Personal tools

bayse.html

CFP'91 - Bayse

Security Capabilities, Privacy & Integrity

William A. Bayse, Key Speaker
Dorothy Denning, Chair

Wednesday, March 27, 1991


Copyright (c) 1991 IEEE. Reprinted, with permission, from The First Conference on Computers, Freedom and Privacy, held March 26-28, 1991, in Burlingame, California. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the IEEE copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Institute of Electrical and Electronics Engineers. To copy otherwise, or to republish, requires a fee and specific permission.

Published in 1991 by IEEE Computer Society Press, order number 2565. Library of Congress number 91-75772. Order hard copies from IEEE Computer Society Press, Customer Service Center, 10662 Los Vaqueros Circle, PO Box 3014, Los Alamitos, CA 90720-1264.


DENNING: ... It's a great pleasure this evening for me to be able to introduce the banquet speaker, Al Bayse. I've known Al for several years now. I first met him while I was working at SRI, doing some work in the area of intrusion detection. I found out that the FBI, and Al in particular, were interested in that work. They are now working with SRI jointly on some of that work.

Al is the Assistant Director [of the FBI] in charge of the Technical Services Division. One of his main responsibilities there is being responsible for the NCIC, the National Crime Information Center. A few years ago, CPSR wrote a report raising several concerns about the NCIC. This was presented to Al and the FBI. [Al] was very responsive to the suggestions that CPSR made.

He has a very long, distinguished career in the FBI and before that at NASA and also in the Army. [He] has degrees and has studied in the areas of math, physics and computing. [applause]


NCIC-2000: Balancing Computer Security Capabilities with Privacy and Integrity

William A. Bayse

... Thank you, Dorothy. ... This is really a dichotomy. Yesterday I talked to a room about this full, or more so, of policemen. What a difference a day makes. [laughter] ...

I want to start out with a little quote about the future. I just ran across this gentleman by the name of Charles Franklin Kettering, who lived from 1876 to 1958. Now, 1958 is when the space program started, so he missed a lot by dying then. [He said] this in something called "Seed for Thought," in 1949: ... "We should all be concerned about the future, because we'll have to spend the rest of our lives there." ...

We are going to be spending time together in the future - I sort of insist on it. I think the CPSR and ACLU used to try to entice me to come to meetings ... and now I do it gladly. In fact, I insist on it. I think we ought to do it cooperatively and productively, and I think that's the way we're going now. I have responded to oversight from the committees and to the suggestions of CPSR and ACLU and a number of other bodies that are trying to improve data integrity, and trying to improve functionality of systems in law enforcement.

I've had the opportunity on several occasions to interact with a number of you here. It's sort of like old-home week to come back and see Donn Parker ... and Dorothy [Denning] and ... others in the group here. It's nice to see the professionals come out, and it's nice to see you people who are moving forward in ... your various areas - including the hackers and including those that are doing this stuff for fun and for general personal interest.

But my interactions with groups like this and with you in particular is because, [it reflects] my interest in what you're doing and in your views, and my willingness to work with you to address this delicate balance in protecting civil and constitutional rights and privacy, and in achieving [the] vital and effective law-enforcement capabilities that are under my responsibility. So there's a duality there. Maybe they don't sound too compatible. But they are compatible. And ... technology gives us a lot in this area.

A lot of it comes down to people and behavior and attitude - as to how ... we're going to have law-enforcement capabilities that allow us, organizations like the FBI, to uphold the law, and allows you all to have the freedom to express yourselves and to deal with the systems that you're working with. I respect what you're trying to accomplish, both as a professional and as an individual person.

What I want to talk about - as well as NCIC 2000 - is basically some history of the NCIC system ... so you'll know ... where this all started. I'll give you a little history on that. I have another quote here, though, by Sarah Josepha Hale. This was done in 1829, just a few years before I was born and some time after Peter Neumann was born, I think. [laughter]

This is from Sketches of American Character in 1829: "Democracies have been, and governments called, free. But the spirit of independence and the consciousness of unalienable rights were never before transfused in the minds of a whole people. The feeling of equality which they proudly cherish does not proceed from an ignorance of their station, but from the knowledge of their rights. And it is ... this knowledge which will render it so exceedingly difficult for any tyrant ever to triumph over the liberties in our country." And in Iraq, too. [laughter]

There are a lot of approaches and perspectives on freedom and liberties, privacy, that we can all exchange and all work with in trying to move forward. Technology is a driver in all of this now. Nobody wants to silence expression or opinion-making, but there are times when, you know, we have to do our job and our work, and our missions in law enforcement - ... [in] the law-enforcement services we provide to the nation in terms of forensic laboratory, in terms of National Crime Information Center and fingerprint identification.

We hold big, massive files on individuals. We have their fingerprints. We have their names, their dates of birth and those types of things. Some of those fingerprints are civil prints ... of people who've never committed anything, any crimes. But we do have systems of records on people, and it's disturbing to some people. I'm going to discuss that openly. We'll debate it, or you can ask about it. But the one thing we also have is a civil-rights program, an investigative program for the United States government, ... at the federal level, and we pursue that pretty vigorously as well as we pursue other things vigorously.

One of the things that I typically do at a conference like this is to take a survey. It's called a "futures survey," and it's a "Baysian" survey - because I really don't have any choice in that matter. [laughter] ... Some of you people are pretty alert; that was completely lost on the cops yesterday. [laughter] In fact, they were tough. They didn't laugh at all. ... I don't think they trusted me. [laughter] No ... it was a good conference, but it wasn't exactly lively. [Bayes is the name of a well-known mathematician and probability theorist, for whom a major probability theorem is named. -JW]

Well ... let's try for it anyway. How about a show of hands for all of you all who think about the future. [almost all hands go up] [laughter] There were a couple of guys yesterday who didn't raise their hands. [laughter] I see one right here who didn't - that has to be about it.

Do you know what you're going to do tomorrow? OK, this is a little tougher because in the first place you have to define your terms a little bit - from your own perspective: "Do you think about the future in a visionary and venturesome way?" Raise your hands. [many hands go up] Gosh, there's a lot of you that do that. Boy, I didn't get many hands on that, yesterday. [laughter]

How about you all who attempt to predict the future? [a number of hands go up] How many? I had one yesterday. Hey! This is pretty good. Well, based on my research, you ought to be a little more cautious, because when I prepared for this speech my preparatory reading showed that as far back as 357 A.D. the Emperor Constantius made a law forbidding anyone to consult a soothsayer, a mathematician - that includes us, doesn't it? [laughter] - or a forecaster. May curiosity to foretell the future be silenced forever?

And the states of New York - where I was yesterday - and North Carolina have statutes declaring [that it's] disorderly or criminal to forecast the future. [laughter]

I had one guy in a bind yesterday. It's noteworthy that each state carries a violation under its criminal code, and the New York code made persons liable to a fine of 250 bucks or six months in prison. Boy! There's no contest there, is there? [laughter] So we'll go easy on these predictions.

AUDIENCE MEMBER: Does that include the economy? [laughter]

BAYSE: Yeah, I guess. [OK, to the NCIC.]

The NCIC system has been around quite some time, and I'd like to sketch for you the history of it and what the system's all about. Then I'm going to present a few statistics on its operation, and tell you what my concerns are in protecting privacy and constitutional rights and data integrity in this system.

...It's a very high-velocity, high-performance system that supports the cop on the street, essentially. It does it a million times a day. ... When we talk about real-time, and endangerment, and patrol incidents on the side of the road, or those types of things, there are some things that need to be done to protect the subjects of ... this work by the police. And there have to be some things to be done to protect the information as well.

I'm speaking to you all as a law-enforcement professional and ... as a technical practitioner as well. And I'm accountable for the development and effective application of technology in the FBI. I'm held accountable by my boss and our Director, who's a former federal judge - and he was a very strict one down in Texas. So if ... you think you've got some oversight, try a Texas judge. [laughter] I can't imagine why anybody would want to commit a crime in Texas and go to a prison in Texas. I can't imagine that. [laughter]

Well [back to the NCIC]. We provide a lot of basic services. We require a lot of technology. We have a multi-mission. We have criminal investigative: 200 jurisdictions, from the Migratory Bird Act, to some of the big racketeering and corruption statutes. So if you go out here on the water and shoot one of the waterfowl, we've got a couple of agents here that would like to talk to you. [laughter]

The multi-mission nature of this includes, as well, foreign counter-intelligence. And ... we're the only organization that has that [mission] ... in the United States. The other intelligence community agencies operate outside of the United States in terms of that mission.

And [there are] the law-enforcement services: laboratory, forensic science laboratory, identification services (that's fingerprints) - and the National Crime Information Center. They're the three biggest components. And training for them. We do train a lot of law-enforcement people, from patrolmen all the way up to executives and foreign police as well.

There are a number of areas of developing technology that will not only make law enforcement more effective but will also substantially reduce the opportunity for error. One of the biggest fears we have, of course, is data that's erroneous, that stays in the system too long, that's out of date - or simply gets put in there erroneously. Then something like a false arrest occurs, or somebody detaining someone too long ... during patrol. Those actions really erode confidence and credibility in the system.

[We place] a very high premium on data accuracy, which is one component of integrity, but it's not all of integrity. The developments that we're going to have in the next generation of the system are going to use things like artificial intelligence for intrusion detection [and] for error detection.

We can, for instance, determine - from experts who do record- keeping and records management at the police precinct level or at the state police level - when an arrest warrant that's been in the system for a while should be [reviewed]. We don't want any over-aged ones in there - ones that have run their course. And yet, we're holding millions of records in this system. And ... it's run a million times a day - there are a million transactions a day on the system. So how do we keep record quality in there, and particularly [concerning] ones that are out of date?

One of the scenarios that I talk about sometimes - and it's happened - is somebody goes to a party, parks their car in a parking lot at a hotel - like this hotel; maybe you'll have this problem tonight - goes to the party in the hotel, comes back and can't find their car, reports it stolen. Well, the reason he can't find the car is because he really can't see the car, you know. [laughter] And so he reports it stolen. Then the next morning, [he] remembers that he left his car at the hotel and goes back and picks it up, drives it. In the meantime, that [stolen car] report goes into the National Crime Information Center: "Wanted, stolen-car file" - at the local level, the state level and the federal level.

So he runs a red light, gets stopped by a patrolman. The car's stolen, even though he's got his identification and everything else there. We've got the making of a nice incident. Because the car has been reported stolen, he gets upset because he's been stopped in his own car, which he knows isn't stolen. And you've got the concern about those things.

We've got to put technology to work on this, and we've got a lot of good ways of doing this. We work with the Mitre Corporation. We work with Peter Neumann [of SRI International] and others on ways of looking at records, both individually and collectively, and at databases of records for this. I'll talk a little bit more about those techniques, later.

The use of automated fingerprint identification systems is another big service that we provide. ... Imagine ... being in an organization where, everyday, 40,000 fingerprint cards come in to a mailroom, and you're trying to process these ten-print cards. That's another big challenge, and another big system of records with accuracy concerns.

Crime has become a more complex and mobile enterprise. You can read the evening news about the drug traffickers - [for instance] the Crips and Bloods - who've travelled out of L.A. and end up in someplace like Cincinnati or someplace in the Midwest. And drug dealers in Chicago [or] savings-and-loan swindlers throughout the nation. Those are all areas of our jurisdiction. The methods and technologies that we used in the '70s - conventional-transaction, query-search-retrieval computer systems - aren't capable of supporting our investigations any more.

And information is the life-blood of the entire criminal-justice process. Sharing of information between local, state and federal agencies throughout the United States is essential to ... an effective criminal-justice system. And in sharing that information and managing that information, the idea of integrity has to hold a top priority.

To meet the need, the National Crime Information Center was established in FBI headquarters, back in 1967. During that first year of operation, I think, NCIC ran two-million transactions. (We do that in two days, now.) That was for one year, on an IBM System 360, Model 65. Peter [Neumann] got one of those for Christmas that year, I think.

The system contains documented criminal-justice information concerning wanted and missing persons. And, you know, some people want to be missing. They don't want anybody to find them. They've bugged out. That's another issue on record-keeping on persons. Stolen vehicles, other stolen property.

And, the [record-keeping area] that's caused the most concern in the civil-liberties community is the criminal-history information, that is, the "rap sheets."

The NCIC one of the most successful partnerships ... among federal, state and local levels of government. We maintain a host computer in Washington, D.C. It's a big IBM mainframe. Well, it's a Japanese mainframe. [laughter]

We had a case a few years ago, IBM v. Hitachi, where there were some Hitachi employees trying to, I'll say, "obtain" IBM proprietary information from an individual they thought was an intermediary. Turned out he was an FBI undercover agent. Boy, were they surprised. ... And it was all on tape.

We ran ... our case-management system with an IBM operating system, MVS ... on a Hitachi computer for that [case]. I thought that was pretty ironic. [laughter] They pled, and I think there was a settlement out of court, for $100,000. The technology they were trying to get was worth millions. It was the IBM source code for MVS. It was a disk, the new design of their thermal module, the thermal-conduction module for the IBM series, and a bunch of other high-tech things. That was a good case, and it had a lot of ironies and little twists in it, not the least of which [was] it ended with a ... $100,000 settlement. ...

We maintain this host computer, then, in Washington, and each state provides a terminal connection to that. So there's a network out there It reaches out to 60,000 organizations. The network itself doesn't; there are 32,000 access points on this system - a lot of them in patrol cars. Mobile data terminals are very prominent in criminal justice and the street patrols. A number of counties in Virginia around [the] Washington area have them, and I'm sure there're some out here.

Operating costs are borne at ... each level of government. There's an advisory policy board that represents each state and that advises the Director. So this policy board can go directly to the Director and give advice, regardless of what I advise the Director to do. Sometimes that works out pretty well; I don't resent it.

The current NCIC system includes a dedicated network with the 58,000 agencies accessing through [terminals]. ... If you count all the mobile data terminals, there are 64,000 terminals on this system. I don't know of any other system that has that many. Many of them are riding the radio waves. The users vary in size. New York P.D. [Police Department] has over 25,000 sworn personnel that use this system. The Flowery Branch Police Department in Georgia has one man part-time. So there's the extremes - the part-time guy down in Flowery Branch, Georgia, and 25,000 sworn personnel in New York.

It's a diverse user community. We serve sheriff's offices, prosecutors, the courts, corrections agencies at all levels and military investigators. All have access to this system.

... It's a repository, centralized in Washington, D.C., that's accessible [from] anywhere in the United States that has an authorized user. Just keeping up with who the authorized users are [is a major task] - we have to be sure that that's OK. And it also goes to Puerto Rico, the American Virgin Islands, and the ... RCMP [Royal Canadian Mounted Police] in Canada.

The system can accommodate large files and large transaction volumes. The file sizes range from over two-million stolen or recovered guns, down to one file on 600 foreign fugitives. During 1990, the transactions averaged over a million a day, with 95 percent of the transactions against wanted persons and vehicle files. So that's why it's important for these - what are called "hot files," where there are warrants or "wants," (wanted for questioning) or the stolen-car records - [to be] accurate. It impinges on the individuals whose names are in there, or whose cars are recorded in there, if they aren't accurate.

It's imperative [and] under my responsibility for us to have the accuracy that you would expect from a system like this and not to have to worry about over-age records - records that have been put in by someone and they forgot to take it out, or there weren't enough data-entry personnel ... or quality-control people that day to change ... the records.

One way to do that is monitor the records themselves with a system that ..., in real time, [can] scan the records and look for anomalous records, or content of the records being either out of date or candidates for reinspection. The main thing is, if a record even has a hint of being out of date or anomalous or in need of update, we should ... change it - or at least set it aside and have a human being look at it.

This thing runs 24 hours a day seven days a week, and ... it's "up" 99-plus percent of the time. Response time at the patrol car is in seconds. It's a system that you would like to use if you were out on the street, protecting your ... customers.

... One of the most controversial [databases] that we've ever put in [since 1967, when we established informational databases] was the U.S. Secret Service protective file, in '83. At that time there was some concern that - since the Secret Service had these people; had investigative interest in individuals who were considered threats to protectees, but didn't have a formal charge against them or a warrant or anything - that this was putting some information in there that didn't have enough formalisms; not enough verification under a warrant. But ... there are only a handful of records in there. Probably less than 25. I think the most that's ever been in there is 100, or plus.

But there were individuals who said, ... we'll end up having a million records in there. Well, you're never going to have a million threats to protectees. At least not in our lifetime.

Most recently [we've added] the foreign-fugitive [database]. Because of our extra-territorial jurisdiction in counter-terrorism and narcotics, we do get some fugitives overseas and occasionally we would go over there, with our jurisdiction, and pluck those fugitives. Plucked one right out of the Mediterranean. Hey, he had a criminal warrant; he killed an American. I mean, what [do] you want - let him go? He might have been on ... Pan Am 103, you know? We should be doing this. We've got to do it. ...

... These [and other databases] are the established ones that we keep up to date. ... [There were] seven million records in there, on file, on March 1 [1991]. [Since I'm giving this talk on March 27th], this is pretty real time, isn't it?

And [looking at the breakdown of how many records are in the various databases], that ... U.S. Secret Service file has 33 now, 33 records in it [out of seven million]. ...

[We have a database on] stolen boats. A lot of [boats] are stolen and used in drug trafficking. We're trying to get those babies back, because the owners are really upset when they lose their boats. [Another] one is pretty interesting - stolen license plates.

... The average transactions in February [were mostly] on vehicles and wanted persons. So the concern over some of these other files is a little bit misplaced, because what we're [really using are the] hot files. Everything in the Wanted Persons database is either a warrant, or wanted for questioning. There's a formal reason for being there. And the vehicles are reported stolen.

But there's still a concern over accuracy in here. There're a lot of records and a lot of transactions. Every day there are almost 500,000 queries, updates or input, records created on vehicles in the United States. That's amazing to me, even though I've seen it for all these years - half a million a day .... That's because the protocol for the patrolmen out there is - when they pull you over, if you run a red light or whatever it is [and] you've got expired license plates - they're going to check to see if the car is stolen.

This is pretty much public-record stuff, and we publish this every month. So if you're interested you can probably get copies.

The record high for any day was about 1.2 million - August of last year. Those were transactions. The inquiries narrow it down - to the wanted/missing persons (just inquiries on that) and stolen vehicles and license plates. ... In Virginia, if you lose one of those vanity plates, you get a replacement but the other one apparently doesn't get put into the system. They just give a duplicate. So you could have two people running around with the license. Or they take it out of the system and they could have two people running around with the same license plate, one stolen and one not. That's an anomaly in the system. Figure out the rules for that one. I don't know. That one's got me bothered.

... [In NCIC's] first year, '68, we got up to six million [transactions]. We do that in six days now - less than six days. And our estimate for '91 is 410-million transactions. ... We've done 61.7 [million] so far [this year]....

The Interstate Identification Index subsystem is a pointer system to criminal records. This system was produced as an alternative to message-switching and holding a central file of criminal histories in Washington by the FBI, for the states. The records themselves, the rap sheets, are out in the states, in their systems. ... Let's say they've arrested someone in Florida [and] want to know if there's anybody else that has a record on this individual. The pointer system would say, yeah, there's a record ... in Maine. So Florida and Maine get together over their national law-enforcement network and get that record. ... This was in response to a lot of oversight and concern expressed by Don Edwards in his [House] subcommittee. And it's working pretty well.

[Our cost is] three cents a transaction. ... The system runs ... 360- million transactions, and I think we pay about $9 million a year to run this whole system, federal costs. The states have to pay for their ... [operations]. ...

Every three or four years we do a statistical sample of benefits. ... In '88 we did this survey over a 12-month period.... Almost 170,000 vehicles were recovered on åhits' in this system - stolen vehicles. The Blue Book value of this is over a billion dollars. So the car owners like it. The insurance company likes it. I don't think the car dealers like it. [laughter]

The "wanted persons" located: ... 81,000, the number of persons arrested, and most of these arrests were incidental to other actions on the system; [they] were arrested based on hits in the system. We had additional charges filed on 71,000 individuals.

We found 36,000 missing juveniles. Some of these missing juveniles may not have wanted to be found. Some of them were found in stolen cars, as a matter of fact. [laughter]

Missing adults: There are a lot of missing adults who, I guess, may have concern about being found at all. They want to get the hell away from everything, I presume. ...

[These are typical] ... annual benefits. There are a lot more than that, but this is what we concentrate on. So if you look at what you're paying as a taxpayer for a transaction, you know, you can go to the FBI building and for 60 cents you can get a Snicker's bar, or you can get 20 stolen-car checks. [laughter]

AUDIENCE MEMBER: Does that include telecommunications costs?

BAYSE: Down to the state level - fed telecommunications to the state. They're about 9,600 bits per second, up from, say, somewhere in North Carolina right into Washington and the major police departments. [These costs do] include 'em, though. Now, the states have their own systems. Some of them have magnificent, big, potent systems. Florida is putting in a new system now. ...

[There's] no dial-up on this system. [laughter]

AUDIENCE MEMBER: Why not?

BAYSE: I think you could answer your own question.

AUDIENCE MEMBER: ... Isn't this a matter of public record, all this stuff?

BAYSE: Some of it is and some of it isn't. ... The Supreme Court made a ruling that, if you have a concentration of criminal-history records, it's considered sensitive information. ... You can go get a rap sheet at a courthouse - an individual one - [but] when you have a concentration of this information [it's a different matter]. That's what Don Edwards' [concern] is: There's a lot of information about people here. And, while any individual record might be public record, ... - you can go to the post office and see 15 "wanted" posters - here you can go in and see hundreds of thousands of wanted posters, essentially; electronic wanted posters. That's the concern, the fact that you've got these bodies of large concentrations of records on individuals. Most of it is public record. The Secret Service stuff isn't, but that's a very small part of it.

AUDIENCE MEMBER: Is the stuff that is public record available on- line?

BAYSE: No. No, it's not.

AUDIENCE MEMBER: How would you feel about having it be available on-line?

BAYSE: To whom?

AUDIENCE MEMBER: To public dial-up.

BAYSE: No. I'd feel very concerned about having people's records on- line. ... That's been debated and ... I think there would be a lot of concern by us and others on having that available.

AUDIENCE MEMBER: How about access by people to their own records?

BAYSE: You've got the Freedom of Information Act to do that - already a legal way you can do that.

AUDIENCE MEMBER: What about on the police cars? Can somebody ... enter that system by the radio frequency?

AUDIENCE MEMBER: What is the legality of that? Somebody picks up on the radio frequency of the transmission to the [patrol car].

BAYSE: But that's data transmission. What are they going to pick up? They're not going to get ... audio. I don't know anybody that can demodulate the data off those police frequencies.

CHORUS OF AUDIENCE VOICES: We do! [extensive laughter and applause]

BAYSE: You've done it? Maybe we could have someone read you your rights then. [laughter] ...

AUDIENCE MEMBER: But it's still over the public airways.

BAYSE: It's on a frequency assigned to law enforcement.

AUDIENCE MEMBER: It's still legal to receive it, though, and you can do whatever you want to try to decrypt it.

BAYSE: ... I don't even know how much of it's encrypted.

AUDIENCE MEMBER: ...Very low.

AUDIENCE MEMBER: Don't they encrypt it with DES [Data Encryption Standard], anyway?

BAYSE: You got something that'll break DES already? [laughter]

AUDIENCE MEMBER: When you do it, you just store it for five years and then you ... break [it] on your desktop computer. [laughter and applause]

BAYSE: As Dorothy indicated, there have been a number of issues concerning NCIC that have been addressed by CPSR and OTA [Office of Technology Assessment]. There've been some studies done in the civil- liberties community. And, through the hearings and other processes, we've addressed things such as message-switching (which is objectionable [to] the Congress), the Secret Service file, and other matters - and we've reached resolutions on those.

I think those were good compatibility actions on the part of the Bureau and law enforcement - which had to concur in it, the policy board particularly - and the Congress. ... Our alternative to message-switching, as I mentioned to you, was to have that pointer system.

Data quality: One of the things we've done in data quality - which I think has been important to us and important to the people whose names are filed in the system and important to the states - was to develop an audit program. We spend about a million dollars a year, federal money, to audit the system at the state level and at the federal level.

If you look, for instance, in a wanted-persons file, the federal wanted- persons file has zero errors because they are mostly FBI records. We can take draconian measures on that [to assure accuracy].

At the state level, the error rates were sort of scattered around. They were high, and there have been a bunch of analyses done at universities and by NCIC-watchers. They were pretty compelling that we had to do something about [state-level errors]. So we commissioned the audit program. We have a staff of 30 auditors that ... are government employees. They deploy to each state every two years and audit their records. Within the policy board, there is a sanctions committee that reviews the audit reports that are produced by NCIC staff for the states. ... Then the sanctions committee, which is headed by a federal judge, takes appropriate action. ... The harshest action in that would be to expunge somebody's records and take them off the system. That only has to be threatened once, and then, usually, those records start coming around, cleaning up.

There have been a lot of positive acts, ... and the reason that we do these things is because of the velocity of this system, the number of times those records are used. If you get an erroneous record in there with all the transaction traffic we've got, there's a good probability that record will get retrieved. We have to ensure the quality of the data. And we do it through a formal audit process.

AUDIENCE MEMBER: When this data is requested, do the requesters get an error indication ... a confidance indication of how good the data might be?

BAYSE: No, they have to do a confirmation. When they make a query, they get a response. They have to go to the originating organization and get a confirmation, before they can take any action on it, [confirming] that the record is still valid. That's a hedge against the fact that maybe a warrant - maybe a stolen-car record - was retrieved but when we found out the car had been returned ... the record hadn't been taken out.

AUDIENCE MEMBER: [inaudible question, possibly concerning the error rate]

BAYSE: No, we don't tell him the number. We just tell him whether the record is still valid. That's called the hit-confirmation process. That's better than telling them the error rate.

AUDIENCE MEMBER: If it's an FBI-originated record, do you tell them that you have [for example] a 95% certainty that it's a proper record?

BAYSE: In the federal ... That's right. It's about 100 percent accurate. So we could tell them it's about 100 percent accurate, but we also go through the confirmation process. ...

There's a couple of other items about NCIC I wanted to bring up [specifically] about NCIC-2000 [the planned upgrade of the current system to a new system]. Some of the features we're going to put in, ... it's a total new design. We'll eventually throw this antique away. It served well, but it's time now to go on and move to another regime.

NCIC-2000 is a complete new start. It starts this fiscal year; there's funding available to start the project. It'll be done under a competitive procurement process. We'll go out to the marketplace and [take] ..., probably, a system-integrator type of approach to it, and build a new system from scratch. In the meantime we'll keep this one running until the new system is built. That'll take about three years.

... There's a need to initiate a new cycle. You all know a lot about software, and some of the software in this system that was written in '67 is still in there. ... These are assembly-language-code instructions, the old ALC that was around in '67, which was different than now. It takes a big staff of assembly-language-type programmers to keep that going. [some booing] Yeah, there are a lot of those guys that are probably at work right now that would agree with, "Boo." [laughter]

One of the other features that we want in NCIC-2000 is a more positive identification at the patrol car. Right now we do this hit- confirmation process to ensure the record's still valid. But we could take a scenario where somebody in the state of Illinois gets a hit saying that the individual is wanted in the state of California - at a time of day where there aren't going to be many people around to do the hit confirmation.

One of the things we're going to add in the NCIC-2000 is a positive- identification feature. That would include both photographs and fingerprints. So, in addition to the hit confirmation, ... this individual, at the patrol-car level, will be able to take a video image of the person for identification as well as a fingerprint, a live, scanned fingerprint at the patrol car and move that through the network ... and do a match at the central repository of fingerprints and photographs. It's to your advantage to do this. [some booing]

AUDIENCE MEMBER: What happens...? Where does that fingerprint go if it doesn't match?

BAYSE: ... It's over. The fingerprint file is just established. That doesn't get added to the fingerprint file. It just goes away.

AUDIENCE MEMBER: Where does the suspect's fingerprint file go? The one who's being tested at the patrol car?

BAYSE: It goes nowhere.

AUDIENCE MEMBER: So if it doesn't match; it's discarded?

BAYSE: Yeah, yeah, that's right. It's the same way as seeing if you had a license. You know, your picture on your driver's license looks like you. We don't ... take another picture [and] put it in a file anywhere.

AUDIENCE MEMBER: Would that incoming fingerprint be matched against fingerprints that you don't have people connected to?

BAYSE: I don't know how that's possible. ... I don't understand the question. [laughter]

AUDIENCE MEMBER: ...You'd like to know who they ... belong to.

BAYSE: This would be fingerprints on wanted persons.

AUDIENCE MEMBER: You're looking for positive confirmation.

BAYSE: Yeah, we're looking for confirmation of this individual, who comes back with a "wanted" - is wanted - and by searching the wanted- records files, we're looking to identify that person to see if he's still really wanted. So we do the fingerprint or the photo match.

AUDIENCE MEMBER: Sir, unless I'm mistaken I think that the question was, "If you fail to make a hit on the wanted ID you're attempting to make, is that same data checked against a larger database of all wanteds?"

BAYSE: It's already been checked against the large database. We've got a record hit, but we don't have a confirmation. If we don't get ... the positive ID then ... there's no reason to detain that person.

AUDIENCE MEMBER: Somehow the audience is missing the fact that you're trying to avoid a false arrest.

BAYSE: Yeah, yeah, I know.

AUDIENCE MEMBER: Excuse me, sir. So far the questions have centered on the problem of what happens once a person has been stopped and his fingerprints have been checked.

I'm concerned about the ability of an on-site fingerprints check to provide greater justification or excuse for stopping a greater number of people. If you're looking for someone who's a ... suspected criminal who's 5 foot 8 and blond and wears glasses and is female, would that encourage police officers to stop every 5-foot-8 blond female with glasses and just randomly run her fingerprints through the system to see if they match? ... I wonder what that'll do to the probable-cause requirement. ...

BAYSE: NO, I don't think that ... scenario holds here.

AUDIENCE MEMBERS: Why not?

BAYSE: It just doesn't. I mean, ... they pull a car over for a ... reason, not just a dragnet type of approach. ... The fingerprints wouldn't match anyway unless the person's wanted.

AUDIENCE MEMBER: I think my point is: Being stopped, alone, is an intrusion upon my civil liberties, unless there's a reasonable suspicion for that stop ... .

BAYSE: ... But, you're posing a scenario .... I don't agree ... that they are going to stop people ... for some reason that I don't agree with. I mean, I don't understand your concern. All this does is ensure that ... if you do stop somebody and they aren't wanted, they are released promptly rather than detained on a reasonable-suspicion basis.

AUDIENCE MEMBER: I think the point that's being made is that this efficient system would make it feasible to do what would now be a slow and indiscriminate dragnet.

BAYSE: Well, that's not the intention of doing this at all. ...

AUDIENCE MEMBER: ... That's not the intention, yeah. It's curious that a new tool is often a temptation to people to say, "Gee, we could do this and maybe we will." Clearly, you don't intend this. What will really happen; time will tell. ...

AUDIENCE MEMBER: You're not going to be doing a fingerprint check unless you've got a name and date of birth.

BAYSE: That's right.

AUDIENCE MEMBER: So you're never going to have a patrolman stopping a car on a visible match to get a fingerprint, unless he has a hit on the warrant first.

BAYSE: That's right.

AUDIENCE MEMBER: Does that mean the system's not capable of doing that stuff, or just ... ? [inaudible]

AUDIENCE MEMBER: I think the question being asked is: Let's say that a print's lifted from the scene of a crime, but you don't have an ID to it. You stop somebody on the street and you get a fingerprint. Is that matched up first against those that are wanted with warrants, then beyond that to fingerprints that have no ID to 'em?

BAYSE: No, I don't think so. No, that's not what this is for, at all.

AUDIENCE MEMBERS: ... Isn't it the case that you can't stop people on the street and get a fingerprint.

That's not legal.

Unless you arrest them. You can't demand a fingerprint from a person on the street. ... [inaudible]

BAYSE: If we've stopped them and ... we've got a record hit, yes, we can do it. Yeah. ...

AUDIENCE MEMBER: I'm concerned about something a little bit different. ... We've talked about the state level and federal level. Let's say I'm a police officer and I've got reasonable cause to stop somebody. And he has given me a little bit of something that I'm looking for. I film him. I fingerprint him. I send it through your cycle. You say, "No. We don't want him." You lose your information. At the police level, at the state or the city level, can that information be held in a loop? ...

BAYSE: Well ... this system doesn't .... You're talking about an arrest situation where fingerprints, all ten prints, are taken and then they're submitted ...?

AUDIENCE MEMBER: No. Out on the street. ... They scan the fingerprints, they take a video ....

BAYSE: We're only going to scan one print.

AUDIENCE MEMBER: What I'm saying is they send you something, video and fingerprint. You lose it because you say, "Hey, there's no hit here." Can they keep it, like, in their RAM and add it to some database locally because they say, "We want to keep track of this person anyway." In other words, does that information get lost all the way on the loop?

BAYSE: It's supposed to get lost because they don't have a confirmation on the hit.

AUDIENCE MEMBER: OK. [laughter]

BAYSE: There are ... written policies to govern all of it.

AUDIENCE MEMBER: I'm thinking in terms of Alameda County. When someone is arrested, they've got to assign a number, a corpus number, I think, is what it's called. That instantly divides the population between those who have been arrested and those who haven't been. It really doesn't make a distinction as to whether they were actually acquitted or convicted.

My concern with on-the-spot fingerprinting of suspects or people that you contact is that this could turn into an electronic FI card, or field- interrogation card, which, you know, cops do. They keep little index cards and these are usually filed in-house at a [local] department.

Even though the NCIC may not keep a record, there is this temptation for a department to possibly record this contact with a fingerprint. That's what I'm worried about.

BAYSE: Well, the functionality of this system doesn't support that. All it does is help make a positive ID once you've tried to identify the individual, based on a fingerprint or a photograph.

KEITH HENSON: That's especially true, by the way, with cheaper and cheaper media. ... There was actually a situation where I can intensely appreciate the value of accurate databases.

I rented a car at O'Hare Airport, and went ... zipping off the freeway and I was a little bit fast. [I slowed] down fast enough that they couldn't nail me on going too fast. [But] somebody grabbed me. The cop, the guy who was the highway patrolman, got me [but] let me go [with a] minor warning on the thing, and I took off. I got about a block and a half. And they had run their thing ... through the crime records ....

And one of them pulled in front of me. ... Another one pulled up beside me, pushing me off the road. The first guy got out with a pistol. It turned out that somebody had typed in one wrong digit, on a car from Indiana. And there wasn't even any way for them to fix this particular kind of problem at that time. I'm sure they've gotten better at that. But, you know, ... I really bitched at Avis about them renting me a stolen car. [laughter]

... They let me go, of course. But it isn't exactly "of course." They may well have fingerprinted me and scanned me, and put that stuff in, [just] in case I actually had stolen the car and somehow was fooling them that it was an Avis car. ...

BAYSE: ... It would have been better if you would have had that [new system].

I want to get back to the question you had about disposition; reporting on an arrest. [In] that disposition reporting, each one of those arrests that gets posted at any level is supposed to have the disposition appended to the arrest record: "released without charges," "released after questioning," whatever it is. ... If that arrest record then has some retention cycle, the fact of the arrest and then the disposition ... should always be there. So if another arrest was made, for another reason, say a reason that required some action, the first arrest record [will have] the disposition posted. And there's no consequence of that first posting because it wouldn't be [used].

Sometimes somebody has been arrested and then arrested again, and the first disposition isn't posted, and you say, "Hey, this guy has already been arrested. Maybe we ought to hold him, because we just found out he's got an arrest record." That's a big concern of ours - and a big concern that .... all those records are associated with the fingerprint cards. Yes sir.

AUDIENCE MEMBER: Do you have any plans yet to put together a database system supporting DNA identification?

BAYSE: Yeah, there's some ... plans to do that, some studies looking at that. Yeah. Not necessarily in this system, but there are some discussions of it. That's in our forensic laboratory. ... Well ... let me see if I can find any more things that will raise the hair on the back of your neck or something. [laughter]

AUDIENCE MEMBER: Please, infuriate us some more. [laughter]

BAYSE: That's what we're here for. [laughter]

[Back to NCIC-2000] the other features will be using database- management techniques rather than the file-oriented methods now. Just modernize the whole architecture of the system, and we will be doing some improved access controls, access controls on individuals that are using the system; better authentication. We'll be using the trusted structure that's now been established as a federal government standard for access and data handling. I think I could go on through a lot of that but I really don't see any reason to pursue it any further. The only function that's probably controversial at all is the positive ID and that shouldn't be controversial ... because it's particularly oriented toward a positive ID for the right reason.

JANLORI GOLDMAN: Al, hi. I'm glad you're here tonight. I have a question for you that hopefully you can answer. One of the things that we've been talking [about] the last couple of days is that there are a lot of issues to work on in the privacy area and not enough people to do it.

[Here's] one of the things that most concerns me. Over the last few years, we've had the opportunity to work together on a number of issues. We've had some agreement on some issues and some assurances that the things [that] we can agree [on] we don't have to worry about for awhile.

But that isn't always the case. One of the most frustrating experiences that I've had, and a number of my colleagues have had, is that one year we'll win an issue. We consider [instances] where we agree with you [to be] "winning an issue." We'll win an issue. And the next year, it comes up [again]. It's got a different face on it. It shows up in a different bill. It ... looks different in some way. And we've got to fight it all over again as though it was a brand-new issue. One of the prime examples of this is something that you just raised about disposition reporting.

BAYSE: Yup.

GOLDMAN: In 1987-88, we fought very, very hard - the civil-liberties community; the civil-rights community - on disposition reporting. There was something called the One-Year Rule, which was an FBI regulation that arrest records without dispositions would not be made available to the non-criminal-justice community. We worked on that. We had a hearing on it. We got an agreement from the FBI that the One-Year Rule would remain in place.

Last year, without anyone consulting with us; without any new justification - the One-Year Rule was repealed. Arrests without dispositions are made available to the non-law-enforcement community.

I don't understand what changed in those few years. And it happened without anyone saying, "You guys still care about this? Does anyone still care about this?" We still care about it, and what do we do about it now? Even when we're able to commit the resources that are so scarce, we fight the same battles year after year.

The "suspect file" [issue] that CPSR and ACLU were able to work on [with you] and we agreed that it was not going to be a part of NCIC-2000, I wonder where is that going to come up next? When are we going to have to fight that battle over and over?

How can we get some assurance from the FBI that when we do agree on an issue and we're able to win it, we don't have to fight it again the next year?

BAYSE: I can ... see what your concerns are. On the One-Year Rule, I'll ... have to get you an answer on what happened there, because ... it is in another area and I just haven't .... I'll have to get something in writing and send it to you bilaterally, from us to you - or, through, maybe, the Edwards Subcommittee. That has to do with the disposition reporting on the rap sheets and there's budget money being allocated to update all the dispositions right now.

GOLDMAN: Our argument about the One-Year Rule is that, until all the records are complete; until the state can report court disposition ... that information is not going to be made available. Nothing has changed. There's more money going into disposition reporting but it's a step backwards ....

BAYSE: On ... going into disposition reporting and posting the records. That's what the money is for.

GOLDMAN: Right, but the [One Year] Rule was repealed before we have more accurate records. That's just one example, it's one example. ... The other examples are, with FINCEN [Financial Crimes Enforcement Network], we fought the Economic Crime Index issue with you a number of years ago. We considered it a victory when the FBI decided not to create an Economic Crime Index on people suspected of engaging in money laundering. And the next year, Treasury gets millions and millions of dollars in an appropriations bill to create an information-sharing system at the federal level to fight money laundering. It's the same issue. And we're back fighting it again, but it's already a done deal.

BAYSE: You ... don't want me to speak on the part of Treasury. I'm going to decline that one. No, we didn't do it but we certainly went with your approach on that ... one. You'll have to take that one up with the Department of Treasury.

GOLDMAN: Well they sent you, so....

BAYSE: They didn't send me anywhere.

GOLDMAN: I know.

BAYSE: No, they didn't. This is Justice. Justice. But that FINCEN money laundering they're doing, I don't ... know if that's the same thing as the Economic Crime Index. It's different.

GOLDMAN: Well, they call it something else, but it ... [inaudible].

BAYSE: Yeah, but we had an index that was going to identify specific types of cases that were being worked, like on these mobile con men and so forth - or con women; whatever. That was an index that would just alert somebody that ... there is the same type of con game going on somewhere else. I don't know if that's analogous to what they're doing. They're looking for economic crimes, and narcotics money laundering and things like that.

GOLDMAN: Right, but it's the same issue, Al. It's the same issue of putting information about suspects into a computerized file that is then shared by federal agencies. That information is used. And it raises many of the same concerns.

BAYSE: Well, I'm not sure what standard they're going to use for that. I mean some of these would be case investigations.

GOLDMAN: We're not sure, either, because we can't get any information about it. The Treasury Department keeps telling us that it's secret and classified, and we have no information about it. And it was done in an appropriations bill, so there were no hearings; no public debate. I realize that it's not your department, but....

BAYSE: Well, then why are you - [laughter]

If I had an answer I would tell you. I mean, they've got a mission to do all this financial analysis of all kinds of criminal activities. They're focusing a lot on counter-narcotics.

GOLDMAN: Right, but I think FINCEN will involve FBI records. They want FBI records, INS records [Immigration and Naturalization Service]. They want records from the Justice Department. They want records from all over, in order to catch these people who are involved in money laundering. If we agree on a principle about putting information on suspects into a file, it might be something that you folks could support in terms of us working together on that issue and saying, "We don't want to put this information into a shared file."

AUDIENCE MEMBER: I have two questions. First of all, rather than this issue of disposition, why do you need [inaduible] that someone's been acquitted after their arrest? Why wouldn't the entire record just be expunged from the system? Secondly, I'm wondering what are the methods of input for all of these files into your system? Where do they come from besides just the state and local police levels?

BAYSE: If it's a federal offense, it's done by the federal agency that makes the arrest; generates the arrest record.

AUDIENCE QUESTION: [inaudible]

BAYSE: They're all legitimate arresting agencies. There are a lot of federal agencies that make arrests: Treasury, Customs, you know, at the border, and so forth. ...

AUDIENCE QUESTION: [inaudible]

BAYSE: There are some, but there are some on warrants but not on arrest records, unless they're [probably] some exchange on a case-by-case basis. There's no major exchange of arrest records. As far as expunging the records, there is a retention cycle under the federal-records systems, to keep these records for awhile.

AUDIENCE MEMBER: How long is it?

BAYSE: ... I'd have to get you an answer on that one.

DAVE REDELL: I just had one further clarification that I'd like to request about the scanned-image facility. As I understand it, the idea is that the database would contain scanned images of both the fingerprint and a mugshot, and that the patrol car unit would have input and output capabilities for both of those scanned images.

I understand the scenario you talked about with the positive ID, where you scan in the fingerprint and it's matched in the database. And I can imagine a similar kind of facility where you would print out the mugshot and match it by eye, in the patrol car.

But what's the function of scanning in the mugshot in the patrol car? You really have it in mind that you're going to do some kind of automated matching of mugshots?

BAYSE: Not at this point. We're just taking a record of the mugshot in case there's a match.

REDELL: I don't follow the logic.

BAYSE: Well, ... once that mugshot is made, it's to be used to identify the person. So we have to see if that mugshot is on file in some other agency. [audience noise] It's like a drivers license picture. Is this the person or not?

AUDIENCE MEMBER: Wait, we're talking about a mugshot that came in from a police car.

BAYSE: Right.

AUDIENCE MEMBER: What happens to it?

BAYSE: It has to be matched against a set of mugshots that may be in a mugshot book.

AUDIENCE MEMBER: Manually?

BAYSE: It may be manually. We might have ... a mugshot but no fingerprint.

Have you ever seen those mugshot books, those big, thick books they have in the police precinct? If that is sent in, if that thing goes over the wire, comes out on a printer in the police precinct, [then] they take the mugshot off and look at the book. They can find the mugshot and say, "Yeah, he's wanted."

They'd be used to identify this individual, or to say that there is no identification of this individual. He's not in the mugshot book.

If it's ... matching mugshots through some computer method, then it would be matching it that way. But ... I don't know whether that'll happen that way or not. Usually they're still using these big books of mugshots.

We're trying to identify the individual. That's the only reason this thing exists. Positively - or to let him go because there's no identification; there's no identifying information. The fingerprint is the best way.

MARC ROTENBERG: I have to share Janlori's frustration in working with the Bureau on these issues, and say at the outset that CPSR has always appreciated your participation in our events. I think this is, in fact, the fourth event that we've sponsored that you've participated in. Your participation level, in fact, is higher than some of our members. [laughter and applause]

But having said that, let me also remind you that in August of 1989 we sent a Freedom of Information Act request to the FBI. We asked about your policies regarding the monitoring and surveillance of computer bulletin boards used by political and advocacy organizations. This was before Operation Sun Devil, before the creation of the EFF. We wanted to know exactly what our government was doing in this area of new communications freedom.

We did everything right under the Freedom of Information Act. We sent the Bureau four certified letters. We even went into Congress, not after the ten-day statutory time limit had expired, but [after] six months had expired. And we had a hearing on this issue.

Still no response from the Bureau. Finally, we've had to sue you. And we're now in litigation, trying to find out what your policy is regarding the monitoring of computer bulletin boards. We've received a document so far that ... contains so much black ink covering the relevant passages it's very difficult to know what's going on.

Now I'm not going to ask you about that particular suit, [some laughter] although I did want to take the opportunity to remind this group that it exists.

I'm going to ask you about another related issue, where we might also consider litigating. It regards the FBI's monitoring and surveillance of computer bulletin boards that are used by Eastern Europeans, Soviets or foreign nationals.

We have reason to believe that under your counter-intelligence program you are, in fact, approaching computer bulletin board system operators and asking for them to assist you in providing information about people who are in this country who are not U.S. citizens.

What concerns us in particular about this program is that many of us are familiar with the [FBI's] , in which the FBI came to librarians and asked librarians to provide the Bureau with information about library patrons who were borrowing unclassified information in libraries in the United States.

So I'm not asking you about the monitoring of bulletin boards used by political and . I'm asking you about the monitoring of bulletin boards where there may be information about the activities of foreign nationals, and I want to know what the FBI's current policy is.

BAYSE: I don't have an answer for you, at this point.

ROTENBERG: Nothing?

BAYSE: That's right. Especially if you've got one in litigation, and you're considering another one, this would be a poor time to discuss it.

LANCE HOFFMAN: Question on the ... audit trails?

BAYSE: Yeah.

HOFFMAN: In the old NCIC, the bad old days, you couldn't really tell where the request was coming from or who the request was coming from. You couldn't really authenticate beyond a certain point, certainly [not] at the state and local level, what was going on.

Has that changed, and whether or not it has, what is going to be the situation in terms of positive identification of the query originator [and] the response - the whole audit trail in the NCIC-2000?

BAYSE: Well, it's got a good audit trail. The authentication at the user level is done at the level the user's at. If it's a local, then that local user is identified by badge number or some other code. That doesn't always get up to the federal level because it goes into a dispatch area. ... If there's a problem, a concern - like somebody misusing a rap sheet or something (and that has happened and we've referred it to prosecution), then that's done by an investigative process. Seldom happens. But there is identification of the individuals at the level where they submit their queries. I tested that pretty heavily with a couple of states just a couple of weeks ago, and they've got a pretty good system for doing that.

HOFFMAN: They retain those logs and so forth ...?

BAYSE: Yeah, yeah. Right now there's a mix of manual and automated logs depending on the sophistication of the system at the state and local level.

HOFFMAN: What about for NCIC-2000?

BAYSE: I would prefer to bring that individual authentication all the way up from the local level. We're still negotiating that because it's a lot of data. They don't want to pass it through. They think they can handle it at that level and maintain the integrity of the audit trail, based on the individual authentication of who requested the record. But we're still working on that.

AUDIENCE MEMBER: ... Is there any consideration being given to using those audit trails of the individual queries to track the possibility of abuse of the system? Many of us here believe that most law enforcement has good intentions and good faith, but it only takes one bad apple to take advantage of the power of information, to cause a problem. And I'm concerned.

BAYSE: I'm going to hit this one right out of the ballpark.

AUDIENCE MEMBER: Good.

BAYSE: [We're developing an] Intrusion Detection Expert System. ... We're contemplating using those transaction logs for indications and warnings of either errors or improper use, including mistakes. And ... we've already got a contract ... working on it, and building it in some of the FBI's internal systems as well.

BOB JACOBSON [former Principal Consultant, California Assembly Utilities and Commerce Committee]: You have 65,000 sworn officers using this system. That's the number you gave.

My last year in the California Legislature we had three complaints of misuse of data. Some of them are coming off the Cal Justice System, some of them are ... linked into NCIC. I don't know how that works. One was a person, a sworn officer, who was giving data to a person, a bonds-person, who goes after people with stolen cars.

A sillier one, but one that was actually more evocative in its full implication, was the Port of Stockton port director deputizing his unsworn deputies so that they could then go use the criminal justice system to pull runs on the intelligence records on the Board of Directors of the Port, so that he could in fact embarrass two of them to resign from the Board [of Directors of the port].

Nothing was done about that, by the way. There was a grand jury convened and nothing was accomplished because it seemed to be within the power of his authority as port director to do that.

Finally, I think the thing that's most egregious and yet I've heard nothing about it: In 1985 or '86, ACLU of Southern California alleged and successfully eventuated the prosecution of a police officer who was taking data out of police records and putting them into private bulletin boards run by a right-wing association in Virginia. I think that one's pretty well known, the Western Goals Foundation.

It was alleged at the time that that was only one small tip of an iceberg - of a ring, essentially, of red-squad BBSs run by police departments around the country. At one point that might have been taken as sort of foolish. In fact they did get a conviction on this officer.

It's not clear what kinds of records he was inputting, whether they were paper records or on-line records or where he was getting them. But the ACLU of Southern California did not have the resources to prosecute the case.

In effect what they were doing is running a parallel NCIC of their own. At least that's the allegation.

I wonder if you've heard anything about that, if anything has been followed up on that. That was a really incredible situation and I think that while we'd like to think the best of our law-enforcement officers, the events of recent days [the Los Angeles Police Department videotaped beating incident] has tended to call into question the potential collusions that might be occurring.

BAYSE: I'm not familiar with that case. Doesn't California have a computer fraud and abuse act, computer-crime act?

BOB JACOBSON: If it's enforced, it has one. [laughter] My question is [that] the FBI has a civil-rights obligation....

BAYSE: Yeah.

JACOBSON: ... You have a civil-rights obligation and you hear of something like that happening. My question to you would be, "Who is responsible for actually beginning the investigation, the civil rights [division] or ...?"

BAYSE: The local field office of the FBI.

JACOBSON: Well, nothing's being done....

BAYSE: Where was this?

JACOBSON: Los Angeles.

BAYSE: Yeah. Yeah. ... I don't know if that was referred to the Los Angeles office or not.

JACOBSON: I think it was referred but nothing occurred. We tried to pass state legislation....

BAYSE: You sure it was referred?

JACOBSON: I'm quite sure that there was a complaint filed, but I don't know what happened to it.

DENNING (Chair): It's getting late and I have a feeling that this audience could keep us busy here with questions all night. So I'd like to suggest that we retire and return tomorrow morning at 9 o'clock. I'd also like to thank Al for coming and particularly for fielding the questions. [applause]

BAYSE: I enjoyed it, and I appreciated it.

DENNING: Thanks a lot.



Return to CFP'91 Index page.


Return to the CPSR home page.


Send mail to webmaster.

Archived CPSR Information
Created before October 2004
Announcements

Sign up for CPSR announcements emails

Chapters

International Chapters -

> Canada
> Japan
> Peru
> Spain
          more...

USA Chapters -

> Chicago, IL
> Pittsburgh, PA
> San Francisco Bay Area
> Seattle, WA
more...
Why did you join CPSR?

The growing importance of civil liberties in a paranoid world: we need organizations like CPSR.