This is the accessible text file for GAO report number GAO-11-334 entitled 'Combating Child Pornography: Steps Are Needed to Ensure That Tips to Law Enforcement Are Useful and Forensic Examinations Are Cost Effective' which was released on April 1, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Committees: March 2011: Combating Child Pornography: Steps Are Needed to Ensure That Tips to Law Enforcement Are Useful and Forensic Examinations Are Cost Effective: GAO-11-334: GAO Highlights: Highlights of GAO-11-334, a report to congressional committees. Why GAO Did This Study: The Department of Justice (DOJ) reports that online child pornography crime has increased. DOJ funds the National Center for Missing and Exploited Children (NCMEC), which maintains the CyberTipline to receive child pornography tips. The Providing Resources, Officers, and Technology To Eradicate Cyber Threats to Our Children Act of 2008 (the Act) contains provisions to facilitate these investigations and create a national strategy to prevent, among other things, child pornography. The Act directed GAO to report on actions to minimize duplication and enhance federal expenditures to address this crime. This report examines (1) the extent to which NCMEC determines the usefulness of tips; (2) mechanisms to help law enforcement coordination (i.e., deconfliction); and (3) the extent to which agencies are addressing factors that federal law enforcement reports may inhibit investigations. GAO analyzed the Act and spoke to law enforcement officials who investigate these crimes, selected to reflect geographic range, among other things. Although these interviews cannot be generalized, they provided insight into investigations. What GAO Found: NCMEC takes steps to obtain feedback from law enforcement on the usefulness of CyberTipline reports; however, it does not systematically collect information on how useful individual reports are for initiating and advancing investigations or about information gaps that limit reports’ usefulness. For instance, NCMEC solicits feedback via e-mail or in person quarterly from federal law enforcement liaisons at NCMEC about the overall usefulness of CyberTipline reports. However, according to many law enforcement officials GAO contacted, information in a CyberTipline report may not contain an image of apparent child pornography or may contain old data. NCMEC officials said that they are interested in obtaining additional feedback to enhance the usefulness of its reports and could explore additional methods to gather such information, such as creating a systematic process for obtaining feedback from federal law enforcement. Enhancing its processes for collecting feedback on the usefulness of CyberTipline reports could help NCMEC ensure that reports are as useful as possible to law enforcement. Existing deconfliction mechanisms generally prevent pursuit of the same suspects but are fragmented; DOJ is in the early stages of developing a system to address this fragmentation. Many law enforcement officials GAO contacted reported using various nonautomated (e.g., task forces) and automated (e.g., investigative systems) mechanisms to avoid duplication of effort in investigations. But these officials reported that there is not a single automated system that provides comprehensive case information and deconfliction, which can contribute to difficulties coordinating investigations. As mandated in the Act, DOJ is developing a national system to, among other things, provide law enforcement with a single deconfliction tool. Specifically, DOJ is conducting a needs assessment—which it plans to complete in 12 to 24 months—to use as a basis for system development. However, because DOJ is waiting on the results of the needs assessment to begin system development, it may be several years before the system is operational. Backlogs in the forensic analysis of digital evidence can delay or hinder online child pornography investigations; assessing the costs and benefits of taking extra steps to ensure the integrity of forensic analysis could help determine if there are efficiencies that could reduce backlogs. Forensic analysis of digital evidence consists of the review of information from digital media, such as hard drives, and can prove online child pornography crime. Several factors may contribute to backlogs in forensic analysis, including the steps federal law enforcement agencies believe enhance the integrity of analysis, such as making exact copies of digital evidence to discourage tampering. The FBI takes additional steps it believes enhance integrity, such as separating the forensic examination from the investigation. However, some federal officials and prosecutors GAO spoke with differed on the need for such steps. According to DOJ, the national strategy’s working group is in a good position to address backlog issues and having this group assess the costs and benefits of steps taken to ensure the integrity of forensic analysis could help it determine potential efficiencies that could reduce backlogs. What GAO Recommends: GAO recommends that NCMEC enhance its processes to collect feedback to improve tips and that DOJ assess the costs and benefits of steps agencies take to ensure the integrity of forensic analysis. NCMEC and DOJ generally concurred with our recommendations and discussed actions to address them. View [hyperlink, http://www.gao.gov/products/GAO-11-334] or key components. For more information, contact Eileen Larence at (202) 512- 8777 or larencee@gao.gov. [End of section] Contents: Letter: Background: DOJ Has To Take Action on Three Remaining Responsibilities under the Act: NCMEC Provided ESPs Reporting Guidance and Online Detection Information: Expanding Feedback from Law Enforcement Could Help Improve the Usefulness of CyberTipline Reports and Better Address Increasing Number of Reports: Existing Deconfliction Mechanisms, While Fragmented, Generally Prevent Pursuit of the Same Suspects; DOJ Is Starting to Develop a National System: Backlogs in Forensic Analysis of Digital Evidence and Length of Time ESPs Retain User Data Can Hinder Investigations: Conclusions: Recommendations: Agency Comments, Third Party Views, and Our Evaluation: Appendix I: Key Federal Agencies Involved in Combating Online Child Pornography: Appendix II: Status of Efforts of DOJ and NCMEC's CyberTipline to Implement Provisions of the PROTECT Our Children Act of 2008: Appendix III: Overview of NIDS Components and System Functions Outlined by the PROTECT Our Children Act of 2008: Appendix IV: Comments from the Department of Justice: Appendix V: Comments from the National Center for Missing and Exploited Children: Appendix VI: GAO Contact and Acknowledgments: Tables: Table 1: Federal Agencies Involved in Combating Child Pornography: Table 2: Overview of Process Different Federal Agencies with Liaisons at NCMEC Use to Review and Forward CyberTipline Reports for Investigation: Table 3: FBI Personnel Dedicated to Combating Child Exploitation: Table 4: FBI Resources Obligated for Combating Child Exploitation: Table 5: Number of FBI Child Pornography Investigations and Arrests: Table 6: CEOS Personnel Dedicated for Combating Child Exploitation and Obscenity Offenses: Table 7: CEOS Funds Obligated for Combating Federal Child Exploitation and Obscenity Offenses: Table 8: Number of ICAC Task Force Child Exploitation Cases Investigated and Arrests: Table 9: ICE Personnel Dedicated for Combating Child Exploitation: Table 10: ICE Resources Obligated for Combating Child Exploitation: Table 11: Number of Child Pornography Cases Initiated and Arrests by ICE Agents: Table 12: Number of USSS Investigations and Arrests Related to Child Pornography: Table 13: Full Time and Part Time Postal Inspectors Assigned to Child Exploitation Investigations: Table 14: Postal Inspection Service Investigations and Arrests Related to Child Exploitation and Child Pornography: Table 15: Status of Efforts of the Attorney General and NCMEC's CyberTipline to Implement Their Responsibilities under the PROTECT Our Children Act of 2008: Table 16: Information on the NIDS Components Required by and Functions Described in the PROTECT Our Children Act of 2008: Figures: Figure 1: Number of Arrests by ICAC Task Forces and Federal Law Enforcement Agencies Involved in Online Child Exploitation and Child Pornography Investigations from Fiscal Years 2006 through 2010: Figure 2: Overview of NCMEC Process for Receiving and Disseminating CyberTipline Reports: [End of section] United States Government Accountability Office: Washington, DC 20548: March 31, 2011: The Honorable Patrick J. Leahy: Chairman: The Honorable Charles E. Grassley: Ranking Member: Committee on the Judiciary: United States Senate: The Honorable Lamar S. Smith: Chairman: The Honorable John Conyers, Jr. Ranking Member: Committee on the Judiciary: House of Representatives: The Internet, while changing the way our society communicates, has also changed the nature of many crimes, including online child pornography. According to the Department of Justice's (DOJ) National Strategy for Child Exploitation Prevention and Interdiction (National Strategy), the numbers of child pornography images traded on the Internet, child pornography offenders, and children victimized by child pornography have dramatically increased.[Footnote 1] For example, Internet Crimes Against Children (ICAC) task forces reported an increase of about 150 percent in the number of arrests for child pornography-related offenses, from about 2,100 in fiscal year 2006 to about 5,300 in fiscal year 2010.[Footnote 2] Similarly, since fiscal year 2006, the number of defendants prosecuted by U.S. Attorneys' Offices for child exploitation crime, including online child pornography, increased by 35 percent, with 2,250 indictments against 2,367 defendants filed in fiscal year 2010.[Footnote 3] These crimes carry severe penalties. For example, for the first offense, possessing child pornography may result in imprisonment of up to 10 years; receiving, selling, or distributing child pornography may result in imprisonment of at least 5 years and up to 20 years; and producing child pornography may result in imprisonment of at least 15 years and up to 30 years.[Footnote 4] Further, the offenders who commit child pornography crimes often pose a physical threat to children. According to DOJ's National Strategy, analysis of federally prosecuted child pornography cases indicates contact offenses against children, such as the sexual abuse of a minor, were discovered in approximately one- third of all cases. Digital cameras and computers have made it easier for offenders to produce and distribute child pornography because they can bypass print shops and upload photos from their cameras directly to the Internet. In addition, the increased sophistication of offenders in the production and distribution of child pornography and the use of advanced technologies to avoid detection has made it more difficult for law enforcement to detect their activities and identify suspects who attempt to hide their identifying information. In response to the increase in online child pornography crime, multiple federal law enforcement agencies have developed specialized units to address crimes against children, and Congress has passed legislation requiring greater coordination on, and authorizing an increase in resources available to address, these crimes. For example, due to the increase in the number of investigations that involved sex offenders using computers to share pornographic images of minors, in 1995 the Federal Bureau of Investigation (FBI) developed the Innocent Images National Initiative (Innocent Images), which teams FBI agents and local police in task forces to conduct undercover investigations of suspected offenders. Similarly, Immigration and Customs Enforcement (ICE), which enforces trans-border violations of federal child exploitation statutes and works to, among other things, prevent the introduction of prohibited contraband, such as child pornography, into the United States, initiated its Cyber Crimes Center in 1997. Finally, the United States Postal Inspection Service (USPIS) has 45 specially trained inspectors located in its field divisions who investigate crimes related to the exploitation of children and have jurisdiction over these types of crimes that involve the mail. To assist these law enforcement efforts, DOJ's Office of Juvenile Justice and Delinquency Prevention (OJJDP) allocates funds to the National Center for Missing and Exploited Children (NCMEC), which serves as a national resource center for information related to crimes against children.[Footnote 5] The center also maintains the CyberTipline to receive tips on child pornography from electronic service providers (ESP) and members of the general public.[Footnote 6] In addition to federal efforts to address these crimes, state and local law enforcement agencies generally enforce child pornography laws within their own jurisdictions and may work collaboratively with federal agencies through federal task forces to combat child pornography. More recently, Congress passed the Providing Resources, Officers, and Technology To Eradicate Cyber Threats to Our Children Act of 2008 (PROTECT Our Children Act of 2008, or the Act) which requires, among other things, that the Attorney General create and implement a National Strategy for Child Exploitation Prevention and Interdiction.[Footnote 7] The National Strategy, published in August 2010, has the goal of preventing child sexual exploitation from occurring. The Act also requires that ESPs report to NCMEC any instances of apparent child pornography that they become aware of on their networks. In addition, the Act requires the Attorney General to establish a National Internet Crimes Against Children Data System (NIDS) to serve as, among other things, a platform to conduct undercover investigations of child exploitation crime and a centralized system for deconfliction for federal, state, and local law enforcement.[Footnote 8] The Act also directs us to report on, among other things, the efforts of the Attorney General and NCMEC's CyberTipline in carrying out their responsibilities under the Act. In addition, it directs us to report on actions taken to minimize duplication and enhance the expenditure of federal resources in enforcing, investigating, and prosecuting child pornography crimes. Specifically, this report addresses the following questions: * To what extent have DOJ and the CyberTipline implemented their responsibilities under the Act? * What information does NCMEC provide to ESPs to facilitate reporting of apparent online child pornography to the CyberTipline? * To what extent does NCMEC have mechanisms in place to help determine how useful law enforcement agencies find the CyberTipline incident information and services that it provides for initiating online child pornography investigations? * What deconfliction mechanisms exist that help prevent law enforcement agencies from pursuing the same suspected online child pornography offenders or interfering with each other's investigations, and to what extent, if any, could these mechanisms be improved? * What factors, if any, did federal law enforcement agencies report as limiting their ability to investigate and prosecute suspected online child pornography offenders, and to what extent are agencies addressing these factors? For all objectives, we analyzed the Act, which outlines requirements for DOJ, NCMEC, and ESPs, and the National Strategy, which, among other things, describes information on threats to children and reviews law enforcement coordination efforts and federal forensic analysis programs. We also analyzed data from fiscal year 2006 through fiscal year 2010 on the number of investigations and arrests by federal law enforcement agencies and ICAC task forces to assess trends in child exploitation and child pornography cases.[Footnote 9] To assess the extent to which DOJ and NCMEC have implemented their responsibilities under the Act, we interviewed DOJ's National Coordinator for Child Exploitation Prevention and Interdiction, the senior official responsible for coordinating the development of the National Strategy, and NCMEC officials to discuss efforts to implement the Act's provisions. We compared these efforts with criteria in standard practices for program management.[Footnote 10] To identify the information NCMEC provides to ESPs to facilitate reporting of apparent online child pornography, we assessed documentation NCMEC provides to ESPs, such as its guide for reporting to the CyberTipline, and interviewed officials from NCMEC. To obtain information on any concerns ESPs had about reporting to the CyberTipline, we interviewed officials from a nonprobability sample of 19 ESPs, which we selected from among the 620 ESPs that had registered with NCMEC as of April 2010.[Footnote 11] We selected these 19 ESPs to reflect a range of geographic locations, types of service provided, number of tips submitted to the CyberTipline, and number of child pornography investigations referred to and accepted for prosecution in the judicial district in which the ESP was located. Their comments cannot be generalized to all ESPs; however, the interviews provided perspectives from ESPs about reporting to the CyberTipline. We also interviewed officials from three civil liberties organizations--the American Civil Liberties Union, the Electronic Frontier Foundation, and the Center for Democracy and Technology--to obtain information about privacy concerns expressed by Internet consumers in response to ESPs' reporting activities.[Footnote 12] To assess the extent to which NCMEC has mechanisms in place to help determine how useful law enforcement agencies find CyberTipline information, we reviewed relevant documentation, such as NCMEC's feedback forms and training briefings about the CyberTipline. To determine trends in the use of the CyberTipline, we analyzed data on the number of reports submitted by ESPs and the general public and the number of these reports NCMEC made available to law enforcement from January 1, 2008, through December 31, 2010.[Footnote 13] We also interviewed the three federal law enforcement liaisons from the FBI, ICE, and USPIS located at NCMEC and officials from 8 of the 61 ICAC task forces about the usefulness of the CyberTipline reports and the services NCMEC provided. Specifically, we interviewed officials from ICAC task forces located in six federal judicial districts, which we selected to obtain geographic representation and based on the number of child pornography investigations referred to and accepted by U.S. Attorneys' Offices for prosecution.[Footnote 14] While the information obtained from these interviews cannot be generalized to all ICAC task forces or their members, the interviews provided a range of perspectives about how useful NCMEC's information and services were for initiating investigations. We compared the mechanisms NCMEC has in place with best practices articulated in our prior reports highlighting the importance of soliciting input from users and assessing whether the information disseminated is meeting users' needs.[Footnote 15] To determine what mechanisms prevent law enforcement agencies from pursuing the same offenders or interfering with each others' investigations, we assessed information on tools available to facilitate coordination and deconfliction, such as the ICAC Data Network Toolkit Manual, as well as memoranda of understanding between DOJ and agencies participating in the ICAC Task Force Program. We also reviewed OJJDP's fiscal years 2009 and 2010 grant solicitations for the NIDS project, the proposal for its development, and grant manuals, which outlined the agency's approach for system development. To discuss available mechanisms, we interviewed law enforcement officials who investigate child pornography offenders in the six judicial districts we selected. Specifically, we held 20 interviews with law enforcement officials from FBI, ICE, United States Secret Service (USSS), and USPIS; 8 interviews with officials from ICAC task forces; and 7 interviews with Assistant United States Attorneys (AUSA) who serve as coordinators for the Project Safe Childhood Initiative. [Footnote 16] The information obtained from these interviews is not generalizeable to law enforcement officials or agencies in all judicial districts. However, it provided examples and perspectives about law enforcement's efforts to coordinate investigations and use deconfliction mechanisms. To determine factors, if any, federal law enforcement agencies identified that limited their ability to investigate and prosecute suspected online child pornography offenders and to what extent agencies are addressing these factors, we included questions on this topic in our interviews with law enforcement officials from FBI, ICE, USSS, USPIS, and AUSAs. We also toured FBI, ICE, and USPIS digital forensic laboratories to observe their forensic processes. In addition, we interviewed prosecutors from the Child Exploitation and Obscenity Section (CEOS) who work directly with digital forensic examiners assigned to CEOS's High Technology Investigative Unit, which is collocated with CEOS prosecutors, to support investigations and prosecutions; officials from FBI's Innocent Images and Digital Evidence Section, which oversees forensic analysis of digital evidence; officials from ICE's Cyber Crimes Center; and officials from USPIS's Digital Evidence Unit, which is responsible for forensic analysis practices, on how these agencies are addressing the factors identified.[Footnote 17] We compared these efforts to guidance outlined by the Office of Management and Budget (OMB) for considering alternative means of achieving program objectives.[Footnote 18] We conducted this performance audit from September 2009 through March 2011 in accordance with generally accepted government auditing standards.[Footnote 19] Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: National Center for Missing and Exploited Children (NCMEC) and the CyberTipline: NCMEC is a private, nonprofit organization that serves as the nation's resource center for child protection. NCMEC's mission is to assist in the location and recovery of missing children and to prevent the abduction, molestation, sexual exploitation, and victimization of children. NCMEC is congressionally authorized to carry out certain tasks with grant funding it receives through a cooperative agreement with OJJDP.[Footnote 20] According to NCMEC, for calendar year 2009, NCMEC received about 77 percent of its funding from federal sources, with the remainder coming from other revenue and support, such as corporate and private donations. From fiscal years 2008 through 2010, NCMEC operated the CyberTipline at a cost of about $7.6 million, an average of $2.5 million per year excluding support by computer programmers. In support of its mission and consistent with the Missing Children's Assistance Act, NCMEC maintains a 24-hour, toll-free telephone tipline for leads from individuals reporting the sexual exploitation of children and information on the possession, manufacture, or distribution of child pornography. NCMEC also coordinates public and private programs to locate missing children; offers technical assistance, training, and consultation to law enforcement agencies; and has developed specialized training programs and materials for law enforcement personnel. NCMEC also maintains the CyberTipline to receive tips on child pornography from ESPs, which are required under the Act to report to NCMEC any instances when they become aware of apparent child pornography on their networks, as well as from the general public. [Footnote 21] ESPs that have registered with NCMEC can provide reports to the CyberTipline through a secure reporting form.[Footnote 22] NCMEC reported that as of December 31, 2010, 738 ESPs had registered out of an estimated 5,000 ESPs. According to NCMEC officials, it is difficult to identify the total number of ESPs or those that have not registered with NCMEC because there is no single source or list of the universe of ESPs. Based on our discussions with ESPs, they vary by types of services provided, ranging from access points to the Internet, search engines, and classified advertisements, to social networking sites. They may offer paid and free services, and have thousands or millions of customers. NCMEC reported that from January 1, 2008, through December 31, 2010, 194 registered ESPs made about 248,000 reports to the CyberTipline.[Footnote 23] Federal Law Enforcement Agencies Involved in Combating Online Child Pornography: As shown in table 1, several federal law enforcement agencies are involved in, and have specific units devoted to, combating online child pornography. Table 1: Federal Agencies Involved in Combating Child Pornography: Department: DOJ; Component: FBI; Law enforcement effort: Proactively investigates crimes against children. Crimes Against Children Unit coordinators are located in each of the 56 field offices. Also has Innocent Images to combat Internet-related sexual exploitation of children. Department: DOJ; Component: CEOS, within the Criminal Division; Law enforcement effort: Prosecutes federal child sexual exploitation offenses, including child pornography crimes, enticement of children for sexually predatory purposes, transportation of offenders or children across state lines for sexually predatory purposes, domestic sex trafficking of children, and child sex tourism. Provides prosecutorial guidance to federal law enforcement agencies and U.S. Attorneys' Offices nationwide. Also develops and refines policies, legislative proposals, government practices, and agency regulations in the areas of sexual exploitation of minors. Department: DOJ; Component: 94 United States Attorneys' Offices; Law enforcement effort: Prosecutes federal child exploitation-related cases. Department: DOJ; Component: OJJDP; Law enforcement effort: Allocates funds and administers the ICAC Task Force Program, which encourages multijurisdictional and multiagency responses to crimes against children involving the Internet. Department: Department of Homeland Security (DHS); Component: ICE, Cyber Crimes Center; Law enforcement effort: Enforces trans-border violations of federal child exploitation statutes. Among other things, works to prevent the introduction of prohibited merchandise and contraband, such as child pornography, into the United States and investigates, interdicts, and prosecutes those individuals involved in possession, receipt, distribution, advertisement, transportation, and production of child pornography. Department: Department of Homeland Security (DHS); Component: USSS; Law enforcement effort: Provides forensic and technical assistance in matters involving missing and sexually exploited children. Department: U.S. Postal Service; Component: USPIS; Law enforcement effort: Investigates child pornography and child sexual exploitation cases that involve U.S. mail, as well as Internet- related offenses in cases where mail is involved; The objective of the child exploitation program is to reduce and deter the use of the postal system for the procurement or delivery of materials that promote the sexual exploitation of children. Source: GAO analysis of information provided by DOJ, DHS, and USPIS. [End of table] Appendix I provides additional details on the mission, role, level of resources, and numbers of investigations and arrests of these agencies. Trends in the Number of Child Exploitation and Pornography Investigations: In its National Strategy, DOJ reported that the incidence of child exploitation, which, among other things, includes possessing, distributing, and producing child pornography, has been increasing since the 1990s, although the precise number of offenders accessing and trading child pornography material online is not known. For example, DOJ data show that from fiscal years 2006 through 2010, ICAC task forces estimate over an 80 percent increase in the number of complaints received from the public related to the possession, distribution, and manufacture of child pornography. These task forces also reported that arrests for child pornography have increased about 150 percent during the same period. FBI, ICE, and USSS reported increases in arrests of 17 percent, 37 percent, and 69 percent, respectively, from fiscal years 2006 through 2010. The USPIS reported a 54 percent decline in arrests for child pornography and child exploitation involving the U.S. mail. According to officials, this decline is, in part, due to the increased availability of child pornography through the Internet rather than the mail. Figure 1 shows the number of arrests made by ICAC task force investigators and federal law enforcement related to online child exploitation and child pornography from fiscal years 2006 through 2010. Figure 1: Number of Arrests by ICAC Task Forces and Federal Law Enforcement Agencies Involved in Online Child Exploitation and Child Pornography Investigations from Fiscal Years 2006 through 2010: [Refer to PDF for image: multiple line graph] Number of law enforcement arrests: Fiscal year: 2006; FBI: 936; ICAC task force: 2,148; ICE: 681; USPIS: 252; USSS: 88. Fiscal year: 2007; FBI: 1,115; ICAC task force: 2,525; ICE: 948; USPIS: 155; USSS: 94. Fiscal year: 2008; FBI: 1,144; ICAC task force: 3,133; ICE: 863; USPIS: 165; USSS: 80. Fiscal year: 2009; FBI: 1,077; ICAC task force: 4,492; ICE: 957; USPIS: 186; USSS: 88. Fiscal year: 2010; FBI: 1,094; ICAC task force: 5,317; ICE: 931; USPIS: 115; USSS: 149. Source: GAO analysis of information provided by FBI, ICE, USPIS, USSS, and OJJDP. Note: Joint investigations between federal law enforcement agencies and ICAC task forces may be counted in both ICAC and federal investigative data. Although the extent is not known, DOJ officials said they believe the overlap is minimal. [End of figure] DOJ Has To Take Action on Three Remaining Responsibilities under the Act: The Act, enacted in October of 2008, requires, among other things, that the Attorney General create and implement a National Strategy for Child Exploitation Prevention and Interdiction and contains provisions on the establishment of ICAC task forces. It also calls for the designation of a senior official at DOJ responsible for the National Strategy--the National Coordinator--who is to act as a liaison with other federal entities in the development of the strategy. In January 2010, DOJ selected a National Coordinator and in August 2010, to coincide with the publication of the National Strategy, formed the National Strategy Working Group to assist with its implementation. [Footnote 24] This Working Group consists of six subcommittees that address implementation of specific provisions of the strategy, such as examining means to reduce backlogs of forensic analysis or coordinating grant funding with DOJ missions.[Footnote 25] The Act also establishes in law the ICAC Task Force Program, which is dedicated to developing responses to online enticement of children by sexual offenders, child exploitation, and child pornography. Currently, there are 61 task forces with at least one per state, as required by the Act. The Act also authorizes the Attorney General to award grants to these task forces, and in fiscal year 2010, OJJDP awarded approximately $19 million to state and local law enforcement agencies. The Act also contains provisions that require NCMEC to, among other things, minimize the number of NCMEC employees who are provided access to CyberTipline images and forward child pornography related tips to law enforcement to further investigations. According to NCMEC officials, since the passage of the Act, NCMEC has reduced the number of employees with access to CyberTipline images by 21 percent from 72 to 57 by removing access to images by employees who transfer from the NCMEC division that reviews CyberTipline reports to other divisions. NCMEC also created a "read only" level of access to the CyberTipline for employees whose job responsibilities require them to have access to CyberTipline information, but not images. The Act also requires NCMEC to provide information that relates to any apparent child pornography image of an identified child to federal, state, and local law enforcement involved in the investigation of child pornography crime. NCMEC has several initiatives underway to provide law enforcement such information. For example, according to NCMEC officials, it has established a portal that allows law enforcement agencies access to NCMEC's systems to quickly identify hash values of identified child victims.[Footnote 26] The portal separates out hash values of identified child victims from those who have not been identified so that law enforcement can quickly match hash values they receive during investigations against the database of image information. NCMEC officials said that they plan to continue to register additional law enforcement officers in 2011. Further information on DOJ's and NCMEC's status in implementing provisions of the Act is provided in appendix II. However, to date, DOJ has yet to take action on three provisions of the Act. * Specifically, the Act requires the National Institute of Justice within DOJ to prepare a report, not later than 1 year after enactment (i.e., October 2009), to identify the factors indicating whether the subject of an online investigation poses a high risk of harm to children.[Footnote 27] According to senior DOJ officials, this report has not been initiated because funds have not been appropriated for this activity under the Act, and DOJ does not have plans or a time frame to conduct such a study. However, according to the National Coordinator, an examination of how such a study would be conducted would likely be considered by the Working Group as it moves forward. * In addition, the Act requires the Attorney General to submit a report to the Judiciary Committees, not later than 12 months after enactment, on various features of the Act, including an assessment of the information-sharing structure established in response to the Act and data related to CyberTipline reports.[Footnote 28] According to officials, DOJ has not prepared this report and does not yet have a time frame for completing it. * Finally, the Act requires the Attorney General to designate, in consultation with the Secretary of State, foreign law enforcement agencies to receive CyberTipline reports from NCMEC, as well as specify the conditions under which a report may be forwarded to such foreign agencies.[Footnote 29] The Act also requires the Attorney General to develop a process for foreign agencies to request assistance from federal law enforcement related to NCMEC's reports. [Footnote 30] According to the National Coordinator, DOJ has not yet designated a list of foreign law enforcement agencies to which CyberTipline reports may be forwarded nor established a process for these agencies to request DOJ's assistance. Nevertheless, NCMEC officials said that the center currently refers CyberTipline reports to some foreign law enforcement agencies through ICE attaches, as necessary, as we discuss later in this report. DOJ officials said that they plan to coordinate with NCMEC to determine how their designation would work best with NCMEC's current process, but has no time frames for doing so. DOJ has taken action to implement many of the provisions in the Act, but DOJ has not yet completed three provisions for which it has responsibility and has no specific plans or time frames for doing so. Standard practices for program and project management state that specific desired outcomes or results, such as the implementation of these provisions, should be defined and documented in the planning process along with the appropriate milestones and time frames needed to achieve those results.[Footnote 31] By defining the steps necessary to achieve these three provisions along with appropriate time frames for completion, DOJ could better ensure that it will comply with the law and be able to obtain information that may allow it to better protect the public and further investigations. Specifically, information on the danger posed by individuals being investigated for online child pornography crime could help law enforcement agencies allocate investigative resources towards those suspects most likely to pose a risk to the public. Similarly, an assessment of the information- sharing structure and data from the CyberTipline and the designation of foreign law enforcement agencies to receive NCMEC reports could speed the process of disseminating these reports, which may facilitate investigations conducted by these agencies. NCMEC Provided ESPs Reporting Guidance and Online Detection Information: NCMEC Has Developed a Guide to Address ESPs' Concerns about Reporting Apparent Online Child Pornography: To help ESPs fulfill their responsibilities under law, NCMEC provides information to ESPs to address their concerns related to reporting apparent online child pornography to NCMEC's CyberTipline. Under the Missing Children's Assistance Act, NCMEC is authorized to operate a CyberTipline to provide ESPs with an effective means of reporting apparent Internet-related child sexual exploitation.[Footnote 32] The Act explicitly does not require ESPs to monitor their networks to detect apparent child pornography, but it requires ESPs to report the facts and circumstances of incidents of apparent child pornography, of which they become aware, to the CyberTipline.[Footnote 33] ESPs may become aware of apparent child pornography on their networks through passive means, such as receiving reports from users, or through active means, such as having personnel search for images on their networks or by monitoring chat rooms to detect instances when users may be trading illegal images. ESPs may also become aware of child pornography through technical means, such as using specialized software to detect and remove illegal files from their systems. Officials we interviewed from 18 of the 19 ESPs expressed concerns about making reports of apparent child pornography to the CyberTipline in fulfillment of their responsibilities under the Act.[Footnote 34] These concerns included:[Footnote 35] * Cost: Officials to whom we spoke from 16 of the 19 ESPs expressed concerns about the costs associated with reporting or monitoring their networks for apparent child pornography. According to officials from 4 of these 16 ESPs, devoting staff and resources to review and report apparent child pornography can be costly. Officials from 1 ESP reported that it cost $500,000 to develop a system to automate reporting to NCMEC--a reporting system they said was necessary to address the volume of instances of apparent child pornography encountered on the ESP's network. Additionally, officials from 13 of the 19 ESPs we spoke with said that establishing methods to detect apparent child pornography, while not required, can be costly to implement. For example, 4 of these ESPs said it was costly to search for key words, check their computer network for images, or provide users with a method to flag images. Further, officials from 4 of the 19 ESPs stated that costs have prevented them from implementing these types of methods, and thus they have relied solely on user complaints to detect apparent child pornography. * Technology: Officials with whom we spoke from 10 of the 19 ESPs had concerns related to technology in reporting and detecting apparent online child pornography. For example, officials from 5 of these 10 ESPs stated that making a large number of reports, which can contain hundreds of files per report and multiple submissions, can be a slow process if done manually, and officials from 3 of these 5 ESPs also stated that reporting can be technically challenging to automate. * Psychological Impact: Officials from 10 of the 19 ESPs reported having concerns over their employees' psychological discomfort that sometimes results from exposure to apparent child pornography images. * Litigation: Officials from 7 of the 19 ESPs reported having concerns about being sued as a result of their reporting responsibilities under the Act. For example, officials from 2 ESPs stated that forwarding apparent child pornography images in fulfillment of their responsibilities under the Act could make them subject to liability for possessing and transmitting such images. However, the Act states that any civil claim or criminal charge against an ESP arising from the performance of reporting or preserving information may not be brought in any federal or state court.[Footnote 36] Another official stated that the ESP is often sued for using methods to detect apparent online child pornography by the customers it reports. In response to such concerns, in August 2010, NCMEC provided a guide to registered ESPs that contained, among other things, resources ESPs could use to help report to the CyberTipline as well as information on detecting apparent child pornography on their networks.[Footnote 37] For example, NCMEC's guide includes information on how to automate reporting by building an interface between the CyberTipline and an ESP's system so that ESPs can make a large number of reports, such as several hundred, faster. NCMEC also provides information on how ESPs may address the psychological impact on employees when they view apparent online child pornography in order to make reports to the CyberTipline. For example, NCMEC's guide provides two resources for individuals who have been exposed to child pornography during the course of their work. Employees may contact NCMEC to speak to staff in its Safeguard program, and they may access OJJDP's Web site called Supporting Heroes in Mental Health Foundational Training, which provides resources such as videos, guides, and an online forum.[Footnote 38] Related to concerns about liability, the guide includes excerpts from the Act about ESPs' reporting requirements, which state that ESPs have immunity if a lawsuit is brought against them for downloading and transmitting apparent child pornography if it was during the course of fulfilling their reporting duties. NCMEC is providing ESPs with information about their responsibilities to report incidents of apparent online child pornography to the CyberTipline through the guide; however, it is too early to tell whether these concerns have been addressed.[Footnote 39] NCMEC Provides ESPs Voluntary Methods to Help Reduce Apparent Online Child Pornography, and Some ESPs Have Developed Their Own Means to Detect It: Although ESPs are not required to monitor their networks, NCMEC provides registered ESPs with voluntary proactive methods that they may use to detect apparent online child pornography and then report it as the Act requires. These methods include: * Key word lists: NCMEC provides lists that contain terms often associated with child sexual exploitation. * Uniform Resource Locator (URL) sharing: NCMEC distributes a daily list of URLs--which specify the address of a Web page and how to retrieve it--containing apparent online child pornography to ESPs. ESPs can use this information to help prevent the distribution of child pornography. For example, ESPs that host Web sites can check the URL list to ensure that none of the sites that they host are on the list. * Hash value sharing: NCMEC provides a list of hash values of apparent online child pornography to ESPs which use specialized software to detect and remove illegal files from their systems. In addition, officials to whom we spoke from 9 of the 19 ESPs reported taking their own proactive measures to detect and help reduce apparent online child pornography on their networks so that it may be reported to the CyberTipline. For example, in addition to receiving customer complaints, 4 of these ESPs said that they monitor or moderate chat rooms and forums for apparent online child pornography and 6 reported using key word lists to search for child pornography, while 3 ESPs reported that they use both of these methods. These 9 ESPs reported that they have these additional, proactive mechanisms in place to better detect apparent online child pornography because they do not want to allow such illegal activity on their Web sites. On the other hand, officials from 10 of 19 ESPs reported that they had not implemented their own additional methods. However, 8 of these 10 used NCMEC's URL and hash value sharing initiatives, according to NCMEC. The remaining 2 ESPs did not implement any methods due to cost concerns, and noted that implementing additional methods to detect apparent child pornography would be a business decision that would require them to consider costs, as well as the types of services they provide. Further, according to three civil liberties organizations we interviewed, consumers want to use the Internet freely and do not want their online activities to be monitored. They stated that ESPs' proactive monitoring also raises potential constitutional issues because if ESPs are acting as agents of the government when they search users' activities and communications, they are subject to the requirements of the Fourth Amendment to obtain probable cause and a search warrant.[Footnote 40] However, officials we spoke with from the 9 ESPs that utilize these methods stated that their terms of service specify that users cannot conduct illegal activity while on their networks, which includes the possession or trading of child pornography. Therefore, they said that methods to detect apparent child pornography are a means of ensuring compliance with the ESPs' terms of service, which is distinct from conducting government- directed searches for information. Expanding Feedback from Law Enforcement Could Help Improve the Usefulness of CyberTipline Reports and Better Address Increasing Number of Reports: NCMEC Makes CyberTipline Reports Available to Law Enforcement Based on Jurisdiction: As required under the Missing Children's Assistance Act, NCMEC refers CyberTipline reports of apparent child pornography from ESPs and the general public to federal, state, local, and international law enforcement agencies for investigation, as shown in figure 2.[Footnote 41] Figure 2: Overview of NCMEC Process for Receiving and Disseminating CyberTipline Reports: [Refer to PDF for image: illustration] ESPs and general public report incidents of apparent child pornography via the CyberTipline: CyberTipline: NCMEC prioritizes the CyberTipline reports and NCMEC analysts conduct research and analysis on the CyberTipline report. According to whether or not a geographic jurisdiction can be determined, analysts make the report available to varying law enforcement agencies: Jurisdiction can be determined: NCMEC refers the CyberTipline report (“referral”) to the respective law enforcement agency (ICACs or international partners) via a virtual private network for further investigation.[A] Jurisdiction cannot be determined: NCMEC makes the CyberTipline report available through the CyberTipline system to all federal law enforcement agency users with access, including liaisons located at NCMEC from FBI, ICE, and USPIS. Users can access all reports and sort them according to agency investigative priorities. Federal law enforcement liaisons, or staff located at NCMEC or in the field may review reports to determine if they may initiate or advance an investigation. Source: GAO analysis of NCMEC; FBI; ICE; and USPIS data. [A] Virtual private networks allow NCMEC to disseminate CyberTipline reports to ICAC task forces or international partners through secure encrypted connections. [End of figure] When a CyberTipline report is initially submitted by an ESP[Footnote 42] or the general public, the reporting party must select one of eight "reporting categories," including possession, manufacture, and distribution of child pornography.[Footnote 43] NCMEC then prioritizes the CyberTipline reports and analysts conduct research and analysis on them.[Footnote 44] This analysis may include: (1) determining whether an alleged child pornography image is that of an actual child; (2) determining whether an image in a CyberTipline report is new or has been viewed by law enforcement in the past, which may indicate whether the child in the image is currently being abused; or (3) among other things, reviewing e-mail addresses, Web addresses, and other information to determine if the offender associated with the CyberTipline report may be involved in an organized child pornography sharing ring. After processing the CyberTipline report, NCMEC analysts select a "reclassified incident type" which best describes the completed CyberTipline report. There are currently 17 reclassified incident types, including confirmed child pornography.[Footnote 45] NCMEC officials stated that once a CyberTipline report and any associated analysis has been reclassified, it does not necessarily mean the tip will be useful to law enforcement in initiating or advancing an investigation. The determination as to whether a CyberTipline report may be useful in initiating an investigation is at the judgment of law enforcement personnel. NCMEC analysts make the CyberTipline report and their analysis available to law enforcement according to whether or not a geographic jurisdiction can be determined. When the geographic jurisdiction of a CyberTipline report can be determined based on the location of the suspect, the victim, or both,[Footnote 46] NCMEC will refer the report ("referral") to the respective law enforcement agency (primarily ICAC task forces) via a secured system called a virtual private network. [Footnote 47] However, when the jurisdiction of a CyberTipline report cannot be determined because, for example, the ESP did not include a zip code or IP address, NCMEC makes the report available through the secure CyberTipline system to federal law enforcement agency users who have access to the system.[Footnote 48] As of November 24, 2010, 41 federal law enforcement users had access to this secure system, including agency liaisons from FBI, ICE, and USPIS who are located at NCMEC. The CyberTipline system allows users to access all CyberTipline reports ever submitted, as well as search for and prioritize reports of specific reclassified incident types that are of investigative interest to the agency. According to NCMEC officials, the search function was designed at the federal agencies' request to allow them streamlined access to those reports which, based on reclassified incident types, they indicated most often fall within their investigative purview. For example, the FBI liaison can choose to search for all CyberTipline reports associated with confirmed child pornography. Federal law enforcement liaisons, or staff located at NCMEC or in the field, may review reports to determine if they may initiate or advance an investigation, as described in table 2. Table 2: Overview of Process Different Federal Agencies with Liaisons at NCMEC Use to Review and Forward CyberTipline Reports for Investigation: Agency: FBI; Overview of CyberTipline report review: To address CyberTipline reports and child pornography, FBI has one liaison assigned to NCMEC who supervises two Investigative Support Specialists who review the reports. FBI officials stated that they prioritize child pornography- related CyberTipline reports based on, among other things, whether they fall within their investigative purview and whether or not a jurisdiction or subject can be determined. However, among the reports that meet those parameters, officials said that they are not able to further prioritize the reports until they open them and can determine what type of information is included in the report. When FBI Investigative Support Specialists determine that a CyberTipline report is likely to enable the agency to initiate or advance an investigation, they prepare an investigative packet, for which they supplement information from the report (or numerous other reports), with FBI data as well as data from other sources. They then submit the packet to the FBI liaison who reviews it and forwards it to FBI field agents for investigation. Agency: ICE; Overview of CyberTipline report review: According to ICE officials, while ICE can access and review CyberTipline reports in the CyberTipline system, most CyberTipline reports reviewed by ICE officials are sent directly to them via e-mail from NCMEC analysts. In addition, according to officials, ICE uses its resources to assist NCMEC in disseminating CyberTipline referrals to foreign law enforcement agencies. ICE has established virtual private network connections in approximately 10 countries, allowing the dissemination of CyberTipline referrals to the responsible law enforcement agencies in these countries. Agency: USPIS; Overview of CyberTipline report review: Currently, the USPIS liaison located at NCMEC does not review CyberTipline reports; rather up to five field postal inspectors with subject matter expertise have access to the CyberTipline system and review the reports. According to the Child Pornography National Program Manager for USPIS, NCMEC also e- mails CyberTipline reports determined by NCMEC analysts to have a nexus to the mail directly to the USPIS liaison located at NCMEC. The liaison then sends any CyberTipline report that has a solid U.S. mail nexus to the field for attention. The official said that the agency focuses on CyberTipline reports that have (1) a viable nexus to U.S. mail, (2) a viable mailing address, and (3) cooperation of the victim and/or the reporting party (e.g., parent or guardian). The official added that a new liaison would be assigned to NCMEC in the spring of 2011 and that this individual would review CyberTipline reports. Source: FBI, ICE, and USPIS. [End of table] The CyberTipline provides leads for federal, state, and local law enforcement agencies, along with their own sources, such as undercover investigations. For example, according to FBI officials, the FBI develops approximately 100 to 200 investigative leads per year to be used to initiate investigations based on CyberTipline reports, and a USPIS official estimated that about 10 percent of leads come from the CyberTipline. Officials we interviewed from seven of the eight task forces stated that CyberTipline reports make up 50 percent or more of their leads, and five of those seven reported receiving between 80 to 95 percent of their leads from CyberTipline reports.[Footnote 49] Soliciting Additional Information on the Usefulness of CyberTipline Reports Could Help NCMEC Ensure Reports Are as Useful as Possible to Law Enforcement: The number of CyberTipline reports NCMEC received and made available to law enforcement agencies has increased over the past few years, making it important that these reports are as useful as possible to the law enforcement agencies investigating online child pornography. According to NCMEC, the number of CyberTipline reports determined by federal law enforcement agencies to be most often within their investigative purview has increased by about 134 percent from about 74,000 in 2008 to about 173,000 in 2010. Similarly, the number of CyberTipline reports that NCMEC referred to ICAC task forces increased about 71 percent from about 14,000 in 2008 to about 24,000 in 2010. [Footnote 50] However, according to the FBI liaison at NCMEC and officials in six out of eight ICAC task forces we contacted, information in individual CyberTipline reports was not always useful for initiating law enforcement action, such as obtaining a subpoena, initiating an investigation, or executing a search warrant.[Footnote 51] For example, according to these officials, reports initially submitted to NCMEC by the ESP or the general public may: * not contain information, such as an IP address or an image; * contain old data provided by ESPs, which may prohibit obtaining a subpoena; * contain an image that did not meet the legal definition of child pornography; or: * include information that is not a violation of child pornography laws in general or in a particular state. NCMEC makes these CyberTipline reports that do not contain certain information, such as an IP address or image, available to law enforcement because, according to NCMEC officials, it believes that law enforcement may be able to use other information in the report to further other investigations. For example, according to these officials, a CyberTipline report may have an e-mail address or username that is associated with a known offender, and the information in it may be useful to an ongoing law enforcement investigation. Federal law enforcement officials from FBI, ICE, and USPIS who work directly with NCMEC, as well as officials in five of the eight ICAC task forces, stated that receiving such reports could be useful, for example, to furthering other ongoing or future investigations. NCMEC takes steps to obtain feedback on the usefulness of CyberTipline reports made available to law enforcement. Specifically, NCMEC solicits feedback via e-mail or in person each quarter from the federal law enforcement liaisons at NCMEC about the usefulness of the CyberTipline reports overall. According to NCMEC officials, the questions they pose vary and are intended to obtain a general idea of the usefulness of the CyberTipline reports. Officials from FBI and USPIS who work directly with NCMEC in reviewing CyberTipline reports confirmed that they speak to NCMEC officials on a continuous basis to discuss the status of CyberTipline reports that they have taken action on and their outcomes, as well as how the process of providing reports could be improved. For ICAC task forces, NCMEC sends a feedback form approximately 8 weeks after referring a CyberTipline report that includes a question asking whether or not the information provided by NCMEC's analysts in the CyberTipline report was useful.[Footnote 52] However, NCMEC does not systematically collect information on how useful individual reports are to initiating and advancing investigations from law enforcement users or the extent to which reports contain specific types of information law enforcement may need. For example, NCMEC does not have a systematic process--a standard set of questions applied consistently over time--for obtaining information from federal liaisons about why individual CyberTipline reports may or may not be useful in initiating or advancing investigations and what the information gaps are that limited their usefulness. Similarly, NCMEC does not ask ICAC task forces why individual CyberTipline reports were or were not useful and how they could be made more useful. Capturing this type of feedback could help NCMEC work with law enforcement to determine which reports do not assist in initiating and advancing investigations, why not, what key information is missing, whether NCMEC could add more analysis to supplement reports, and what steps it might take to assist ESPs in including as much useful information as possible in future CyberTipline reports. In addition officials in six of the eight ICAC task forces we selected reported that such an assessment of which elements make a CyberTipline report more useful could enhance law enforcement's ability to use the information to further investigations. For example, one commander noted that such an assessment would be helpful in providing a more focused report for investigative follow-up. Soliciting such information about the usefulness of CyberTipline reports is consistent with best practices, such as regularly soliciting stakeholder input and involving stakeholders early and throughout the decision-making process that we have previously reported for effectively meeting stakeholder needs.[Footnote 53] Further, we have reported that by comprehensively soliciting feedback from all of its users, an agency can better ensure that it has a full picture of the needs of those users and how well it is meeting those needs, and can also make improvements that are relevant to them. [Footnote 54] NCMEC officials acknowledged that they would like to obtain more feedback from law enforcement agencies and could explore more targeted ways of obtaining it. For instance, during our meetings with NCMEC officials, these officials discussed ways to facilitate the better collection of feedback, such as creating a systematic process for obtaining feedback from the federal agencies; adding additional questions geared toward understanding why an individual CyberTipline report was or was not useful; developing an easier-to-use electronic feedback form; or holding ongoing discussions with ICAC commanders on how the process of collecting feedback can be improved. However, NCMEC officials said that they did not yet have plans in place for implementing such feedback mechanisms in part because they do not want to overburden law enforcement agencies. Our interviews with law enforcement agencies indicate that these agencies see benefit in having this feedback. Taking steps to work with law enforcement to determine effective ways to enhance its feedback processes could help NCMEC better ensure that law enforcement receives the most useful information to initiate and advance investigations and could also help NCMEC provide more focused guidance to ESPs in terms of what types of information to include in CyberTipline reports. Existing Deconfliction Mechanisms, While Fragmented, Generally Prevent Pursuit of the Same Suspects; DOJ Is Starting to Develop a National System: Deconfliction Mechanisms Vary but Generally Help to Avoid Duplication of Effort: In 22 of 28 interviews we conducted with cognizant supervisory special agents from FBI, ICE, and USSS; postal inspectors; and ICAC task force commanders in the judicial districts we visited, law enforcement officials reported that they concurrently used various automated and nonautomated deconfliction mechanisms to help resolve conflicts in online child exploitation investigations and prevent pursuit of the same suspects.[Footnote 55] Nonautomated procedures include: the use of interpersonal relationships or contacts between investigators from different law enforcement entities or task forces to resolve case conflicts; deconfliction reports and services that NCMEC provides to ICAC task forces and federal law enforcement agency personnel; and exchanges of law enforcement information through area Project Safe Childhood coordinators.[Footnote 56] For example, an ICE Assistant Special Agent in Charge (ASAC) we interviewed reported that deconfliction is often accomplished through interaction between agents from the different agencies investigating the case. The agency with the best evidence generally conducts the investigation, in some instances with assistance from other law enforcement agencies. In instances where law enforcement agencies determine through these mechanisms that they are pursuing the same target, officials said that an option is for one agency to discontinue its investigation and allow another agency to pursue the target instead. The agencies involved can compare the evidence each one has collected as well as the focus of their investigations before determining which agency is in the best position to proceed with the investigation. These officials also said that deconfliction is important because there is potential for inefficiencies and waste of investigative resources when multiple agencies are pursuing the same target. For example, an FBI Supervisory Special Agent cited an instance when the agency learned that a local law enforcement agency had already made contact with a suspect a month before the FBI served a search warrant. Not all duplication is inefficient, however, as there are instances where multiple agencies pursue the same target for different offenses. For example, one agency may be investigating the target as a suspect for distribution of child pornography and another investigating the target for sexual abuse. Nevertheless, in 22 of 28 interviews, officials said that they are able to resolve most case conflicts by using a combination of nonautomated and automated deconfliction mechanisms. Officials in 14 of the 28 interviews also reported using automated investigative systems to identify information and track suspects engaging in trafficking child pornography online.[Footnote 57] These investigative systems covertly identify and monitor computer networks where users share files directly with one another, also known as peer- to-peer file sharing.[Footnote 58] These covert investigative systems also provide deconfliction for investigators allowing registered users to share case information and avoid initiating duplicate investigations on targets already under investigation. In 12 of 28 interviews, law enforcement officials also reported avoiding pursuing the same child pornography targets by checking information about a suspect against external law enforcement databases, such as the SafetyNet system in New York, and systems containing national crime data, including the National Crime Information Center.[Footnote 59] These databases can be used to ascertain whether a target has a criminal history or is also under investigation by other law enforcement entities, among other things. However, law enforcement officials in 7 of 28 interviews, as well as two senior DOJ officials, reported limitations with the existing automated investigative systems and law enforcement databases that can impact their usefulness in child pornography investigations. Among the limitations, these officials stated that an automated system or database does not exist that provides comprehensive case information and deconfliction for all federal, state, and local law enforcement agencies. Since a comprehensive deconfliction system for all law enforcement entities is not yet available, the automated systems in use provide investigators with partial case information because, in general, these systems and databases are not integrated. For example, the investigative systems do not integrate information, in part, because the systems are developed by different organizations, and the developers limit access to case information to registered users of their systems in order to control who has access to investigative information. These officials also reported that another factor that contributes to the absence of a comprehensive national system for deconfliction are prohibitions by federal and state agencies which restrict access to investigative information by external law enforcement entities. For example, according to DOJ, the FBI always must consider case and security concerns when sharing information. In addition, a DOJ Deputy Associate Administrator said that federal agencies have requirements to use their own data systems, which often allow limited or no external access to other entities. DOJ officials also agreed that because of the partial or fragmented information, the available automated systems may contribute to information sharing obstacles between agencies and difficulties in coordinating actions between investigations. These officials agreed further that this can also impede compilation of strategic information on the most dangerous offenders and adversely impact identifying new trends that offenders are using online to attempt to exploit children. DOJ is beginning to develop a national system to address some of these shortcomings, as we discuss in the following section. DOJ Is in the Early Stage of Developing a National System to Provide a Deconfliction Tool: The Act requires the Attorney General to develop a National Internet Crimes Against Children Data System (NIDS), an online data system that is to include information-sharing capacity, case deconfliction, and other capabilities. According to the Act, the purpose and intent of NIDS, among other things, is to create a deconfliction system for ICAC task forces, as well as for federal, state, local, and tribal law enforcement agencies that investigate and prosecute child exploitation crimes. The planned deconfliction component is to allow authorized law enforcement agencies to access NIDS and contribute information to resolve conflicts in online child pornography investigations. DOJ officials overseeing the development of NIDS reported that NIDS is intended to address the known deconfliction limitations of existing investigative systems, such as reporting partial or fragmented case information, as well as the lack of data sharing among various law enforcement entities due to system integration. The officials stated that NIDS is also to incorporate new and emerging technologies, rather than being based solely on existing investigative systems. Appendix III provides a description of NIDS functions required by the Act. The Act does not specify a time frame for NIDS implementation, but according to senior DOJ officials, issuance of the solicitation for the development of NIDS was delayed until spring 2010 because the National Coordinator had not been selected, funding was not sufficient to construct the NIDS system, and the complexity of the system made it difficult to develop and implement. More specifically: * DOJ issued the initial solicitation for the construction, maintenance, and housing of NIDS in March 2009, 9 months before it selected a National Coordinator. Once a National Coordinator was appointed in January 2010, DOJ decided to issue a revised solicitation to, among other things, conduct a needs assessment to collect requirements information for the future development of NIDS. DOJ issued this revised solicitation in June 2010. Generally accepted information technology system development practices call for organizations to follow a disciplined approach, including performing a needs assessment to define system requirements prior to beginning system acquisition activities.[Footnote 60] As described later, this information is to serve as an assessment of technical requirements for the construction of NIDS, and DOJ plans to use the requirements as the basis to determine how to build NIDS. * The National Coordinator reported that funding was not appropriated to support development of a system as complex as NIDS. The Act authorizes $2 million for NIDS in each of fiscal years 2009 through 2016. However, DOJ officials stated that the agency did not request funds for NIDS in the fiscal year 2012 President's Budget because American Recovery and Reinvestment Act of 2009 (ARRA) funding was available beginning in 2009 and extending to the end of fiscal year 2010.[Footnote 61] DOJ is funding the NIDS needs assessment project through an ARRA grant it awarded to the ICAC task forces, which provided about $921,000 and was obligated in fiscal year 2010 and is to run through fiscal year 2011. DOJ officials noted that the department has not yet developed a projection of the cost to construct and implement NIDS because it must first determine the technical requirements for NIDS. * The National Coordinator also reported significant challenges associated with the development of NIDS. Among these challenges, the Act requires NIDS to incorporate a method for law enforcement to conduct covert investigations of child pornography suspects online and provide for a case deconfliction system, as well as gather and analyze child pornography related data, among other things. In addition, the National Coordinator said that DOJ must ensure NIDS is accessible by ICAC task forces, and federal, state, local, and tribal law enforcement agencies, which presents a challenge because the systems these entities use may not be compatible. The National Coordinator reported that a system with the intended capacity of NIDS will be a challenge to construct; however, DOJ officials believe it can be accomplished and stated that an interim step in the process of constructing it will be the development of the needs assessment to determine NIDS requirements. In general, the 2010 NIDS needs assessment grant solicitation is for evaluating case deconfliction and covert investigative capabilities of existing software and investigative tools. The solicitation is also for determining the information reporting capabilities among federal, state, and local law enforcement agencies to assist in identification of offenders; identifying the shortcomings in these agencies' systems and developing new software and investigative tools that address these identified shortcomings; assisting law enforcement agencies in covert investigations; and supporting research to identify and predict which offenders are most dangerous so that DOJ can use that information to identify high-priority suspects to timely report them to law enforcement agencies. In September 2010, after conducting a competitive solicitation for proposals and an external peer review process for the NIDS proposal, DOJ selected an existing ICAC task force agency, the Massachusetts State Police, as the grantee.[Footnote 62] The grant recipient, along with the Pennsylvania ICAC task force and the University of Massachusetts Amherst, previously developed an investigative system which is currently in use by 58 of 61 ICAC task forces nationwide.[Footnote 63] Because of this experience, expertise reflected in the proposal submitted, and the recommendations of the external peer reviewers, DOJ determined this grant recipient would be qualified to complete the needs assessment and other activities as required by the 2010 NIDS solicitation. In October 2010, DOJ initiated the effort to conduct a needs assessment to identify NIDS requirements and plans to complete the effort within 12 to 24 months. Until this initial work is done, however, DOJ will not know precisely when NIDS is to become operational. Therefore, the national deconfliction system the Act requires may not be operational for a number of years. In the meantime, however, DOJ has approved the continued use of existing automated systems for case deconfliction purposes as a stopgap measure. Backlogs in Forensic Analysis of Digital Evidence and Length of Time ESPs Retain User Data Can Hinder Investigations: Assessing the Costs and Benefits of Forensic Analysis Steps Could Help Determine Efficiencies to Reduce Backlogs: According to prosecutors in DOJ's CEOS, the information contained on a suspect's hard drive is key to an investigation of online child pornography, and the forensic analysis of suspects' computers is the most important aspect of an investigation of this crime. Forensic analysis of digital evidence includes the extraction and review of information from digital media, such as computer hard drives, and can prove possession, receipt, distribution, or production of online child pornography.[Footnote 64] However, headquarters officials we interviewed responsible for overseeing forensic analysis to address child pornography crimes from FBI, CEOS, ICE, USSS, and USPIS all reported that forensic resources available to review digital evidence in support of investigations and prosecutions of online child pornography crime are scarce relative to the demand for such services. Further, they all stated that backlogs in the forensic analysis of suspects' computers to extract and analyze evidence, such as images or chat logs, may delay and, in some cases, hinder investigations and prosecutions of offenders.[Footnote 65] According to a 2007 FBI memorandum, subjects of a child pornography investigation are usually not arrested when a suspect's computer is seized, but after full forensic examination is completed, which, according to DOJ officials, may take a period of 1 week to over 1 year in some cases, depending on the level of detailed forensic analysis requested by prosecutors or investigators, or because of the needs of the individual case. However, ICE and FBI agents we interviewed who investigate these crimes stated that if there is a perceived imminent threat from the suspect, such as evidence that a child is being abused, the suspect may be arrested immediately or forensic analysis of the suspect's computer may be expedited to facilitate faster arrest. FBI's 2007 memorandum also expressed a concern that delays in charging suspects while forensic examinations take place could allow potential abusers of children to remain free to commit additional crimes until digital evidence had been examined, and it is determined there is enough evidence to arrest and indict the suspect. The memorandum went on to state that it is possible that this scenario can lead to increased exposure of children to child predators. Similarly, the National Academy of Sciences[Footnote 66] reported in a 2009 review of forensic practices that backlogs in any area of forensic analysis, including analysis of digital evidence, can contribute to the release of guilty suspects who go on to commit further crime, as well as result in delayed investigations of those who are not yet charged.[Footnote 67] DOJ headquarters prosecutors stated that no comprehensive statistics exist as to whether or to what extent suspects have continued to engage in child pornography crime while their computers are analyzed. However, federal law enforcement officials we interviewed who investigate these crimes stated that suspects have, in some instances, continued to commit crimes. For example: * ICE officials in Kansas City stated that after being served a search warrant, one suspect purchased a new computer and continued to engage in the receipt of online child pornography. * ICE Cyber Crimes Center officials stated that after one California suspect's computer was seized, he purchased a new computer and warned individuals with whom he had been trading child pornography images that an investigation was taking place. Several Factors May Contribute to Backlogs in Forensic Analysis of Digital Evidence: Headquarters officials from FBI, ICE, CEOS, USPIS, and USSS that we interviewed who oversee forensic analysis all identified several factors that may contribute to backlogs in forensic analysis. These include the increase in the volume of people using computers and the Internet, the low cost and ease of obtaining digital media storage capacity, and the wide variety and constant evolution of technologies being used by offenders. For example, FBI statistics show that the volume of data processed at its Regional Computer Forensic Laboratories[Footnote 68] has increased almost 3,000 percent, from approximately 82 terabytes in fiscal year 2003 to 2,334 terabytes in fiscal year 2009.[Footnote 69] In addition, variations in the amount of digital evidence federal prosecutors request to be reviewed in support of prosecutions of online child pornography crimes may increase the amount of time needed for forensic analysis of digital evidence and further contribute to backlogs. For example, two senior officials from FBI's Digital Evidence Section stated that requests by some federal prosecutors that all digital information be reviewed for a given prosecution can increase the amount of time needed at FBI labs for each examination, which further contributes to backlogs at these labs. According to these officials, hard drives and other digital media obtained during investigations could contain hundreds of thousands of images and movies of child pornography, and to review all of them for a single investigation could take a forensic examiner or investigator several months, which may not be efficient. Alternatively, these FBI officials also stated that a strategy that calls for more thorough reviews of digital evidence for those cases where the suspect's characteristics indicate that the person may pose a physical danger to children would more efficiently allocate scarce forensic resources.[Footnote 70] This, in turn, could allow those resources to be used to conduct forensic analysis on a greater number of suspects, which could increase DOJ's ability to prosecute a greater number of offenders. However, prosecutors we interviewed in DOJ headquarters noted that thorough reviews of suspects' digital media can be important because images and movies on that digital media may contain evidence that a child is currently being abused by the suspect. If not all information is reviewed, prosecutors may not be able to prosecute the offender on all charges for which the person is guilty, and all children who are currently being abused may not be identified. In addition, senior DOJ officials we interviewed stated that a "tiered" strategy that makes more use of forensic review of a suspect's computer in his or her residence may allow for efficiencies in the forensic process. For example, according to FBI and ICE agents we interviewed who investigate these crimes, reviewing a suspect's computer within their residence allows law enforcement officers to remove only those computers that are most likely to contain child pornography, which can reduce the number of computers that must be analyzed as well as make it more likely that a suspect confesses. According to prosecutors in DOJ headquarters, increased use of on- scene forensic review of suspects' computers may also, in some cases, negate the need to send a suspect's computer to a forensic examiner for review. All of these factors may, in turn, reduce backlogs in forensic analysis. Senior DOJ officials noted that these types of case- by-case decisions are currently being made in the field based on, among other things, the resources available to conduct forensic analysis within the judicial district and the priorities of the U.S. Attorney's Office. Another factor that FBI, CEOS, USPIS, and USSS headquarters officials we interviewed who oversee forensic analysis all stated increases backlogs is the steps federal law enforcement agencies take to ensure the integrity of analysis conducted by forensic examiners, which add to the time necessary to complete examinations. According to all of these law enforcement officials, finding apparent child pornography or other evidence on a suspect's digital media can be done by, among other things, conducting key word searches or opening digital folders on the suspect's hard drive to review individual images or movies. Steps taken to ensure the integrity of these activities--such as making exact copies of digital evidence on which to conduct any analysis and taking hash values of original evidence before examinations are conducted--are meant to provide a level of assurance that evidence is not tampered with and that examinations can withstand legal challenges in court.[Footnote 71] However all of these officials stated that these steps may add several hours to several weeks to the laboratory examinations of digital evidence, especially for large volumes of data, and add to the time that subsequent requests for analysis must wait in the queue, which further contributes to backlogs. For example, making an exact copy of a suspect's hard drive may take several days and must be completed before analysis of the information on the hard drive takes place.[Footnote 72] The FBI, through its Computer Analysis Response Team program, takes additional steps to further ensure the integrity of its examination system.[Footnote 73] These steps include: * Requiring uniform training, certification testing, annual proficiency testing and annual continuing education for all certified FBI digital evidence forensic examiners. * Documenting all examination processes, including search and review activities undertaken by the forensic examiner, so that they can be duplicated by another examiner, if necessary, to ensure accountability and accuracy. * Adhering to written forensic protocols which inform the actions of forensic examiners and which are subject to review and audited for compliance. * Separating the forensic examination and investigative search portions of the forensic review. Forensic examiners typically authenticate and extract subsets of data, such as images or chat logs, from seized digital media which has first been reviewed and searched by investigators. FBI agents then conduct content analysis of these data after examiners extract and deliver them to identify information relevant to a specific investigation. * Conducting peer reviews of forensic examination reports. Officials from FBI's Digital Evidence Section stated that these additional steps, while increasing the amount of time necessary to conduct analysis, help to refute any potential claims that there exists a bias on the part of the examiner that influenced the results of a forensic examination. Specifically, the officials stated that these measures are designed to mitigate against the risk that untrained or unqualified forensic examiners could alter digital evidence, which could lead to innocent individuals being sent to prison. Further, the officials said that initiating these additional steps ensures a degree of separation between agents--who conduct an investigation--and examiners--whose primary function is to carry out specific examination activities prescribed by the agents--and is a means of ensuring that investigative bias cannot easily be introduced in the digital forensic analysis process, particularly with respect to forensic expert opinion analysis relating to questions of how, when, why, and by whom data were created, modified, destroyed, or altered. However, headquarters officials we interviewed at CEOS, ICE, and USSS disagreed on the need for such additional steps because they believe the additional steps are not needed to support a successful prosecution and the steps increase the costs and time needed for analysis to take place, thereby further increasing backlogs. All of these officials stated that they do not routinely incorporate all of these additional steps because they do not believe that the addition of these extra steps would discernibly impact the overall integrity of the forensic analysis.[Footnote 74] For example, these officials stated that it is not necessary to separate examiners who extract digital evidence from hard drives from law enforcement agents who review the extracted information; evidence of a suspect's guilt on his or her hard drive is either present or not. These officials noted that unlike other areas of forensic analysis, such as footprint or hair analysis where there is a concern that bias may impact interpretations of results, there is little opportunity for bias on the part of the forensic examiner to affect the results of an investigation. They all added that the steps already in place, specifically copying and taking hash values of original evidence, ensure that any effort to alter the material on a suspect's hard drive would be detected. Six of the seven prosecutors we spoke with stated that they were generally indifferent as to which federal law enforcement agency conducted forensic examinations, and there was no discernable difference in the quality or usefulness of forensic analysis conducted by the different agencies. However, headquarters prosecutors we interviewed stated that the time it takes to receive reports from different agencies varies by district nationwide. In addition, these officials noted that there were differences in the content and subjectivity of the forensic reports that agencies prepared to present examination results. For example, they opined that reports that included detailed information about how the forensic examination was conducted, what was found, and what it means provide prosecutors with more useful data, and one prosecutor indicated that he preferred the format of forensic reports used by some law enforcement agencies over others. While these variations exist, senior DOJ officials noted that the government's analysis of digital evidence is repeatedly subjected to challenges in court when the government puts on its case, and must be determined by a judge to meet standards for admissibility. These officials noted that CEOS computer forensic specialists conduct forensic analysis of digital evidence in cases prosecuted across the country and have presented the results in court frequently over the last several years in numerous cases; however, DOJ is unaware of such evidence being suppressed or ruled inadmissible by any court in any case due to a lack of integrity in the forensic analysis process. According to DOJ headquarters prosecutors, this indicates that the forensic analysis provided by all federal law enforcement agencies to support prosecutions of offenders has incorporated a sufficient amount of integrity into the process. DOJ Working Group Could Assess the Costs and Benefits of Forensic Analysis Steps to Identify Efficiencies: DOJ convened a working group in August 2010, coinciding with the publication of the National Strategy, to carry out elements of the strategy, and this working group established a Technical Assistance Subcommittee, which is responsible for examining technological issues related to combating child exploitation, including forensic analysis of digital evidence. The Act requires DOJ to include in its National Strategy a review of the backlog of forensic analysis for child exploitation cases and plans for reducing the forensic backlogs. [Footnote 75] In response to this requirement, the subcommittee is examining forensic analysis of digital evidence, including efforts to reduce backlogs.[Footnote 76] Specifically, according to the National Coordinator, the working group is reviewing different methods used among the federal agencies to identify practices that may reduce backlogs, such as increased review of computers within a suspect's residence before taking them to a laboratory for forensic examination. However, the National Coordinator said that such a review will not explicitly assess the costs and benefits of steps taken by federal agencies to ensure the integrity of the forensic examination process or the separation of the examination and investigative functions in forensic analysis. Specifically, the working group does not currently plan on assessing whether any enhancement of the credibility of digital evidence resulting from steps taken by federal law enforcement agencies to ensure the integrity of the forensic examination process will outweigh the costs associated with performing these additional steps, such as whether backlogs that may result from implementing these steps will allow offenders to remain on the street for a longer amount of time while evidence is being forensically examined. Differences in steps for conducting forensic analysis of digital evidence exist; however, no federal agency or working group we spoke to has assessed the costs and benefits of steps taken to ensure the integrity of forensic analysis used by federal law enforcement agencies that investigate and prosecute online child pornography crime due to an overall satisfaction with their own individual digital forensic examination processes to date. OMB cites assessments of costs and benefits as key in the consideration of alternative means of achieving program objectives by examining different program methods. OMB also states that these assessments that serve as a basis for evaluating government programs or policies should identify societal costs and benefits, as well as discuss any trade-offs that may not be quantifiable.[Footnote 77] For example, this could include examining qualitative factors--such as delays in arrest and prosecution, which may expose the public to offenders and concerns regarding the integrity of forensic analysis conducted by the government, which could impact the credibility of evidence presented in federal prosecutions--as well as quantitative factors such as financial costs of conducting forensic analysis of digital evidence. According to the DOJ's National Coordinator, the Working Group and its Technical Assistance Subcommittee are in a good position to address backlog issues due to its multiagency membership.[Footnote 78] As the Working Group and its Technical Assistance Subcommittee review different methods of reducing backlogs, assessing the costs and benefits of steps taken to ensure the integrity of forensic analysis, including impacts on timeliness of analysis, could help it to determine potential efficiencies while providing a level of assurance that evidence is presented consistently and is of high quality. This assessment could involve reviewing steps, such as creating copies of digital evidence and separating examination and investigation functions, and determining whether, and to what extent, these steps enhance the credibility of forensic review and do not create undue backlogs. Such an assessment could further provide assurance to law enforcement agencies that conduct forensic analysis of digital evidence that scarce forensic resources are being allocated in a way that maximizes their efficiency and effectiveness. ESP Data Retention Is a Concern, but Officials We Interviewed Were Generally Able to Obtain Data from ESPs or through Other Means: According to CEOS, FBI, ICE, and USSS headquarters officials, data from ESPs, such as IP addresses, can be traced back to offenders, and this information is often key to investigations of online child pornography crime. In June 2010, the Online Safety and Technology Working Group (OSTWG) reported that data retention--the period of time ESPs retain data entered or transmitted by users to their networks--is a very contentious issue with competing needs and concerns from law enforcement, the Internet industry, and consumer privacy advocates. [Footnote 79] Currently, unlike data included in reports to NCMEC, ESPs are generally not required to retain user data not reported to NCMEC that could provide investigators evidence for any specified amount of time.[Footnote 80] According to OSTWG's report, the perspective of law enforcement is that mandatory data retention sufficient to facilitate investigations of online crimes would allow law enforcement to solve more crimes involving the sexual exploitation of children because more information from ESPs would be available to support investigations. Similarly, in January 2011, a Deputy Assistant Attorney General within DOJ testified that data retention is fundamental to the department's work in investigating and prosecuting almost every type of crime. He stated, for example, that in one case, investigators sent legal process--such as a subpoena, court order, or search warrant--to ESPs seeking to identify distributors of child pornography based on IP addresses that were 6 months old or less. Of the 172 requests, they received 33 responses (about 19 percent) noting that the requested information was no longer retained by the company because it was out of their data retention period.[Footnote 81] Alternatively, the OSTWG report stated that the industry perspective is that, while the cost of data storage has fallen over the years, the true cost of data retention comes from having to protect increasing amounts of users' private data from online criminals who may try to access this information to commit crimes, such as identity theft. Similarly, Internet and consumer privacy advocates testified about concerns with mandatory data retention. For example, in January 2011, the executive director of the U.S. Internet Service Provider Association testified before Congress that a data retention mandate would bring with it a complex regulatory framework that would impose new and unforeseen costs, legal risks, and burdens to the Internet industry.[Footnote 82] Also in January 2011, an official from the Center for Democracy and Technology testified that mandatory data retention requirements would aggravate the problem of identity theft and damage competition and innovation in the Internet industry. [Footnote 83] However, headquarters law enforcement officials we spoke with from FBI, CEOS, and ICE, as well as officials from eight of the ICAC task forces, all stated that current ESP data retention periods may be insufficient to facilitate investigations and prosecutions of online child pornography crime.[Footnote 84] Specifically, all of these officials stated that data--such as IP addresses and any corresponding user information which an address may help identify (i.e., name, credit card, and bank account number)--allow law enforcement to identify who possessed, distributed, and manufactured images of child pornography. For example, according to ICE Cyber Crimes Center officials we spoke with, if an offender subscribes to a Web site that sells child pornography, the IP address of the computer associated with that suspect and transaction can be traced back to an individual offender. According to these officials, a law enforcement agency can subpoena an ESP for identifying information, such as name and address, for the individual who had that IP address at the time that the transaction took place.[Footnote 85] However, in some instances, there is a gap in the amount of time between when a child pornography offense occurs and when it is detected by law enforcement. If the ESP does not maintain information on which of its users was associated with a particular IP address, law enforcement will likely not be able to obtain this information, in which case an investigation may not be able to proceed. Officials from 17 of the 19 ESPs we spoke with stated that in general their data retention policies were based on business considerations, such as the types of services provided.[Footnote 86] For example, officials from 4 ESPs that offered paid services, such as Internet connectivity, stated that they keep billing information, such as address or payment history, indefinitely, while officials from 3 ESPs that operate social networking sites stated that they keep user data until the user cancels his or her account. We discussed the extent to which they were able to obtain information from ESPs they contacted with officials from the eight ICAC task forces we selected. Officials from six of the eight said they were able to obtain information from ESPs that enabled them to further their investigations about 80 percent of the time or more.[Footnote 87] In addition, officials from these six task forces stated that when they were not able to obtain information from an ESP, they were generally able to obtain relevant information--such as IP addresses or image data--through other means, such as by interviewing suspects at their residences or reviewing information on their computers. According to the OSTWG report, there is not a consensus on whether any data retention mandates should be imposed on ESPs. Such mandates would require legislative action. The report concluded that data retention is about striking a balance among (1) law enforcement's legitimate need to investigate and prosecute crimes against children carried out or facilitated by the Internet; (2) end users' legitimate privacy expectations; and (3) ESPs' cost of data retention, costs which ultimately get passed onto consumers. Conclusions: With dramatic increases in the numbers of online child pornography offenders and new technologies and tools that these offenders can use to produce and distribute child pornography, Congress passed the PROTECT Our Children Act of 2008 and DOJ and NCMEC are responding to the provisions of the Act. However, DOJ has not implemented three provisions--that address studying the potential danger posed by child pornography offenders, designating foreign law enforcement agencies that can receive reports from NCMEC's CyberTipline, and developing a report on DOJ's information-sharing structure--and has not yet established specific plans or time frames for doing so. Developing steps and time frames for fulfilling these three provisions, as required, may also help better ensure that law enforcement resources are more optimally focused on dangerous offenders as well as help ensure that investigative information is disseminated on a timelier basis. Also since passage of the Act, NCMEC has developed guidance for ESPs to help them in reporting tips and has played a key role in coordinating law enforcement efforts through the operation of its CyberTipline. However NCMEC could take steps to enhance the feedback it receives from law enforcement on the usefulness of CyberTipline reports. Doing so could help NCMEC ensure that these reports consistently contain as much information as possible to help law enforcement take actions, such as advancing investigations, which is critical given the increase in the number of CyberTipline reports. Finally, key to every investigation and prosecution of online child pornography crime is forensic analysis of digital evidence. Among the factors that federal law enforcement officials cited as limiting investigations and prosecutions were variations in the steps that agencies believe enhance integrity of forensic analysis of digital evidence. In some cases, these steps may increase the time it takes to analyze evidence and add to backlogs and delays. DOJ's working group examining forensic issues, due to its multiagency composition, is in a position to assess the costs and benefits of steps taken by different agencies to ensure the integrity of forensic processes. Such an assessment could help identify possible efficiencies in these steps and provide assurance to law enforcement agencies that conduct forensic analysis of digital evidence that scarce forensic resources are being allocated in a way that maximizes their efficiency and effectiveness. Recommendations: To help ensure that DOJ fulfills its obligations as outlined in the PROTECT Our Children Act of 2008 as well as enhance its ability to address online crimes against children, we recommend that the Attorney General define the steps it plans to take and time frames for completing the three provisions of the Act that it has not yet implemented. To help ensure that NCMEC maximizes the feedback it receives from law enforcement agencies about the usefulness of CyberTipline reports in initiating and advancing investigations, we recommend that NCMEC's Chief Executive Officer work with its law enforcement customers to enhance its processes to collect feedback from law enforcement about the usefulness and quality of individual CyberTipline reports and use this information to make any necessary improvements it identifies. To help address backlogs in forensic analysis of digital evidence conducted in support of investigations and prosecutions of online child pornography crime, we recommend that the Attorney General direct the National Strategy Working Group and its Technical Assistance Subcommittee to assess the costs and benefits of the various steps federal law enforcement agencies believe enhance the integrity of forensic analysis of digital evidence in investigating online child pornography crimes, which may be quantitative or qualitative, to identify any efficiencies in the processes agencies use to help them to make more informed decisions on the efficient allocation of limited forensic resources. Agency Comments, Third Party Views, and Our Evaluation: We provided a draft of this report to DOJ, NCMEC, DHS, and USPIS for review and comment. DOJ and NCMEC provided written comments, which are reprinted in appendix IV and V and evaluated below. In commenting on our draft report, DOJ stated that it generally concurred with our recommendations and discussed actions it had taken or plans to take, which address in part, our recommendations. DOJ concurred with our first recommendation to define the steps it plans to take and time frames for completing three provisions of the Act and outlined efforts to address the provisions. For example, in terms of the requirement for NIJ to prepare a report to identify the factors indicating whether the subject of an online investigation poses a high-risk of harm to children, DOJ noted that the grantee selected to develop NIDS would, as part of this effort, provide a paper addressing the dangers posed by child pornography offenders and recommending further research paths. Documentation provided by DOJ indicated that the grantee, as part of the development of the NIDS system would, among other things, conduct a literature review about the links between child pornography and hands-on molestation and develop a research design to address gaps in assessing dangers from child pornography offenders. While these activities are important steps to providing law enforcement with additional information on potential dangers posed by offenders, it will be important for DOJ to ensure that the grantee's efforts or follow-on research comply with statutory requirements--that DOJ identify factors that indicate whether the subject of an online investigation poses a high-risk of harm to children as well as to coordinate with federal law enforcement agencies, NCMEC, and other stakeholders, as required by the Act. Similarly, to address the provision of the Act requiring a report to congressional committees related to information sharing structures, DOJ noted that it has secured a grantee to provide a design for an information sharing system, and when the system is closer to fruition, DOJ plans to report to Congress on its progress. While these are important steps, we maintain that it will also be important for DOJ to commit to plans and timeframes to hold itself accountable for fulfilling these provisions of the Act. DOJ concurred with our recommendation to assess the costs and benefits of steps taken by federal law enforcement agencies that they believe enhance the integrity of the forensic analysis of digital evidence, with one modification. In discussions with DOJ's National Coordinator as well as senior FBI officials responsible for overseeing forensic analysis of digital evidence on this recommendation, officials indicated that they had concerns regarding the proposed recommendation to assess costs and benefits of the processes various federal law enforcement agencies undertake that are believed to enhance the integrity of the forensic analysis of digital evidence. For example, these officials noted that certain costs associated with potential backlogs in forensic analysis, such as the public's increased exposure to offenders, would be very difficult to quantify. We explained that we did not intend for DOJ to conduct this level of cost-benefit analysis and develop such quantifiable dollar estimates, but rather intended for DOJ to qualitatively assess, for example, whether the costs, such as increasing backlogs in forensic analysis, are outweighed by the perceived benefits of the extra steps agencies take to enhance the integrity of the forensic analysis process for this particular crime. Thus, we modified our recommendation to clarify this point. Related to this recommendation, in its comments, DOJ described two working groups currently addressing forensic issues--the Technical Assistance Subcommittee, which has been studying the timeliness and usefulness of forensic examinations and has recommendations under agency review, and the Office of the Deputy Attorney General's Computer Forensics Working Group, which is also examining current digital forensic processes. DOJ noted that these groups plan to take into account the resources associated with various steps DOJ law enforcement takes in conducting digital forensic analysis as part of their examinations. DOJ also noted that it hopes to be able to provide an update to Congress on its progress on digital forensic analysis by about September 2011. We maintain that these groups and their efforts could be the appropriate vehicle to use to conduct the assessment of costs and benefits called for in our recommendation. Doing so could help identify possible efficiencies in agencies' digital forensic analysis processes, ensure scarce forensic resources are allocated to maximize their efficiency and effectiveness, and ultimately, help better address online child sexual exploitation. NCMEC, in its comments, also concurred with our recommendation to enhance its processes to collect feedback from law enforcement agencies about the usefulness of CyberTipline reports. NCMEC stated that it would further its efforts to solicit better feedback from law enforcement on the usefulness of these reports. In addition, NCMEC agreed that better understanding how information ESPs provide may determine whether a law enforcement agency can begin an investigation would be helpful. DOJ also noted in its comments that efforts to improve the CyberTipline process are underway, and the department plans to work with NCMEC to report to Congress on these improvements by about September 2011. Finally, DOJ also provided us with technical comments, which we incorporated into the report, as appropriate. DHS did not provide comments on our report. In an email dated March 16, 2011, the USPIS Acting Assistant Inspector in Charge for child exploitation investigations concurred with the information in the report and provided technical comments, which we incorporated into the report, as appropriate. We are sending copies of this report to the Secretary of Homeland Security, the Attorney General, the Executive Director of NCMEC, and other interested congressional committees and subcommittees. In addition, this report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions concerning this report or wish to discuss the matter further, please contact me at (202) 512-8777, or larencee@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix VI. Signed by: Eileen Regen Larence: Director, Homeland Security and Justice Issues: [End of section] Appendix I: Key Federal Agencies Involved in Combating Online Child Pornography: Appendix I provides information about the mission, role, level of resources, and trends in investigations or cases initiated for key federal agencies involved in combating online child pornography. Department of Justice: Federal Bureau of Investigation: The Federal Bureau of Investigation (FBI) investigates various crimes against children, including online child pornography. For example, FBI investigates violations of federal statutes generally relating to: * producing child pornography; * permitting a minor within one's custody or control to be used in child pornography; * selling or buying children for use in child pornography; and: * transporting, shipping, receiving, or distributing child pornography by any means, including by computer. As shown in tables 3 and 4, the amount of personnel and fiscal resources the FBI has allocated to combating child exploitation crime, including child pornography, increased from fiscal year 2006 through fiscal year 2010.[Footnote 88] Table 3: FBI Personnel Dedicated to Combating Child Exploitation: Number of personnel. FY 2006: Number of personnel: 267; FY 2007: Number of personnel: 283; FY 2008: Number of personnel: 315; FY 2009: Number of personnel: 318; FY 2010: Number of personnel: 313. Source: FBI. Note: Represents agents from FBI's Crimes against Children and Innocent Images National Initiative units. [End of table] Table 4: FBI Resources Obligated for Combating Child Exploitation: FY 2006: $45.5 million; FY 2007: $47.4 million; FY 2008: $54.4 million; FY 2009: $62.7 million; FY 2010: $62.9 million. Source: FBI. Note: Represents funds obligated by FBI's Innocent Images National Initiative unit. [End of table] Innocent Images National Initiative: The FBI established a nationwide initiative to combat the proliferation of online child sexual exploitation. The Innocent Images National Initiative (Innocent Images), a component of the FBI's Cyber Division, is a proactive, investigative initiative whose mission is to combat the proliferation of child pornography facilitated by computer. This initiative is composed of agents working at regional offices nationwide and may involve agents from any of the FBI's 56 field offices. Innocent Images provides centralized coordination and analysis of case information that is national and international in scope and requires coordination with state, local, and international governments as well as among FBI field offices and legal attaches. Its mission is to: * identify, investigate, and prosecute sexual predators who use the Internet and online services to sexually exploit children; * establish a law enforcement presence on the Internet as a deterrent to subjects that use the Internet to exploit children; and: * identify and rescue witting and unwitting child victims. As shown in table 5, FBI child pornography investigations and arrests have increased from fiscal years 2006 through 2010. Table 5: Number of FBI Child Pornography Investigations and Arrests: Number: Investigations; Fiscal year: 2006: 4,467; Fiscal year: 2007: 4,952; Fiscal year: 2008: 5,667; Fiscal year: 2009: 6,062; Fiscal year: 2010: 6,070. Number: Arrests; Fiscal year: 2006: 936; Fiscal year: 2007: 1,115; Fiscal year: 2008: 1,144; Fiscal year: 2009: 1,077; Fiscal year: 2010: 1,094. Source: FBI. [End of table] Child Exploitation and Obscenity Section: The Child Exploitation and Obscenity Section (CEOS) is a unit within the Department of Justice's (DOJ) Criminal Division that specializes in the prosecution of federal child sexual exploitation offenses. Among other things, CEOS is primarily responsible for the development of prosecution, policy, and legislative initiatives in those areas. CEOS's professional staff consists of attorneys and computer forensics specialists in CEOS's High Technology Investigative Unit dedicated to combating the sexual exploitation of children and obscenity. Established in 1987, CEOS focuses on individuals who, in the context of child exploitation: * possess, manufacture, produce, or traffic in child pornography; * travel interstate or internationally to sexually abuse children, or cause children to travel interstate or internationally for that same purpose; * use the Internet to lure children to engage in prohibited sexual conduct; * abuse children on federal and Indian lands; or: * engage in domestic child sex trafficking. CEOS attorneys work closely with federal law enforcement agencies and prosecutors on investigations, trials, and appeals. As shown in tables 6 and 7, the amount of fiscal resources at CEOS dedicated to combating child exploitation, including resources available to assist with and prosecute child pornography and obscenity related cases, grew from fiscal year 2006 through fiscal year 2010, while CEOS's personnel resources fell over that same period. Table 6: CEOS Personnel Dedicated for Combating Child Exploitation and Obscenity Offenses: FY 2006: Number of personnel: 36; FY 2007: Number of personnel: 32; FY 2008: Number of personnel: 32; FY 2009: Number of personnel: 32; FY 2010: Number of personnel: 32. Source: DOJ's Criminal Division. [End of table] Table 7: CEOS Funds Obligated for Combating Federal Child Exploitation and Obscenity Offenses: FY 2006: $4.4 million; FY 2007: $4.8 million; FY 2008: $5.3 million; FY 2009: $5.9 million; FY 2010: $5.9 million. Source: DOJ's Criminal Division. [End of table] Office of Juvenile Justice and Delinquency Prevention: Internet Crimes Against Children Program: Created by DOJ in 1998, the Internet Crimes Against Children (ICAC) program, administered and funded through the Office of Juvenile Justice and Delinquency Prevention (OJJDP), encourages communities nationwide to develop regional, multijurisdictional, and multiagency responses to Internet crimes against children. The program provides grants to state and local law enforcement agencies to build regional task forces that address and combat Internet-related crimes against children. ICAC program grants can be used to ensure that investigators receive specialized training and technological resources to combat Internet-related crimes. Additionally, ICAC task forces have been established to serve as sources of prevention, education, and forensic investigative assistance to those who work to address Internet crimes against children. ICAC's objectives include: * developing or expanding multiagency, multijurisdictional task forces that include representatives from law enforcement, prosecution, victim services, and child protective services, among others; * ensuring investigative capacity by properly equipping and training ICAC task force investigators; * developing and maintaining case management systems to document reported offenses and investigative results; and: * developing response protocols or memorandums of understanding to foster collaboration, information sharing, and service integration among public and private organizations to protect children from being sexually exploited. A number of federal agencies are also involved in the ICAC Task Force Program through membership on various task force units and through participation on the ICAC Task Force Board. These partners include DOJ's CEOS, FBI, the Executive Office for United States Attorneys, Immigration and Customs Enforcement (ICE), and the United States Postal Inspection Service (USPIS). As shown in table 8, the number of ICAC task force child exploitation investigations and arrests increased from fiscal year 2006 through 2010. Table 8: Number of ICAC Task Force Child Exploitation Cases Investigated and Arrests: Number: Cases investigated; Fiscal year: 2006: 10,800; Fiscal year: 2007: 14,700; Fiscal year: 2008: 21,700; Fiscal year: 2009: 22,700; Fiscal year: 2010: 32,300. Number: Arrests; Fiscal year: 2006: 2,100; Fiscal year: 2007: 2,500; Fiscal year: 2008: 3,100; Fiscal year: 2009: 4,500; Fiscal year: 2010: 5,300. Source: OJJDP. Note: Prior to the enactment of the PROTECT Our Children Act of 2008, OJJDP did not require ICAC task forces to track investigations data. The agency provided estimates for investigations totals for fiscal years 2006 through 2008, based on multiple variables including arrests and closed investigations among other factors. [End of table] Department of Homeland Security: U.S. Immigration and Customs Enforcement: U.S. Immigration and Customs Enforcement (ICE) was one of the first federal law enforcement agencies to combat the sexual exploitation of children. Beginning in the 1970s, ICE, under the legacy U.S. Customs Service, used its unique customs and border authority to investigate individuals and groups that were introducing child pornography into the United States. Since 2003, ICE has continued this effort through enforcement of trans-border violations of federal child exploitation statutes, including those related to child pornography. The agency becomes involved in cases with foreign links, primarily focusing on child pornography that enters the United States from abroad. In addition, ICE investigates, interdicts, and prosecutes those individuals involved in, among other things: * possession, receipt, distribution, advertisement, transportation, and production of child pornography; * trafficking of children for sexual purposes; and: * traveling in foreign commerce to engage in sexually explicit conduct with minors (also known as sex tourism). ICE's Office of Investigations established the Cyber Crimes Center to more effectively focus ICE resources on Internet crimes. The center brings together all ICE resources dedicated to the investigation of international criminal activity conducted on or facilitated by the Internet, including the sharing and distribution of child pornography. The center also trains personnel and upgrades their techniques to combat the diverse ways in which offenders download, possess, and distribute child pornography. The center acts as a clearinghouse and directs investigations to applicable areas within the United States and foreign countries. Through the Cyber Crimes Center, ICE addresses smuggling over "traditional" borders as well as smuggling associated with the Internet. As shown in tables 9 and 10, the amount of personnel and fiscal resources the ICE has allocated to combating child exploitation crime, including child pornography, increased from fiscal year 2006 through fiscal year 2010. Table 9: ICE Personnel Dedicated for Combating Child Exploitation: Number of personnel. FY 2006: Number of personnel: 208.7; FY 2007: Number of personnel: 211.8; FY 2008: Number of personnel: 228.3; FY 2009: Number of personnel: 227; FY 2010: Number of personnel: 239.3. Source: ICE. Note: Represents agent data manually derived from ICE field offices through September 30, 2010. [End of table] Table 10: ICE Resources Obligated for Combating Child Exploitation: FY 2006: $0.531 million; FY 2007: $1.32 million; FY 2008: $0.916 million; FY 2009: $0.724 million; FY 2010: $0.951 million. Source: ICE. Note: Represents manually derived estimates of funds obligated by ICE field offices through September 30, 2010. [End of table] As shown in table 11, the number of ICE child pornography cases initiated has decreased, while arrests have increased from fiscal years 2006 through 2010. Table 11: Number of Child Pornography Cases Initiated and Arrests by ICE Agents: Number: Cases initiated; Fiscal year: 2006: 3,291; Fiscal year: 2007: 3,191; Fiscal year: 2008: 2,898; Fiscal year: 2009: 2,894; Fiscal year: 2010: 2,622. Number: Arrests; Fiscal year: 2006: 681; Fiscal year: 2007: 948; Fiscal year: 2008: 863; Fiscal year: 2009: 957; Fiscal year: 2010: 931. Source: ICE. [End of table] United States Secret Service: The United States Secret Service (USSS) provides forensic and technical assistance in matters involving missing and sexually exploited children through its Office of Investigations. The USSS' Forensic Investigative Response and Support Team consists of a group of technical and forensic experts, including agents from the Electronic Crimes Special Agent Program, who are available to respond to requests from any law enforcement agency within the United States to perform forensic and technical examinations. Section 105 of the USA Patriot Act requires USSS to develop a national network of electronic crime task forces to combat various forms of electronic crimes. [Footnote 89] In response to this requirement, USSS has established 31 regional Electronic Crimes Task Forces worldwide. The regional task forces work directly with other federal, state, and local law enforcement agencies in the area of child pornography as well as other electronic crimes. According to USSS headquarters officials, online child pornography crime is not a core violation for the agency. Therefore, it has pursued fewer investigations involving this crime than other crimes, such as counterfeiting, and does not track funding or personnel dedicated to this crime. These officials added, however, that some USSS field offices with a background in these areas as well as digital forensic capabilities investigate these crimes. As shown in table 12, while the number of investigations has varied over time, the number of arrests related to child pornography has increased. Table 12: Number of USSS Investigations and Arrests Related to Child Pornography: Investigations: Fiscal year: 302; Fiscal year: 487; Fiscal year: 138; Fiscal year: 98; Fiscal year: 188. Arrests: Fiscal year: 88; Fiscal year: 94; Fiscal year: 80; Fiscal year: 88; Fiscal year: 149. Source: USSS. [End of table] United States Postal Service: United States Postal Inspection Service: The United States Postal Inspection Service (USPIS) is the federal law enforcement arm of the United States Postal Service that is responsible for investigating crimes involving the U.S. mail, including child pornography and child sexual exploitation offenses. Postal Inspectors, specially trained to conduct child exploitation investigations, are assigned to each of its 18 field divisions nationwide. The use of mail to traffic in child pornography, or to sexually exploit children, continues to be a significant societal problem, according to Postal officials. They added that the exchange of child pornography by mail is now often preceded by use of the Internet to communicate with like-minded individuals or to locate sources of child pornography. The objective of the child exploitation program is to reduce and deter the use of the postal system for the procurement or delivery of materials that promote the sexual exploitation of children and to uphold customer confidence. In carrying out its mission, USPIS works with DOJ, FBI, ICE, and other national and international law enforcement agencies. As shown in table 13, the number of full-time Postal Inspectors dedicated to combating child exploitation has decreased overall; however, the number of inspectors addressing these crimes on a part- time basis has increased. Table 13: Full Time and Part Time Postal Inspectors Assigned to Child Exploitation Investigations: Number of postal inspectors: Full time; FY 2006: 37; FY 2007: 37; FY 2008: 38; FY 2009: 36; FY 2010: 26. Number of postal inspectors: Part time; FY 2006: 0; FY 2007: 0; FY 2008: 10; FY 2009: 14; FY 2010: 19. Source: USPIS. [End of table] According to USPIS, as a result of its transformation and reorganization during the past 2 years, it assigned fewer full-time Postal Inspectors to investigate child exploitation in a proactive manner, yet increased the assignment of part-time Postal Inspectors to ensure any lead referred to the division is addressed. As shown in table 14, the number of investigations related to child exploitation and child pornography has decreased. According to USPIS, Postal Inspectors are now focused on high-quality U.S. mail-related investigations involving the sexual exploitation of children, and investigations not involving the U.S. mail (e.g., those that are Internet-related) are now being worked at a significant rate by partners, such as the ICAC task forces. Table 14: Postal Inspection Service Investigations and Arrests Related to Child Exploitation and Child Pornography: Number: Investigations; Fiscal year: 2006: 267; Fiscal year: 2007: 264; Fiscal year: 2008: 310; Fiscal year: 2009: 233; Fiscal year: 2010: 141. Number: Arrests; Fiscal year: 2006: 252; Fiscal year: 2007: 155; Fiscal year: 2008: 165; Fiscal year: 2009: 186; Fiscal year: 2010: 115. Source: USPIS. [End of table] [End of section] Appendix II: Status of Efforts of DOJ and NCMEC's CyberTipline to Implement Provisions of the PROTECT Our Children Act of 2008: Table 15 presents information on the actions taken by DOJ and NCMEC to implement their responsibilities under the Providing Resources, Officers, and Technology To Eradicate Cyber Threats to Our Children Act of 2008 (PROTECT Our Children Act of 2008, or the Act).[Footnote 90] Table 15: Status of Efforts of the Attorney General and NCMEC's CyberTipline to Implement Their Responsibilities under the PROTECT Our Children Act of 2008: Responsible entity or official: Attorney General; Provision: § 101(a) - (c); 42 U.S.C. § 17611(a) - (c); Responsibility: National Strategy for Child Exploitation Prevention and Interdiction: Due 1 year after the date of enactment, and every second year thereafter. The statute requires that the Strategy contain 19 elements, including goals and measurable objectives, a review of DOJ's work, plans for interagency coordination--with ICE and the Departments of State, Commerce and Education, among others--a review of the ICAC Task Force Program, a review of and plans for reducing forensic backlogs, and a review of all available statistical data on child pornography trafficking, among other elements; Status of effort: In August 2010, DOJ released its National Strategy for Child Exploitation Prevention and Interdiction (National Strategy). This document contained elements specified for inclusion by the PROTECT Our Children Act of 2008, including a review of DOJ work related to the prevention and investigation of child exploitation crime, a review of the ICAC Task Force program, a review of the backlog of forensic analysis for child exploitation cases, and plans for reducing the forensic backlog. In terms of plans for updating the National Strategy, DOJ officials stated that they are currently working on implementation of the National Strategy, which was submitted in August. As they move forward with implementation, they said that they plan to decide whether the goals and priorities need to be updated. In addition, they are updating the National Strategy with information from each agency and component. The officials stated that DOJ plans to submit the National Strategy to Congress by April 1, 2011. Responsible entity or official: Attorney General; Provision: § 101(d); 42 U.S.C. § 17611(d); Responsibility: Designation of Senior Official: The Attorney General must designate a DOJ senior official to be responsible for the strategy, who must act as a liaison with other federal entities, ensure proper coordination, be knowledgeable about relevant DOJ budget priorities and efforts, and be available to Congress; Status of effort: DOJ designated a Senior Official responsible for development of the National Strategy on January 13, 2010. To facilitate the role as a liaison with other federal entities, the National Coordinator has called together a multiagency National Strategy Working Group to work on implementing the National Strategy. This working group includes participants from DHS, the Department of State, the Department of Defense, USPIS, the Department of Commerce, the Department of Education, Commanders from four ICAC Task Forces, as well as various components of DOJ, including FBI, CEOS, the OJJDP, and U.S. Attorneys' Offices. There are six subcommittees under the Working Group that are responsible for implementing various components of the National Strategy. They are subcommittees on Technical Assistance, Global Outreach, Community Outreach, Research and Grant Planning, Training, and Law Enforcement Collaboration. Responsible entity or official: Attorney General; Provision: §§ 102-04; 42 U.S.C. §§ 17612-14; Responsibility: ICAC Task Force Program: Establishes in law the ICAC Task Force Program, under the authority of the Attorney General, which is a national program of state and local law enforcement task forces dedicated to developing responses to online enticement of children by sexual predators, child exploitation, and child obscenity and pornography cases. The statute requires that there be at least one task force per state and that the Attorney General consult with and consider the 59 task forces in existence at time of enactment in establishing the program. Requires the Attorney General to conduct periodic review of the effectiveness of each task force and authorizes the Attorney General to establish new task forces, subject to certain conditions. Grants authority to the Attorney General to conduct training; requires periodic review of the effectiveness of training; limits training awards to any one entity to $2 million annually. Includes 9 specified purposes of the task forces and 11 required functions and duties, 1 of which includes working toward achieving the purposes; Status of effort: There is currently at least one ICAC per state. Since the passage of the PROTECT Our Children Act of 2008, 2 new ICAC task forces have been formed, 1 in Houston and 1 in New York City--for a total of 61 ICAC task forces. According to DOJ officials, in general, solicitations for grants for new ICAC task forces were announced approximately 6 months before grant recipients were selected. Approximately 10 days before local entities in the Houston and New York areas were notified that their grant proposals were accepted, Congress was notified of the grant selections. According to DOJ officials, assessments of ICAC performance are done on a monthly and quarterly basis. The information collected includes data on number of arrests and investigations, community education programs, and other factors. According to DOJ officials, DOJ was already collecting from the ICAC task forces and reviewing many data points required by the PROTECT Our Children Act of 2008. A DOJ official stated that the Act included a new requirement that DOJ collect information on the number of investigations conducted. This new data point was incorporated into ICAC program management in 2009-2010. DOJ noted that the ICAC task forces are now required to submit data on these new data points, and program managers review the data submitted. DOJ provides spreadsheets to ICAC task forces listing these and other required data points that are then submitted to OJJDP. In March 2010, DOJ's Office of Audit, Assessment, and Management reviewed the ICAC Technical and Training Assistance program and found that, based on student evaluations and observations, the overall quality of training provided was of high quality and well-received. However, the IG noted concerns with the management of OJJDP's training program. Specifically, the IG reported that OJJDP performance measures for the effectiveness of the training program were output based and did not measure the long-term effectiveness of the training program. To conduct periodic assessments, according to DOJ officials, OJJDP collects posttraining reviews on training programs conducted under the ICAC training program. Officials said that OJJDP conveyed the requirement to training grant recipients in 2009 and 2010 that they must provide immediate and long-term reviews of training efficacy. These assessment efforts are paid for with existing DOJ funding. OJJDP also reviews semiannual progress reports and deliverables produced under every ICAC training program grant. DOJ officials stated that even though the Act authorized up to $60 million per year to enact the various provisions of the Act that affect the ICAC Task Force program, funds have not been appropriated under this section of the Act. Funds have been appropriated for ICACs under other authority--such as the Juvenile Justice and Delinquency Prevention Act (JJDPA) (see, e.g., Conference Report accompanying Consolidated Appropriations Act, 2010, H.R. Rep. No. 111-366 at 678 (2009) (directing a specific amount of funds appropriated under sections 404(b) and 405(a) of the JJDPA be made available for the ICAC program)). According to DOJ officials, where OJJDP was able to incorporate Act requirements within current funding levels it has done so (e.g., enhancing data collection). Responsible entity or official: Attorney General; Provision: § 106(a) - (c); 42 U.S.C. § 17616(a) - (c); Responsibility: ICAC Grant Program: Authorizes the Attorney General to award grants to ICAC task forces, pursuant to statutory factors and criteria. In order to receive funds, task forces must submit applications, describing uses of funds; funds may only be used for specified allowable uses; Status of effort: The ICAC Task Force Program received a total of $50 million in American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, grant funding, which was distributed pursuant to the formula requirements of the PROTECT Our Children Act of 2008. According to DOJ officials, DOJ will use this formula to allocate future appropriations made for the ICAC program and specifically did so in fiscal year 2009 for the 59 ICACs. While the Act did not specify an exact formula for allocating grant monies, it dictated certain considerations that were to be accounted for in allocating funds, for example, the population in each state and number of successful Internet crimes against children prosecutions, among others. Where data were available, OJJDP incorporated these considerations from the Act into its formula for making ICAC funding allocations. However, DOJ officials noted that ICAC funds were not appropriated under this section of the Act, but under other authority. OJJDP awarded $18,997,913 in grant funding to ICAC task forces in fiscal year 2010. ICAC task forces submit annual applications in response to OJJDP's continuation funding solicitation describing activities to be undertaken with grant funding. According to DOJ officials, these applications are reviewed by OJJDP program management teams who examine the applications based on financial and programmatic considerations and compare the goals and objectives stated in the application with the requirements outlined in the solicitation. For example, OJJDP officials would review an application to assess the extent to which the ICAC task force would establish a multijurisdictional and multiagency infrastructure to address child exploitation crime. Responsible entity or official: Attorney General; Provision: § 106(d); 42 U.S.C. § 17616(d); Responsibility: ICAC Program Reporting Requirements: (1) Task forces must submit annual reports to the Attorney General, addressing specific information, such as the number of referrals made by the task force to the U.S. Attorneys office and the number of investigative technical assistance sessions the task force provided, among others. (2) The Attorney General must submit a report to Congress not later than 1 year after enactment on development of the ICAC program and numbers of federal and state investigations, prosecutions and convictions related to child exploitation; Status of effort: Although ICAC funds have not been appropriated under this section of the PROTECT Our Children Act of 2008, according to DOJ officials, OJJDP prepared reports on the ICAC program in 2009 and in 2010 that included information on the disposition of child exploitation cases and sentencing outcomes, which was a requirement in the Act. At the time the Act was passed, OJJDP did not have a mechanism to capture this information. Therefore, information presented in DOJ annual reports may not include the disposition of all cases in 2009 and 2010. According to DOJ officials, the report OJJDP prepared for the Attorney General in 2009 on the status of the ICAC program was incorporated in the National Strategy. The 2010 report on the status of the ICAC program is currently under review at OJJDP, and DOJ officials stated that they plan to incorporate it as part of the update to the National Strategy. Responsible entity or official: Attorney General; Provision: § 105(a) - (f); 42 U.S.C. § 17615(a) - (f); Responsibility: National Internet Crimes Against Children Data System (NIDS): NIDS, to be housed and maintained within DOJ or a credentialed law enforcement agency, is to assist and support law enforcement investigating and prosecuting child exploitation. NIDS, which is required to be available to credentialed law enforcement agencies for a nominal fee, must allow information sharing and case deconfliction, provide a dynamic undercover infrastructure, enable real-time reporting of child exploitation cases involving local victims, identify high-priority suspects, and include a network that provides for secure, online data storage and analysis and online communication, among other things; Status of effort: DOJ issued a grant solicitation for development of NIDS in March 2009. The initial grant solicitation was for the construction, maintenance, and housing of the system and other tasks, such as linking the system with the ICAC Task Force Portal. In January 2010, applicants for the 2009 NIDS grant solicitation were notified that the agency would not make an award under the solicitation because it planned to pursue a different system for deconfliction and investigation than was described in the solicitation. DOJ reissued the NIDS grant solicitation in June 2010 to select a contractor to conduct a national needs assessment and perform other tasks in support of developing the system in the future. In September 2010, DOJ awarded the grant for the NIDS needs assessment and development activities to the Massachusetts State Police, and its partners Fox Valley Technical College, University of Massachusetts, and University of New Hampshire Crimes Against Children Research Center. According to OJJDP officials, no decision has been made as to where the system will be hosted. The National Coordinator said that the U.S. Marshals Service Sex Offender Targeting Center will be considered as an appropriate platform to host the system. Responsible entity or official: Attorney General; Provision: § 105(g); 42 U.S.C. § 17615(g); Responsibility: National Internet Crimes Against Children Data System Steering Committee: Requires the Attorney General to establish a Steering Committee to provide guidance to NIDS on the network requirements and assist in the development of strategic plans for NIDS. Includes requirements for the composition of the 10-member committee; Status of effort: The National Coordinator reported that the NIDS Steering Committee was established in April 2010 with appropriate membership as required by the PROTECT Our Children Act of 2008. The NIDS Steering Committee consists of representatives from ICE, USPIS, FBI, CEOS, OJJDP, and the U.S. Marshals Service, as well as representatives from state and local law enforcement. According to the National Coordinator, the Steering Committee met, but was suspended while DOJ issued a grant solicitation for a NIDS needs assessment. Now that the grantee has been selected, the steering committee has met with the NIDS grantee to discuss formulation and operation of NIDS. The committee plans to provide input to the grantee during the needs assessment process and plans to continue to advise DOJ leadership as to the formulation and operation of NIDS as the system is built and becomes operational. Responsible entity or official: Attorney General; Provision: § 201; 42 U.S.C. § 17631; Responsibility: Additional Regional Computer Forensic Labs: Requires the Attorney General to establish additional computer forensic capacity to address the current backlog; funds made available under this section for additional capacity must be dedicated to assisting law enforcement agencies in preventing, investigating, and prosecuting internet crimes against children. The location of any new labs must be determined in consultation with specified stakeholders, such as the Director of the FBI and the Regional Computer Forensic Laboratory National Steering Committee, and others. The Attorney General is required to submit a report on how appropriated funds were utilized no later than 1 year after enactment and annually; Status of effort: Currently, the FBI is in the process of initiating new Regional Computer Forensics Laboratories (RCFL) in Los Angeles and New Mexico, scheduled to begin operations in January 2011 and March 2011, respectively. In 2006, FBI began the process of seeking a nonpersonnel budget enhancement for these RCFLs and received $6 million in 2008 to build these facilities. To date, the RCFL Program has received no additional funding to initiate these, or any other, RCFLs. FBI has used the base funding of its RCFL National Program to support the 14 existing RCFLs as well as the 2 new RCFLs. In addition, the FBI's Operational Technology Division has initiated multiple efforts both inside and outside of RCFLs to reduce backlogs. These include initiatives such as: The Case Agent Investigative Review system, which provides investigators the ability to review results of digital forensic examinations conducted in an RCFL from an FBI computer terminal; Investigative kiosks that allow law enforcement to extract data from cell phones or loose media in a forensically sound manner and analyze evidence; Expanded use of preview tools to decrease the amount of digital evidence seized and to triage that which is seized for examination. Responsible entity or official: Attorney General; (through the National Institute of Justice); Provision: § 401; Responsibility: National Institute of Justice (NIJ) Study of Risk Factors for Assessing Dangerousness: Requires NIJ to prepare a report to identify the investigative factors indicating whether a subject of an online child exploitation investigation poses a high risk of harm to children, in consultation and coordination with specified entities, such as state, local, and federal law enforcement agencies and NCMEC, among others. Report is due not later than 1 year after enactment, and NIJ must present findings and recommendations to the Judiciary Committees; Status of effort: According to DOJ officials, this report has not been initiated because funds have not been appropriated for this activity under the PROTECT Our Children Act of 2008, and DOJ does not have plans or a time frame to conduct such a study. However, according to the National Coordinator, an examination of how such a study would be conducted would likely be considered by the National Strategy Working Group as it moves forward. Responsible entity or official: Attorney General; NCMEC; Provision: § 501(a); 18 U.S.C. § 2258A; Responsibility: Reporting Requirements of Electronic Communication Service Providers and Remote Computing Service Providers (ESPs): Amends the criminal code to establish monetary penalties for ESPs that fail to report to the CyberTipline actual knowledge of facts and circumstances from which there is an apparent violation of specified provisions of the criminal code relating to the sexual exploitation of children and child pornography. Enforcement: The Attorney General is responsible for the enforcement of the reporting requirements. Designation of law enforcement agencies: Requires the Attorney General to designate federal law enforcement agencies to which NCMEC will forward the reports. Also requires the Attorney General to designate, in consultation with the Secretary of State, foreign law enforcement agencies, the conditions under which a report may be forwarded to such foreign agencies, and a process for foreign agencies to request assistance from federal law enforcement related to reports forwarded to them by NCMEC. Requires that the Attorney General maintain and make available the list of designated foreign agencies to specified entities, including the Judiciary Committees, and provides the sense of Congress that the Attorney General and Secretary of State should make a substantial effort to expand the list. Report forwarding: Requires NCMEC to forward reports to the designated federal law enforcement agencies; and allows NCMEC to forward reports to state/local law enforcement agencies, as well as designated foreign law enforcement agencies, subject to conditions established by the Attorney General and with copies provided to specified entities, including the Attorney General and federal law enforcement agencies. Requires NCMEC to inform the ESP as to whether or not the report was forwarded to a foreign law enforcement agency where the ESP made a report as a result of a request by a foreign law enforcement agency. Limits disclosure of reports by NCMEC to these entities and for purposes under § 2258C (below). Disclosure of information: Limits the permitted disclosures by law enforcement agencies of information contained in a report received from NCMEC to specified individuals and purposes. Preservation: Requires ESPs to preserve information submitted in a report to the CyberTipline for 90 days; Status of effort: DOJ officials reported that as of December 15, 2010, the agency is not aware of any violations where ESPs failed to report to the CyberTipline and therefore has not taken any enforcement actions under this provision. According to the National Coordinator, DOJ has not yet designated a list of federal law enforcement agencies or a list of foreign law enforcement agencies to which CyberTipline reports may be forwarded. NCMEC officials said that NCMEC forwards CyberTipline reports to federal law enforcement agencies. Additionally, NCMEC currently refers CyberTipline reports to foreign law enforcement agencies through ICE. DOJ officials said that they plan to coordinate with NCMEC to determine how such a formal designation would work best with NCMEC's current process, but has no time frames for doing so. According to NCMEC, as of December 2010 access to NCMEC's CyberTipline reports is limited to 83 virtual private networks (including ICAC task forces and international law enforcement via ICE) and the federal law enforcement agencies that have representatives who liaison with NCMEC to distribute reports for investigative purposes. Responsible entity or official: NCMEC; Provision: § 501(a); 18 U.S.C. § 2258C; Responsibility: Use to Combat Child Pornography of Technical Elements Relating to Images Reported to the CyberTipline: Allows NCMEC to provide to ESPs, and requires NCMEC to provide to federal, state, and local law enforcement involved in the investigation of child pornography crime, elements relating to any apparent child pornography image of an identified child--but not actual images--for the purpose of permitting the ESP to stop further transmission of images and for the investigation of child pornography cases, respectively; Status of effort: NCMEC has several initiatives to provide law enforcement and ESPs elements relating to apparent child pornography images of an identified child. For example, according to NCMEC officials, it has developed an initiative called the Law Enforcement Services Portal, which allows law enforcement agencies access to NCMEC's Child Recognition and Identification systems to quickly identify hash values[A] of identified child victims. The portal separates out hash values of identified child victims from those who have not been identified so that law enforcement can quickly match hash values they receive during investigations against the database of image information. According to NCMEC officials, the Law Enforcement Services Portal is operational and efforts to register additional law enforcement officers will continue in 2011. NCMEC established its Hash Value Sharing initiative in 2008 to provide elements relating to apparent child pornography images of an identified child. NCMEC provides a list of hash values to requesting ESPs who use hash-seeking software to detect and remove illegal files from their systems. NCMEC provided hash values to 10 ESPs, as of November 23, 2010. In addition, NCMEC established its Uniform Resource Locator (URL) initiative in 2008. Through this initiative, NCMEC provides a daily list of active URLs (also known as Web addresses) that contain photos or videos of apparent child pornography, and, as of November 23, 2010, has provided this list of URLs to 85 ESPs. ESPs may take action to prevent users from accessing these sites. For example, ESPs that host Web sites can check the URL list to ensure that none of the sites that they host are on the list. Under its Child Victim Identification Program, NCMEC requests that when a federal, state, or local law enforcement agency has identified child victims featured in child pornography images that it provides NCMEC with copies of the images and information related to the investigation. NCMEC uses this information to assist law enforcement agencies and prosecutors with determining if submitted images contain children who have been identified in past investigations. Under this program, NCMEC also helps prosecutors prove that a real child is depicted in child pornography images. According to NCMEC, through this effort, children have been rescued from ongoing exploitation as a result of the cooperative efforts between the program and law enforcement. Responsible entity or official: NCMEC; Provision: § 501(a); 42 U.S.C. § 2258D(d); Responsibility: Minimizing Access: Requires NCMEC to minimize the number of employees who are provided access to any image provided under § 2258A and ensure that any such image is permanently destroyed upon notification from a law enforcement agency; Status of effort: According to NCMEC officials, since the passage of the Act NCMEC has reduced the number of employees with access to CyberTipline images by 21 percent from 72 to 57 by removing access to images from employees who transfer from the NCMEC's Exploited Child Division, which reviews CyberTipline reports, to other divisions. Another means that NCMEC has used to minimize the number of employees with access to CyberTipline images is to create a "read only" level of access to the CyberTipline for employees whose job responsibilities require them to have access to CyberTipline information, but not images. Currently, a total of 86 employees have "read only" access. NCMEC officials stated that NCMEC has never been asked by a law enforcement agency to permanently destroy images. Responsible entity or official: Attorney General; Provision: § 502(a); Responsibility: Attorney General Report on Implementation, Investigative Methods and Information Sharing: Requires the Attorney General to submit a report to the Judiciary Committees, not later than 12 months after enactment, on the structure established in response to the Act, legal and constitutional implications of the structure, privacy safeguards, and numerical information related to §§ 2258A(b) and 2258C; Status of effort: According to officials, DOJ has not prepared this report and does not yet have a time frame for completing it. Source: The PROTECT Our Children Act of 2008 and GAO analysis of information from DOJ and NCMEC. [A] Hash values, also known as digital fingerprints, are computational values that serve as unique identifiers for electronic files, such as images, documents, or storage media such as hard drives. [End of table] [End of section] Appendix III: Overview of NIDS Components and System Functions Outlined by the PROTECT Our Children Act of 2008: Table 16 provides an overview of the technical specifications of the National Internet Crimes Against Children Data System (NIDS) as described by the PROTECT Our Children Act of 2008.[Footnote 91] Table 16: Information on the NIDS Components Required by and Functions Described in the PROTECT Our Children Act of 2008: NIDS component: Case deconfliction; NIDS functional description: NIDS is to provide a secure, online system for federal law enforcement agencies; ICAC task forces; and other state, local, and tribal law enforcement agencies to use in resolving case conflicts. NIDS component: Real-time reporting; NIDS functional description: NIDS is required to ensure that child exploitation cases involving local child victims that are reasonably detectable using available software and data are, immediately upon their detection, made available to participating law enforcement agencies. NIDS component: High-priority suspects identification; NIDS functional description: Every 30 days, at a minimum, NIDS shall: (1) identify high-priority suspects, such as suspects determined by the volume of suspected criminal activity or other indicators of seriousness of offense or dangerousness to the community or a potential local victim; and; (2) report all such identified high- priority suspects to participating law enforcement agencies. NIDS components: Data collection and analysis; NIDS functional description: NIDS is required to ensure the availability of any statistical data indicating the overall magnitude of child pornography trafficking and child exploitation in the United States and internationally, such as the number of computers and users engaged in peer-to-peer child pornography, among other data. NIDS components: Local data analysis; NIDS functional description: NIDS is to provide a secure online data storage and analysis system that credentialed users may use. NIDS components: Secure connections; NIDS functional description: NIDS is required to provide secure connections with state, local, and tribal law enforcement computer networks, consistent with reasonable and established security protocols and guidelines. NIDS components: Dynamic undercover infrastructure; NIDS functional description: NIDS is to provide for a dynamic undercover infrastructure to facilitate online investigations of child exploitation. NIDS components: Software development and support; NIDS functional description: NIDS is required to facilitate and develop essential software and network capability for law enforcement participants, as well as provide software or direct hosting and support for online investigations of child exploitation activities. NIDS components: Online communications and collaboration; NIDS functional description: NIDS must provide for a secure system enabling online communications and collaboration by participants regarding ongoing investigations, investigatory techniques, and best practices. NIDS components: Guidelines and training and technical assistance; NIDS functional description: NIDS must provide for guidelines as well as training and technical assistance on use of the system. Source: PROTECT Our Children Act of 2008. [End of table] [End of section] Appendix IV: Comments from the Department of Justice: U.S. Department of Justice: Office of the Deputy Attorney General: Washington, DC 20530: March 25, 2011: Ms. Eileen R. Larence: Director, Homeland Security and Justice: United States Government Accountability Office: Washington, DC 20548: Dear Ms. Larence: The Department has reviewed the Government Accountability Office's (GAO) draft report entitled "Combating Child Pornography: Steps Needed to Ensure Tips to Law Enforcement are Useful and Forensic Examinations are Cost Effective," GA0-11-334. We appreciate GAO's acknowledgment of the progress made under the Act: specifically, the creation and implementation of the National Strategy; formal establishment of 61 ICAC task forces; selection of the National Coordinator; and, implementation of the National Strategy. The Department generally concurs with the GAO's recommendations and will provide updates to Congress on our progress in implementing them. In its draft report, GAO notes that three provisions of the Act require additional work to implement. As noted below, activity related to each provision is ongoing. One provision of the Act requires the National Institute of Justice ("ND") to complete a report identifying factors that indicate levels of dangerousness of online offenders. Toward that end, the Department solicited grant applications related to the design of the National Internet Crimes Against Children Data System ("NIDS"). The grantee team will provide the Department with three products: 1) an assessment of what is needed to build a system providing law enforcement with information sharing and deconfliction tools; 2) new undercover investigative tools; and 3) a white paper addressing the dangerousness issue with recommendations on further research paths. The latter will allow the Department to determine the appropriate avenue to direct research grants for further study of this complex issue and will assist in identifying the factors contemplated by the Act. The grant was awarded in September 2010, and these three products will be delivered by August 31, 2012. GAO also noted that the Department has not completed work on that provision of the Act related to information sharing structures. As noted above, the Department solicited grant applications for the design of an information sharing system, and when the system is, closer to fruition, the Department will report to Congress on its progress. Finally, with respect to that portion of the Act requiring the designation of foreign law enforcement agencies to receive CyberTips from the National Center for Missing and Exploited Children ("NCMEC"), a working group has been established, which includes various law enforcement agencies and NCMEC, and is working to satisfy this provision. We expect to be able to report on substantial progress on this provision of the Act to Congress in the next six months. With respect to the three remaining recommendations, the Department concurs with GAO. One recommendation is that NCMEC enhance its ability to collect feedback from law enforcement on the efficacy of the CyberTips it distributes to law enforcement. Efforts to improve the CyberTip process are underway, and NCMEC and the Department will be able to report to Congress on these improvements in the next six months. GAO also recommended that the Department build the National Internet Crimes Against Children Data System, as required in the Protect Our Children Act of 2008. We concur, and as noted above, are in process of receiving a needs assessment on the system from a qualified team of grantees. We also agree with the recommendation that the efficacy of computer forensic process should be assessed. There are two major efforts currently underway to review and assess digital forensics across the Department. The GAO has recommended that the Attorney General direct the National Strategy Working Group and its Technical Assistance Subconunittee to assess the efficacy of various steps federal law enforcement agencies take that they believe enhances the integrity of forensic analysis of digital evidence in investigating online child pornography crimes. The Subcommittee has been studying the issue of the timeliness and usefulness of computer forensic examinations and has made recommendations that are currently under review. In addition to the work of the above-referenced Subcommittee, the Office of the Deputy Attorney General leads a Computer Forensics Working Group. This group is also examining the current processes by which the Department conducts its digital forensics examinations. As part of these reviews, the Department will be taking into account the resources associated with various steps DOJ law enforcement takes in conducting digital forensic analysis. We hope to be able to provide an update to Congress on our progress on digital forensics in the next six months. The Department appreciates the work of the GAO and this opportunity to comment on the GAO's draft report. Should you have any questions regarding this topic, please do not hesitate to contact Richard Theis, Department of Justice Audit Liaison on 202-514-0469. Sincerely, Signed by: Francey Hakes: National Coordinator for Child Exploitation Prevention and Interdiction: [End of section] Appendix V: Comments from the National Center for Missing and Exploited Children: National Center For Missing & Exploited Children: Charles B. Wang International Children's Building: 699 Prince Street: Alexandria, VA 22314-3175: Telephone: 703-224-2150: Facsimile: 703-224-2122: [hyperlink, http://www.missingkids.com] [hyperlink, http://www.cybertipline.com] Other Offices: California: Florida: New York: Texas: March 22, 2011: Eileen R. Larance: Director, Homeland Security and Justice: United States Government Accountability Office: Washington, DC: Dear Ms. Larance: The National Center for Missing & Exploited Children (NCMEC) was pleased to work with your staff for the report entitled "Combating Child Pornography: Steps Needed to Ensure Tips to Law Enforcement are Useful and Forensic Examinations are Cost Effective", GA0-11-334. As noted in the report, NCMEC will further its efforts to solicit better feedback from law enforcement on the usefulness of individual CyberTipline reports. We agree there should be a better understanding of how information provided by electronic communication service providers, pursuant to 18 U.S.C. §2258A, may determine whether a law enforcement agency can begin an investigation. We appreciate the GAO's recognition that NCMEC has played a key role in coordinating law enforcement efforts through the operation of the CyberTipline. NCMEC will continue to meet with stakeholders to explore ways to improve the overall CyberTipline process. Thank you very much. Signed by: Ernie Allen: President and Chief Executive Officer: [End of section] Appendix VI: GAO Contact and Acknowledgments: GAO Contact: Eileen R. Larence, (202) 512-8777 or larencee@gao.gov: Acknowledgments: In addition to the contact named above, Mary Catherine Hult, Assistant Director, and Robert Rivas, Analyst-in-Charge, managed this assignment. David Alexander, Kristy Brown, Amy Bush, Christopher Conrad, Katherine Davis, Pawnee A. Davis, Lorraine Ettaro, Harold Lewis, Marvin McGill, Gary Mountjoy, Susan Sachs, and Janet Temko made significant contributions to this report. [End of section] Footnotes: [1] The National Strategy for Child Exploitation Prevention and Interdiction, A Report to Congress, U.S. Department of Justice, August 2010. [2] The ICAC Task Force Program is a network of 61 task forces comprised of federal, state, local, and tribal law enforcement and prosecutorial agencies. ICAC task force agencies engage in investigations, forensic examinations, and prosecutions of Internet crimes against children. [3] Pursuant to the Providing Resources, Officers, and Technology To Eradicate Cyber Threats to Our Children Act of 2008 (PROTECT Our Children Act of 2008), "child exploitation" generally consists of conduct involving a minor that violates specific criminal provisions of the U.S. Code, or any sexual activity involving a minor for which a person can be charged with a criminal offense. Pub. L. No. 110-401, § 2, 122 Stat. 4229, 4230. Some of these criminal provisions include, for example, causing a minor to engage in a sex act by force; transporting an individual for purposes of prostitution or other criminal sexual activity; or mailing, receiving, and distributing child pornography. Child pornography has a more specific definition under 18 U.S.C. § 2256, and generally consists of any visual depiction, the production of which involves the use of a minor engaging in sexually explicit conduct or that involves a minor engaging in sexually explicit conduct. [4] 18 U.S.C. §§ 2251, 2252, 2252A. [5] The Missing Children's Assistance Act, as amended, directs OJJDP to make an annual grant to NCMEC to carry out various responsibilities related to missing and exploited children. Among these are coordinating public and private programs to locate missing children, providing technical assistance and training, and providing information and assistance services. 42 U.S.C. § 5773(b)(1). [6] The PROTECT Our Children Act of 2008 requires electronic communication service providers and remote computing service providers to make reports to the CyberTipline. Pub. L. No. 110-401, § 501(a) (codified at 18 U.S.C. § 2258A). Collectively termed ESPs for purposes of this report, these include any service that provides to users the ability to send or receive wire or electronic communications, such as e-mail and instant messaging services and gateway access to the Internet; as well as data storage services, such as those that offer subscribers the opportunity to store materials like address books, calendars, photo albums, video content, electronic files, documents, and other types of content. [7] Pub. L. No. 110-401, 122 Stat. 4229. [8] Deconfliction is the coordination and information sharing among law enforcement agencies on multijurisdiction investigations to help ensure officer safety and the effective use of resources. [9] We chose these dates to obtain an overview of trends in law enforcement activity related to efforts to combat online crimes against children as well as to examine federal activity before and after passage of the PROTECT Our Children Act of 2008. Specifically, we analyzed data on investigations and arrests from FBI, ICE, United States Secret Service, and USPIS; resource data from FBI, DOJ's Child Exploitation and Obscenity Section, ICE, and USPIS; and data on cases and investigations reported by ICAC task forces to OJJDP. To assess the reliability of these data, we questioned officials knowledgeable on their respective agency's data systems about how the data were compiled and the steps taken to ensure data quality. Based on their responses, we determined these data to be sufficiently reliable for the purposes of this report. [10] Program management standards we reviewed are reflected in the Project Management Institute's The Standard for Program Management © (2006). [11] NCMEC provides a Web page specifically for ESPs that have registered with NCMEC to allow for secured submission of CyberTipline reports. We selected ESPs from among the 620 that had registered as of April 2010 to reflect time before and after enactment of the Act. [12] We selected these organizations based on their varied perspectives and focuses in civil liberties, high-technology, and partnerships with Internet and law enforcement communities. The information obtained from these interviews cannot be generalized to all such organizations; however, the interviews provided an overview of perspectives about Internet-related privacy concerns. [13] We selected these dates to provide 2 full years of data from the time of our review, reflecting time before and after enactment of the Act. To assess the reliability of these data, we questioned NCMEC officials knowledgeable on the data about how the reports were compiled and the steps taken to ensure data quality. Based on their responses, we determined these data to be sufficiently reliable to report general trends. [14] These ICAC task forces were located in the Middle District of Florida, the Western District of New York, the Western District of Missouri, the Northern District of California, the District of Arizona, and the Eastern District of Virginia. We also interviewed officials from two ICAC task forces, the Northern District of Texas and the Eastern District of Pennsylvania, which we selected based on their experience with an automated deconfliction tool and geographic location. [15] For example, see GAO, Transportation Research: Opportunities for Improving the Oversight of DOT's Research Programs and User Satisfaction with Transportation Statistics, [hyperlink, http://www.gao.gov/products/GAO-06-917] (Washington, D.C.: Aug. 15, 2006). [16] The initiative is a DOJ initiative designed to reduce the incidence of sexual exploitation of children. Among their responsibilities, coordinators interact with area law enforcement to reduce child exploitation. In addition to interviewing coordinators in the six selected districts, we interviewed AUSAs from a seventh district, selected to reflect geographic range. [17] Within DOJ's Criminal Division, CEOS attorneys prosecute federal child exploitation offenses, including child pornography crimes, and provide prosecutorial guidance to federal law enforcement agencies, among other things. [18] See Circular No. A-11 Preparation, Submission, and Execution of the Budget (July 2010); Circular No. A-94 Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs (October 1992); and Circular A-4 Regulatory Analysis (September 2003). [19] We briefed the reporting committees in October 2010 to meet time frames specified in the Act. [20] See 42 U.S.C. § 5773(b)(1). [21] See Pub. L. No. 110-401, § 501(a) (codified at 18 U.S.C. § 2258A). Before the passage of the PROTECT Our Children Act of 2008, ESPs were required to report instances of apparent child pornography to the CyberTipline under 42 U.S.C. § 13032(b), which provided for civil penalties for failure to report. [22] NCMEC maintains a secure Web page available specifically for registered ESPs as well as a Web page available for the general public, both of which allow for reports to be made to the CyberTipline. According to NCMEC officials, ESPs can also submit child pornography-related tips to the general public's Web page, in which case NCMEC contacts the ESP to register them so that future tips can be submitted to the ESP secure Web page. [23] The number of reports submitted to the CyberTipline does not equate to the actual number of incidents of apparent child pornography being reported because, for example, different individuals may have reported the same incident to an ESP and each of these reports is recorded separately. [24] This working group includes participants from the FBI, CEOS, ICE, USPIS, five ICAC task forces, the Executive Office for United States Attorneys, the Department of Defense, and USSS. [25] The six subcommittees are Technical Assistance, Global Outreach, Community Outreach, Research and Grant Planning, Training, and Law Enforcement Collaboration. [26] In general, a portal is a Web site that serves as a starting point to other destinations or activities and provides information from different sources in a unified way. Hash values, also known as digital fingerprints, are computational values that serve as unique identifiers for electronic files, such as images, documents, or storage media such as hard drives. [27] Pub. L. No. 110-401, § 401. [28] Id. § 502(a). [29] Id. § 501(a) (codified at 18 U.S.C. § 2258A(d)). [30] Id. [31] Project Management Institute, The Standard for Program Management © (2006). [32] 42 U.S.C. § 5773(b)(1)(P). [33] Pub. L. No. 110-401, § 501(a) (codified at 18 U.S.C. § 2258A(a)(1),(f)). [34] According to NCMEC officials, there is no way to know how many, or which, ESPs do not report because there is no known source or list of all existing ESPs. Officials also stated that those ESPs that do not report may not have apparent child pornography on their networks to report. [35] Officials could report having more than one concern. [36] Pub. L. No. 110-401, § 501(a) (codified at 18 U.S.C. § 2258B(a)). Under the Act, ESPs are required to preserve information reported to the CyberTipline for 90 days. § 2258A(h). [37] Prior to developing the guide, NCMEC provided information to ESPs about their legal obligations to report to NCMEC under the Act and, according to NCMEC officials, plans to continue such action. For example, NCMEC officials attended conferences twice a year where they provided ESPs with information about its CyberTipline and answered ESPs' questions. Officials said that NCMEC also answers ESPs' questions about making reports to the CyberTipline through phone calls and e-mails. [38] The CyberTipline Safeguard Program provides training and consultation to NCMEC staff members exposed to harmful content (i.e., child sexual abuse images). The goal of the program is to minimize potential harm as a result of viewing objectionable material on a daily basis. This goal is accomplished through the use of in-house social workers and regular visits by a consulting, private psychologist. ESPs that express interest in developing their own wellness programs may contact NCMEC to discuss how to develop a similar program for their employees. [39] Because the guide was new, we did not solicit ESPs' opinions about it. Instead, we compared the contents of the guide to the concerns ESPs identified to determine the extent to which the guide provided information that could help to address these concerns. [40] See, e.g., U.S. v. Richardson, 607 F.3d 357 (4th Cir. 2010) (holding that AOL was not acting as a government agent subject to the requirements of the Fourth Amendment when it searched defendant's e- mail and subsequently reported child pornography it found to NCMEC in conformance with requirements now codified at 18 U.S.C. § 2258A). [41] 42 U.S.C. § 5773(b)(1)(P). [42] The PROTECT Our Children Act of 2008 requires ESPs to report any facts and circumstances from which there is an apparent child pornography violation. However, the facts and circumstances that an ESP possesses or includes in its report may vary. [43] The other seven reporting categories are: online enticement of children for sexual acts, child prostitution, sex tourism involving children, extrafamilial child sexual molestation, unsolicited obscene material sent to a child, misleading domain names, and misleading words or digital images on the Internet. [44] NCMEC assigns a priority level to every CyberTipline report received. CyberTipline reports that indicate a child is in imminent danger, such as online enticement, are priority 1. Reports of child pornography from registered ESPs that are made to the registered ESP reporting Web page are designated priority 4. This priority level indicates that the report may contain illegal content. [45] The other 16 reclassified incident types are: child pornography (not Internet-related); child pornography (unconfirmed); child pornography (unconfirmed - international); child prostitution; child sex tourism; child sexual molestation; child trafficking (nonsexual exploitation); cyberbullying; online enticement - pretravel; online enticement - travel; other type of incident; appears adult; not enough info/dummy record; SPAM; unable to access; and ESP test report. [46] Jurisdictional information may include address, zip codes, IP addresses, state, or cell phone numbers. According to NCMEC officials, analysts conduct open-source, online searches in an attempt to determine possible jurisdiction or corroborate information in the initial CyberTipline report. [47] Virtual private networks allow NCMEC to disseminate CyberTipline reports to ICAC task forces through secure encrypted connections. [48] Federal law enforcement has the authority to obtain jurisdictional information through the legal process, such as by serving a subpoena. Therefore, according to NCMEC officials, federal law enforcement liaisons are the appropriate recipients of CyberTipline reports in which no jurisdiction was determined by NCMEC because they are sometimes able to determine a jurisdiction based on other information in the report when they serve a subpoena to an ESP to obtain the suspect's location because they can use such legal process to obtain additional information. [49] An official from the eighth task force stated that the ICAC received about 10 to 15 percent of its leads from the CyberTipline but generally relied on undercover investigations for its leads. [50] The number of reports provided by NCMEC to law enforcement agencies does not equate to the actual number of incidents of apparent child pornography being reported because, for example, different individuals may have reported the same incident to an ESP and each of these reports is recorded separately. [51] Officials from one ICAC task force stated that they found all information valuable and officials from one ICAC task force did not provide information on usefulness. [52] This form also contains five other questions related to case status. [53] GAO, Anti-Money Laundering: Improved Communication Could Enhance the Support FinCEN provides to Law Enforcement, [hyperlink, http://www.gao.gov/products/GAO-10-141] (Washington, D.C.: Dec. 14, 2009); GAO, Juvenile Justice: DOJ is Enhancing Information on Effective Programs, but Could Better Assess the Utility of This Information, [hyperlink, http://www.gao.gov/products/GAO-10-125] (Washington, D.C., December 2009); Performance Budgeting: PART Focuses Attention on Program Performance, but More Can Be Done to Engage Congress, [hyperlink, http://www.gao.gov/products/GAO-06-28] (Washington, D.C., October 2005); Transportation Research: Opportunities for Improving the Oversight of DOT's Research Programs and User Satisfaction with Transportation Statistics, [hyperlink, http://www.gao.gov/products/GAO-06-917] (Washington, D.C.: Aug.15, 2006). [54] [hyperlink, http://www.gao.gov/products/GAO-06-917]. [55] In 6 of the 28 interviews, officials indicated that they had not pursued the same target as another agency. [56] NCMEC produces a monthly deconfliction report that provides information on the status of CyberTipline reports referred to ICAC task forces. FBI, ICE and USPIS liaisons located at NCMEC provide information and research to investigators in the field. [57] Because we asked officials about deconfliction mechanisms and other efforts in place to avoid duplication of effort among law enforcement agencies in general, not all officials provided information on the use of specific types of deconfliction mechanisms. [58] Peer-to-peer file sharing programs are Internet applications operating over peer-to-peer networks that enable direct communication between users. [59] SafetyNet is an integrated records management system for law enforcement agencies that provides reporting and analysis capabilities to assist with crime prevention, investigation, and incident analysis. The National Crime Information Center is a computerized index of criminal justice information maintained by the FBI and made available to federal, state, and local law enforcement and other criminal justice agencies nationwide. Its files contain among other items, criminal record history information and information on fugitives, stolen property, and missing persons. [60] GAO, Information Technology, Opportunities Exist to Improve Management of DOD's Electronic Health Records Initiative, [hyperlink, http://www.gao.gov/products/GAO-11-50], (Washington D.C.: October 2010), 25. [61] Pub. L. No. 111-5, 123 Stat. 115, 130 (2009). ARRA provides DOJ with funding for grants to assist state, local, and tribal law enforcement to combat Internet crimes against children, among other things. ARRA funding was available for obligation until the end of fiscal year 2010. [62] The Massachusetts State Police partnered with Fox Valley Technical College, University of Massachusetts, and University of New Hampshire Crimes Against Children Research Center. [63] The ICAC task forces use multiple investigative tools. [64] Forensic analysis of digital evidence can be conducted on different types of media, such as global positioning system devices, memory cards, or compact discs, and can be conducted by federal, state, and local law enforcement agencies in support of a variety of investigations, such as online child pornography crime and identity theft. [65] Currently, no governmentwide standards or criteria exist for federal law enforcement for how to calculate the timeliness of forensic analysis or backlogs in analysis, and various law enforcement agencies have developed their own measures to calculate and track timeliness and backlogs. For example, the FBI categorizes a request for forensic examination of digital evidence as being in backlog status if: (1) after being submitted for examination, more than 30 days have passed without a lead examiner being assigned, or (2) a request has been assigned to an examiner and more than 60 days have passed without the examination being completed. ICE defines a request for forensic analysis as being in backlog if action is not taken on digital media upon arrival. For the purposes of this report, the term backlog refers, in general, to any delay in forensic analysis. [66] The National Academy of Sciences is a federally sponsored entity chartered to investigate, examine, experiment, and report on any subject of science and provide advice on the scientific and technological issues that pervade policy decisions. [67] The report also stated that backlogs in forensic analysis can result in prolonged incarceration for innocent persons wrongly charged and awaiting trial. National Research Council of the National Academies. "Strengthening Forensic Science in the United States, a Path Forward." (The National Academy Press, Washington, D.C.: 2009). [68] The FBI has partnered with other federal, state, and local law enforcement agencies to establish 14 Regional Computer Forensic Laboratories to examine digital evidence in support of criminal investigations in areas such as child pornography, terrorism, financial crimes, and fraud. According to FBI officials, 2 additional laboratories in Los Angeles and New Mexico are to begin operations in 2011. These laboratories are staffed by federal, state, and local law enforcement agency personnel who are trained and certified by the FBI to collect and examine digital evidence pursuant to FBI requirements. [69] According to FBI officials, this increase is due to increasing amounts of data related to several types of crimes, including fraud and identity theft, as well as online child pornography crime. However, they added that online child pornography and other child exploitation matters take up about 40 percent of the FBI's digital forensics examination, and may constitute a higher percentage at some Regional Computer Forensic Laboratories. [70] The officials stated, for example, that if an online child pornography suspect were a teacher or was on the sex offender registry, a thorough review of all of the material on that suspect's computer would be called for because the individual would routinely have access to children or may have already abused children. Alternatively, these FBI officials stated, reviews of hard drives belonging to suspects with no access to children and no previous history of child exploitation crime might not need as full a review. [71] Any alternation of these electronic files changes the values. Once digital forensic analysis is completed, verifying that the digital fingerprint of the copied evidence still matches that of the original digital evidence mathematically demonstrates that the evidence has not been altered during the process. [72] DOJ officials noted that many agencies conduct on-scene forensics, but do so only after applying a "write-blocker," which is a software tool that allows forensic analysts to examine a suspect's computer hard drives or other digital media without altering data on that media to ensure that data are not added to the suspect's storage media. The "write-blocker" is another step taken to ensure the integrity of the forensic analysis. [73] The Computer Analysis Response Team, as well as the Regional Computer Forensic Laboratories, provides assistance to FBI field offices in the search and seizure of computer evidence, as well as forensic examinations and technical support for FBI investigations. [74] CEOS officials stated that they do not require forensic analysts to record search activities; however, they may do so at their own discretion. Additionally, USSS labs conduct peer reviews of forensic reports before they are released. [75] Pub. L. No. 110-401, § 101(c)(10)-(11). [76] In addition to the subcommittee's efforts, federal law enforcement agencies have reported taking steps to address backlogs. For example, USSS officials stated that the agency has sent teams of examiners to field locations to address backlogs in specific offices. The FBI has developed kiosks that allow agents to review evidence in a forensically sound manner without sending evidence to a forensics lab for analysis. [77] See Circular No. A-94 Guidelines and Discount Rates for Benefit- Cost Analysis of Federal Programs (October 1992). [78] The Working Group includes members from FBI, CEOS, ICE, USPIS, five ICAC task forces, the Executive Office for United States Attorneys, Department of Defense, and USSS. [79] OSTWG was established by the Protecting Children in the 21ST Century Act to evaluate the data retention practices of ESPs, among other things. Pub. L. No. 110-385 § 214, 122 Stat. 4096, 4103-04 (2008). [80] As noted earlier in the report, an exception to this general rule is that ESPs are automatically required to preserve the contents of any report to NCMEC's CyberTipline, as well as any commingled images or data, for 90 days. 18 U.S.C. § 2258A(h). In addition, law enforcement may direct an ESP to preserve existing records or other evidence for a renewable period of 90 days. 18 U.S.C. § 2703(f). [81] Statement of Jason Weinstein, Deputy Assistant Attorney General, Criminal Division. Hearing on "Data Retention as a Tool for Investigating Internet Child Pornography and Other Internet Crimes," before the U.S. House of Representatives, Committee on the Judiciary, Subcommittee on Crime, Terrorism, and Homeland Security, January 25, 2011. [82] Statement of Kate Dean, United States Internet Service Provider Association. Hearing on "Data Retention as a Tool for Investigating Internet Child Pornography and Other Internet Crimes," before the U.S. House of Representatives, Committee on the Judiciary, Subcommittee on Crime, Terrorism, and Homeland Security, January 25, 2011. [83] Statement of John B. Morris, Jr., Center for Democracy and Technology. Hearing on "Data Retention as a Tool for Investigating Internet Child Pornography and Other Internet Crimes," before the House Committee on the Judiciary, Subcommittee on Crime, Terrorism and Homeland Security, January 25, 2011. The Center for Democracy and Technology is a nonprofit public interest organization dedicated to keeping the Internet open, innovative, and free. [84] DOJ's National Coordinator stated that DOJ has not taken a position regarding the need for data retention requirements. The International Association of Chiefs of Police passed a resolution in 2006 calling for the development of appropriate but uniform data retention requirements for ESPs to require, among other things, the retention of customer subscriber information for a minimum specified period of time so that it will be available to the law enforcement community. [85] See 18 U.S.C. § 2703(c)(2). Law enforcement can also request that the ESP preserve stored records and communications for a period of 90 days, which is renewable upon request. 18 U.S.C. § 2703(f). [86] Two ESPs opted to not provide information on their data retention policies. [87] Officials from two ICACs did not provide information about how often they were able to obtain information from ESPs. [88] Pursuant to the Providing Resources, Officers, and Technology To Eradicate Cyber Threats to Our Children Act of 2008 (PROTECT our Children Act of 2008), "child exploitation" generally consists of conduct involving a minor that violates specific criminal provisions of the U.S. Code, or any sexual activity involving a minor for which a person can be charged with a criminal offense. Pub. L. No. 110-401, § 2, 122 Stat. 4229, 4230. Some of these criminal provisions include, for example, causing a minor to engage in a sex act by force; transporting an individual for purposes of prostitution or other criminal sexual activity; or mailing, receiving, and distributing child pornography. Child pornography has a more specific definition under 18 U.S.C. § 2256, and generally consists of any visual depiction, the production of which involves the use of a minor engaging in sexually explicit conduct or that involves a minor engaging in sexually explicit conduct. [89] Pub. L. No. 107-56, 115 Stat. 272, 277 (2001). [90] Pub. L. No. 110-401, 122 Stat. 4229. [91] Pub. L. No. 110-401, § 105, 122 Stat. 4229, 4236 (2008). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: