In response to legislation directing federal law enforcement agencies to identify and provide certain services to crime victims, the Department of Justice (DOJ) developed the Victim Notification System (VNS), a computer-based system managed by DOJís Executive Office for United States Attorneys (EOUSA). The VNS assists federal personnel in notifying victims of federal crimes of events occurring in the investigation, prosecution, and incarceration phases of their cases and provides victims various methods to access information regarding their cases.13 The VNS came online in October 2001 and as of October 5, 2007, the VNS contained information on 1,564,667 victims.
The Victim and Witness Protection Act of 1982, the Victims of Crime Act of 1984, the Crime Control Act of 1990, the Violent Crime Control and Law Enforcement Act of 1994, the Justice for All Act of 2004, and the Attorney General’s (AG) Guidelines for Victim and Witness Assistance established procedures to address the needs of victims of crime.14 Each of these contains a directive to ensure that victims are notified of significant stages and procedural developments in the criminal justice process. Notification means keeping victims aware of the status of an investigation of a crime, as well as the subsequent prosecution, trial, incarceration, location, and custody status of the offender related to the crime.
On April 14, 1997, the Attorney General issued a memorandum that directed EOUSA to implement a comprehensive automated victim information and notification system as soon as possible. The Attorney General mandated that the system be available for use by investigative and prosecutorial components such as the Federal Bureau of Investigation (FBI), U.S. Attorneys’ Offices (USAO), and the Federal Bureau of Prisons (BOP).
With funding provided by DOJ’s Office for Victims of Crime (OVC), EOUSA managed the development of the VNS and actual field deployment began in early October 2001. The exhibit on the following page illustrates VNS’s development and funding from fiscal year (FY) 1996 through FY 2007, highlighting a spike in funding in FY 2000, and a slight decline in funding levels since that time. Since work began on creating the system in FY 1998, the VNS has cost a total of more than $38 million.
According to EOUSA officials, the VNS received significantly more funding in FY 2000 than during any subsequent fiscal year to cover the initial development and implementation of the system. Officials stated that no funding was provided for the VNS in FY 2001 because the funding provided during the previous fiscal year had not been fully utilized.15 Moreover, according to OVC officials, several reasons account for the slight decline in funding since FY 2004. Specifically: (1) the VNS is carrying forward the prior year’s balance; and (2) funding for the Office of Justice Programs (OJP), of which the OVC is a part, has decreased.
The VNS is a web-based application. The system hardware consists of a server, located at the Justice Data Center in Rockville, Maryland, as well as a Call Center facility and live back-up server in Louisville, Kentucky. The VNS receives data from automated case management systems at the FBI, USAOs, the DOJ Criminal Division, the United States Postal Inspection Service (USPIS), and the BOP. Specifically, the VNS receives daily downloads from the FBI’s Automated Case Support (ACS) system, the USPIS’s Inspection Service Integrated Information System (ISIIS), the USAO’s Legal Information Office Network System (LIONS), the DOJ Criminal Division’s Automated Case Tracking System II (ACTS II), and BOP’s SENTRY system. Data transferred from the various systems includes case number; victim, defendant, and inmate information; court events; and custody status updates. Notably, some victim-related information that resides in the VNS is personally identifiable information (PII), such as the names, addresses, and, in some cases, social security numbers of victims of federal crimes.
Initially, the system consisted of the VNS, which federal VNS users accessed via a secure intranet connection, and the Call Center, which was used by both federal VNS users and victims of federal crimes. However, in FY 2004 the contract was modified to enhance VNS services by providing victims with Internet access to their case information. This resulted in the development of the Victim Internet System (VIS), which allows victims to have access to a subset of VNS data via the Internet. The VIS database server, in which the users’ encrypted information is stored, is also located at the Justice Data Center.
Federal VNS users who specialize in dealing with victims and victim issues, such as FBI Victim Specialists and USAO Victim/Witness Coordinators, access the VNS to manage the information that relates to cases in the control of their agency. Victims of federal crimes utilize VNS services to obtain information on their related cases. Specifically, victims in the VNS are notified of case events by letter, e‑mail, facsimile, or telephone when a particular event in a case occurs.16 These victims can also obtain information at any time by calling the VNS Call Center or by accessing the VIS. The following graphic illustrates how the various component systems feed into the VNS, as well as how victim users of the system obtain case-related information.
Source: VNS User Manual and the DOJ Criminal Division
In the VNS, a “notification” is a communication from the federal government to a victim, prompted by a particular event in the case. Events that prompt a notification to victims are referred to as “notifiable.” When such an event occurs in a case, the identified victim in that case is notified via the VNS by a variety of means, such as letter, facsimile, e‑mail, or telephone. Only victims and their alternate contacts who are “opted-in” to the system can receive notifications.17 In addition to notification, a victim in the VNS can also obtain information on his or her case at any time by contacting the VNS Call Center or by accessing the VIS, which provides victims the capability to receive notifications, access information regarding their case, and update their personal contact information via the Internet. A victim generally receives notifications regarding the three phases of the federal criminal justice process: the investigative, prosecutorial, and incarceration phases.
The investigative phase consists of the time after a crime has been committed (or allegedly been committed) to the time a case has been accepted or declined by the USAO for prosecution. The FBI and the USPIS are the only federal law enforcement agencies that utilize the VNS to notify victims of events that occur during the investigative phase of the criminal justice process.18 The FBI and the USPIS provide limited investigative case information and detailed victim information through an export of data from their agency case management systems into the VNS. FBI and USPIS personnel then use the VNS to create, approve, and generate seven different victim notifications, such as an initial notification informing a victim that a case is under investigation, informing victims of their rights under U.S. law, or notification that a case has been referred for state or local prosecution.
The prosecutorial phase encompasses the time charges have been filed by the USAO to the time a defendant is sentenced. As with the FBI and the USPIS, USAOs and the DOJ Criminal Division export information from their automated case management systems into the VNS. This information includes case data, as well as defendant, charge, and court event records, from cases that are either linked to previously loaded FBI or USPIS cases or are new USAO or Criminal Division cases investigated by agencies other than the FBI or the USPIS. The USAOs and the DOJ Criminal Division have 90 different notifications that relate to a defendant and contain case-specific information, such as the charges filed, trial dates, custody status, and sentencing information.
The incarceration phase consists of the time a defendant is sentenced until the time a defendant is released from BOP custody. If a defendant is convicted and then sentenced to serve time in a federal facility, he or she becomes an inmate and is transferred to BOP custody. BOP notifications are created when data is received from BOP’s SENTRY system. BOP personnel then use the VNS to create, approve, and generate 22 various types of notifications to victims, such as information related to defendant release, escape, or death.
In late 1999, the Deputy Director of EOUSA designated an Assistant United States Attorney (AUSA), located in Kansas City, Kansas, to assume program management responsibilities over the VNS. Since then, this project manager has been detailed to work full-time on the VNS and has held this position while physically remaining in the USAO in Kansas City. The project manager reports to EOUSA through the Office of Legal Programs and Policy.
In addition to the VNS Project Manager, additional program management responsibilities are to be carried out by various groups, including the VNS Executive Committee and the VNS Working Group. The VNS Executive Committee consists of senior-level management from EOUSA, the DOJ Criminal Division, the FBI, the BOP, the OVC, and the USPIS. The Executive Committee meets once a year to discuss financial issues, review system events from the previous year, and consider planned changes for the upcoming year. The VNS Working Group meets once a quarter and consists of representatives from EOUSA, the FBI, the DOJ Criminal Division, the BOP, and the USPIS. The purpose of the VNS Working Group is to review all proposed system changes and enhancements, implement its priorities, and provide input on any issues with the daily operation of the VNS.
The objectives of this audit were to determine if:
(1) EOUSA has effectively managed the VNS, including overseeing the contractors, ensuring the accuracy of data in the system, and planning for the future;
(2) The VNS is an effective tool for victims of crime; and
(3) The VNS is properly secured to prevent unauthorized use, access, and data modification.
To accomplish our audit objectives, we conducted more than 50 interviews with officials from agencies that are directly involved with the VNS, including officials from EOUSA, the DOJ Criminal Division, the FBI, the BOP, the USPIS, and the OVC. We also spoke with headquarters officials from those agencies that do not directly participate in the VNS, such as the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF); the Drug Enforcement Administration (DEA); the U.S. Marshals Service (USMS); the Administrative Office of the U.S. Courts (AOUSC); Immigration and Customs Enforcement (ICE); and the U.S. Secret Service (USSS) to determine their knowledge of the VNS, whether they were contacted about directly participating in the VNS, and why they do not participate. Additionally, we interviewed the contractor (AT&T Government Solutions), who manages the system, as well as the sub-contractor (Appriss), who manages the Call Center/Help Desk and back-up servers. We also reviewed internal documents from EOUSA, the DOJ Criminal Division, the FBI, the BOP, the USPIS, and the OVC. Those documents included planning materials, contracts, manuals, internal directives and policies, and financial reports. Moreover, we obtained and analyzed empirical data from the VNS and used this information to develop descriptive statistics on the number and types of victims in the system.
We conducted fieldwork in Chicago and Lisle, Illinois; Lexington and Louisville, Kentucky; Kansas City and Leavenworth, Kansas; and Kansas City, Missouri, where we interviewed 22 field personnel. At these locations we spoke with senior management and staff who utilized the VNS at the local USAO, BOP, USPIS, and FBI offices, and reviewed reports and files applicable to our review. In addition, at the FBI, we interviewed special agents who work cases with multiple victims. In general, the scope of our audit covered the period from FY 1998 through FY 2007.
Related to our first objective, we performed a limited review of the services provided by the contractor and sub-contractor, including Call Center operations; discussed the entry of information into the VNS with federal VNS users; reviewed data in the VNS and spoke with federal VNS users to determine if information in the system was accurate; and interviewed non‑participating agencies to determine if outreach was performed and if the agencies were interested in participating directly with the VNS. Regarding our second objective to determine if the VNS is an effective tool for victims, we designed and deployed two surveys: one to victims who were active in the system and another to victims who were no longer active in the system.19 We selected stratified, statistical samples of victims located throughout the world, to whom we sent the surveys.20 We also reviewed other surveys conducted by EOUSA and BOP as well as conducted our own testing of the VIS through use of a test victim account. In order to accomplish our third objective, we utilized a private auditing firm with experience in conducting information technology audits to perform an information security review of the VNS.
The results of our review are detailed in the Findings and Recommendations section of this report. Finding I discusses EOUSA’s management of the VNS. Finding II reviews the VNS’s effectiveness for federal VNS users and victims of crime. Finding III concentrates on the information security review portion of the audit. The audit scope and methodology are presented in Appendix I. Additional details on our review can be found in Appendices II through XI.
A victim is defined in the VNS as an individual upon whom a criminal act is perpetrated and who is directly and proximately harmed as a result of a crime that is charged as a federal offense. Victims can decide to designate another person as their primary (alternate) contact to receive notification. This alternate contact is someone who can be reached in lieu of the victim, such as a friend, attorney, relative, or business associate of the victim, who also has an interest in the case.
“Opt-in” is the status of a victim or contact allowing them to receive notification and access the VNS Inbound Phone Line and Internet web page. Throughout the report we also refer to these victims as “active” in the VNS.
Other federal criminal justice agencies, such as the Bureau of Alcohol, Tobacco, Firearms and Explosives, and the United States Secret Service, provide investigative phase notifications to victims without using the VNS.