical element of a functioning democracy” and vowed to protect them from reprisals. He said that “folks have to feel free to raise their concerns, and if they are not addressed up their chain-of-command, to take them to an appropriate place.”
This might sound comforting to an FBI agent considering reporting internal waste, fraud or mismanagement. The problem is that any FBI employee taking Comey’s advice would find themselves stripped of the meager protections offered through Justice Department regulations governing FBI whistleblowers. Most people who see a problem on the job naturally report it first to their own supervisor. But the regulation only protects disclosures made to a handful of high-ranking officials and not those made to direct supervisors in the employees’ chain-of-command. So, the regulation serves more as a trap for would-be whistleblowers rather than a shield against retaliation.
It has a real chilling effect. The Justice Department dismisses a significant portion of FBI whistleblower claims because they are reported to the wrong person, according to the Government Accountability Office (GAO). The FBI is the only federal agency that doesn’t protect chain-of-command whistleblower reports to supervisors.
But don’t think those correctly navigating the Justice Department’s regulatory requirements have an easy path. FBI whistleblower cases are adjudicated in an internal Justice Department process that is exempted from judicial review. The Justice Department argues that allowing FBI whistleblowers to go to court would risk exposing sensitive national security information.
The fact is the Justice Department’s process doesn’t protect whistleblowers. The GAO looked at more than five dozen FBI whistleblower claims and found only three that resulted in some form of corrective action. It took the Justice Department 8 to 10 years to investigate and adjudicate these three cases. If you can imagine the financial and emotional costs of litigating a claim against your own employer for 10 years, you might understand why 42 percent of FBI employees questioned in a 2009 survey said they did not report all of the misconduct they saw on the job and 18 percent said they never reported any wrongdoing they witnessed.
Danielle Brian, who runs the Project on Government Oversight, which often relies on whistleblowers, explained why whistleblowers come to her, and how employees of the intelligence agencies are most vulnerable to retaliation:
There is a reason for the FBI’s rules. Congress exempted the FBI and other intelligence agencies from the protections it gave to other federal employees through the Whistleblower Protection Act, fearing that adjudicating such claims might risk exposing national security secrets. But this fear is misplaced.
Babak Pasdar, CEO of Bat Blue Networks and an information technology and network security expert, is also a whistleblower. In 2003, Verizon Wireless hired him to upgrade its security infrastructure. In the course of his work, he found a circuit that provided an unidentified third-party direct access to the company’s data center, with no controls and no meaningful logging of the activity taking place over this portal. When he reported this obvious breach of the carrier’s security policies and industry standards, he was told this was the “Quantico circuit” and he should just ignore it. Quantico is the home of the FBI academy and a U.S. Marine base, and the obvious implication was that this circuit provided unfettered government access to the telecommunications company’s data. Recognizing the legal and security risks posed by such a portal, and unable to convince the company to address the matter appropriately, Pasdar brought the matter to Congress.
The legality of giving the government such unfettered access to telecommunications data is still being debated. What isn’t debatable among information security experts is that these government “backdoors” into the telecommunications companies’ data centers are bad security, as Pasdar explains:
“You cannot be half secure, just like you can’t be half pregnant,” seems like a simple concept. If a vulnerability is created for one purpose, then there is no guarantee that it won’t be exploited by others for a different purpose. But the security threats created by the government’s secretive data access arrangements don’t seem to be properly weighed before these programs are implemented. It’s too easy to make poor decisions when the planning is done in secret, which is why it is so crucial that intelligence community employees have safe and clear avenues to raise their concerns within their agencies, other executive branch agencies and Congress. These employees are well-trained in the proper handling of classified information and are fully capable of reporting without risking unauthorized disclosures.
In fact, the failure to provide these safe avenues for reporting internal government misconduct is what drives anonymous leaks to the press. Pasdar discusses what later intelligence leaks by National Security Agency contractor Edward Snowden revealed about the data portal he discovered a decade earlier: