This is the accessible text file for GAO report number GAO-11-334 
entitled 'Combating Child Pornography: Steps Are Needed to Ensure That 
Tips to Law Enforcement Are Useful and Forensic Examinations Are Cost 
Effective' which was released on April 1, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to Congressional Committees: 

March 2011: 

Combating Child Pornography: 

Steps Are Needed to Ensure That Tips to Law Enforcement Are Useful and 
Forensic Examinations Are Cost Effective: 

GAO-11-334: 

GAO Highlights: 

Highlights of GAO-11-334, a report to congressional committees. 

Why GAO Did This Study: 

The Department of Justice (DOJ) reports that online child pornography 
crime has increased. DOJ funds the National Center for Missing and 
Exploited Children (NCMEC), which maintains the CyberTipline to 
receive child pornography tips. The Providing Resources, Officers, and 
Technology To Eradicate Cyber Threats to Our Children Act of 2008 (the 
Act) contains provisions to facilitate these investigations and create 
a national strategy to prevent, among other things, child pornography. 
The Act directed GAO to report on actions to minimize duplication and 
enhance federal expenditures to address this crime. This report 
examines (1) the extent to which NCMEC determines the usefulness of 
tips; (2) mechanisms to help law enforcement coordination (i.e., 
deconfliction); and (3) the extent to which agencies are addressing 
factors that federal law enforcement reports may inhibit 
investigations. GAO analyzed the Act and spoke to law enforcement 
officials who investigate these crimes, selected to reflect geographic 
range, among other things. Although these interviews cannot be 
generalized, they provided insight into investigations. 

What GAO Found: 

NCMEC takes steps to obtain feedback from law enforcement on the 
usefulness of CyberTipline reports; however, it does not 
systematically collect information on how useful individual reports 
are for initiating and advancing investigations or about information 
gaps that limit reports’ usefulness. For instance, NCMEC solicits 
feedback via e-mail or in person quarterly from federal law 
enforcement liaisons at NCMEC about the overall usefulness of 
CyberTipline reports. However, according to many law enforcement 
officials GAO contacted, information in a CyberTipline report may not 
contain an image of apparent child pornography or may contain old 
data. NCMEC officials said that they are interested in obtaining 
additional feedback to enhance the usefulness of its reports and could 
explore additional methods to gather such information, such as 
creating a systematic process for obtaining feedback from federal law 
enforcement. Enhancing its processes for collecting feedback on the 
usefulness of CyberTipline reports could help NCMEC ensure that 
reports are as useful as possible to law enforcement. 

Existing deconfliction mechanisms generally prevent pursuit of the 
same suspects but are fragmented; DOJ is in the early stages of 
developing a system to address this fragmentation. Many law 
enforcement officials GAO contacted reported using various 
nonautomated (e.g., task forces) and automated (e.g., investigative 
systems) mechanisms to avoid duplication of effort in investigations. 
But these officials reported that there is not a single automated 
system that provides comprehensive case information and deconfliction, 
which can contribute to difficulties coordinating investigations. As 
mandated in the Act, DOJ is developing a national system to, among 
other things, provide law enforcement with a single deconfliction 
tool. Specifically, DOJ is conducting a needs assessment—which it 
plans to complete in 12 to 24 months—to use as a basis for system 
development. However, because DOJ is waiting on the results of the 
needs assessment to begin system development, it may be several years 
before the system is operational. 

Backlogs in the forensic analysis of digital evidence can delay or 
hinder online child pornography investigations; assessing the costs 
and benefits of taking extra steps to ensure the integrity of forensic 
analysis could help determine if there are efficiencies that could 
reduce backlogs. Forensic analysis of digital evidence consists of the 
review of information from digital media, such as hard drives, and can 
prove online child pornography crime. Several factors may contribute 
to backlogs in forensic analysis, including the steps federal law 
enforcement agencies believe enhance the integrity of analysis, such 
as making exact copies of digital evidence to discourage tampering. 
The FBI takes additional steps it believes enhance integrity, such as 
separating the forensic examination from the investigation. However, 
some federal officials and prosecutors GAO spoke with differed on the 
need for such steps. According to DOJ, the national strategy’s working 
group is in a good position to address backlog issues and having this 
group assess the costs and benefits of steps taken to ensure the 
integrity of forensic analysis could help it determine potential 
efficiencies that could reduce backlogs. 

What GAO Recommends: 

GAO recommends that NCMEC enhance its processes to collect feedback to 
improve tips and that DOJ assess the costs and benefits of steps 
agencies take to ensure the integrity of forensic analysis. NCMEC and 
DOJ generally concurred with our recommendations and discussed actions 
to address them. 

View [hyperlink, http://www.gao.gov/products/GAO-11-334] or key 
components. For more information, contact Eileen Larence at (202) 512-
8777 or larencee@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

DOJ Has To Take Action on Three Remaining Responsibilities under the 
Act: 

NCMEC Provided ESPs Reporting Guidance and Online Detection 
Information: 

Expanding Feedback from Law Enforcement Could Help Improve the 
Usefulness of CyberTipline Reports and Better Address Increasing 
Number of Reports: 

Existing Deconfliction Mechanisms, While Fragmented, Generally Prevent 
Pursuit of the Same Suspects; 

DOJ Is Starting to Develop a National System: 

Backlogs in Forensic Analysis of Digital Evidence and Length of Time 
ESPs Retain User Data Can Hinder Investigations: 

Conclusions: 

Recommendations: 

Agency Comments, Third Party Views, and Our Evaluation: 

Appendix I: Key Federal Agencies Involved in Combating Online Child 
Pornography: 

Appendix II: Status of Efforts of DOJ and NCMEC's CyberTipline to 
Implement Provisions of the PROTECT Our Children Act of 2008: 

Appendix III: Overview of NIDS Components and System Functions 
Outlined by the PROTECT Our Children Act of 2008: 

Appendix IV: Comments from the Department of Justice: 

Appendix V: Comments from the National Center for Missing and 
Exploited Children: 

Appendix VI: GAO Contact and Acknowledgments: 

Tables: 

Table 1: Federal Agencies Involved in Combating Child Pornography: 

Table 2: Overview of Process Different Federal Agencies with Liaisons 
at NCMEC Use to Review and Forward CyberTipline Reports for 
Investigation: 

Table 3: FBI Personnel Dedicated to Combating Child Exploitation: 

Table 4: FBI Resources Obligated for Combating Child Exploitation: 

Table 5: Number of FBI Child Pornography Investigations and Arrests: 

Table 6: CEOS Personnel Dedicated for Combating Child Exploitation and 
Obscenity Offenses: 

Table 7: CEOS Funds Obligated for Combating Federal Child Exploitation 
and Obscenity Offenses: 

Table 8: Number of ICAC Task Force Child Exploitation Cases 
Investigated and Arrests: 

Table 9: ICE Personnel Dedicated for Combating Child Exploitation: 

Table 10: ICE Resources Obligated for Combating Child Exploitation: 

Table 11: Number of Child Pornography Cases Initiated and Arrests by 
ICE Agents: 

Table 12: Number of USSS Investigations and Arrests Related to Child 
Pornography: 

Table 13: Full Time and Part Time Postal Inspectors Assigned to Child 
Exploitation Investigations: 

Table 14: Postal Inspection Service Investigations and Arrests Related 
to Child Exploitation and Child Pornography: 

Table 15: Status of Efforts of the Attorney General and NCMEC's 
CyberTipline to Implement Their Responsibilities under the PROTECT Our 
Children Act of 2008: 

Table 16: Information on the NIDS Components Required by and Functions 
Described in the PROTECT Our Children Act of 2008: 

Figures: 

Figure 1: Number of Arrests by ICAC Task Forces and Federal Law 
Enforcement Agencies Involved in Online Child Exploitation and Child 
Pornography Investigations from Fiscal Years 2006 through 2010: 

Figure 2: Overview of NCMEC Process for Receiving and Disseminating 
CyberTipline Reports: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

March 31, 2011: 

The Honorable Patrick J. Leahy: 
Chairman: 
The Honorable Charles E. Grassley: 
Ranking Member: 
Committee on the Judiciary: 
United States Senate: 

The Honorable Lamar S. Smith: 
Chairman: 
The Honorable John Conyers, Jr. 
Ranking Member: 
Committee on the Judiciary: 
House of Representatives: 

The Internet, while changing the way our society communicates, has 
also changed the nature of many crimes, including online child 
pornography. According to the Department of Justice's (DOJ) National 
Strategy for Child Exploitation Prevention and Interdiction (National 
Strategy), the numbers of child pornography images traded on the 
Internet, child pornography offenders, and children victimized by 
child pornography have dramatically increased.[Footnote 1] For 
example, Internet Crimes Against Children (ICAC) task forces reported 
an increase of about 150 percent in the number of arrests for child 
pornography-related offenses, from about 2,100 in fiscal year 2006 to 
about 5,300 in fiscal year 2010.[Footnote 2] Similarly, since fiscal 
year 2006, the number of defendants prosecuted by U.S. Attorneys' 
Offices for child exploitation crime, including online child 
pornography, increased by 35 percent, with 2,250 indictments against 
2,367 defendants filed in fiscal year 2010.[Footnote 3] These crimes 
carry severe penalties. For example, for the first offense, possessing 
child pornography may result in imprisonment of up to 10 years; 
receiving, selling, or distributing child pornography may result in 
imprisonment of at least 5 years and up to 20 years; and producing 
child pornography may result in imprisonment of at least 15 years and 
up to 30 years.[Footnote 4] Further, the offenders who commit child 
pornography crimes often pose a physical threat to children. According 
to DOJ's National Strategy, analysis of federally prosecuted child 
pornography cases indicates contact offenses against children, such as 
the sexual abuse of a minor, were discovered in approximately one-
third of all cases. 

Digital cameras and computers have made it easier for offenders to 
produce and distribute child pornography because they can bypass print 
shops and upload photos from their cameras directly to the Internet. 
In addition, the increased sophistication of offenders in the 
production and distribution of child pornography and the use of 
advanced technologies to avoid detection has made it more difficult 
for law enforcement to detect their activities and identify suspects 
who attempt to hide their identifying information. 

In response to the increase in online child pornography crime, 
multiple federal law enforcement agencies have developed specialized 
units to address crimes against children, and Congress has passed 
legislation requiring greater coordination on, and authorizing an 
increase in resources available to address, these crimes. For example, 
due to the increase in the number of investigations that involved sex 
offenders using computers to share pornographic images of minors, in 
1995 the Federal Bureau of Investigation (FBI) developed the Innocent 
Images National Initiative (Innocent Images), which teams FBI agents 
and local police in task forces to conduct undercover investigations 
of suspected offenders. Similarly, Immigration and Customs Enforcement 
(ICE), which enforces trans-border violations of federal child 
exploitation statutes and works to, among other things, prevent the 
introduction of prohibited contraband, such as child pornography, into 
the United States, initiated its Cyber Crimes Center in 1997. Finally, 
the United States Postal Inspection Service (USPIS) has 45 specially 
trained inspectors located in its field divisions who investigate 
crimes related to the exploitation of children and have jurisdiction 
over these types of crimes that involve the mail. To assist these law 
enforcement efforts, DOJ's Office of Juvenile Justice and Delinquency 
Prevention (OJJDP) allocates funds to the National Center for Missing 
and Exploited Children (NCMEC), which serves as a national resource 
center for information related to crimes against children.[Footnote 5] 
The center also maintains the CyberTipline to receive tips on child 
pornography from electronic service providers (ESP) and members of the 
general public.[Footnote 6] In addition to federal efforts to address 
these crimes, state and local law enforcement agencies generally 
enforce child pornography laws within their own jurisdictions and may 
work collaboratively with federal agencies through federal task forces 
to combat child pornography. 

More recently, Congress passed the Providing Resources, Officers, and 
Technology To Eradicate Cyber Threats to Our Children Act of 2008 
(PROTECT Our Children Act of 2008, or the Act) which requires, among 
other things, that the Attorney General create and implement a 
National Strategy for Child Exploitation Prevention and 
Interdiction.[Footnote 7] The National Strategy, published in August 
2010, has the goal of preventing child sexual exploitation from 
occurring. The Act also requires that ESPs report to NCMEC any 
instances of apparent child pornography that they become aware of on 
their networks. In addition, the Act requires the Attorney General to 
establish a National Internet Crimes Against Children Data System 
(NIDS) to serve as, among other things, a platform to conduct 
undercover investigations of child exploitation crime and a 
centralized system for deconfliction for federal, state, and local law 
enforcement.[Footnote 8] 

The Act also directs us to report on, among other things, the efforts 
of the Attorney General and NCMEC's CyberTipline in carrying out their 
responsibilities under the Act. In addition, it directs us to report 
on actions taken to minimize duplication and enhance the expenditure 
of federal resources in enforcing, investigating, and prosecuting 
child pornography crimes. Specifically, this report addresses the 
following questions: 

* To what extent have DOJ and the CyberTipline implemented their 
responsibilities under the Act? 

* What information does NCMEC provide to ESPs to facilitate reporting 
of apparent online child pornography to the CyberTipline? 

* To what extent does NCMEC have mechanisms in place to help determine 
how useful law enforcement agencies find the CyberTipline incident 
information and services that it provides for initiating online child 
pornography investigations? 

* What deconfliction mechanisms exist that help prevent law 
enforcement agencies from pursuing the same suspected online child 
pornography offenders or interfering with each other's investigations, 
and to what extent, if any, could these mechanisms be improved? 

* What factors, if any, did federal law enforcement agencies report as 
limiting their ability to investigate and prosecute suspected online 
child pornography offenders, and to what extent are agencies 
addressing these factors? 

For all objectives, we analyzed the Act, which outlines requirements 
for DOJ, NCMEC, and ESPs, and the National Strategy, which, among 
other things, describes information on threats to children and reviews 
law enforcement coordination efforts and federal forensic analysis 
programs. We also analyzed data from fiscal year 2006 through fiscal 
year 2010 on the number of investigations and arrests by federal law 
enforcement agencies and ICAC task forces to assess trends in child 
exploitation and child pornography cases.[Footnote 9] To assess the 
extent to which DOJ and NCMEC have implemented their responsibilities 
under the Act, we interviewed DOJ's National Coordinator for Child 
Exploitation Prevention and Interdiction, the senior official 
responsible for coordinating the development of the National Strategy, 
and NCMEC officials to discuss efforts to implement the Act's 
provisions. We compared these efforts with criteria in standard 
practices for program management.[Footnote 10] 

To identify the information NCMEC provides to ESPs to facilitate 
reporting of apparent online child pornography, we assessed 
documentation NCMEC provides to ESPs, such as its guide for reporting 
to the CyberTipline, and interviewed officials from NCMEC. To obtain 
information on any concerns ESPs had about reporting to the 
CyberTipline, we interviewed officials from a nonprobability sample of 
19 ESPs, which we selected from among the 620 ESPs that had registered 
with NCMEC as of April 2010.[Footnote 11] We selected these 19 ESPs to 
reflect a range of geographic locations, types of service provided, 
number of tips submitted to the CyberTipline, and number of child 
pornography investigations referred to and accepted for prosecution in 
the judicial district in which the ESP was located. Their comments 
cannot be generalized to all ESPs; however, the interviews provided 
perspectives from ESPs about reporting to the CyberTipline. We also 
interviewed officials from three civil liberties organizations--the 
American Civil Liberties Union, the Electronic Frontier Foundation, 
and the Center for Democracy and Technology--to obtain information 
about privacy concerns expressed by Internet consumers in response to 
ESPs' reporting activities.[Footnote 12] 

To assess the extent to which NCMEC has mechanisms in place to help 
determine how useful law enforcement agencies find CyberTipline 
information, we reviewed relevant documentation, such as NCMEC's 
feedback forms and training briefings about the CyberTipline. To 
determine trends in the use of the CyberTipline, we analyzed data on 
the number of reports submitted by ESPs and the general public and the 
number of these reports NCMEC made available to law enforcement from 
January 1, 2008, through December 31, 2010.[Footnote 13] We also 
interviewed the three federal law enforcement liaisons from the FBI, 
ICE, and USPIS located at NCMEC and officials from 8 of the 61 ICAC 
task forces about the usefulness of the CyberTipline reports and the 
services NCMEC provided. Specifically, we interviewed officials from 
ICAC task forces located in six federal judicial districts, which we 
selected to obtain geographic representation and based on the number 
of child pornography investigations referred to and accepted by U.S. 
Attorneys' Offices for prosecution.[Footnote 14] While the information 
obtained from these interviews cannot be generalized to all ICAC task 
forces or their members, the interviews provided a range of 
perspectives about how useful NCMEC's information and services were 
for initiating investigations. We compared the mechanisms NCMEC has in 
place with best practices articulated in our prior reports 
highlighting the importance of soliciting input from users and 
assessing whether the information disseminated is meeting users' 
needs.[Footnote 15] 

To determine what mechanisms prevent law enforcement agencies from 
pursuing the same offenders or interfering with each others' 
investigations, we assessed information on tools available to 
facilitate coordination and deconfliction, such as the ICAC Data 
Network Toolkit Manual, as well as memoranda of understanding between 
DOJ and agencies participating in the ICAC Task Force Program. We also 
reviewed OJJDP's fiscal years 2009 and 2010 grant solicitations for 
the NIDS project, the proposal for its development, and grant manuals, 
which outlined the agency's approach for system development. To 
discuss available mechanisms, we interviewed law enforcement officials 
who investigate child pornography offenders in the six judicial 
districts we selected. Specifically, we held 20 interviews with law 
enforcement officials from FBI, ICE, United States Secret Service 
(USSS), and USPIS; 8 interviews with officials from ICAC task forces; 
and 7 interviews with Assistant United States Attorneys (AUSA) who 
serve as coordinators for the Project Safe Childhood Initiative. 
[Footnote 16] The information obtained from these interviews is not 
generalizeable to law enforcement officials or agencies in all 
judicial districts. However, it provided examples and perspectives 
about law enforcement's efforts to coordinate investigations and use 
deconfliction mechanisms. 

To determine factors, if any, federal law enforcement agencies 
identified that limited their ability to investigate and prosecute 
suspected online child pornography offenders and to what extent 
agencies are addressing these factors, we included questions on this 
topic in our interviews with law enforcement officials from FBI, ICE, 
USSS, USPIS, and AUSAs. We also toured FBI, ICE, and USPIS digital 
forensic laboratories to observe their forensic processes. In 
addition, we interviewed prosecutors from the Child Exploitation and 
Obscenity Section (CEOS) who work directly with digital forensic 
examiners assigned to CEOS's High Technology Investigative Unit, which 
is collocated with CEOS prosecutors, to support investigations and 
prosecutions; officials from FBI's Innocent Images and Digital 
Evidence Section, which oversees forensic analysis of digital 
evidence; officials from ICE's Cyber Crimes Center; and officials from 
USPIS's Digital Evidence Unit, which is responsible for forensic 
analysis practices, on how these agencies are addressing the factors 
identified.[Footnote 17] We compared these efforts to guidance 
outlined by the Office of Management and Budget (OMB) for considering 
alternative means of achieving program objectives.[Footnote 18] 

We conducted this performance audit from September 2009 through March 
2011 in accordance with generally accepted government auditing 
standards.[Footnote 19] Those standards require that we plan and 
perform the audit to obtain sufficient, appropriate evidence to 
provide a reasonable basis for our findings and conclusions based on 
our audit objectives. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based on our audit 
objectives. 

Background: 

National Center for Missing and Exploited Children (NCMEC) and the 
CyberTipline: 

NCMEC is a private, nonprofit organization that serves as the nation's 
resource center for child protection. NCMEC's mission is to assist in 
the location and recovery of missing children and to prevent the 
abduction, molestation, sexual exploitation, and victimization of 
children. NCMEC is congressionally authorized to carry out certain 
tasks with grant funding it receives through a cooperative agreement 
with OJJDP.[Footnote 20] According to NCMEC, for calendar year 2009, 
NCMEC received about 77 percent of its funding from federal sources, 
with the remainder coming from other revenue and support, such as 
corporate and private donations. From fiscal years 2008 through 2010, 
NCMEC operated the CyberTipline at a cost of about $7.6 million, an 
average of $2.5 million per year excluding support by computer 
programmers. 

In support of its mission and consistent with the Missing Children's 
Assistance Act, NCMEC maintains a 24-hour, toll-free telephone tipline 
for leads from individuals reporting the sexual exploitation of 
children and information on the possession, manufacture, or 
distribution of child pornography. NCMEC also coordinates public and 
private programs to locate missing children; offers technical 
assistance, training, and consultation to law enforcement agencies; 
and has developed specialized training programs and materials for law 
enforcement personnel. 

NCMEC also maintains the CyberTipline to receive tips on child 
pornography from ESPs, which are required under the Act to report to 
NCMEC any instances when they become aware of apparent child 
pornography on their networks, as well as from the general public. 
[Footnote 21] ESPs that have registered with NCMEC can provide reports 
to the CyberTipline through a secure reporting form.[Footnote 22] 
NCMEC reported that as of December 31, 2010, 738 ESPs had registered 
out of an estimated 5,000 ESPs. According to NCMEC officials, it is 
difficult to identify the total number of ESPs or those that have not 
registered with NCMEC because there is no single source or list of the 
universe of ESPs. Based on our discussions with ESPs, they vary by 
types of services provided, ranging from access points to the 
Internet, search engines, and classified advertisements, to social 
networking sites. They may offer paid and free services, and have 
thousands or millions of customers. NCMEC reported that from January 
1, 2008, through December 31, 2010, 194 registered ESPs made about 
248,000 reports to the CyberTipline.[Footnote 23] 

Federal Law Enforcement Agencies Involved in Combating Online Child 
Pornography: 

As shown in table 1, several federal law enforcement agencies are 
involved in, and have specific units devoted to, combating online 
child pornography. 

Table 1: Federal Agencies Involved in Combating Child Pornography: 

Department: DOJ; 
Component: FBI; 
Law enforcement effort: Proactively investigates crimes against 
children. Crimes Against Children Unit coordinators are located in 
each of the 56 field offices. Also has Innocent Images to combat 
Internet-related sexual exploitation of children. 

Department: DOJ; 
Component: CEOS, within the Criminal Division; 
Law enforcement effort: Prosecutes federal child sexual exploitation 
offenses, including child pornography crimes, enticement of children 
for sexually predatory purposes, transportation of offenders or 
children across state lines for sexually predatory purposes, domestic 
sex trafficking of children, and child sex tourism. Provides 
prosecutorial guidance to federal law enforcement agencies and U.S. 
Attorneys' Offices nationwide. Also develops and refines policies, 
legislative proposals, government practices, and agency regulations in 
the areas of sexual exploitation of minors. 

Department: DOJ; 
Component: 94 United States Attorneys' Offices; 
Law enforcement effort: Prosecutes federal child exploitation-related 
cases. 

Department: DOJ; 
Component: OJJDP; 
Law enforcement effort: Allocates funds and administers the ICAC Task 
Force Program, which encourages multijurisdictional and multiagency 
responses to crimes against children involving the Internet. 

Department: Department of Homeland Security (DHS); 
Component: ICE, Cyber Crimes Center; 
Law enforcement effort: Enforces trans-border violations of federal 
child exploitation statutes. Among other things, works to prevent the 
introduction of prohibited merchandise and contraband, such as child 
pornography, into the United States and investigates, interdicts, and 
prosecutes those individuals involved in possession, receipt, 
distribution, advertisement, transportation, and production of child 
pornography. 

Department: Department of Homeland Security (DHS); 
Component: USSS; 
Law enforcement effort: Provides forensic and technical assistance in 
matters involving missing and sexually exploited children. 

Department: U.S. Postal Service; 
Component: USPIS; 
Law enforcement effort: Investigates child pornography and child 
sexual exploitation cases that involve U.S. mail, as well as Internet-
related offenses in cases where mail is involved; The objective of the 
child exploitation program is to reduce and deter the use of the 
postal system for the procurement or delivery of materials that 
promote the sexual exploitation of children. 

Source: GAO analysis of information provided by DOJ, DHS, and USPIS. 

[End of table] 

Appendix I provides additional details on the mission, role, level of 
resources, and numbers of investigations and arrests of these agencies. 

Trends in the Number of Child Exploitation and Pornography 
Investigations: 

In its National Strategy, DOJ reported that the incidence of child 
exploitation, which, among other things, includes possessing, 
distributing, and producing child pornography, has been increasing 
since the 1990s, although the precise number of offenders accessing 
and trading child pornography material online is not known. For 
example, DOJ data show that from fiscal years 2006 through 2010, ICAC 
task forces estimate over an 80 percent increase in the number of 
complaints received from the public related to the possession, 
distribution, and manufacture of child pornography. These task forces 
also reported that arrests for child pornography have increased about 
150 percent during the same period. FBI, ICE, and USSS reported 
increases in arrests of 17 percent, 37 percent, and 69 percent, 
respectively, from fiscal years 2006 through 2010. The USPIS reported 
a 54 percent decline in arrests for child pornography and child 
exploitation involving the U.S. mail. According to officials, this 
decline is, in part, due to the increased availability of child 
pornography through the Internet rather than the mail. Figure 1 shows 
the number of arrests made by ICAC task force investigators and 
federal law enforcement related to online child exploitation and child 
pornography from fiscal years 2006 through 2010. 

Figure 1: Number of Arrests by ICAC Task Forces and Federal Law 
Enforcement Agencies Involved in Online Child Exploitation and Child 
Pornography Investigations from Fiscal Years 2006 through 2010: 

[Refer to PDF for image: multiple line graph] 

Number of law enforcement arrests: 

Fiscal year: 2006; 
FBI: 936; 
ICAC task force: 2,148; 
ICE: 681; 
USPIS: 252; 
USSS: 88. 

Fiscal year: 2007; 
FBI: 1,115; 
ICAC task force: 2,525; 
ICE: 948; 
USPIS: 155; 
USSS: 94. 

Fiscal year: 2008; 
FBI: 1,144; 
ICAC task force: 3,133; 
ICE: 863; 
USPIS: 165; 
USSS: 80. 

Fiscal year: 2009; 
FBI: 1,077; 
ICAC task force: 4,492; 
ICE: 957; 
USPIS: 186; 
USSS: 88. 

Fiscal year: 2010; 
FBI: 1,094; 
ICAC task force: 5,317; 
ICE: 931; 
USPIS: 115; 
USSS: 149. 

Source: GAO analysis of information provided by FBI, ICE, USPIS, USSS, 
and OJJDP. 

Note: Joint investigations between federal law enforcement agencies 
and ICAC task forces may be counted in both ICAC and federal 
investigative data. Although the extent is not known, DOJ officials 
said they believe the overlap is minimal. 

[End of figure] 

DOJ Has To Take Action on Three Remaining Responsibilities under the 
Act: 

The Act, enacted in October of 2008, requires, among other things, 
that the Attorney General create and implement a National Strategy for 
Child Exploitation Prevention and Interdiction and contains provisions 
on the establishment of ICAC task forces. It also calls for the 
designation of a senior official at DOJ responsible for the National 
Strategy--the National Coordinator--who is to act as a liaison with 
other federal entities in the development of the strategy. In January 
2010, DOJ selected a National Coordinator and in August 2010, to 
coincide with the publication of the National Strategy, formed the 
National Strategy Working Group to assist with its implementation. 
[Footnote 24] This Working Group consists of six subcommittees that 
address implementation of specific provisions of the strategy, such as 
examining means to reduce backlogs of forensic analysis or 
coordinating grant funding with DOJ missions.[Footnote 25] The Act 
also establishes in law the ICAC Task Force Program, which is 
dedicated to developing responses to online enticement of children by 
sexual offenders, child exploitation, and child pornography. 
Currently, there are 61 task forces with at least one per state, as 
required by the Act. The Act also authorizes the Attorney General to 
award grants to these task forces, and in fiscal year 2010, OJJDP 
awarded approximately $19 million to state and local law enforcement 
agencies. 

The Act also contains provisions that require NCMEC to, among other 
things, minimize the number of NCMEC employees who are provided access 
to CyberTipline images and forward child pornography related tips to 
law enforcement to further investigations. According to NCMEC 
officials, since the passage of the Act, NCMEC has reduced the number 
of employees with access to CyberTipline images by 21 percent from 72 
to 57 by removing access to images by employees who transfer from the 
NCMEC division that reviews CyberTipline reports to other divisions. 
NCMEC also created a "read only" level of access to the CyberTipline 
for employees whose job responsibilities require them to have access 
to CyberTipline information, but not images. The Act also requires 
NCMEC to provide information that relates to any apparent child 
pornography image of an identified child to federal, state, and local 
law enforcement involved in the investigation of child pornography 
crime. NCMEC has several initiatives underway to provide law 
enforcement such information. For example, according to NCMEC 
officials, it has established a portal that allows law enforcement 
agencies access to NCMEC's systems to quickly identify hash values of 
identified child victims.[Footnote 26] The portal separates out hash 
values of identified child victims from those who have not been 
identified so that law enforcement can quickly match hash values they 
receive during investigations against the database of image 
information. NCMEC officials said that they plan to continue to 
register additional law enforcement officers in 2011. Further 
information on DOJ's and NCMEC's status in implementing provisions of 
the Act is provided in appendix II. 

However, to date, DOJ has yet to take action on three provisions of 
the Act. 

* Specifically, the Act requires the National Institute of Justice 
within DOJ to prepare a report, not later than 1 year after enactment 
(i.e., October 2009), to identify the factors indicating whether the 
subject of an online investigation poses a high risk of harm to 
children.[Footnote 27] According to senior DOJ officials, this report 
has not been initiated because funds have not been appropriated for 
this activity under the Act, and DOJ does not have plans or a time 
frame to conduct such a study. However, according to the National 
Coordinator, an examination of how such a study would be conducted 
would likely be considered by the Working Group as it moves forward. 

* In addition, the Act requires the Attorney General to submit a 
report to the Judiciary Committees, not later than 12 months after 
enactment, on various features of the Act, including an assessment of 
the information-sharing structure established in response to the Act 
and data related to CyberTipline reports.[Footnote 28] According to 
officials, DOJ has not prepared this report and does not yet have a 
time frame for completing it. 

* Finally, the Act requires the Attorney General to designate, in 
consultation with the Secretary of State, foreign law enforcement 
agencies to receive CyberTipline reports from NCMEC, as well as 
specify the conditions under which a report may be forwarded to such 
foreign agencies.[Footnote 29] The Act also requires the Attorney 
General to develop a process for foreign agencies to request 
assistance from federal law enforcement related to NCMEC's reports. 
[Footnote 30] According to the National Coordinator, DOJ has not yet 
designated a list of foreign law enforcement agencies to which 
CyberTipline reports may be forwarded nor established a process for 
these agencies to request DOJ's assistance. Nevertheless, NCMEC 
officials said that the center currently refers CyberTipline reports 
to some foreign law enforcement agencies through ICE attaches, as 
necessary, as we discuss later in this report. DOJ officials said that 
they plan to coordinate with NCMEC to determine how their designation 
would work best with NCMEC's current process, but has no time frames 
for doing so. 

DOJ has taken action to implement many of the provisions in the Act, 
but DOJ has not yet completed three provisions for which it has 
responsibility and has no specific plans or time frames for doing so. 
Standard practices for program and project management state that 
specific desired outcomes or results, such as the implementation of 
these provisions, should be defined and documented in the planning 
process along with the appropriate milestones and time frames needed 
to achieve those results.[Footnote 31] By defining the steps necessary 
to achieve these three provisions along with appropriate time frames 
for completion, DOJ could better ensure that it will comply with the 
law and be able to obtain information that may allow it to better 
protect the public and further investigations. Specifically, 
information on the danger posed by individuals being investigated for 
online child pornography crime could help law enforcement agencies 
allocate investigative resources towards those suspects most likely to 
pose a risk to the public. Similarly, an assessment of the information-
sharing structure and data from the CyberTipline and the designation 
of foreign law enforcement agencies to receive NCMEC reports could 
speed the process of disseminating these reports, which may facilitate 
investigations conducted by these agencies. 

NCMEC Provided ESPs Reporting Guidance and Online Detection 
Information: 

NCMEC Has Developed a Guide to Address ESPs' Concerns about Reporting 
Apparent Online Child Pornography: 

To help ESPs fulfill their responsibilities under law, NCMEC provides 
information to ESPs to address their concerns related to reporting 
apparent online child pornography to NCMEC's CyberTipline. Under the 
Missing Children's Assistance Act, NCMEC is authorized to operate a 
CyberTipline to provide ESPs with an effective means of reporting 
apparent Internet-related child sexual exploitation.[Footnote 32] The 
Act explicitly does not require ESPs to monitor their networks to 
detect apparent child pornography, but it requires ESPs to report the 
facts and circumstances of incidents of apparent child pornography, of 
which they become aware, to the CyberTipline.[Footnote 33] ESPs may 
become aware of apparent child pornography on their networks through 
passive means, such as receiving reports from users, or through active 
means, such as having personnel search for images on their networks or 
by monitoring chat rooms to detect instances when users may be trading 
illegal images. ESPs may also become aware of child pornography 
through technical means, such as using specialized software to detect 
and remove illegal files from their systems. 

Officials we interviewed from 18 of the 19 ESPs expressed concerns 
about making reports of apparent child pornography to the CyberTipline 
in fulfillment of their responsibilities under the Act.[Footnote 34] 
These concerns included:[Footnote 35] 

* Cost: Officials to whom we spoke from 16 of the 19 ESPs expressed 
concerns about the costs associated with reporting or monitoring their 
networks for apparent child pornography. According to officials from 4 
of these 16 ESPs, devoting staff and resources to review and report 
apparent child pornography can be costly. Officials from 1 ESP 
reported that it cost $500,000 to develop a system to automate 
reporting to NCMEC--a reporting system they said was necessary to 
address the volume of instances of apparent child pornography 
encountered on the ESP's network. Additionally, officials from 13 of 
the 19 ESPs we spoke with said that establishing methods to detect 
apparent child pornography, while not required, can be costly to 
implement. For example, 4 of these ESPs said it was costly to search 
for key words, check their computer network for images, or provide 
users with a method to flag images. Further, officials from 4 of the 
19 ESPs stated that costs have prevented them from implementing these 
types of methods, and thus they have relied solely on user complaints 
to detect apparent child pornography. 

* Technology: Officials with whom we spoke from 10 of the 19 ESPs had 
concerns related to technology in reporting and detecting apparent 
online child pornography. For example, officials from 5 of these 10 
ESPs stated that making a large number of reports, which can contain 
hundreds of files per report and multiple submissions, can be a slow 
process if done manually, and officials from 3 of these 5 ESPs also 
stated that reporting can be technically challenging to automate. 

* Psychological Impact: Officials from 10 of the 19 ESPs reported 
having concerns over their employees' psychological discomfort that 
sometimes results from exposure to apparent child pornography images. 

* Litigation: Officials from 7 of the 19 ESPs reported having concerns 
about being sued as a result of their reporting responsibilities under 
the Act. For example, officials from 2 ESPs stated that forwarding 
apparent child pornography images in fulfillment of their 
responsibilities under the Act could make them subject to liability 
for possessing and transmitting such images. However, the Act states 
that any civil claim or criminal charge against an ESP arising from 
the performance of reporting or preserving information may not be 
brought in any federal or state court.[Footnote 36] Another official 
stated that the ESP is often sued for using methods to detect apparent 
online child pornography by the customers it reports. 

In response to such concerns, in August 2010, NCMEC provided a guide 
to registered ESPs that contained, among other things, resources ESPs 
could use to help report to the CyberTipline as well as information on 
detecting apparent child pornography on their networks.[Footnote 37] 
For example, NCMEC's guide includes information on how to automate 
reporting by building an interface between the CyberTipline and an 
ESP's system so that ESPs can make a large number of reports, such as 
several hundred, faster. NCMEC also provides information on how ESPs 
may address the psychological impact on employees when they view 
apparent online child pornography in order to make reports to the 
CyberTipline. For example, NCMEC's guide provides two resources for 
individuals who have been exposed to child pornography during the 
course of their work. Employees may contact NCMEC to speak to staff in 
its Safeguard program, and they may access OJJDP's Web site called 
Supporting Heroes in Mental Health Foundational Training, which 
provides resources such as videos, guides, and an online 
forum.[Footnote 38] Related to concerns about liability, the guide 
includes excerpts from the Act about ESPs' reporting requirements, 
which state that ESPs have immunity if a lawsuit is brought against 
them for downloading and transmitting apparent child pornography if it 
was during the course of fulfilling their reporting duties. NCMEC is 
providing ESPs with information about their responsibilities to report 
incidents of apparent online child pornography to the CyberTipline 
through the guide; however, it is too early to tell whether these 
concerns have been addressed.[Footnote 39] 

NCMEC Provides ESPs Voluntary Methods to Help Reduce Apparent Online 
Child Pornography, and Some ESPs Have Developed Their Own Means to 
Detect It: 

Although ESPs are not required to monitor their networks, NCMEC 
provides registered ESPs with voluntary proactive methods that they 
may use to detect apparent online child pornography and then report it 
as the Act requires. These methods include: 

* Key word lists: NCMEC provides lists that contain terms often 
associated with child sexual exploitation. 

* Uniform Resource Locator (URL) sharing: NCMEC distributes a daily 
list of URLs--which specify the address of a Web page and how to 
retrieve it--containing apparent online child pornography to ESPs. 
ESPs can use this information to help prevent the distribution of 
child pornography. For example, ESPs that host Web sites can check the 
URL list to ensure that none of the sites that they host are on the 
list. 

* Hash value sharing: NCMEC provides a list of hash values of apparent 
online child pornography to ESPs which use specialized software to 
detect and remove illegal files from their systems. 

In addition, officials to whom we spoke from 9 of the 19 ESPs reported 
taking their own proactive measures to detect and help reduce apparent 
online child pornography on their networks so that it may be reported 
to the CyberTipline. For example, in addition to receiving customer 
complaints, 4 of these ESPs said that they monitor or moderate chat 
rooms and forums for apparent online child pornography and 6 reported 
using key word lists to search for child pornography, while 3 ESPs 
reported that they use both of these methods. These 9 ESPs reported 
that they have these additional, proactive mechanisms in place to 
better detect apparent online child pornography because they do not 
want to allow such illegal activity on their Web sites. On the other 
hand, officials from 10 of 19 ESPs reported that they had not 
implemented their own additional methods. However, 8 of these 10 used 
NCMEC's URL and hash value sharing initiatives, according to NCMEC. 
The remaining 2 ESPs did not implement any methods due to cost 
concerns, and noted that implementing additional methods to detect 
apparent child pornography would be a business decision that would 
require them to consider costs, as well as the types of services they 
provide. 

Further, according to three civil liberties organizations we 
interviewed, consumers want to use the Internet freely and do not want 
their online activities to be monitored. They stated that ESPs' 
proactive monitoring also raises potential constitutional issues 
because if ESPs are acting as agents of the government when they 
search users' activities and communications, they are subject to the 
requirements of the Fourth Amendment to obtain probable cause and a 
search warrant.[Footnote 40] However, officials we spoke with from the 
9 ESPs that utilize these methods stated that their terms of service 
specify that users cannot conduct illegal activity while on their 
networks, which includes the possession or trading of child 
pornography. Therefore, they said that methods to detect apparent 
child pornography are a means of ensuring compliance with the ESPs' 
terms of service, which is distinct from conducting government-
directed searches for information. 

Expanding Feedback from Law Enforcement Could Help Improve the 
Usefulness of CyberTipline Reports and Better Address Increasing 
Number of Reports: 

NCMEC Makes CyberTipline Reports Available to Law Enforcement Based on 
Jurisdiction: 

As required under the Missing Children's Assistance Act, NCMEC refers 
CyberTipline reports of apparent child pornography from ESPs and the 
general public to federal, state, local, and international law 
enforcement agencies for investigation, as shown in figure 2.[Footnote 
41] 

Figure 2: Overview of NCMEC Process for Receiving and Disseminating 
CyberTipline Reports: 

[Refer to PDF for image: illustration] 

ESPs and general public report incidents of apparent child pornography 
via the CyberTipline: 

CyberTipline: 

NCMEC prioritizes the CyberTipline reports and NCMEC analysts conduct 
research and analysis on the CyberTipline report. According to whether 
or not a geographic jurisdiction can be determined, analysts make the 
report available to varying law enforcement agencies: 

Jurisdiction can be determined: 
NCMEC refers the CyberTipline report (“referral”) to the respective 
law enforcement agency (ICACs or international partners) via a virtual 
private network for further investigation.[A] 

Jurisdiction cannot be determined: 
NCMEC makes the CyberTipline report available through the CyberTipline 
system to all federal law enforcement agency users with access, 
including liaisons located at NCMEC from FBI, ICE, and USPIS. Users 
can access all reports and sort them according to agency investigative 
priorities. Federal law enforcement liaisons, or staff located at 
NCMEC or in the field may review reports to determine if they may 
initiate or advance an investigation. 

Source: GAO analysis of NCMEC; FBI; ICE; and USPIS data. 

[A] Virtual private networks allow NCMEC to disseminate CyberTipline 
reports to ICAC task forces or international partners through secure 
encrypted connections. 

[End of figure] 

When a CyberTipline report is initially submitted by an ESP[Footnote 
42] or the general public, the reporting party must select one of 
eight "reporting categories," including possession, manufacture, and 
distribution of child pornography.[Footnote 43] NCMEC then prioritizes 
the CyberTipline reports and analysts conduct research and analysis on 
them.[Footnote 44] This analysis may include: (1) determining whether 
an alleged child pornography image is that of an actual child; 

(2) determining whether an image in a CyberTipline report is new or 
has been viewed by law enforcement in the past, which may indicate 
whether the child in the image is currently being abused; 

or (3) among other things, reviewing e-mail addresses, Web addresses, 
and other information to determine if the offender associated with the 
CyberTipline report may be involved in an organized child pornography 
sharing ring. After processing the CyberTipline report, NCMEC analysts 
select a "reclassified incident type" which best describes the 
completed CyberTipline report. There are currently 17 reclassified 
incident types, including confirmed child pornography.[Footnote 45] 
NCMEC officials stated that once a CyberTipline report and any 
associated analysis has been reclassified, it does not necessarily 
mean the tip will be useful to law enforcement in initiating or 
advancing an investigation. The determination as to whether a 
CyberTipline report may be useful in initiating an investigation is at 
the judgment of law enforcement personnel. 

NCMEC analysts make the CyberTipline report and their analysis 
available to law enforcement according to whether or not a geographic 
jurisdiction can be determined. When the geographic jurisdiction of a 
CyberTipline report can be determined based on the location of the 
suspect, the victim, or both,[Footnote 46] NCMEC will refer the report 
("referral") to the respective law enforcement agency (primarily ICAC 
task forces) via a secured system called a virtual private network. 
[Footnote 47] However, when the jurisdiction of a CyberTipline report 
cannot be determined because, for example, the ESP did not include a 
zip code or IP address, NCMEC makes the report available through the 
secure CyberTipline system to federal law enforcement agency users who 
have access to the system.[Footnote 48] As of November 24, 2010, 41 
federal law enforcement users had access to this secure system, 
including agency liaisons from FBI, ICE, and USPIS who are located at 
NCMEC. 

The CyberTipline system allows users to access all CyberTipline 
reports ever submitted, as well as search for and prioritize reports 
of specific reclassified incident types that are of investigative 
interest to the agency. According to NCMEC officials, the search 
function was designed at the federal agencies' request to allow them 
streamlined access to those reports which, based on reclassified 
incident types, they indicated most often fall within their 
investigative purview. For example, the FBI liaison can choose to 
search for all CyberTipline reports associated with confirmed child 
pornography. Federal law enforcement liaisons, or staff located at 
NCMEC or in the field, may review reports to determine if they may 
initiate or advance an investigation, as described in table 2. 

Table 2: Overview of Process Different Federal Agencies with Liaisons 
at NCMEC Use to Review and Forward CyberTipline Reports for 
Investigation: 

Agency: FBI; 
Overview of CyberTipline report review: To address CyberTipline 
reports and child pornography, FBI has one liaison assigned to NCMEC 
who supervises two Investigative Support Specialists who review the 
reports. FBI officials stated that they prioritize child pornography-
related CyberTipline reports based on, among other things, whether 
they fall within their investigative purview and whether or not a 
jurisdiction or subject can be determined. However, among the reports 
that meet those parameters, officials said that they are not able to 
further prioritize the reports until they open them and can determine 
what type of information is included in the report. When FBI 
Investigative Support Specialists determine that a CyberTipline report 
is likely to enable the agency to initiate or advance an 
investigation, they prepare an investigative packet, for which they 
supplement information from the report (or numerous other reports), 
with FBI data as well as data from other sources. They then submit the 
packet to the FBI liaison who reviews it and forwards it to FBI field 
agents for investigation. 

Agency: ICE; 
Overview of CyberTipline report review: According to ICE officials, 
while ICE can access and review CyberTipline reports in the 
CyberTipline system, most CyberTipline reports reviewed by ICE 
officials are sent directly to them via e-mail from NCMEC analysts. In 
addition, according to officials, ICE uses its resources to assist 
NCMEC in disseminating CyberTipline referrals to foreign law 
enforcement agencies. ICE has established virtual private network 
connections in approximately 10 countries, allowing the dissemination 
of CyberTipline referrals to the responsible law enforcement agencies 
in these countries. 

Agency: USPIS; 
Overview of CyberTipline report review: Currently, the USPIS liaison 
located at NCMEC does not review CyberTipline reports; rather up to 
five field postal inspectors with subject matter expertise have access 
to the CyberTipline system and review the reports. According to the 
Child Pornography National Program Manager for USPIS, NCMEC also e-
mails CyberTipline reports determined by NCMEC analysts to have a 
nexus to the mail directly to the USPIS liaison located at NCMEC. The 
liaison then sends any CyberTipline report that has a solid U.S. mail 
nexus to the field for attention. The official said that the agency 
focuses on CyberTipline reports that have (1) a viable nexus to U.S. 
mail, (2) a viable mailing address, and (3) cooperation of the victim 
and/or the reporting party (e.g., parent or guardian). The official 
added that a new liaison would be assigned to NCMEC in the spring of 
2011 and that this individual would review CyberTipline reports. 

Source: FBI, ICE, and USPIS. 

[End of table] 

The CyberTipline provides leads for federal, state, and local law 
enforcement agencies, along with their own sources, such as undercover 
investigations. For example, according to FBI officials, the FBI 
develops approximately 100 to 200 investigative leads per year to be 
used to initiate investigations based on CyberTipline reports, and a 
USPIS official estimated that about 10 percent of leads come from the 
CyberTipline. Officials we interviewed from seven of the eight task 
forces stated that CyberTipline reports make up 50 percent or more of 
their leads, and five of those seven reported receiving between 80 to 
95 percent of their leads from CyberTipline reports.[Footnote 49] 

Soliciting Additional Information on the Usefulness of CyberTipline 
Reports Could Help NCMEC Ensure Reports Are as Useful as Possible to 
Law Enforcement: 

The number of CyberTipline reports NCMEC received and made available 
to law enforcement agencies has increased over the past few years, 
making it important that these reports are as useful as possible to 
the law enforcement agencies investigating online child pornography. 
According to NCMEC, the number of CyberTipline reports determined by 
federal law enforcement agencies to be most often within their 
investigative purview has increased by about 134 percent from about 
74,000 in 2008 to about 173,000 in 2010. Similarly, the number of 
CyberTipline reports that NCMEC referred to ICAC task forces increased 
about 71 percent from about 14,000 in 2008 to about 24,000 in 2010. 
[Footnote 50] 

However, according to the FBI liaison at NCMEC and officials in six 
out of eight ICAC task forces we contacted, information in individual 
CyberTipline reports was not always useful for initiating law 
enforcement action, such as obtaining a subpoena, initiating an 
investigation, or executing a search warrant.[Footnote 51] For 
example, according to these officials, reports initially submitted to 
NCMEC by the ESP or the general public may: 

* not contain information, such as an IP address or an image; 

* contain old data provided by ESPs, which may prohibit obtaining a 
subpoena; 

* contain an image that did not meet the legal definition of child 
pornography; or: 

* include information that is not a violation of child pornography 
laws in general or in a particular state. 

NCMEC makes these CyberTipline reports that do not contain certain 
information, such as an IP address or image, available to law 
enforcement because, according to NCMEC officials, it believes that 
law enforcement may be able to use other information in the report to 
further other investigations. For example, according to these 
officials, a CyberTipline report may have an e-mail address or 
username that is associated with a known offender, and the information 
in it may be useful to an ongoing law enforcement investigation. 
Federal law enforcement officials from FBI, ICE, and USPIS who work 
directly with NCMEC, as well as officials in five of the eight ICAC 
task forces, stated that receiving such reports could be useful, for 
example, to furthering other ongoing or future investigations. 

NCMEC takes steps to obtain feedback on the usefulness of CyberTipline 
reports made available to law enforcement. Specifically, NCMEC 
solicits feedback via e-mail or in person each quarter from the 
federal law enforcement liaisons at NCMEC about the usefulness of the 
CyberTipline reports overall. According to NCMEC officials, the 
questions they pose vary and are intended to obtain a general idea of 
the usefulness of the CyberTipline reports. Officials from FBI and 
USPIS who work directly with NCMEC in reviewing CyberTipline reports 
confirmed that they speak to NCMEC officials on a continuous basis to 
discuss the status of CyberTipline reports that they have taken action 
on and their outcomes, as well as how the process of providing reports 
could be improved. For ICAC task forces, NCMEC sends a feedback form 
approximately 8 weeks after referring a CyberTipline report that 
includes a question asking whether or not the information provided by 
NCMEC's analysts in the CyberTipline report was useful.[Footnote 52] 

However, NCMEC does not systematically collect information on how 
useful individual reports are to initiating and advancing 
investigations from law enforcement users or the extent to which 
reports contain specific types of information law enforcement may 
need. For example, NCMEC does not have a systematic process--a 
standard set of questions applied consistently over time--for 
obtaining information from federal liaisons about why individual 
CyberTipline reports may or may not be useful in initiating or 
advancing investigations and what the information gaps are that 
limited their usefulness. Similarly, NCMEC does not ask ICAC task 
forces why individual CyberTipline reports were or were not useful and 
how they could be made more useful. Capturing this type of feedback 
could help NCMEC work with law enforcement to determine which reports 
do not assist in initiating and advancing investigations, why not, 
what key information is missing, whether NCMEC could add more analysis 
to supplement reports, and what steps it might take to assist ESPs in 
including as much useful information as possible in future 
CyberTipline reports. In addition officials in six of the eight ICAC 
task forces we selected reported that such an assessment of which 
elements make a CyberTipline report more useful could enhance law 
enforcement's ability to use the information to further 
investigations. For example, one commander noted that such an 
assessment would be helpful in providing a more focused report for 
investigative follow-up. 

Soliciting such information about the usefulness of CyberTipline 
reports is consistent with best practices, such as regularly 
soliciting stakeholder input and involving stakeholders early and 
throughout the decision-making process that we have previously 
reported for effectively meeting stakeholder needs.[Footnote 53] 
Further, we have reported that by comprehensively soliciting feedback 
from all of its users, an agency can better ensure that it has a full 
picture of the needs of those users and how well it is meeting those 
needs, and can also make improvements that are relevant to them. 
[Footnote 54] NCMEC officials acknowledged that they would like to 
obtain more feedback from law enforcement agencies and could explore 
more targeted ways of obtaining it. For instance, during our meetings 
with NCMEC officials, these officials discussed ways to facilitate the 
better collection of feedback, such as creating a systematic process 
for obtaining feedback from the federal agencies; adding additional 
questions geared toward understanding why an individual CyberTipline 
report was or was not useful; developing an easier-to-use electronic 
feedback form; or holding ongoing discussions with ICAC commanders on 
how the process of collecting feedback can be improved. However, NCMEC 
officials said that they did not yet have plans in place for 
implementing such feedback mechanisms in part because they do not want 
to overburden law enforcement agencies. Our interviews with law 
enforcement agencies indicate that these agencies see benefit in 
having this feedback. Taking steps to work with law enforcement to 
determine effective ways to enhance its feedback processes could help 
NCMEC better ensure that law enforcement receives the most useful 
information to initiate and advance investigations and could also help 
NCMEC provide more focused guidance to ESPs in terms of what types of 
information to include in CyberTipline reports. 

Existing Deconfliction Mechanisms, While Fragmented, Generally Prevent 
Pursuit of the Same Suspects; 

DOJ Is Starting to Develop a National System: 

Deconfliction Mechanisms Vary but Generally Help to Avoid Duplication 
of Effort: 

In 22 of 28 interviews we conducted with cognizant supervisory special 
agents from FBI, ICE, and USSS; postal inspectors; and ICAC task force 
commanders in the judicial districts we visited, law enforcement 
officials reported that they concurrently used various automated and 
nonautomated deconfliction mechanisms to help resolve conflicts in 
online child exploitation investigations and prevent pursuit of the 
same suspects.[Footnote 55] Nonautomated procedures include: the use 
of interpersonal relationships or contacts between investigators from 
different law enforcement entities or task forces to resolve case 
conflicts; deconfliction reports and services that NCMEC provides to 
ICAC task forces and federal law enforcement agency personnel; 

and exchanges of law enforcement information through area Project Safe 
Childhood coordinators.[Footnote 56] For example, an ICE Assistant 
Special Agent in Charge (ASAC) we interviewed reported that 
deconfliction is often accomplished through interaction between agents 
from the different agencies investigating the case. The agency with 
the best evidence generally conducts the investigation, in some 
instances with assistance from other law enforcement agencies. 

In instances where law enforcement agencies determine through these 
mechanisms that they are pursuing the same target, officials said that 
an option is for one agency to discontinue its investigation and allow 
another agency to pursue the target instead. The agencies involved can 
compare the evidence each one has collected as well as the focus of 
their investigations before determining which agency is in the best 
position to proceed with the investigation. These officials also said 
that deconfliction is important because there is potential for 
inefficiencies and waste of investigative resources when multiple 
agencies are pursuing the same target. For example, an FBI Supervisory 
Special Agent cited an instance when the agency learned that a local 
law enforcement agency had already made contact with a suspect a month 
before the FBI served a search warrant. Not all duplication is 
inefficient, however, as there are instances where multiple agencies 
pursue the same target for different offenses. For example, one agency 
may be investigating the target as a suspect for distribution of child 
pornography and another investigating the target for sexual abuse. 
Nevertheless, in 22 of 28 interviews, officials said that they are 
able to resolve most case conflicts by using a combination of 
nonautomated and automated deconfliction mechanisms. 

Officials in 14 of the 28 interviews also reported using automated 
investigative systems to identify information and track suspects 
engaging in trafficking child pornography online.[Footnote 57] These 
investigative systems covertly identify and monitor computer networks 
where users share files directly with one another, also known as peer- 
to-peer file sharing.[Footnote 58] These covert investigative systems 
also provide deconfliction for investigators allowing registered users 
to share case information and avoid initiating duplicate 
investigations on targets already under investigation. In 12 of 28 
interviews, law enforcement officials also reported avoiding pursuing 
the same child pornography targets by checking information about a 
suspect against external law enforcement databases, such as the 
SafetyNet system in New York, and systems containing national crime 
data, including the National Crime Information Center.[Footnote 59] 
These databases can be used to ascertain whether a target has a 
criminal history or is also under investigation by other law 
enforcement entities, among other things. 

However, law enforcement officials in 7 of 28 interviews, as well as 
two senior DOJ officials, reported limitations with the existing 
automated investigative systems and law enforcement databases that can 
impact their usefulness in child pornography investigations. Among the 
limitations, these officials stated that an automated system or 
database does not exist that provides comprehensive case information 
and deconfliction for all federal, state, and local law enforcement 
agencies. Since a comprehensive deconfliction system for all law 
enforcement entities is not yet available, the automated systems in 
use provide investigators with partial case information because, in 
general, these systems and databases are not integrated. For example, 
the investigative systems do not integrate information, in part, 
because the systems are developed by different organizations, and the 
developers limit access to case information to registered users of 
their systems in order to control who has access to investigative 
information. These officials also reported that another factor that 
contributes to the absence of a comprehensive national system for 
deconfliction are prohibitions by federal and state agencies which 
restrict access to investigative information by external law 
enforcement entities. For example, according to DOJ, the FBI always 
must consider case and security concerns when sharing information. In 
addition, a DOJ Deputy Associate Administrator said that federal 
agencies have requirements to use their own data systems, which often 
allow limited or no external access to other entities. DOJ officials 
also agreed that because of the partial or fragmented information, the 
available automated systems may contribute to information sharing 
obstacles between agencies and difficulties in coordinating actions 
between investigations. These officials agreed further that this can 
also impede compilation of strategic information on the most dangerous 
offenders and adversely impact identifying new trends that offenders 
are using online to attempt to exploit children. DOJ is beginning to 
develop a national system to address some of these shortcomings, as we 
discuss in the following section. 

DOJ Is in the Early Stage of Developing a National System to Provide a 
Deconfliction Tool: 

The Act requires the Attorney General to develop a National Internet 
Crimes Against Children Data System (NIDS), an online data system that 
is to include information-sharing capacity, case deconfliction, and 
other capabilities. According to the Act, the purpose and intent of 
NIDS, among other things, is to create a deconfliction system for ICAC 
task forces, as well as for federal, state, local, and tribal law 
enforcement agencies that investigate and prosecute child exploitation 
crimes. The planned deconfliction component is to allow authorized law 
enforcement agencies to access NIDS and contribute information to 
resolve conflicts in online child pornography investigations. DOJ 
officials overseeing the development of NIDS reported that NIDS is 
intended to address the known deconfliction limitations of existing 
investigative systems, such as reporting partial or fragmented case 
information, as well as the lack of data sharing among various law 
enforcement entities due to system integration. The officials stated 
that NIDS is also to incorporate new and emerging technologies, rather 
than being based solely on existing investigative systems. Appendix 
III provides a description of NIDS functions required by the Act. 

The Act does not specify a time frame for NIDS implementation, but 
according to senior DOJ officials, issuance of the solicitation for 
the development of NIDS was delayed until spring 2010 because the 
National Coordinator had not been selected, funding was not sufficient 
to construct the NIDS system, and the complexity of the system made it 
difficult to develop and implement. More specifically: 

* DOJ issued the initial solicitation for the construction, 
maintenance, and housing of NIDS in March 2009, 9 months before it 
selected a National Coordinator. Once a National Coordinator was 
appointed in January 2010, DOJ decided to issue a revised solicitation 
to, among other things, conduct a needs assessment to collect 
requirements information for the future development of NIDS. DOJ 
issued this revised solicitation in June 2010. Generally accepted 
information technology system development practices call for 
organizations to follow a disciplined approach, including performing a 
needs assessment to define system requirements prior to beginning 
system acquisition activities.[Footnote 60] As described later, this 
information is to serve as an assessment of technical requirements for 
the construction of NIDS, and DOJ plans to use the requirements as the 
basis to determine how to build NIDS. 

* The National Coordinator reported that funding was not appropriated 
to support development of a system as complex as NIDS. The Act 
authorizes $2 million for NIDS in each of fiscal years 2009 through 
2016. However, DOJ officials stated that the agency did not request 
funds for NIDS in the fiscal year 2012 President's Budget because 
American Recovery and Reinvestment Act of 2009 (ARRA) funding was 
available beginning in 2009 and extending to the end of fiscal year 
2010.[Footnote 61] DOJ is funding the NIDS needs assessment project 
through an ARRA grant it awarded to the ICAC task forces, which 
provided about $921,000 and was obligated in fiscal year 2010 and is 
to run through fiscal year 2011. DOJ officials noted that the 
department has not yet developed a projection of the cost to construct 
and implement NIDS because it must first determine the technical 
requirements for NIDS. 

* The National Coordinator also reported significant challenges 
associated with the development of NIDS. Among these challenges, the 
Act requires NIDS to incorporate a method for law enforcement to 
conduct covert investigations of child pornography suspects online and 
provide for a case deconfliction system, as well as gather and analyze 
child pornography related data, among other things. In addition, the 
National Coordinator said that DOJ must ensure NIDS is accessible by 
ICAC task forces, and federal, state, local, and tribal law 
enforcement agencies, which presents a challenge because the systems 
these entities use may not be compatible. The National Coordinator 
reported that a system with the intended capacity of NIDS will be a 
challenge to construct; however, DOJ officials believe it can be 
accomplished and stated that an interim step in the process of 
constructing it will be the development of the needs assessment to 
determine NIDS requirements. 

In general, the 2010 NIDS needs assessment grant solicitation is for 
evaluating case deconfliction and covert investigative capabilities of 
existing software and investigative tools. The solicitation is also 
for determining the information reporting capabilities among federal, 
state, and local law enforcement agencies to assist in identification 
of offenders; identifying the shortcomings in these agencies' systems 
and developing new software and investigative tools that address these 
identified shortcomings; assisting law enforcement agencies in covert 
investigations; and supporting research to identify and predict which 
offenders are most dangerous so that DOJ can use that information to 
identify high-priority suspects to timely report them to law 
enforcement agencies. 

In September 2010, after conducting a competitive solicitation for 
proposals and an external peer review process for the NIDS proposal, 
DOJ selected an existing ICAC task force agency, the Massachusetts 
State Police, as the grantee.[Footnote 62] The grant recipient, along 
with the Pennsylvania ICAC task force and the University of 
Massachusetts Amherst, previously developed an investigative system 
which is currently in use by 58 of 61 ICAC task forces 
nationwide.[Footnote 63] Because of this experience, expertise 
reflected in the proposal submitted, and the recommendations of the 
external peer reviewers, DOJ determined this grant recipient would be 
qualified to complete the needs assessment and other activities as 
required by the 2010 NIDS solicitation. 

In October 2010, DOJ initiated the effort to conduct a needs 
assessment to identify NIDS requirements and plans to complete the 
effort within 12 to 24 months. Until this initial work is done, 
however, DOJ will not know precisely when NIDS is to become 
operational. Therefore, the national deconfliction system the Act 
requires may not be operational for a number of years. In the 
meantime, however, DOJ has approved the continued use of existing 
automated systems for case deconfliction purposes as a stopgap measure. 

Backlogs in Forensic Analysis of Digital Evidence and Length of Time 
ESPs Retain User Data Can Hinder Investigations: 

Assessing the Costs and Benefits of Forensic Analysis Steps Could Help 
Determine Efficiencies to Reduce Backlogs: 

According to prosecutors in DOJ's CEOS, the information contained on a 
suspect's hard drive is key to an investigation of online child 
pornography, and the forensic analysis of suspects' computers is the 
most important aspect of an investigation of this crime. Forensic 
analysis of digital evidence includes the extraction and review of 
information from digital media, such as computer hard drives, and can 
prove possession, receipt, distribution, or production of online child 
pornography.[Footnote 64] However, headquarters officials we 
interviewed responsible for overseeing forensic analysis to address 
child pornography crimes from FBI, CEOS, ICE, USSS, and USPIS all 
reported that forensic resources available to review digital evidence 
in support of investigations and prosecutions of online child 
pornography crime are scarce relative to the demand for such services. 
Further, they all stated that backlogs in the forensic analysis of 
suspects' computers to extract and analyze evidence, such as images or 
chat logs, may delay and, in some cases, hinder investigations and 
prosecutions of offenders.[Footnote 65] 

According to a 2007 FBI memorandum, subjects of a child pornography 
investigation are usually not arrested when a suspect's computer is 
seized, but after full forensic examination is completed, which, 
according to DOJ officials, may take a period of 1 week to over 1 year 
in some cases, depending on the level of detailed forensic analysis 
requested by prosecutors or investigators, or because of the needs of 
the individual case. However, ICE and FBI agents we interviewed who 
investigate these crimes stated that if there is a perceived imminent 
threat from the suspect, such as evidence that a child is being 
abused, the suspect may be arrested immediately or forensic analysis 
of the suspect's computer may be expedited to facilitate faster 
arrest. FBI's 2007 memorandum also expressed a concern that delays in 
charging suspects while forensic examinations take place could allow 
potential abusers of children to remain free to commit additional 
crimes until digital evidence had been examined, and it is determined 
there is enough evidence to arrest and indict the suspect. The 
memorandum went on to state that it is possible that this scenario can 
lead to increased exposure of children to child predators. Similarly, 
the National Academy of Sciences[Footnote 66] reported in a 2009 
review of forensic practices that backlogs in any area of forensic 
analysis, including analysis of digital evidence, can contribute to 
the release of guilty suspects who go on to commit further crime, as 
well as result in delayed investigations of those who are not yet 
charged.[Footnote 67] 

DOJ headquarters prosecutors stated that no comprehensive statistics 
exist as to whether or to what extent suspects have continued to 
engage in child pornography crime while their computers are analyzed. 
However, federal law enforcement officials we interviewed who 
investigate these crimes stated that suspects have, in some instances, 
continued to commit crimes. For example: 

* ICE officials in Kansas City stated that after being served a search 
warrant, one suspect purchased a new computer and continued to engage 
in the receipt of online child pornography. 

* ICE Cyber Crimes Center officials stated that after one California 
suspect's computer was seized, he purchased a new computer and warned 
individuals with whom he had been trading child pornography images 
that an investigation was taking place. 

Several Factors May Contribute to Backlogs in Forensic Analysis of 
Digital Evidence: 

Headquarters officials from FBI, ICE, CEOS, USPIS, and USSS that we 
interviewed who oversee forensic analysis all identified several 
factors that may contribute to backlogs in forensic analysis. These 
include the increase in the volume of people using computers and the 
Internet, the low cost and ease of obtaining digital media storage 
capacity, and the wide variety and constant evolution of technologies 
being used by offenders. For example, FBI statistics show that the 
volume of data processed at its Regional Computer Forensic 
Laboratories[Footnote 68] has increased almost 3,000 percent, from 
approximately 82 terabytes in fiscal year 2003 to 2,334 terabytes in 
fiscal year 2009.[Footnote 69] 

In addition, variations in the amount of digital evidence federal 
prosecutors request to be reviewed in support of prosecutions of 
online child pornography crimes may increase the amount of time needed 
for forensic analysis of digital evidence and further contribute to 
backlogs. For example, two senior officials from FBI's Digital 
Evidence Section stated that requests by some federal prosecutors that 
all digital information be reviewed for a given prosecution can 
increase the amount of time needed at FBI labs for each examination, 
which further contributes to backlogs at these labs. According to 
these officials, hard drives and other digital media obtained during 
investigations could contain hundreds of thousands of images and 
movies of child pornography, and to review all of them for a single 
investigation could take a forensic examiner or investigator several 
months, which may not be efficient. 

Alternatively, these FBI officials also stated that a strategy that 
calls for more thorough reviews of digital evidence for those cases 
where the suspect's characteristics indicate that the person may pose 
a physical danger to children would more efficiently allocate scarce 
forensic resources.[Footnote 70] This, in turn, could allow those 
resources to be used to conduct forensic analysis on a greater number 
of suspects, which could increase DOJ's ability to prosecute a greater 
number of offenders. However, prosecutors we interviewed in DOJ 
headquarters noted that thorough reviews of suspects' digital media 
can be important because images and movies on that digital media may 
contain evidence that a child is currently being abused by the 
suspect. If not all information is reviewed, prosecutors may not be 
able to prosecute the offender on all charges for which the person is 
guilty, and all children who are currently being abused may not be 
identified. 

In addition, senior DOJ officials we interviewed stated that a 
"tiered" strategy that makes more use of forensic review of a 
suspect's computer in his or her residence may allow for efficiencies 
in the forensic process. For example, according to FBI and ICE agents 
we interviewed who investigate these crimes, reviewing a suspect's 
computer within their residence allows law enforcement officers to 
remove only those computers that are most likely to contain child 
pornography, which can reduce the number of computers that must be 
analyzed as well as make it more likely that a suspect confesses. 
According to prosecutors in DOJ headquarters, increased use of on-
scene forensic review of suspects' computers may also, in some cases, 
negate the need to send a suspect's computer to a forensic examiner 
for review. All of these factors may, in turn, reduce backlogs in 
forensic analysis. Senior DOJ officials noted that these types of case-
by-case decisions are currently being made in the field based on, 
among other things, the resources available to conduct forensic 
analysis within the judicial district and the priorities of the U.S. 
Attorney's Office. 

Another factor that FBI, CEOS, USPIS, and USSS headquarters officials 
we interviewed who oversee forensic analysis all stated increases 
backlogs is the steps federal law enforcement agencies take to ensure 
the integrity of analysis conducted by forensic examiners, which add 
to the time necessary to complete examinations. According to all of 
these law enforcement officials, finding apparent child pornography or 
other evidence on a suspect's digital media can be done by, among 
other things, conducting key word searches or opening digital folders 
on the suspect's hard drive to review individual images or movies. 
Steps taken to ensure the integrity of these activities--such as 
making exact copies of digital evidence on which to conduct any 
analysis and taking hash values of original evidence before 
examinations are conducted--are meant to provide a level of assurance 
that evidence is not tampered with and that examinations can withstand 
legal challenges in court.[Footnote 71] However all of these officials 
stated that these steps may add several hours to several weeks to the 
laboratory examinations of digital evidence, especially for large 
volumes of data, and add to the time that subsequent requests for 
analysis must wait in the queue, which further contributes to 
backlogs. For example, making an exact copy of a suspect's hard drive 
may take several days and must be completed before analysis of the 
information on the hard drive takes place.[Footnote 72] 

The FBI, through its Computer Analysis Response Team program, takes 
additional steps to further ensure the integrity of its examination 
system.[Footnote 73] These steps include: 

* Requiring uniform training, certification testing, annual 
proficiency testing and annual continuing education for all certified 
FBI digital evidence forensic examiners. 

* Documenting all examination processes, including search and review 
activities undertaken by the forensic examiner, so that they can be 
duplicated by another examiner, if necessary, to ensure accountability 
and accuracy. 

* Adhering to written forensic protocols which inform the actions of 
forensic examiners and which are subject to review and audited for 
compliance. 

* Separating the forensic examination and investigative search 
portions of the forensic review. Forensic examiners typically 
authenticate and extract subsets of data, such as images or chat logs, 
from seized digital media which has first been reviewed and searched 
by investigators. FBI agents then conduct content analysis of these 
data after examiners extract and deliver them to identify information 
relevant to a specific investigation. 

* Conducting peer reviews of forensic examination reports. 

Officials from FBI's Digital Evidence Section stated that these 
additional steps, while increasing the amount of time necessary to 
conduct analysis, help to refute any potential claims that there 
exists a bias on the part of the examiner that influenced the results 
of a forensic examination. Specifically, the officials stated that 
these measures are designed to mitigate against the risk that 
untrained or unqualified forensic examiners could alter digital 
evidence, which could lead to innocent individuals being sent to 
prison. Further, the officials said that initiating these additional 
steps ensures a degree of separation between agents--who conduct an 
investigation--and examiners--whose primary function is to carry out 
specific examination activities prescribed by the agents--and is a 
means of ensuring that investigative bias cannot easily be introduced 
in the digital forensic analysis process, particularly with respect to 
forensic expert opinion analysis relating to questions of how, when, 
why, and by whom data were created, modified, destroyed, or altered. 

However, headquarters officials we interviewed at CEOS, ICE, and USSS 
disagreed on the need for such additional steps because they believe 
the additional steps are not needed to support a successful 
prosecution and the steps increase the costs and time needed for 
analysis to take place, thereby further increasing backlogs. All of 
these officials stated that they do not routinely incorporate all of 
these additional steps because they do not believe that the addition 
of these extra steps would discernibly impact the overall integrity of 
the forensic analysis.[Footnote 74] For example, these officials 
stated that it is not necessary to separate examiners who extract 
digital evidence from hard drives from law enforcement agents who 
review the extracted information; 

evidence of a suspect's guilt on his or her hard drive is either 
present or not. These officials noted that unlike other areas of 
forensic analysis, such as footprint or hair analysis where there is a 
concern that bias may impact interpretations of results, there is 
little opportunity for bias on the part of the forensic examiner to 
affect the results of an investigation. They all added that the steps 
already in place, specifically copying and taking hash values of 
original evidence, ensure that any effort to alter the material on a 
suspect's hard drive would be detected. 

Six of the seven prosecutors we spoke with stated that they were 
generally indifferent as to which federal law enforcement agency 
conducted forensic examinations, and there was no discernable 
difference in the quality or usefulness of forensic analysis conducted 
by the different agencies. However, headquarters prosecutors we 
interviewed stated that the time it takes to receive reports from 
different agencies varies by district nationwide. In addition, these 
officials noted that there were differences in the content and 
subjectivity of the forensic reports that agencies prepared to present 
examination results. For example, they opined that reports that 
included detailed information about how the forensic examination was 
conducted, what was found, and what it means provide prosecutors with 
more useful data, and one prosecutor indicated that he preferred the 
format of forensic reports used by some law enforcement agencies over 
others. 

While these variations exist, senior DOJ officials noted that the 
government's analysis of digital evidence is repeatedly subjected to 
challenges in court when the government puts on its case, and must be 
determined by a judge to meet standards for admissibility. These 
officials noted that CEOS computer forensic specialists conduct 
forensic analysis of digital evidence in cases prosecuted across the 
country and have presented the results in court frequently over the 
last several years in numerous cases; 

however, DOJ is unaware of such evidence being suppressed or ruled 
inadmissible by any court in any case due to a lack of integrity in 
the forensic analysis process. According to DOJ headquarters 
prosecutors, this indicates that the forensic analysis provided by all 
federal law enforcement agencies to support prosecutions of offenders 
has incorporated a sufficient amount of integrity into the process. 

DOJ Working Group Could Assess the Costs and Benefits of Forensic 
Analysis Steps to Identify Efficiencies: 

DOJ convened a working group in August 2010, coinciding with the 
publication of the National Strategy, to carry out elements of the 
strategy, and this working group established a Technical Assistance 
Subcommittee, which is responsible for examining technological issues 
related to combating child exploitation, including forensic analysis 
of digital evidence. The Act requires DOJ to include in its National 
Strategy a review of the backlog of forensic analysis for child 
exploitation cases and plans for reducing the forensic backlogs. 
[Footnote 75] In response to this requirement, the subcommittee is 
examining forensic analysis of digital evidence, including efforts to 
reduce backlogs.[Footnote 76] Specifically, according to the National 
Coordinator, the working group is reviewing different methods used 
among the federal agencies to identify practices that may reduce 
backlogs, such as increased review of computers within a suspect's 
residence before taking them to a laboratory for forensic examination. 
However, the National Coordinator said that such a review will not 
explicitly assess the costs and benefits of steps taken by federal 
agencies to ensure the integrity of the forensic examination process 
or the separation of the examination and investigative functions in 
forensic analysis. Specifically, the working group does not currently 
plan on assessing whether any enhancement of the credibility of 
digital evidence resulting from steps taken by federal law enforcement 
agencies to ensure the integrity of the forensic examination process 
will outweigh the costs associated with performing these additional 
steps, such as whether backlogs that may result from implementing 
these steps will allow offenders to remain on the street for a longer 
amount of time while evidence is being forensically examined. 

Differences in steps for conducting forensic analysis of digital 
evidence exist; 

however, no federal agency or working group we spoke to has assessed 
the costs and benefits of steps taken to ensure the integrity of 
forensic analysis used by federal law enforcement agencies that 
investigate and prosecute online child pornography crime due to an 
overall satisfaction with their own individual digital forensic 
examination processes to date. OMB cites assessments of costs and 
benefits as key in the consideration of alternative means of achieving 
program objectives by examining different program methods. OMB also 
states that these assessments that serve as a basis for evaluating 
government programs or policies should identify societal costs and 
benefits, as well as discuss any trade-offs that may not be 
quantifiable.[Footnote 77] For example, this could include examining 
qualitative factors--such as delays in arrest and prosecution, which 
may expose the public to offenders and concerns regarding the 
integrity of forensic analysis conducted by the government, which 
could impact the credibility of evidence presented in federal 
prosecutions--as well as quantitative factors such as financial costs 
of conducting forensic analysis of digital evidence. 

According to the DOJ's National Coordinator, the Working Group and its 
Technical Assistance Subcommittee are in a good position to address 
backlog issues due to its multiagency membership.[Footnote 78] As the 
Working Group and its Technical Assistance Subcommittee review 
different methods of reducing backlogs, assessing the costs and 
benefits of steps taken to ensure the integrity of forensic analysis, 
including impacts on timeliness of analysis, could help it to 
determine potential efficiencies while providing a level of assurance 
that evidence is presented consistently and is of high quality. This 
assessment could involve reviewing steps, such as creating copies of 
digital evidence and separating examination and investigation 
functions, and determining whether, and to what extent, these steps 
enhance the credibility of forensic review and do not create undue 
backlogs. Such an assessment could further provide assurance to law 
enforcement agencies that conduct forensic analysis of digital 
evidence that scarce forensic resources are being allocated in a way 
that maximizes their efficiency and effectiveness. 

ESP Data Retention Is a Concern, but Officials We Interviewed Were 
Generally Able to Obtain Data from ESPs or through Other Means: 

According to CEOS, FBI, ICE, and USSS headquarters officials, data 
from ESPs, such as IP addresses, can be traced back to offenders, and 
this information is often key to investigations of online child 
pornography crime. In June 2010, the Online Safety and Technology 
Working Group (OSTWG) reported that data retention--the period of time 
ESPs retain data entered or transmitted by users to their networks--is 
a very contentious issue with competing needs and concerns from law 
enforcement, the Internet industry, and consumer privacy advocates. 
[Footnote 79] Currently, unlike data included in reports to NCMEC, 
ESPs are generally not required to retain user data not reported to 
NCMEC that could provide investigators evidence for any specified 
amount of time.[Footnote 80] According to OSTWG's report, the 
perspective of law enforcement is that mandatory data retention 
sufficient to facilitate investigations of online crimes would allow 
law enforcement to solve more crimes involving the sexual exploitation 
of children because more information from ESPs would be available to 
support investigations. Similarly, in January 2011, a Deputy Assistant 
Attorney General within DOJ testified that data retention is 
fundamental to the department's work in investigating and prosecuting 
almost every type of crime. He stated, for example, that in one case, 
investigators sent legal process--such as a subpoena, court order, or 
search warrant--to ESPs seeking to identify distributors of child 
pornography based on IP addresses that were 6 months old or less. Of 
the 172 requests, they received 33 responses (about 19 percent) noting 
that the requested information was no longer retained by the company 
because it was out of their data retention period.[Footnote 81] 

Alternatively, the OSTWG report stated that the industry perspective 
is that, while the cost of data storage has fallen over the years, the 
true cost of data retention comes from having to protect increasing 
amounts of users' private data from online criminals who may try to 
access this information to commit crimes, such as identity theft. 
Similarly, Internet and consumer privacy advocates testified about 
concerns with mandatory data retention. For example, in January 2011, 
the executive director of the U.S. Internet Service Provider 
Association testified before Congress that a data retention mandate 
would bring with it a complex regulatory framework that would impose 
new and unforeseen costs, legal risks, and burdens to the Internet 
industry.[Footnote 82] Also in January 2011, an official from the 
Center for Democracy and Technology testified that mandatory data 
retention requirements would aggravate the problem of identity theft 
and damage competition and innovation in the Internet industry. 
[Footnote 83] 

However, headquarters law enforcement officials we spoke with from 
FBI, CEOS, and ICE, as well as officials from eight of the ICAC task 
forces, all stated that current ESP data retention periods may be 
insufficient to facilitate investigations and prosecutions of online 
child pornography crime.[Footnote 84] Specifically, all of these 
officials stated that data--such as IP addresses and any corresponding 
user information which an address may help identify (i.e., name, 
credit card, and bank account number)--allow law enforcement to 
identify who possessed, distributed, and manufactured images of child 
pornography. For example, according to ICE Cyber Crimes Center 
officials we spoke with, if an offender subscribes to a Web site that 
sells child pornography, the IP address of the computer associated 
with that suspect and transaction can be traced back to an individual 
offender. According to these officials, a law enforcement agency can 
subpoena an ESP for identifying information, such as name and address, 
for the individual who had that IP address at the time that the 
transaction took place.[Footnote 85] However, in some instances, there 
is a gap in the amount of time between when a child pornography 
offense occurs and when it is detected by law enforcement. If the ESP 
does not maintain information on which of its users was associated 
with a particular IP address, law enforcement will likely not be able 
to obtain this information, in which case an investigation may not be 
able to proceed. 

Officials from 17 of the 19 ESPs we spoke with stated that in general 
their data retention policies were based on business considerations, 
such as the types of services provided.[Footnote 86] For example, 
officials from 4 ESPs that offered paid services, such as Internet 
connectivity, stated that they keep billing information, such as 
address or payment history, indefinitely, while officials from 3 ESPs 
that operate social networking sites stated that they keep user data 
until the user cancels his or her account. We discussed the extent to 
which they were able to obtain information from ESPs they contacted 
with officials from the eight ICAC task forces we selected. Officials 
from six of the eight said they were able to obtain information from 
ESPs that enabled them to further their investigations about 80 
percent of the time or more.[Footnote 87] In addition, officials from 
these six task forces stated that when they were not able to obtain 
information from an ESP, they were generally able to obtain relevant 
information--such as IP addresses or image data--through other means, 
such as by interviewing suspects at their residences or reviewing 
information on their computers. 

According to the OSTWG report, there is not a consensus on whether any 
data retention mandates should be imposed on ESPs. Such mandates would 
require legislative action. The report concluded that data retention 
is about striking a balance among (1) law enforcement's legitimate 
need to investigate and prosecute crimes against children carried out 
or facilitated by the Internet; (2) end users' legitimate privacy 
expectations; and (3) ESPs' cost of data retention, costs which 
ultimately get passed onto consumers. 

Conclusions: 

With dramatic increases in the numbers of online child pornography 
offenders and new technologies and tools that these offenders can use 
to produce and distribute child pornography, Congress passed the 
PROTECT Our Children Act of 2008 and DOJ and NCMEC are responding to 
the provisions of the Act. However, DOJ has not implemented three 
provisions--that address studying the potential danger posed by child 
pornography offenders, designating foreign law enforcement agencies 
that can receive reports from NCMEC's CyberTipline, and developing a 
report on DOJ's information-sharing structure--and has not yet 
established specific plans or time frames for doing so. Developing 
steps and time frames for fulfilling these three provisions, as 
required, may also help better ensure that law enforcement resources 
are more optimally focused on dangerous offenders as well as help 
ensure that investigative information is disseminated on a timelier 
basis. Also since passage of the Act, NCMEC has developed guidance for 
ESPs to help them in reporting tips and has played a key role in 
coordinating law enforcement efforts through the operation of its 
CyberTipline. However NCMEC could take steps to enhance the feedback 
it receives from law enforcement on the usefulness of CyberTipline 
reports. Doing so could help NCMEC ensure that these reports 
consistently contain as much information as possible to help law 
enforcement take actions, such as advancing investigations, which is 
critical given the increase in the number of CyberTipline reports. 

Finally, key to every investigation and prosecution of online child 
pornography crime is forensic analysis of digital evidence. Among the 
factors that federal law enforcement officials cited as limiting 
investigations and prosecutions were variations in the steps that 
agencies believe enhance integrity of forensic analysis of digital 
evidence. In some cases, these steps may increase the time it takes to 
analyze evidence and add to backlogs and delays. DOJ's working group 
examining forensic issues, due to its multiagency composition, is in a 
position to assess the costs and benefits of steps taken by different 
agencies to ensure the integrity of forensic processes. Such an 
assessment could help identify possible efficiencies in these steps 
and provide assurance to law enforcement agencies that conduct 
forensic analysis of digital evidence that scarce forensic resources 
are being allocated in a way that maximizes their efficiency and 
effectiveness. 

Recommendations: 

To help ensure that DOJ fulfills its obligations as outlined in the 
PROTECT Our Children Act of 2008 as well as enhance its ability to 
address online crimes against children, we recommend that the Attorney 
General define the steps it plans to take and time frames for 
completing the three provisions of the Act that it has not yet 
implemented. 

To help ensure that NCMEC maximizes the feedback it receives from law 
enforcement agencies about the usefulness of CyberTipline reports in 
initiating and advancing investigations, we recommend that NCMEC's 
Chief Executive Officer work with its law enforcement customers to 
enhance its processes to collect feedback from law enforcement about 
the usefulness and quality of individual CyberTipline reports and use 
this information to make any necessary improvements it identifies. 

To help address backlogs in forensic analysis of digital evidence 
conducted in support of investigations and prosecutions of online 
child pornography crime, we recommend that the Attorney General direct 
the National Strategy Working Group and its Technical Assistance 
Subcommittee to assess the costs and benefits of the various steps 
federal law enforcement agencies believe enhance the integrity of 
forensic analysis of digital evidence in investigating online child 
pornography crimes, which may be quantitative or qualitative, to 
identify any efficiencies in the processes agencies use to help them 
to make more informed decisions on the efficient allocation of limited 
forensic resources. 

Agency Comments, Third Party Views, and Our Evaluation: 

We provided a draft of this report to DOJ, NCMEC, DHS, and USPIS for 
review and comment. DOJ and NCMEC provided written comments, which are 
reprinted in appendix IV and V and evaluated below. In commenting on 
our draft report, DOJ stated that it generally concurred with our 
recommendations and discussed actions it had taken or plans to take, 
which address in part, our recommendations. 

DOJ concurred with our first recommendation to define the steps it 
plans to take and time frames for completing three provisions of the 
Act and outlined efforts to address the provisions. For example, in 
terms of the requirement for NIJ to prepare a report to identify the 
factors indicating whether the subject of an online investigation 
poses a high-risk of harm to children, DOJ noted that the grantee 
selected to develop NIDS would, as part of this effort, provide a 
paper addressing the dangers posed by child pornography offenders and 
recommending further research paths. Documentation provided by DOJ 
indicated that the grantee, as part of the development of the NIDS 
system would, among other things, conduct a literature review about 
the links between child pornography and hands-on molestation and 
develop a research design to address gaps in assessing dangers from 
child pornography offenders. While these activities are important 
steps to providing law enforcement with additional information on 
potential dangers posed by offenders, it will be important for DOJ to 
ensure that the grantee's efforts or follow-on research comply with 
statutory requirements--that DOJ identify factors that indicate 
whether the subject of an online investigation poses a high-risk of 
harm to children as well as to coordinate with federal law enforcement 
agencies, NCMEC, and other stakeholders, as required by the Act. 
Similarly, to address the provision of the Act requiring a report to 
congressional committees related to information sharing structures, 
DOJ noted that it has secured a grantee to provide a design for an 
information sharing system, and when the system is closer to fruition, 
DOJ plans to report to Congress on its progress. While these are 
important steps, we maintain that it will also be important for DOJ to 
commit to plans and timeframes to hold itself accountable for 
fulfilling these provisions of the Act. 

DOJ concurred with our recommendation to assess the costs and benefits 
of steps taken by federal law enforcement agencies that they believe 
enhance the integrity of the forensic analysis of digital evidence, 
with one modification. In discussions with DOJ's National Coordinator 
as well as senior FBI officials responsible for overseeing forensic 
analysis of digital evidence on this recommendation, officials 
indicated that they had concerns regarding the proposed recommendation 
to assess costs and benefits of the processes various federal law 
enforcement agencies undertake that are believed to enhance the 
integrity of the forensic analysis of digital evidence. For example, 
these officials noted that certain costs associated with potential 
backlogs in forensic analysis, such as the public's increased exposure 
to offenders, would be very difficult to quantify. We explained that 
we did not intend for DOJ to conduct this level of cost-benefit 
analysis and develop such quantifiable dollar estimates, but rather 
intended for DOJ to qualitatively assess, for example, whether the 
costs, such as increasing backlogs in forensic analysis, are 
outweighed by the perceived benefits of the extra steps agencies take 
to enhance the integrity of the forensic analysis process for this 
particular crime. Thus, we modified our recommendation to clarify this 
point. 

Related to this recommendation, in its comments, DOJ described two 
working groups currently addressing forensic issues--the Technical 
Assistance Subcommittee, which has been studying the timeliness and 
usefulness of forensic examinations and has recommendations under 
agency review, and the Office of the Deputy Attorney General's 
Computer Forensics Working Group, which is also examining current 
digital forensic processes. DOJ noted that these groups plan to take 
into account the resources associated with various steps DOJ law 
enforcement takes in conducting digital forensic analysis as part of 
their examinations. DOJ also noted that it hopes to be able to provide 
an update to Congress on its progress on digital forensic analysis by 
about September 2011. We maintain that these groups and their efforts 
could be the appropriate vehicle to use to conduct the assessment of 
costs and benefits called for in our recommendation. Doing so could 
help identify possible efficiencies in agencies' digital forensic 
analysis processes, ensure scarce forensic resources are allocated to 
maximize their efficiency and effectiveness, and ultimately, help 
better address online child sexual exploitation. 

NCMEC, in its comments, also concurred with our recommendation to 
enhance its processes to collect feedback from law enforcement 
agencies about the usefulness of CyberTipline reports. NCMEC stated 
that it would further its efforts to solicit better feedback from law 
enforcement on the usefulness of these reports. In addition, NCMEC 
agreed that better understanding how information ESPs provide may 
determine whether a law enforcement agency can begin an investigation 
would be helpful. DOJ also noted in its comments that efforts to 
improve the CyberTipline process are underway, and the department 
plans to work with NCMEC to report to Congress on these improvements 
by about September 2011. 

Finally, DOJ also provided us with technical comments, which we 
incorporated into the report, as appropriate. DHS did not provide 
comments on our report. In an email dated March 16, 2011, the USPIS 
Acting Assistant Inspector in Charge for child exploitation 
investigations concurred with the information in the report and 
provided technical comments, which we incorporated into the report, as 
appropriate. 

We are sending copies of this report to the Secretary of Homeland 
Security, the Attorney General, the Executive Director of NCMEC, and 
other interested congressional committees and subcommittees. In 
addition, this report will be available at no charge on GAO's Web site 
at [hyperlink, http://www.gao.gov]. If you or your staff have any 
questions concerning this report or wish to discuss the matter 
further, please contact me at (202) 512-8777, or larencee@gao.gov. 
Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. Key contributors 
to this report are listed in appendix VI. 

Signed by: 

Eileen Regen Larence: 
Director, Homeland Security and Justice Issues: 

[End of section] 

Appendix I: Key Federal Agencies Involved in Combating Online Child 
Pornography: 

Appendix I provides information about the mission, role, level of 
resources, and trends in investigations or cases initiated for key 
federal agencies involved in combating online child pornography. 

Department of Justice: 

Federal Bureau of Investigation: 

The Federal Bureau of Investigation (FBI) investigates various crimes 
against children, including online child pornography. For example, FBI 
investigates violations of federal statutes generally relating to: 

* producing child pornography; 

* permitting a minor within one's custody or control to be used in 
child pornography; 

* selling or buying children for use in child pornography; 

and: 

* transporting, shipping, receiving, or distributing child pornography 
by any means, including by computer. 

As shown in tables 3 and 4, the amount of personnel and fiscal 
resources the FBI has allocated to combating child exploitation crime, 
including child pornography, increased from fiscal year 2006 through 
fiscal year 2010.[Footnote 88] 

Table 3: FBI Personnel Dedicated to Combating Child Exploitation: 

Number of personnel. 

FY 2006: 
Number of personnel: 267; 

FY 2007: 
Number of personnel: 283; 

FY 2008: 
Number of personnel: 315; 

FY 2009: 
Number of personnel: 318; 

FY 2010: 
Number of personnel: 313. 

Source: FBI. 

Note: Represents agents from FBI's Crimes against Children and 
Innocent Images National Initiative units. 

[End of table] 

Table 4: FBI Resources Obligated for Combating Child Exploitation: 

FY 2006: $45.5 million; 
FY 2007: $47.4 million; 
FY 2008: $54.4 million; 
FY 2009: $62.7 million; 
FY 2010: $62.9 million. 

Source: FBI. 

Note: Represents funds obligated by FBI's Innocent Images National 
Initiative unit. 

[End of table] 

Innocent Images National Initiative: 

The FBI established a nationwide initiative to combat the 
proliferation of online child sexual exploitation. The Innocent Images 
National Initiative (Innocent Images), a component of the FBI's Cyber 
Division, is a proactive, investigative initiative whose mission is to 
combat the proliferation of child pornography facilitated by computer. 
This initiative is composed of agents working at regional offices 
nationwide and may involve agents from any of the FBI's 56 field 
offices. Innocent Images provides centralized coordination and 
analysis of case information that is national and international in 
scope and requires coordination with state, local, and international 
governments as well as among FBI field offices and legal attaches. Its 
mission is to: 

* identify, investigate, and prosecute sexual predators who use the 
Internet and online services to sexually exploit children; 

* establish a law enforcement presence on the Internet as a deterrent 
to subjects that use the Internet to exploit children; 

and: 

* identify and rescue witting and unwitting child victims. 

As shown in table 5, FBI child pornography investigations and arrests 
have increased from fiscal years 2006 through 2010. 

Table 5: Number of FBI Child Pornography Investigations and Arrests: 

Number: Investigations; 
Fiscal year: 2006: 4,467; 
Fiscal year: 2007: 4,952; 
Fiscal year: 2008: 5,667; 
Fiscal year: 2009: 6,062; 
Fiscal year: 2010: 6,070. 

Number: Arrests; 
Fiscal year: 2006: 936; 
Fiscal year: 2007: 1,115; 
Fiscal year: 2008: 1,144; 
Fiscal year: 2009: 1,077; 
Fiscal year: 2010: 1,094. 

Source: FBI. 

[End of table] 

Child Exploitation and Obscenity Section: 

The Child Exploitation and Obscenity Section (CEOS) is a unit within 
the Department of Justice's (DOJ) Criminal Division that specializes 
in the prosecution of federal child sexual exploitation offenses. 
Among other things, CEOS is primarily responsible for the development 
of prosecution, policy, and legislative initiatives in those areas. 
CEOS's professional staff consists of attorneys and computer forensics 
specialists in CEOS's High Technology Investigative Unit dedicated to 
combating the sexual exploitation of children and obscenity. 
Established in 1987, CEOS focuses on individuals who, in the context 
of child exploitation: 

* possess, manufacture, produce, or traffic in child pornography; 

* travel interstate or internationally to sexually abuse children, or 
cause children to travel interstate or internationally for that same 
purpose; 

* use the Internet to lure children to engage in prohibited sexual 
conduct; 

* abuse children on federal and Indian lands; 
or: 

* engage in domestic child sex trafficking. 

CEOS attorneys work closely with federal law enforcement agencies and 
prosecutors on investigations, trials, and appeals. As shown in tables 
6 and 7, the amount of fiscal resources at CEOS dedicated to combating 
child exploitation, including resources available to assist with and 
prosecute child pornography and obscenity related cases, grew from 
fiscal year 2006 through fiscal year 2010, while CEOS's personnel 
resources fell over that same period. 

Table 6: CEOS Personnel Dedicated for Combating Child Exploitation and 
Obscenity Offenses: 

FY 2006: 
Number of personnel: 36; 

FY 2007: 
Number of personnel: 32; 

FY 2008: 
Number of personnel: 32; 

FY 2009: 
Number of personnel: 32; 

FY 2010: 
Number of personnel: 32. 

Source: DOJ's Criminal Division. 

[End of table] 

Table 7: CEOS Funds Obligated for Combating Federal Child Exploitation 
and Obscenity Offenses: 

FY 2006: $4.4 million; 
FY 2007: $4.8 million; 
FY 2008: $5.3 million; 
FY 2009: $5.9 million; 
FY 2010: $5.9 million. 

Source: DOJ's Criminal Division. 

[End of table] 

Office of Juvenile Justice and Delinquency Prevention: Internet Crimes 
Against Children Program: 

Created by DOJ in 1998, the Internet Crimes Against Children (ICAC) 
program, administered and funded through the Office of Juvenile 
Justice and Delinquency Prevention (OJJDP), encourages communities 
nationwide to develop regional, multijurisdictional, and multiagency 
responses to Internet crimes against children. The program provides 
grants to state and local law enforcement agencies to build regional 
task forces that address and combat Internet-related crimes against 
children. ICAC program grants can be used to ensure that investigators 
receive specialized training and technological resources to combat 
Internet-related crimes. Additionally, ICAC task forces have been 
established to serve as sources of prevention, education, and forensic 
investigative assistance to those who work to address Internet crimes 
against children. ICAC's objectives include: 

* developing or expanding multiagency, multijurisdictional task forces 
that include representatives from law enforcement, prosecution, victim 
services, and child protective services, among others; 

* ensuring investigative capacity by properly equipping and training 
ICAC task force investigators; 

* developing and maintaining case management systems to document 
reported offenses and investigative results; and: 

* developing response protocols or memorandums of understanding to 
foster collaboration, information sharing, and service integration 
among public and private organizations to protect children from being 
sexually exploited. 

A number of federal agencies are also involved in the ICAC Task Force 
Program through membership on various task force units and through 
participation on the ICAC Task Force Board. These partners include 
DOJ's CEOS, FBI, the Executive Office for United States Attorneys, 
Immigration and Customs Enforcement (ICE), and the United States 
Postal Inspection Service (USPIS). 

As shown in table 8, the number of ICAC task force child exploitation 
investigations and arrests increased from fiscal year 2006 through 
2010. 

Table 8: Number of ICAC Task Force Child Exploitation Cases 
Investigated and Arrests: 

Number: Cases investigated; 
Fiscal year: 2006: 10,800; 
Fiscal year: 2007: 14,700; 
Fiscal year: 2008: 21,700; 
Fiscal year: 2009: 22,700; 
Fiscal year: 2010: 32,300. 

Number: Arrests; 
Fiscal year: 2006: 2,100; 
Fiscal year: 2007: 2,500; 
Fiscal year: 2008: 3,100; 
Fiscal year: 2009: 4,500; 
Fiscal year: 2010: 5,300. 

Source: OJJDP. 

Note: Prior to the enactment of the PROTECT Our Children Act of 2008, 
OJJDP did not require ICAC task forces to track investigations data. 
The agency provided estimates for investigations totals for fiscal 
years 2006 through 2008, based on multiple variables including arrests 
and closed investigations among other factors. 

[End of table] 

Department of Homeland Security: 

U.S. Immigration and Customs Enforcement: 

U.S. Immigration and Customs Enforcement (ICE) was one of the first 
federal law enforcement agencies to combat the sexual exploitation of 
children. Beginning in the 1970s, ICE, under the legacy U.S. Customs 
Service, used its unique customs and border authority to investigate 
individuals and groups that were introducing child pornography into 
the United States. Since 2003, ICE has continued this effort through 
enforcement of trans-border violations of federal child exploitation 
statutes, including those related to child pornography. The agency 
becomes involved in cases with foreign links, primarily focusing on 
child pornography that enters the United States from abroad. In 
addition, ICE investigates, interdicts, and prosecutes those 
individuals involved in, among other things: 

* possession, receipt, distribution, advertisement, transportation, 
and production of child pornography; 

* trafficking of children for sexual purposes; and: 

* traveling in foreign commerce to engage in sexually explicit conduct 
with minors (also known as sex tourism). 

ICE's Office of Investigations established the Cyber Crimes Center to 
more effectively focus ICE resources on Internet crimes. The center 
brings together all ICE resources dedicated to the investigation of 
international criminal activity conducted on or facilitated by the 
Internet, including the sharing and distribution of child pornography. 
The center also trains personnel and upgrades their techniques to 
combat the diverse ways in which offenders download, possess, and 
distribute child pornography. The center acts as a clearinghouse and 
directs investigations to applicable areas within the United States 
and foreign countries. Through the Cyber Crimes Center, ICE addresses 
smuggling over "traditional" borders as well as smuggling associated 
with the Internet. 

As shown in tables 9 and 10, the amount of personnel and fiscal 
resources the ICE has allocated to combating child exploitation crime, 
including child pornography, increased from fiscal year 2006 through 
fiscal year 2010. 

Table 9: ICE Personnel Dedicated for Combating Child Exploitation: 

Number of personnel. 

FY 2006: 
Number of personnel: 208.7; 

FY 2007: 
Number of personnel: 211.8; 

FY 2008: 
Number of personnel: 228.3; 

FY 2009: 
Number of personnel: 227; 

FY 2010: 
Number of personnel: 239.3. 

Source: ICE. 

Note: Represents agent data manually derived from ICE field offices 
through September 30, 2010. 

[End of table] 

Table 10: ICE Resources Obligated for Combating Child Exploitation: 

FY 2006: $0.531 million; 
FY 2007: $1.32 million; 
FY 2008: $0.916 million; 
FY 2009: $0.724 million; 
FY 2010: $0.951 million. 

Source: ICE. 

Note: Represents manually derived estimates of funds obligated by ICE 
field offices through September 30, 2010. 

[End of table] 

As shown in table 11, the number of ICE child pornography cases 
initiated has decreased, while arrests have increased from fiscal 
years 2006 through 2010. 

Table 11: Number of Child Pornography Cases Initiated and Arrests by 
ICE Agents: 

Number: Cases initiated; 
Fiscal year: 2006: 3,291; 
Fiscal year: 2007: 3,191; 
Fiscal year: 2008: 2,898; 
Fiscal year: 2009: 2,894; 
Fiscal year: 2010: 2,622. 

Number: Arrests; 
Fiscal year: 2006: 681; 
Fiscal year: 2007: 948; 
Fiscal year: 2008: 863; 
Fiscal year: 2009: 957; 
Fiscal year: 2010: 931. 

Source: ICE. 

[End of table] 

United States Secret Service: 

The United States Secret Service (USSS) provides forensic and 
technical assistance in matters involving missing and sexually 
exploited children through its Office of Investigations. The USSS' 
Forensic Investigative Response and Support Team consists of a group 
of technical and forensic experts, including agents from the 
Electronic Crimes Special Agent Program, who are available to respond 
to requests from any law enforcement agency within the United States 
to perform forensic and technical examinations. Section 105 of the USA 
Patriot Act requires USSS to develop a national network of electronic 
crime task forces to combat various forms of electronic crimes. 
[Footnote 89] In response to this requirement, USSS has established 31 
regional Electronic Crimes Task Forces worldwide. The regional task 
forces work directly with other federal, state, and local law 
enforcement agencies in the area of child pornography as well as other 
electronic crimes. 

According to USSS headquarters officials, online child pornography 
crime is not a core violation for the agency. Therefore, it has 
pursued fewer investigations involving this crime than other crimes, 
such as counterfeiting, and does not track funding or personnel 
dedicated to this crime. These officials added, however, that some 
USSS field offices with a background in these areas as well as digital 
forensic capabilities investigate these crimes. As shown in table 12, 
while the number of investigations has varied over time, the number of 
arrests related to child pornography has increased. 

Table 12: Number of USSS Investigations and Arrests Related to Child 
Pornography: 

Investigations: 
Fiscal year: 302; 
Fiscal year: 487; 
Fiscal year: 138; 
Fiscal year: 98; 
Fiscal year: 188. 

Arrests: 
Fiscal year: 88; 
Fiscal year: 94; 
Fiscal year: 80; 
Fiscal year: 88; 
Fiscal year: 149. 

Source: USSS. 

[End of table] 

United States Postal Service: 

United States Postal Inspection Service: 

The United States Postal Inspection Service (USPIS) is the federal law 
enforcement arm of the United States Postal Service that is 
responsible for investigating crimes involving the U.S. mail, 
including child pornography and child sexual exploitation offenses. 
Postal Inspectors, specially trained to conduct child exploitation 
investigations, are assigned to each of its 18 field divisions 
nationwide. The use of mail to traffic in child pornography, or to 
sexually exploit children, continues to be a significant societal 
problem, according to Postal officials. They added that the exchange 
of child pornography by mail is now often preceded by use of the 
Internet to communicate with like-minded individuals or to locate 
sources of child pornography. 

The objective of the child exploitation program is to reduce and deter 
the use of the postal system for the procurement or delivery of 
materials that promote the sexual exploitation of children and to 
uphold customer confidence. In carrying out its mission, USPIS works 
with DOJ, FBI, ICE, and other national and international law 
enforcement agencies. 

As shown in table 13, the number of full-time Postal Inspectors 
dedicated to combating child exploitation has decreased overall; 

however, the number of inspectors addressing these crimes on a part- 
time basis has increased. 

Table 13: Full Time and Part Time Postal Inspectors Assigned to Child 
Exploitation Investigations: 

Number of postal inspectors: Full time; 
FY 2006: 37; 
FY 2007: 37; 
FY 2008: 38; 
FY 2009: 36; 
FY 2010: 26. 

Number of postal inspectors: Part time; 
FY 2006: 0; 
FY 2007: 0; 
FY 2008: 10; 
FY 2009: 14; 
FY 2010: 19. 

Source: USPIS. 

[End of table] 

According to USPIS, as a result of its transformation and 
reorganization during the past 2 years, it assigned fewer full-time 
Postal Inspectors to investigate child exploitation in a proactive 
manner, yet increased the assignment of part-time Postal Inspectors to 
ensure any lead referred to the division is addressed. As shown in 
table 14, the number of investigations related to child exploitation 
and child pornography has decreased. According to USPIS, Postal 
Inspectors are now focused on high-quality U.S. mail-related 
investigations involving the sexual exploitation of children, and 
investigations not involving the U.S. mail (e.g., those that are 
Internet-related) are now being worked at a significant rate by 
partners, such as the ICAC task forces. 

Table 14: Postal Inspection Service Investigations and Arrests Related 
to Child Exploitation and Child Pornography: 

Number: Investigations; 
Fiscal year: 2006: 267; 
Fiscal year: 2007: 264; 
Fiscal year: 2008: 310; 
Fiscal year: 2009: 233; 
Fiscal year: 2010: 141. 

Number: Arrests; 
Fiscal year: 2006: 252; 
Fiscal year: 2007: 155; 
Fiscal year: 2008: 165; 
Fiscal year: 2009: 186; 
Fiscal year: 2010: 115. 

Source: USPIS. 

[End of table] 

[End of section] 

Appendix II: Status of Efforts of DOJ and NCMEC's CyberTipline to 
Implement Provisions of the PROTECT Our Children Act of 2008: 

Table 15 presents information on the actions taken by DOJ and NCMEC to 
implement their responsibilities under the Providing Resources, 
Officers, and Technology To Eradicate Cyber Threats to Our Children 
Act of 2008 (PROTECT Our Children Act of 2008, or the Act).[Footnote 
90] 

Table 15: Status of Efforts of the Attorney General and NCMEC's 
CyberTipline to Implement Their Responsibilities under the PROTECT Our 
Children Act of 2008: 

Responsible entity or official: Attorney General; 
Provision: § 101(a) - (c); 42 U.S.C. § 17611(a) - (c); 
Responsibility: National Strategy for Child Exploitation Prevention 
and Interdiction: Due 1 year after the date of enactment, and every 
second year thereafter. The statute requires that the Strategy contain 
19 elements, including goals and measurable objectives, a review of 
DOJ's work, plans for interagency coordination--with ICE and the 
Departments of State, Commerce and Education, among others--a review 
of the ICAC Task Force Program, a review of and plans for reducing 
forensic backlogs, and a review of all available statistical data on 
child pornography trafficking, among other elements; 
Status of effort: In August 2010, DOJ released its National Strategy 
for Child Exploitation Prevention and Interdiction (National 
Strategy). This document contained elements specified for inclusion by 
the PROTECT Our Children Act of 2008, including a review of DOJ work 
related to the prevention and investigation of child exploitation 
crime, a review of the ICAC Task Force program, a review of the 
backlog of forensic analysis for child exploitation cases, and plans 
for reducing the forensic backlog. In terms of plans for updating the 
National Strategy, DOJ officials stated that they are currently 
working on implementation of the National Strategy, which was 
submitted in August. As they move forward with implementation, they 
said that they plan to decide whether the goals and priorities need to 
be updated. In addition, they are updating the National Strategy with 
information from each agency and component. The officials stated that 
DOJ plans to submit the National Strategy to Congress by April 1, 2011. 

Responsible entity or official: Attorney General; 
Provision: § 101(d); 42 U.S.C. § 17611(d); 
Responsibility: Designation of Senior Official: The Attorney General 
must designate a DOJ senior official to be responsible for the 
strategy, who must act as a liaison with other federal entities, 
ensure proper coordination, be knowledgeable about relevant DOJ budget 
priorities and efforts, and be available to Congress; 
Status of effort: DOJ designated a Senior Official responsible for 
development of the National Strategy on January 13, 2010. To 
facilitate the role as a liaison with other federal entities, the 
National Coordinator has called together a multiagency National 
Strategy Working Group to work on implementing the National Strategy. 
This working group includes participants from DHS, the Department of 
State, the Department of Defense, USPIS, the Department of Commerce, 
the Department of Education, Commanders from four ICAC Task Forces, as 
well as various components of DOJ, including FBI, CEOS, the OJJDP, and 
U.S. Attorneys' Offices. There are six subcommittees under the Working 
Group that are responsible for implementing various components of the 
National Strategy. They are subcommittees on Technical Assistance, 
Global Outreach, Community Outreach, Research and Grant Planning, 
Training, and Law Enforcement Collaboration. 

Responsible entity or official: Attorney General; 
Provision: §§ 102-04; 42 U.S.C. §§ 17612-14; 
Responsibility: ICAC Task Force Program: Establishes in law the ICAC 
Task Force Program, under the authority of the Attorney General, which 
is a national program of state and local law enforcement task forces 
dedicated to developing responses to online enticement of children by 
sexual predators, child exploitation, and child obscenity and 
pornography cases. The statute requires that there be at least one 
task force per state and that the Attorney General consult with and 
consider the 59 task forces in existence at time of enactment in 
establishing the program. Requires the Attorney General to conduct 
periodic review of the effectiveness of each task force and authorizes 
the Attorney General to establish new task forces, subject to certain 
conditions. Grants authority to the Attorney General to conduct 
training; requires periodic review of the effectiveness of training; 
limits training awards to any one entity to $2 million annually. 
Includes 9 specified purposes of the task forces and 11 required 
functions and duties, 1 of which includes working toward achieving the 
purposes; 
Status of effort: There is currently at least one ICAC per state. 
Since the passage of the PROTECT Our Children Act of 2008, 2 new ICAC 
task forces have been formed, 1 in Houston and 1 in New York City--for 
a total of 61 ICAC task forces. According to DOJ officials, in 
general, solicitations for grants for new ICAC task forces were 
announced approximately 6 months before grant recipients were 
selected. Approximately 10 days before local entities in the Houston 
and New York areas were notified that their grant proposals were 
accepted, Congress was notified of the grant selections. According to 
DOJ officials, assessments of ICAC performance are done on a monthly 
and quarterly basis. The information collected includes data on number 
of arrests and investigations, community education programs, and other 
factors. According to DOJ officials, DOJ was already collecting from 
the ICAC task forces and reviewing many data points required by the 
PROTECT Our Children Act of 2008. A DOJ official stated that the Act 
included a new requirement that DOJ collect information on the number 
of investigations conducted. This new data point was incorporated into 
ICAC program management in 2009-2010. DOJ noted that the ICAC task 
forces are now required to submit data on these new data points, and 
program managers review the data submitted. DOJ provides spreadsheets 
to ICAC task forces listing these and other required data points that 
are then submitted to OJJDP. In March 2010, DOJ's Office of Audit, 
Assessment, and Management reviewed the ICAC Technical and Training 
Assistance program and found that, based on student evaluations and 
observations, the overall quality of training provided was of high 
quality and well-received. However, the IG noted concerns with the 
management of OJJDP's training program. Specifically, the IG reported 
that OJJDP performance measures for the effectiveness of the training 
program were output based and did not measure the long-term 
effectiveness of the training program. To conduct periodic 
assessments, according to DOJ officials, OJJDP collects posttraining 
reviews on training programs conducted under the ICAC training 
program. Officials said that OJJDP conveyed the requirement to 
training grant recipients in 2009 and 2010 that they must provide 
immediate and long-term reviews of training efficacy. These assessment 
efforts are paid for with existing DOJ funding. OJJDP also reviews 
semiannual progress reports and deliverables produced under every ICAC 
training program grant. DOJ officials stated that even though the Act 
authorized up to $60 million per year to enact the various provisions 
of the Act that affect the ICAC Task Force program, funds have not 
been appropriated under this section of the Act. Funds have been 
appropriated for ICACs under other authority--such as the Juvenile 
Justice and Delinquency Prevention Act (JJDPA) (see, e.g., Conference 
Report accompanying Consolidated Appropriations Act, 2010, H.R. Rep. 
No. 111-366 at 678 (2009) (directing a specific amount of funds 
appropriated under sections 404(b) and 405(a) of the JJDPA be made 
available for the ICAC program)). According to DOJ officials, where 
OJJDP was able to incorporate Act requirements within current funding 
levels it has done so (e.g., enhancing data collection). 

Responsible entity or official: Attorney General; 
Provision: § 106(a) - (c); 42 U.S.C. § 17616(a) - (c); 
Responsibility: ICAC Grant Program: Authorizes the Attorney General to 
award grants to ICAC task forces, pursuant to statutory factors and 
criteria. In order to receive funds, task forces must submit 
applications, describing uses of funds; funds may only be used for 
specified allowable uses; 
Status of effort: The ICAC Task Force Program received a total of $50 
million in American Recovery and Reinvestment Act of 2009, Pub. L. No. 
111-5, grant funding, which was distributed pursuant to the formula 
requirements of the PROTECT Our Children Act of 2008. According to DOJ 
officials, DOJ will use this formula to allocate future appropriations 
made for the ICAC program and specifically did so in fiscal year 2009 
for the 59 ICACs. While the Act did not specify an exact formula for 
allocating grant monies, it dictated certain considerations that were 
to be accounted for in allocating funds, for example, the population 
in each state and number of successful Internet crimes against 
children prosecutions, among others. Where data were available, OJJDP 
incorporated these considerations from the Act into its formula for 
making ICAC funding allocations. However, DOJ officials noted that 
ICAC funds were not appropriated under this section of the Act, but 
under other authority. OJJDP awarded $18,997,913 in grant funding to 
ICAC task forces in fiscal year 2010. ICAC task forces submit annual 
applications in response to OJJDP's continuation funding solicitation 
describing activities to be undertaken with grant funding. According 
to DOJ officials, these applications are reviewed by OJJDP program 
management teams who examine the applications based on financial and 
programmatic considerations and compare the goals and objectives 
stated in the application with the requirements outlined in the 
solicitation. For example, OJJDP officials would review an application 
to assess the extent to which the ICAC task force would establish a 
multijurisdictional and multiagency infrastructure to address child 
exploitation crime. 

Responsible entity or official: Attorney General; 
Provision: § 106(d); 42 U.S.C. § 17616(d); 
Responsibility: ICAC Program Reporting Requirements: (1) Task forces 
must submit annual reports to the Attorney General, addressing 
specific information, such as the number of referrals made by the task 
force to the U.S. Attorneys office and the number of investigative 
technical assistance sessions the task force provided, among others. 
(2) The Attorney General must submit a report to Congress not later 
than 1 year after enactment on development of the ICAC program and 
numbers of federal and state investigations, prosecutions and 
convictions related to child exploitation; 
Status of effort: Although ICAC funds have not been appropriated under 
this section of the PROTECT Our Children Act of 2008, according to DOJ 
officials, OJJDP prepared reports on the ICAC program in 2009 and in 
2010 that included information on the disposition of child 
exploitation cases and sentencing outcomes, which was a requirement in 
the Act. At the time the Act was passed, OJJDP did not have a 
mechanism to capture this information. Therefore, information 
presented in DOJ annual reports may not include the disposition of all 
cases in 2009 and 2010. According to DOJ officials, the report OJJDP 
prepared for the Attorney General in 2009 on the status of the ICAC 
program was incorporated in the National Strategy. The 2010 report on 
the status of the ICAC program is currently under review at OJJDP, and 
DOJ officials stated that they plan to incorporate it as part of the 
update to the National Strategy. 

Responsible entity or official: Attorney General; 
Provision: § 105(a) - (f); 42 U.S.C. § 17615(a) - (f); 
Responsibility: National Internet Crimes Against Children Data System 
(NIDS): NIDS, to be housed and maintained within DOJ or a credentialed 
law enforcement agency, is to assist and support law enforcement 
investigating and prosecuting child exploitation. NIDS, which is 
required to be available to credentialed law enforcement agencies for 
a nominal fee, must allow information sharing and case deconfliction, 
provide a dynamic undercover infrastructure, enable real-time 
reporting of child exploitation cases involving local victims, 
identify high-priority suspects, and include a network that provides 
for secure, online data storage and analysis and online communication, 
among other things; 
Status of effort: DOJ issued a grant solicitation for development of 
NIDS in March 2009. The initial grant solicitation was for the 
construction, maintenance, and housing of the system and other tasks, 
such as linking the system with the ICAC Task Force Portal. In January 
2010, applicants for the 2009 NIDS grant solicitation were notified 
that the agency would not make an award under the solicitation because 
it planned to pursue a different system for deconfliction and 
investigation than was described in the solicitation. DOJ reissued the 
NIDS grant solicitation in June 2010 to select a contractor to conduct 
a national needs assessment and perform other tasks in support of 
developing the system in the future. In September 2010, DOJ awarded 
the grant for the NIDS needs assessment and development activities to 
the Massachusetts State Police, and its partners Fox Valley Technical 
College, University of Massachusetts, and University of New Hampshire 
Crimes Against Children Research Center. According to OJJDP officials, 
no decision has been made as to where the system will be hosted. The 
National Coordinator said that the U.S. Marshals Service Sex Offender 
Targeting Center will be considered as an appropriate platform to host 
the system. 

Responsible entity or official: Attorney General; 
Provision: § 105(g); 42 U.S.C. § 17615(g); 
Responsibility: National Internet Crimes Against Children Data System 
Steering Committee: Requires the Attorney General to establish a 
Steering Committee to provide guidance to NIDS on the network 
requirements and assist in the development of strategic plans for 
NIDS. Includes requirements for the composition of the 10-member 
committee; 
Status of effort: The National Coordinator reported that the NIDS 
Steering Committee was established in April 2010 with appropriate 
membership as required by the PROTECT Our Children Act of 2008. The 
NIDS Steering Committee consists of representatives from ICE, USPIS, 
FBI, CEOS, OJJDP, and the U.S. Marshals Service, as well as 
representatives from state and local law enforcement. According to the 
National Coordinator, the Steering Committee met, but was suspended 
while DOJ issued a grant solicitation for a NIDS needs assessment. Now 
that the grantee has been selected, the steering committee has met 
with the NIDS grantee to discuss formulation and operation of NIDS. 
The committee plans to provide input to the grantee during the needs 
assessment process and plans to continue to advise DOJ leadership as 
to the formulation and operation of NIDS as the system is built and 
becomes operational. 

Responsible entity or official: Attorney General; 
Provision: § 201; 42 U.S.C. § 17631; 
Responsibility: Additional Regional Computer Forensic Labs: Requires 
the Attorney General to establish additional computer forensic 
capacity to address the current backlog; funds made available under 
this section for additional capacity must be dedicated to assisting 
law enforcement agencies in preventing, investigating, and prosecuting 
internet crimes against children. The location of any new labs must be 
determined in consultation with specified stakeholders, such as the 
Director of the FBI and the Regional Computer Forensic Laboratory 
National Steering Committee, and others. The Attorney General is 
required to submit a report on how appropriated funds were utilized no 
later than 1 year after enactment and annually; 
Status of effort: Currently, the FBI is in the process of initiating 
new Regional Computer Forensics Laboratories (RCFL) in Los Angeles and 
New Mexico, scheduled to begin operations in January 2011 and March 
2011, respectively. In 2006, FBI began the process of seeking a 
nonpersonnel budget enhancement for these RCFLs and received $6 
million in 2008 to build these facilities. To date, the RCFL Program 
has received no additional funding to initiate these, or any other, 
RCFLs. FBI has used the base funding of its RCFL National Program to 
support the 14 existing RCFLs as well as the 2 new RCFLs. In addition, 
the FBI's Operational Technology Division has initiated multiple 
efforts both inside and outside of RCFLs to reduce backlogs. These 
include initiatives such as: 
The Case Agent Investigative Review system, which provides 
investigators the ability to review results of digital forensic 
examinations conducted in an RCFL from an FBI computer terminal; 
Investigative kiosks that allow law enforcement to extract data from 
cell phones or loose media in a forensically sound manner and analyze 
evidence; Expanded use of preview tools to decrease the amount of 
digital evidence seized and to triage that which is seized for 
examination. 

Responsible entity or official: Attorney General; (through the 
National Institute of Justice); 
Provision: § 401; 
Responsibility: National Institute of Justice (NIJ) Study of Risk 
Factors for Assessing Dangerousness: Requires NIJ to prepare a report 
to identify the investigative factors indicating whether a subject of 
an online child exploitation investigation poses a high risk of harm 
to children, in consultation and coordination with specified entities, 
such as state, local, and federal law enforcement agencies and NCMEC, 
among others. Report is due not later than 1 year after enactment, and 
NIJ must present findings and recommendations to the Judiciary 
Committees; 
Status of effort: According to DOJ officials, this report has not been 
initiated because funds have not been appropriated for this activity 
under the PROTECT Our Children Act of 2008, and DOJ does not have 
plans or a time frame to conduct such a study. However, according to 
the National Coordinator, an examination of how such a study would be 
conducted would likely be considered by the National Strategy Working 
Group as it moves forward. 

Responsible entity or official: Attorney General; NCMEC; 
Provision: § 501(a); 18 U.S.C. § 2258A; 
Responsibility: Reporting Requirements of Electronic Communication 
Service Providers and Remote Computing Service Providers (ESPs): 
Amends the criminal code to establish monetary penalties for ESPs that 
fail to report to the CyberTipline actual knowledge of facts and 
circumstances from which there is an apparent violation of specified 
provisions of the criminal code relating to the sexual exploitation of 
children and child pornography. 
Enforcement: The Attorney General is responsible for the enforcement 
of the reporting requirements. 
Designation of law enforcement agencies: Requires the Attorney General 
to designate federal law enforcement agencies to which NCMEC will 
forward the reports. Also requires the Attorney General to designate, 
in consultation with the Secretary of State, foreign law enforcement 
agencies, the conditions under which a report may be forwarded to such 
foreign agencies, and a process for foreign agencies to request 
assistance from federal law enforcement related to reports forwarded 
to them by NCMEC. Requires that the Attorney General maintain and make 
available the list of designated foreign agencies to specified 
entities, including the Judiciary Committees, and provides the sense 
of Congress that the Attorney General and Secretary of State should 
make a substantial effort to expand the list. 
Report forwarding: Requires NCMEC to forward reports to the designated 
federal law enforcement agencies; and allows NCMEC to forward reports 
to state/local law enforcement agencies, as well as designated foreign 
law enforcement agencies, subject to conditions established by the 
Attorney General and with copies provided to specified entities, 
including the Attorney General and federal law enforcement agencies. 
Requires NCMEC to inform the ESP as to whether or not the report was 
forwarded to a foreign law enforcement agency where the ESP made a 
report as a result of a request by a foreign law enforcement agency. 
Limits disclosure of reports by NCMEC to these entities and for 
purposes under § 2258C (below). 
Disclosure of information: Limits the permitted disclosures by law 
enforcement agencies of information contained in a report received 
from NCMEC to specified individuals and purposes. 
Preservation: Requires ESPs to preserve information submitted in a 
report to the CyberTipline for 90 days; 
Status of effort: DOJ officials reported that as of December 15, 2010, 
the agency is not aware of any violations where ESPs failed to report 
to the CyberTipline and therefore has not taken any enforcement 
actions under this provision. According to the National Coordinator, 
DOJ has not yet designated a list of federal law enforcement agencies 
or a list of foreign law enforcement agencies to which CyberTipline 
reports may be forwarded. NCMEC officials said that NCMEC forwards 
CyberTipline reports to federal law enforcement agencies. 
Additionally, NCMEC currently refers CyberTipline reports to foreign 
law enforcement agencies through ICE. DOJ officials said that they 
plan to coordinate with NCMEC to determine how such a formal 
designation would work best with NCMEC's current process, but has no 
time frames for doing so. According to NCMEC, as of December 2010 
access to NCMEC's CyberTipline reports is limited to 83 virtual 
private networks (including ICAC task forces and international law 
enforcement via ICE) and the federal law enforcement agencies that 
have representatives who liaison with NCMEC to distribute reports for 
investigative purposes. 

Responsible entity or official: NCMEC; 
Provision: § 501(a); 18 U.S.C. § 2258C; 
Responsibility: Use to Combat Child Pornography of Technical Elements 
Relating to Images Reported to the CyberTipline: Allows NCMEC to 
provide to ESPs, and requires NCMEC to provide to federal, state, and 
local law enforcement involved in the investigation of child 
pornography crime, elements relating to any apparent child pornography 
image of an identified child--but not actual images--for the purpose 
of permitting the ESP to stop further transmission of images and for 
the investigation of child pornography cases, respectively; 
Status of effort: NCMEC has several initiatives to provide law 
enforcement and ESPs elements relating to apparent child pornography 
images of an identified child. For example, according to NCMEC 
officials, it has developed an initiative called the Law Enforcement 
Services Portal, which allows law enforcement agencies access to 
NCMEC's Child Recognition and Identification systems to quickly 
identify hash values[A] of identified child victims. The portal 
separates out hash values of identified child victims from those who 
have not been identified so that law enforcement can quickly match 
hash values they receive during investigations against the database of 
image information. According to NCMEC officials, the Law Enforcement 
Services Portal is operational and efforts to register additional law 
enforcement officers will continue in 2011. 
NCMEC established its Hash Value Sharing initiative in 2008 to provide 
elements relating to apparent child pornography images of an 
identified child. NCMEC provides a list of hash values to requesting 
ESPs who use hash-seeking software to detect and remove illegal files 
from their systems. NCMEC provided hash values to 10 ESPs, as of 
November 23, 2010. 
In addition, NCMEC established its Uniform Resource Locator (URL) 
initiative in 2008. Through this initiative, NCMEC provides a daily 
list of active URLs (also known as Web addresses) that contain photos 
or videos of apparent child pornography, and, as of November 23, 2010, 
has provided this list of URLs to 85 ESPs. ESPs may take action to 
prevent users from accessing these sites. For example, ESPs that host 
Web sites can check the URL list to ensure that none of the sites that 
they host are on the list. 
Under its Child Victim Identification Program, NCMEC requests that 
when a federal, state, or local law enforcement agency has identified 
child victims featured in child pornography images that it provides 
NCMEC with copies of the images and information related to the 
investigation. NCMEC uses this information to assist law enforcement 
agencies and prosecutors with determining if submitted images contain 
children who have been identified in past investigations. Under this 
program, NCMEC also helps prosecutors prove that a real child is 
depicted in child pornography images. According to NCMEC, through this 
effort, children have been rescued from ongoing exploitation as a 
result of the cooperative efforts between the program and law 
enforcement. 

Responsible entity or official: NCMEC; 
Provision: § 501(a); 42 U.S.C. § 2258D(d); 
Responsibility: Minimizing Access: Requires NCMEC to minimize the 
number of employees who are provided access to any image provided 
under § 2258A and ensure that any such image is permanently destroyed 
upon notification from a law enforcement agency; 
Status of effort: According to NCMEC officials, since the passage of 
the Act NCMEC has reduced the number of employees with access to 
CyberTipline images by 21 percent from 72 to 57 by removing access to 
images from employees who transfer from the NCMEC's Exploited Child 
Division, which reviews CyberTipline reports, to other divisions. 
Another means that NCMEC has used to minimize the number of employees 
with access to CyberTipline images is to create a "read only" level of 
access to the CyberTipline for employees whose job responsibilities 
require them to have access to CyberTipline information, but not 
images. Currently, a total of 86 employees have "read only" access. 
NCMEC officials stated that NCMEC has never been asked by a law 
enforcement agency to permanently destroy images. 

Responsible entity or official: Attorney General; 
Provision: § 502(a); 
Responsibility: Attorney General Report on Implementation, 
Investigative Methods and Information Sharing: Requires the Attorney 
General to submit a report to the Judiciary Committees, not later than 
12 months after enactment, on the structure established in response to 
the Act, legal and constitutional implications of the structure, 
privacy safeguards, and numerical information related to §§ 2258A(b) 
and 2258C; 
Status of effort: According to officials, DOJ has not prepared this 
report and does not yet have a time frame for completing it. 

Source: The PROTECT Our Children Act of 2008 and GAO analysis of 
information from DOJ and NCMEC. 

[A] Hash values, also known as digital fingerprints, are computational 
values that serve as unique identifiers for electronic files, such as 
images, documents, or storage media such as hard drives. 

[End of table] 

[End of section] 

Appendix III: Overview of NIDS Components and System Functions 
Outlined by the PROTECT Our Children Act of 2008: 

Table 16 provides an overview of the technical specifications of the 
National Internet Crimes Against Children Data System (NIDS) as 
described by the PROTECT Our Children Act of 2008.[Footnote 91] 

Table 16: Information on the NIDS Components Required by and Functions 
Described in the PROTECT Our Children Act of 2008: 

NIDS component: Case deconfliction; 
NIDS functional description: NIDS is to provide a secure, online 
system for federal law enforcement agencies; ICAC task forces; and 
other state, local, and tribal law enforcement agencies to use in 
resolving case conflicts. 

NIDS component: Real-time reporting; 
NIDS functional description: NIDS is required to ensure that child 
exploitation cases involving local child victims that are reasonably 
detectable using available software and data are, immediately upon 
their detection, made available to participating law enforcement 
agencies. 

NIDS component: High-priority suspects identification; 
NIDS functional description: Every 30 days, at a minimum, NIDS shall: 
(1) identify high-priority suspects, such as suspects determined by 
the volume of suspected criminal activity or other indicators of 
seriousness of offense or dangerousness to the community or a 
potential local victim; and; (2) report all such identified high-
priority suspects to participating law enforcement agencies. 

NIDS components: Data collection and analysis; 
NIDS functional description: NIDS is required to ensure the 
availability of any statistical data indicating the overall magnitude 
of child pornography trafficking and child exploitation in the United 
States and internationally, such as the number of computers and users 
engaged in peer-to-peer child pornography, among other data. 

NIDS components: Local data analysis; 
NIDS functional description: NIDS is to provide a secure online data 
storage and analysis system that credentialed users may use. 

NIDS components: Secure connections; 
NIDS functional description: NIDS is required to provide secure 
connections with state, local, and tribal law enforcement computer 
networks, consistent with reasonable and established security 
protocols and guidelines. 

NIDS components: Dynamic undercover infrastructure; 
NIDS functional description: NIDS is to provide for a dynamic 
undercover infrastructure to facilitate online investigations of child 
exploitation. 

NIDS components: Software development and support; 
NIDS functional description: NIDS is required to facilitate and 
develop essential software and network capability for law enforcement 
participants, as well as provide software or direct hosting and 
support for online investigations of child exploitation activities. 

NIDS components: Online communications and collaboration; 
NIDS functional description: NIDS must provide for a secure system 
enabling online communications and collaboration by participants 
regarding ongoing investigations, investigatory techniques, and best 
practices. 

NIDS components: Guidelines and training and technical assistance; 
NIDS functional description: NIDS must provide for guidelines as well 
as training and technical assistance on use of the system. 

Source: PROTECT Our Children Act of 2008. 

[End of table] 

[End of section] 

Appendix IV: Comments from the Department of Justice: 

U.S. Department of Justice: 
Office of the Deputy Attorney General: 
Washington, DC 20530: 

March 25, 2011: 

Ms. Eileen R. Larence: 
Director, Homeland Security and Justice: 
United States Government Accountability Office: 
Washington, DC 20548: 

Dear Ms. Larence: 

The Department has reviewed the Government Accountability Office's 
(GAO) draft report entitled "Combating Child Pornography: Steps Needed 
to Ensure Tips to Law Enforcement are Useful and Forensic Examinations 
are Cost Effective," GA0-11-334. We appreciate GAO's acknowledgment of 
the progress made under the Act: specifically, the creation and 
implementation of the National Strategy; formal establishment of 61 
ICAC task forces; selection of the National Coordinator; and, 
implementation of the National Strategy. The Department generally 
concurs with the GAO's recommendations and will provide updates to 
Congress on our progress in implementing them. 

In its draft report, GAO notes that three provisions of the Act 
require additional work to implement. As noted below, activity related 
to each provision is ongoing. One provision of the Act requires the 
National Institute of Justice ("ND") to complete a report identifying 
factors that indicate levels of dangerousness of online offenders. 
Toward that end, the Department solicited grant applications related 
to the design of the National Internet Crimes Against Children Data 
System ("NIDS"). The grantee team will provide the Department with 
three products: 1) an assessment of what is needed to build a system 
providing law enforcement with information sharing and deconfliction 
tools; 2) new undercover investigative tools; and 3) a white paper 
addressing the dangerousness issue with recommendations on further 
research paths. The latter will allow the Department to determine the 
appropriate avenue to direct research grants for further study of this 
complex issue and will assist in identifying the factors contemplated 
by the Act. The grant was awarded in September 2010, and these three 
products will be delivered by August 31, 2012. 

GAO also noted that the Department has not completed work on that 
provision of the Act related to information sharing structures. As 
noted above, the Department solicited grant applications for the 
design of an information sharing system, and when the system is, 
closer to fruition, the Department will report to Congress on its 
progress. 

Finally, with respect to that portion of the Act requiring the 
designation of foreign law enforcement agencies to receive CyberTips 
from the National Center for Missing and Exploited Children
("NCMEC"), a working group has been established, which includes 
various law enforcement agencies and NCMEC, and is working to satisfy 
this provision. We expect to be able to report on substantial progress 
on this provision of the Act to Congress in the next six months. 

With respect to the three remaining recommendations, the Department 
concurs with GAO. One recommendation is that NCMEC enhance its ability 
to collect feedback from law enforcement on the efficacy of the 
CyberTips it distributes to law enforcement. Efforts to improve the 
CyberTip process are underway, and NCMEC and the Department will be 
able to report to Congress on these improvements in the next six 
months. GAO also recommended that the Department build the National 
Internet Crimes Against Children Data System, as required in the 
Protect Our Children Act of 2008. We concur, and as noted above, are 
in process of receiving a needs assessment on the system from a 
qualified team of grantees. We also agree with the recommendation that 
the efficacy of computer forensic process should be assessed. There 
are two major efforts currently underway to review and assess digital 
forensics across the Department. 

The GAO has recommended that the Attorney General direct the National 
Strategy Working Group and its Technical Assistance Subconunittee to 
assess the efficacy of various steps federal law enforcement agencies 
take that they believe enhances the integrity of forensic analysis of 
digital evidence in investigating online child pornography crimes. The 
Subcommittee has been studying the issue of the timeliness and 
usefulness of computer forensic examinations and has made 
recommendations that are currently under review. 

In addition to the work of the above-referenced Subcommittee, the 
Office of the Deputy Attorney General leads a Computer Forensics 
Working Group. This group is also examining the current processes by 
which the Department conducts its digital forensics examinations. As 
part of these reviews, the Department will be taking into account the 
resources associated with various steps DOJ law enforcement takes in 
conducting digital forensic analysis. We hope to be able to provide an 
update to Congress on our progress on digital forensics in the next 
six months. 

The Department appreciates the work of the GAO and this opportunity to 
comment on the GAO's draft report. Should you have any questions 
regarding this topic, please do not hesitate to contact Richard
Theis, Department of Justice Audit Liaison on 202-514-0469. 

Sincerely, 

Signed by: 

Francey Hakes: 
National Coordinator for Child Exploitation Prevention and 
Interdiction: 

[End of section] 

Appendix V: Comments from the National Center for Missing and 
Exploited Children: 

National Center For	Missing & Exploited	Children: 
Charles B. Wang International	Children's Building:	
699 Prince Street:	
Alexandria, VA 22314-3175: 
Telephone: 703-224-2150: 
Facsimile: 703-224-2122:	
[hyperlink, http://www.missingkids.com]	
[hyperlink, http://www.cybertipline.com] 

Other Offices: 	
California:	
Florida:	
New York:	
Texas:	 

March 22, 2011: 

Eileen R. Larance: 
Director, Homeland Security and Justice: 
United States Government Accountability Office: 
Washington, DC: 

Dear Ms. Larance: 

The National Center for Missing & Exploited Children (NCMEC) was 
pleased to work with your staff for the report entitled "Combating 
Child Pornography: Steps Needed to Ensure Tips to Law Enforcement are 
Useful and Forensic	Examinations are Cost Effective", GA0-11-334. As 
noted in the report, NCMEC will further its efforts to solicit better 
feedback from law enforcement on the usefulness of individual 
CyberTipline reports. We agree there should be a better understanding 
of how information provided by electronic communication service 
providers, pursuant to 18 U.S.C. §2258A, may determine whether a law 
enforcement agency can begin an investigation. 

We appreciate the GAO's recognition that NCMEC has played a key role 
in coordinating law enforcement efforts through the operation of the 
CyberTipline. NCMEC will continue to meet with stakeholders to explore 
ways to improve the overall CyberTipline process. 

Thank you very much. 

Signed by: 

Ernie Allen: 
President and Chief Executive Officer: 

[End of section] 

Appendix VI: GAO Contact and Acknowledgments: 

GAO Contact: 

Eileen R. Larence, (202) 512-8777 or larencee@gao.gov: 

Acknowledgments: 

In addition to the contact named above, Mary Catherine Hult, Assistant 
Director, and Robert Rivas, Analyst-in-Charge, managed this 
assignment. David Alexander, Kristy Brown, Amy Bush, Christopher 
Conrad, Katherine Davis, Pawnee A. Davis, Lorraine Ettaro, Harold 
Lewis, Marvin McGill, Gary Mountjoy, Susan Sachs, and Janet Temko made 
significant contributions to this report. 

[End of section] 

Footnotes: 

[1] The National Strategy for Child Exploitation Prevention and 
Interdiction, A Report to Congress, U.S. Department of Justice, August 
2010. 

[2] The ICAC Task Force Program is a network of 61 task forces 
comprised of federal, state, local, and tribal law enforcement and 
prosecutorial agencies. ICAC task force agencies engage in 
investigations, forensic examinations, and prosecutions of Internet 
crimes against children. 

[3] Pursuant to the Providing Resources, Officers, and Technology To 
Eradicate Cyber Threats to Our Children Act of 2008 (PROTECT Our 
Children Act of 2008), "child exploitation" generally consists of 
conduct involving a minor that violates specific criminal provisions 
of the U.S. Code, or any sexual activity involving a minor for which a 
person can be charged with a criminal offense. Pub. L. No. 110-401, § 
2, 122 Stat. 4229, 4230. Some of these criminal provisions include, 
for example, causing a minor to engage in a sex act by force; 
transporting an individual for purposes of prostitution or other 
criminal sexual activity; or mailing, receiving, and distributing 
child pornography. Child pornography has a more specific definition 
under 18 U.S.C. § 2256, and generally consists of any visual 
depiction, the production of which involves the use of a minor 
engaging in sexually explicit conduct or that involves a minor 
engaging in sexually explicit conduct. 

[4] 18 U.S.C. §§ 2251, 2252, 2252A. 

[5] The Missing Children's Assistance Act, as amended, directs OJJDP 
to make an annual grant to NCMEC to carry out various responsibilities 
related to missing and exploited children. Among these are 
coordinating public and private programs to locate missing children, 
providing technical assistance and training, and providing information 
and assistance services. 42 U.S.C. § 5773(b)(1). 

[6] The PROTECT Our Children Act of 2008 requires electronic 
communication service providers and remote computing service providers 
to make reports to the CyberTipline. Pub. L. No. 110-401, § 501(a) 
(codified at 18 U.S.C. § 2258A). Collectively termed ESPs for purposes 
of this report, these include any service that provides to users the 
ability to send or receive wire or electronic communications, such as 
e-mail and instant messaging services and gateway access to the 
Internet; as well as data storage services, such as those that offer 
subscribers the opportunity to store materials like address books, 
calendars, photo albums, video content, electronic files, documents, 
and other types of content. 

[7] Pub. L. No. 110-401, 122 Stat. 4229. 

[8] Deconfliction is the coordination and information sharing among 
law enforcement agencies on multijurisdiction investigations to help 
ensure officer safety and the effective use of resources. 

[9] We chose these dates to obtain an overview of trends in law 
enforcement activity related to efforts to combat online crimes 
against children as well as to examine federal activity before and 
after passage of the PROTECT Our Children Act of 2008. Specifically, 
we analyzed data on investigations and arrests from FBI, ICE, United 
States Secret Service, and USPIS; resource data from FBI, DOJ's Child 
Exploitation and Obscenity Section, ICE, and USPIS; and data on cases 
and investigations reported by ICAC task forces to OJJDP. To assess 
the reliability of these data, we questioned officials knowledgeable 
on their respective agency's data systems about how the data were 
compiled and the steps taken to ensure data quality. Based on their 
responses, we determined these data to be sufficiently reliable for 
the purposes of this report. 

[10] Program management standards we reviewed are reflected in the 
Project Management Institute's The Standard for Program Management © 
(2006). 

[11] NCMEC provides a Web page specifically for ESPs that have 
registered with NCMEC to allow for secured submission of CyberTipline 
reports. We selected ESPs from among the 620 that had registered as of 
April 2010 to reflect time before and after enactment of the Act. 

[12] We selected these organizations based on their varied 
perspectives and focuses in civil liberties, high-technology, and 
partnerships with Internet and law enforcement communities. The 
information obtained from these interviews cannot be generalized to 
all such organizations; however, the interviews provided an overview 
of perspectives about Internet-related privacy concerns. 

[13] We selected these dates to provide 2 full years of data from the 
time of our review, reflecting time before and after enactment of the 
Act. To assess the reliability of these data, we questioned NCMEC 
officials knowledgeable on the data about how the reports were 
compiled and the steps taken to ensure data quality. Based on their 
responses, we determined these data to be sufficiently reliable to 
report general trends. 

[14] These ICAC task forces were located in the Middle District of 
Florida, the Western District of New York, the Western District of 
Missouri, the Northern District of California, the District of 
Arizona, and the Eastern District of Virginia. We also interviewed 
officials from two ICAC task forces, the Northern District of Texas 
and the Eastern District of Pennsylvania, which we selected based on 
their experience with an automated deconfliction tool and geographic 
location. 

[15] For example, see GAO, Transportation Research: Opportunities for 
Improving the Oversight of DOT's Research Programs and User 
Satisfaction with Transportation Statistics, [hyperlink, 
http://www.gao.gov/products/GAO-06-917] (Washington, D.C.: Aug. 15, 
2006). 

[16] The initiative is a DOJ initiative designed to reduce the 
incidence of sexual exploitation of children. Among their 
responsibilities, coordinators interact with area law enforcement to 
reduce child exploitation. In addition to interviewing coordinators in 
the six selected districts, we interviewed AUSAs from a seventh 
district, selected to reflect geographic range. 

[17] Within DOJ's Criminal Division, CEOS attorneys prosecute federal 
child exploitation offenses, including child pornography crimes, and 
provide prosecutorial guidance to federal law enforcement agencies, 
among other things. 

[18] See Circular No. A-11 Preparation, Submission, and Execution of 
the Budget (July 2010); Circular No. A-94 Guidelines and Discount 
Rates for Benefit-Cost Analysis of Federal Programs (October 1992); 
and Circular A-4 Regulatory Analysis (September 2003). 

[19] We briefed the reporting committees in October 2010 to meet time 
frames specified in the Act. 

[20] See 42 U.S.C. § 5773(b)(1). 

[21] See Pub. L. No. 110-401, § 501(a) (codified at 18 U.S.C. § 
2258A). Before the passage of the PROTECT Our Children Act of 2008, 
ESPs were required to report instances of apparent child pornography 
to the CyberTipline under 42 U.S.C. § 13032(b), which provided for 
civil penalties for failure to report. 

[22] NCMEC maintains a secure Web page available specifically for 
registered ESPs as well as a Web page available for the general 
public, both of which allow for reports to be made to the 
CyberTipline. According to NCMEC officials, ESPs can also submit child 
pornography-related tips to the general public's Web page, in which 
case NCMEC contacts the ESP to register them so that future tips can 
be submitted to the ESP secure Web page. 

[23] The number of reports submitted to the CyberTipline does not 
equate to the actual number of incidents of apparent child pornography 
being reported because, for example, different individuals may have 
reported the same incident to an ESP and each of these reports is 
recorded separately. 

[24] This working group includes participants from the FBI, CEOS, ICE, 
USPIS, five ICAC task forces, the Executive Office for United States 
Attorneys, the Department of Defense, and USSS. 

[25] The six subcommittees are Technical Assistance, Global Outreach, 
Community Outreach, Research and Grant Planning, Training, and Law 
Enforcement Collaboration. 

[26] In general, a portal is a Web site that serves as a starting 
point to other destinations or activities and provides information 
from different sources in a unified way. Hash values, also known as 
digital fingerprints, are computational values that serve as unique 
identifiers for electronic files, such as images, documents, or 
storage media such as hard drives. 

[27] Pub. L. No. 110-401, § 401. 

[28] Id. § 502(a). 

[29] Id. § 501(a) (codified at 18 U.S.C. § 2258A(d)). 

[30] Id. 

[31] Project Management Institute, The Standard for Program Management 
© (2006). 

[32] 42 U.S.C. § 5773(b)(1)(P). 

[33] Pub. L. No. 110-401, § 501(a) (codified at 18 U.S.C. § 
2258A(a)(1),(f)). 

[34] According to NCMEC officials, there is no way to know how many, 
or which, ESPs do not report because there is no known source or list 
of all existing ESPs. Officials also stated that those ESPs that do 
not report may not have apparent child pornography on their networks 
to report. 

[35] Officials could report having more than one concern. 

[36] Pub. L. No. 110-401, § 501(a) (codified at 18 U.S.C. § 2258B(a)). 
Under the Act, ESPs are required to preserve information reported to 
the CyberTipline for 90 days. § 2258A(h). 

[37] Prior to developing the guide, NCMEC provided information to ESPs 
about their legal obligations to report to NCMEC under the Act and, 
according to NCMEC officials, plans to continue such action. For 
example, NCMEC officials attended conferences twice a year where they 
provided ESPs with information about its CyberTipline and answered 
ESPs' questions. Officials said that NCMEC also answers ESPs' 
questions about making reports to the CyberTipline through phone calls 
and e-mails. 

[38] The CyberTipline Safeguard Program provides training and 
consultation to NCMEC staff members exposed to harmful content (i.e., 
child sexual abuse images). The goal of the program is to minimize 
potential harm as a result of viewing objectionable material on a 
daily basis. This goal is accomplished through the use of in-house 
social workers and regular visits by a consulting, private 
psychologist. ESPs that express interest in developing their own 
wellness programs may contact NCMEC to discuss how to develop a 
similar program for their employees. 

[39] Because the guide was new, we did not solicit ESPs' opinions 
about it. Instead, we compared the contents of the guide to the 
concerns ESPs identified to determine the extent to which the guide 
provided information that could help to address these concerns. 

[40] See, e.g., U.S. v. Richardson, 607 F.3d 357 (4th Cir. 2010) 
(holding that AOL was not acting as a government agent subject to the 
requirements of the Fourth Amendment when it searched defendant's e- 
mail and subsequently reported child pornography it found to NCMEC in 
conformance with requirements now codified at 18 U.S.C. § 2258A). 

[41] 42 U.S.C. § 5773(b)(1)(P). 

[42] The PROTECT Our Children Act of 2008 requires ESPs to report any 
facts and circumstances from which there is an apparent child 
pornography violation. However, the facts and circumstances that an 
ESP possesses or includes in its report may vary. 

[43] The other seven reporting categories are: online enticement of 
children for sexual acts, child prostitution, sex tourism involving 
children, extrafamilial child sexual molestation, unsolicited obscene 
material sent to a child, misleading domain names, and misleading 
words or digital images on the Internet. 

[44] NCMEC assigns a priority level to every CyberTipline report 
received. CyberTipline reports that indicate a child is in imminent 
danger, such as online enticement, are priority 1. Reports of child 
pornography from registered ESPs that are made to the registered ESP 
reporting Web page are designated priority 4. This priority level 
indicates that the report may contain illegal content. 

[45] The other 16 reclassified incident types are: child pornography 
(not Internet-related); child pornography (unconfirmed); child 
pornography (unconfirmed - international); child prostitution; child 
sex tourism; child sexual molestation; child trafficking (nonsexual 
exploitation); cyberbullying; online enticement - pretravel; online 
enticement - travel; other type of incident; appears adult; not enough 
info/dummy record; SPAM; unable to access; and ESP test report. 

[46] Jurisdictional information may include address, zip codes, IP 
addresses, state, or cell phone numbers. According to NCMEC officials, 
analysts conduct open-source, online searches in an attempt to 
determine possible jurisdiction or corroborate information in the 
initial CyberTipline report. 

[47] Virtual private networks allow NCMEC to disseminate CyberTipline 
reports to ICAC task forces through secure encrypted connections. 

[48] Federal law enforcement has the authority to obtain 
jurisdictional information through the legal process, such as by 
serving a subpoena. Therefore, according to NCMEC officials, federal 
law enforcement liaisons are the appropriate recipients of 
CyberTipline reports in which no jurisdiction was determined by NCMEC 
because they are sometimes able to determine a jurisdiction based on 
other information in the report when they serve a subpoena to an ESP 
to obtain the suspect's location because they can use such legal 
process to obtain additional information. 

[49] An official from the eighth task force stated that the ICAC 
received about 10 to 15 percent of its leads from the CyberTipline but 
generally relied on undercover investigations for its leads. 

[50] The number of reports provided by NCMEC to law enforcement 
agencies does not equate to the actual number of incidents of apparent 
child pornography being reported because, for example, different 
individuals may have reported the same incident to an ESP and each of 
these reports is recorded separately. 

[51] Officials from one ICAC task force stated that they found all 
information valuable and officials from one ICAC task force did not 
provide information on usefulness. 

[52] This form also contains five other questions related to case 
status. 

[53] GAO, Anti-Money Laundering: Improved Communication Could Enhance 
the Support FinCEN provides to Law Enforcement, [hyperlink, 
http://www.gao.gov/products/GAO-10-141] (Washington, D.C.: Dec. 14, 
2009); GAO, Juvenile Justice: DOJ is Enhancing Information on 
Effective Programs, but Could Better Assess the Utility of This 
Information, [hyperlink, http://www.gao.gov/products/GAO-10-125] 
(Washington, D.C., December 2009); Performance Budgeting: PART Focuses 
Attention on Program Performance, but More Can Be Done to Engage 
Congress, [hyperlink, http://www.gao.gov/products/GAO-06-28] 
(Washington, D.C., October 2005); Transportation Research: 
Opportunities for Improving the Oversight of DOT's Research Programs 
and User Satisfaction with Transportation Statistics, [hyperlink, 
http://www.gao.gov/products/GAO-06-917] (Washington, D.C.: Aug.15, 
2006). 

[54] [hyperlink, http://www.gao.gov/products/GAO-06-917]. 

[55] In 6 of the 28 interviews, officials indicated that they had not 
pursued the same target as another agency. 

[56] NCMEC produces a monthly deconfliction report that provides 
information on the status of CyberTipline reports referred to ICAC 
task forces. FBI, ICE and USPIS liaisons located at NCMEC provide 
information and research to investigators in the field. 

[57] Because we asked officials about deconfliction mechanisms and 
other efforts in place to avoid duplication of effort among law 
enforcement agencies in general, not all officials provided 
information on the use of specific types of deconfliction mechanisms. 

[58] Peer-to-peer file sharing programs are Internet applications 
operating over peer-to-peer networks that enable direct communication 
between users. 

[59] SafetyNet is an integrated records management system for law 
enforcement agencies that provides reporting and analysis capabilities 
to assist with crime prevention, investigation, and incident analysis. 
The National Crime Information Center is a computerized index of 
criminal justice information maintained by the FBI and made available 
to federal, state, and local law enforcement and other criminal 
justice agencies nationwide. Its files contain among other items, 
criminal record history information and information on fugitives, 
stolen property, and missing persons. 

[60] GAO, Information Technology, Opportunities Exist to Improve 
Management of DOD's Electronic Health Records Initiative, [hyperlink, 
http://www.gao.gov/products/GAO-11-50], (Washington D.C.: October 
2010), 25. 

[61] Pub. L. No. 111-5, 123 Stat. 115, 130 (2009). ARRA provides DOJ 
with funding for grants to assist state, local, and tribal law 
enforcement to combat Internet crimes against children, among other 
things. ARRA funding was available for obligation until the end of 
fiscal year 2010. 

[62] The Massachusetts State Police partnered with Fox Valley 
Technical College, University of Massachusetts, and University of New 
Hampshire Crimes Against Children Research Center. 

[63] The ICAC task forces use multiple investigative tools. 

[64] Forensic analysis of digital evidence can be conducted on 
different types of media, such as global positioning system devices, 
memory cards, or compact discs, and can be conducted by federal, 
state, and local law enforcement agencies in support of a variety of 
investigations, such as online child pornography crime and identity 
theft. 

[65] Currently, no governmentwide standards or criteria exist for 
federal law enforcement for how to calculate the timeliness of 
forensic analysis or backlogs in analysis, and various law enforcement 
agencies have developed their own measures to calculate and track 
timeliness and backlogs. For example, the FBI categorizes a request 
for forensic examination of digital evidence as being in backlog 
status if: (1) after being submitted for examination, more than 30 
days have passed without a lead examiner being assigned, or (2) a 
request has been assigned to an examiner and more than 60 days have 
passed without the examination being completed. ICE defines a request 
for forensic analysis as being in backlog if action is not taken on 
digital media upon arrival. For the purposes of this report, the term 
backlog refers, in general, to any delay in forensic analysis. 

[66] The National Academy of Sciences is a federally sponsored entity 
chartered to investigate, examine, experiment, and report on any 
subject of science and provide advice on the scientific and 
technological issues that pervade policy decisions. 

[67] The report also stated that backlogs in forensic analysis can 
result in prolonged incarceration for innocent persons wrongly charged 
and awaiting trial. National Research Council of the National 
Academies. "Strengthening Forensic Science in the United States, a 
Path Forward." (The National Academy Press, Washington, D.C.: 2009). 

[68] The FBI has partnered with other federal, state, and local law 
enforcement agencies to establish 14 Regional Computer Forensic 
Laboratories to examine digital evidence in support of criminal 
investigations in areas such as child pornography, terrorism, 
financial crimes, and fraud. According to FBI officials, 2 additional 
laboratories in Los Angeles and New Mexico are to begin operations in 
2011. These laboratories are staffed by federal, state, and local law 
enforcement agency personnel who are trained and certified by the FBI 
to collect and examine digital evidence pursuant to FBI requirements. 

[69] According to FBI officials, this increase is due to increasing 
amounts of data related to several types of crimes, including fraud 
and identity theft, as well as online child pornography crime. 
However, they added that online child pornography and other child 
exploitation matters take up about 40 percent of the FBI's digital 
forensics examination, and may constitute a higher percentage at some 
Regional Computer Forensic Laboratories. 

[70] The officials stated, for example, that if an online child 
pornography suspect were a teacher or was on the sex offender 
registry, a thorough review of all of the material on that suspect's 
computer would be called for because the individual would routinely 
have access to children or may have already abused children. 
Alternatively, these FBI officials stated, reviews of hard drives 
belonging to suspects with no access to children and no previous 
history of child exploitation crime might not need as full a review. 

[71] Any alternation of these electronic files changes the values. 
Once digital forensic analysis is completed, verifying that the 
digital fingerprint of the copied evidence still matches that of the 
original digital evidence mathematically demonstrates that the 
evidence has not been altered during the process. 

[72] DOJ officials noted that many agencies conduct on-scene 
forensics, but do so only after applying a "write-blocker," which is a 
software tool that allows forensic analysts to examine a suspect's 
computer hard drives or other digital media without altering data on 
that media to ensure that data are not added to the suspect's storage 
media. The "write-blocker" is another step taken to ensure the 
integrity of the forensic analysis. 

[73] The Computer Analysis Response Team, as well as the Regional 
Computer Forensic Laboratories, provides assistance to FBI field 
offices in the search and seizure of computer evidence, as well as 
forensic examinations and technical support for FBI investigations. 

[74] CEOS officials stated that they do not require forensic analysts 
to record search activities; 

however, they may do so at their own discretion. Additionally, USSS 
labs conduct peer reviews of forensic reports before they are released. 

[75] Pub. L. No. 110-401, § 101(c)(10)-(11). 

[76] In addition to the subcommittee's efforts, federal law 
enforcement agencies have reported taking steps to address backlogs. 
For example, USSS officials stated that the agency has sent teams of 
examiners to field locations to address backlogs in specific offices. 
The FBI has developed kiosks that allow agents to review evidence in a 
forensically sound manner without sending evidence to a forensics lab 
for analysis. 

[77] See Circular No. A-94 Guidelines and Discount Rates for Benefit- 
Cost Analysis of Federal Programs (October 1992). 

[78] The Working Group includes members from FBI, CEOS, ICE, USPIS, 
five ICAC task forces, the Executive Office for United States 
Attorneys, Department of Defense, and USSS. 

[79] OSTWG was established by the Protecting Children in the 21ST 
Century Act to evaluate the data retention practices of ESPs, among 
other things. Pub. L. No. 110-385 § 214, 122 Stat. 4096, 4103-04 
(2008). 

[80] As noted earlier in the report, an exception to this general rule 
is that ESPs are automatically required to preserve the contents of 
any report to NCMEC's CyberTipline, as well as any commingled images 
or data, for 90 days. 18 U.S.C. § 2258A(h). In addition, law 
enforcement may direct an ESP to preserve existing records or other 
evidence for a renewable period of 90 days. 18 U.S.C. § 2703(f). 

[81] Statement of Jason Weinstein, Deputy Assistant Attorney General, 
Criminal Division. Hearing on "Data Retention as a Tool for 
Investigating Internet Child Pornography and Other Internet Crimes," 
before the U.S. House of Representatives, Committee on the Judiciary, 
Subcommittee on Crime, Terrorism, and Homeland Security, January 25, 
2011. 

[82] Statement of Kate Dean, United States Internet Service Provider 
Association. Hearing on "Data Retention as a Tool for Investigating 
Internet Child Pornography and Other Internet Crimes," before the U.S. 
House of Representatives, Committee on the Judiciary, Subcommittee on 
Crime, Terrorism, and Homeland Security, January 25, 2011. 

[83] Statement of John B. Morris, Jr., Center for Democracy and 
Technology. Hearing on "Data Retention as a Tool for Investigating 
Internet Child Pornography and Other Internet Crimes," before the 
House Committee on the Judiciary, Subcommittee on Crime, Terrorism and 
Homeland Security, January 25, 2011. The Center for Democracy and 
Technology is a nonprofit public interest organization dedicated to 
keeping the Internet open, innovative, and free. 

[84] DOJ's National Coordinator stated that DOJ has not taken a 
position regarding the need for data retention requirements. The 
International Association of Chiefs of Police passed a resolution in 
2006 calling for the development of appropriate but uniform data 
retention requirements for ESPs to require, among other things, the 
retention of customer subscriber information for a minimum specified 
period of time so that it will be available to the law enforcement 
community. 

[85] See 18 U.S.C. § 2703(c)(2). Law enforcement can also request that 
the ESP preserve stored records and communications for a period of 90 
days, which is renewable upon request. 18 U.S.C. § 2703(f). 

[86] Two ESPs opted to not provide information on their data retention 
policies. 

[87] Officials from two ICACs did not provide information about how 
often they were able to obtain information from ESPs. 

[88] Pursuant to the Providing Resources, Officers, and Technology To 
Eradicate Cyber Threats to Our Children Act of 2008 (PROTECT our 
Children Act of 2008), "child exploitation" generally consists of 
conduct involving a minor that violates specific criminal provisions 
of the U.S. Code, or any sexual activity involving a minor for which a 
person can be charged with a criminal offense. Pub. L. No. 110-401, § 
2, 122 Stat. 4229, 4230. Some of these criminal provisions include, 
for example, causing a minor to engage in a sex act by force; 
transporting an individual for purposes of prostitution or other 
criminal sexual activity; or mailing, receiving, and distributing 
child pornography. Child pornography has a more specific definition 
under 18 U.S.C. § 2256, and generally consists of any visual 
depiction, the production of which involves the use of a minor 
engaging in sexually explicit conduct or that involves a minor 
engaging in sexually explicit conduct. 

[89] Pub. L. No. 107-56, 115 Stat. 272, 277 (2001). 

[90] Pub. L. No. 110-401, 122 Stat. 4229. 

[91] Pub. L. No. 110-401, § 105, 122 Stat. 4229, 4236 (2008). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: