Combined DNA Index System Operational and Laboratory Vulnerabilities
Audit Report 06-32
Office of the Inspector General
The Federal Bureau of Investigation (FBI) has provided the law enforcement community with the Combined DNA Index System (CODIS), a national DNA‑profile matching service comprised of databases containing DNA profiles from crime scenes, convicted offenders, and missing persons.
CODIS began as a pilot project in 1990. The DNA Identification Act of 1994 formalized the FBI’s authority to establish a National DNA Index System (NDIS) for law enforcement purposes and NDIS became operational in 1998.[1] The Act authorized the FBI to establish an index of DNA identification records of persons convicted of crimes, and analyses of DNA samples recovered from crime scenes and from unidentified human remains. The Act further specified that the index include only DNA information that is based on analyses performed in accordance with the FBI’s Quality Assurance Standards (QAS).
The FBI implemented CODIS as a database with three hierarchical levels that enables federal, state, and local crime laboratories to compare DNA profiles electronically. As illustrated on the following page, the three distinct levels are: NDIS, managed by the FBI as the nation’s DNA database containing DNA profiles uploaded by participating states; the State DNA Index System (SDIS), serving as each state’s DNA database containing DNA profiles from local laboratories; and the Local DNA Index System (LDIS), used by local laboratories. DNA profiles originate at the local or state level and flow upward to the state (if from the local level) and national levels. For example, the local laboratory in the Palm Beach, Florida, Sheriff’s Office sends its profiles to the state laboratory in Tallahassee, which then uploads the profiles to NDIS. A laboratory’s profiles need to be uploaded to NDIS before they benefit the system as a whole.
NDIS is the highest level in the CODIS hierarchy and enables the laboratories participating in the CODIS Program to compare DNA profiles on a national level. Each state participating in CODIS has one designated SDIS laboratory. The SDIS laboratory maintains its own database and is responsible for overseeing NDIS communications for all CODIS-participating laboratories within the state.
Figure 1 – Example of System Hierarchy within CODIS [2]
The FBI has distributed CODIS software free of charge to any state or local law enforcement laboratory performing DNA analysis. Before a laboratory is allowed to participate at the national level and upload DNA profiles to NDIS, a Memorandum of Understanding (MOU) must be signed between the FBI and the applicable state’s SDIS laboratory. The MOU defines the responsibilities of each party, includes a sublicense for the use of CODIS software, and delineates the standards that laboratories must meet in order to utilize NDIS. Although officials from LDIS laboratories do not sign an MOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory are required to adhere to the MOU signed by the SDIS laboratory.
As of November 2005, NDIS contained nearly 2.9 million profiles in the following five indices (or databases): (1) the Convicted Offender database, (2) the Forensic database, (3) the Unidentified Human Remains database, (4) the Missing Persons database, and (5) the Relatives of Missing Persons database. The first two databases work together to form CODIS’ crime-solving capabilities, since they can be searched against one another to assist law enforcement personnel in solving crimes. The remaining three databases can be searched against one another in order to identify missing and unidentified persons.
The Convicted Offender database contains DNA profiles from persons convicted of qualifying federal or state crimes where the applicable jurisdiction requires the creation of a DNA record for the convicted person. The Forensic database contains DNA profiles from persons whose identity is not known with certainty; these DNA profiles come from evidence either left at or removed from a crime scene. The DNA profiles in the two databases are compared to determine if a convicted offender can be linked to a crime or if crimes can be linked to each other.
The Unidentified Human Remains database contains DNA profiles from the remains of individuals that cannot be identified by fingerprint, dental, medical, or anthropological examinations, and of individuals who are living, but are unidentifiable using typical investigative methods (such as children and others who cannot or refuse to identify themselves). The Relatives of Missing Persons database contains DNA profiles generated from the relatives of known missing individuals, while the Missing Persons database contains DNA records of missing persons obtained from their effects or deduced from their relatives’ profiles. Profiles in these two databases are compared to DNA profiles from unidentified remains or unidentified individuals in an attempt to make an identification.
CODIS has been expanded through various means since NDIS first became operational in 1998, as described below. Laws governing which profiles can be included in NDIS have expanded at both state and federal levels, creating additional databases within CODIS. Further, the number of participating and contributing laboratories has grown significantly. These factors have caused the number of profiles in NDIS to increase dramatically.
Expanding Federal Legislation
The DNA Identification Act of 1994 authorized the FBI to establish NDIS but did not authorize the collection of DNA samples from federal offenders. Enactment of the DNA Analysis Backlog Elimination Act of 2000 remedied this by authorizing collection of DNA samples from federal offenders and from those who commit qualifying crimes in the District of Columbia, the military, and on tribal reservations.[3] Additionally, in response to the events of September 11, 2001, the USA Patriot Act of 2001 expanded the list of offenses for which offender samples would be collected to include acts of terrorism and all crimes of violence.[4]
The Justice for All Act, signed into law on October 30, 2004, authorized the FBI to expand NDIS to include an additional index for DNA profiles of indicted persons.[5] As a result, those state and local laboratories located in a state where the law authorizes the collection of DNA samples from indicted persons may include the DNA profiles of indicted persons in NDIS. Accordingly, the FBI added the Indicted Persons Index to NDIS in January 2005. The Act also required the state to have expungement procedures in place for removing the implicated profiles in the event that charges are dismissed or prosecution of the charges results in an acquittal. In addition, the Act expanded the list of offenses that require collection of a DNA sample when committed in the District of Columbia, the military, and on tribal reservations to include all felony and comparable military offenses.
The Justice for All Act also authorized the FBI to permit NDIS‑participating laboratories to perform a one-time search of certain DNA profiles, which were not allowed to be stored in NDIS, against NDIS databases. Specifically, NDIS-authorized users “may also access that index [NDIS] for purposes of carrying out a one-time keyboard search on information obtained from any DNA sample lawfully collected for a criminal justice purpose except for a DNA sample voluntarily submitted solely for elimination purposes.” The Act further defines keyboard searches as “a search under which information obtained from a DNA sample is compared with information in the index [NDIS] without resulting in the information obtained from a DNA sample being included in the index [NDIS].”
The FBI concluded that “DNA samples lawfully obtained for a criminal justice purpose” included: (1) DNA samples obtained by a state in accordance with applicable state law that are not otherwise authorized for inclusion in NDIS, such as an arrestee sample; or (2) DNA samples obtained by a state or relevant law enforcement agency in accordance with a judicial court order, such as a suspect exemplar obtained pursuant to court order.
Finally, on January 5, 2006, the DNA Fingerprint Act of 2005 was signed into law, and further changed the scope of NDIS as follows:
According to the CODIS Unit Chief, in January 2006, the FBI assessed the implications of this new law, and made changes to the NDIS procedures to reflect this expansion of NDIS. As a result of this new law, and in conjunction with additional administrative changes, the following indices were added to NDIS in January 2006:
Expanding State Legislation
Individual states also have gradually expanded legislation, particularly as it pertains to the offenses for which, if convicted, a person must supply a DNA sample to that state’s CODIS convicted offender database. States also have moved toward requiring a DNA sample from all convicted felons, rather than limiting their collections to offenders convicted of sexual or violent offenses. Figure 2 displays three snapshots, showing the dramatic increase in offender DNA sample collection legislation across the United States.
These legislative expansions at the state level have resulted in a dramatic increase through the years in the NDIS offender DNA database, as shown on page 7.
Increasing Number of CODIS Participants
Another means of expansion to NDIS has been the increasing number of participating and contributing state and local laboratories. For example, in May 1999, 32 laboratories in 12 states and 1 federal agency (the FBI) participated in NDIS. At the start of our audit in May 2005, 176 laboratories in 50 states and 2 federal agencies (the FBI and the Army) participated in NDIS.[6] These numbers translate to a 450-percent increase in the number of NDIS-participating laboratories in a 6-year period.
Within these numbers is a secondary area of increase in the number of contributing NDIS laboratories. For a variety of reasons, not every “participating” laboratory was able to immediately contribute profiles to NDIS in the past.[7] For example, as of May 1999, only 10 of 12 participating states had contributed offender DNA profiles to NDIS, and only 28 of 32 laboratories had contributed forensic DNA profiles to NDIS. However, as of May 2005, all 176 NDIS-participating laboratories had contributed profiles to NDIS.
Increasing Number of Profiles in NDIS
The preceding factors of expansion, including federal and state legislation and increasing numbers of participants, have caused a dramatic increase in the number of profiles contained in the NDIS databases. The following figures and data demonstrate the increases observed.
Figure 3 – NDIS Offender Database
Figure 3 illustrates the significant increase from less than 500,000 profiles in 2000 to over 2.7 million profiles by November 2005. Just as dramatic is the increase in forensic profiles, from approximately 22,000 in 2000 to nearly 122,000 by November 2005, as shown in Figure 4.
Figure 4 – NDIS Forensic Database
The FBI’s CODIS Unit has only existed since June 2003, following a reorganization within the FBI Laboratory Division. The predecessor of the CODIS Unit, the Forensic Science Systems Unit, managed other Laboratory Division databases in addition to the CODIS Program. The reorganization transferred those other databases to the operational unit counterparts to which they pertained. The Forensic Science Systems Unit, encompassing the CODIS Program and NDIS, was transferred from the Forensic Science Support Section, Operational Support Branch to the Scientific Analysis Section, Forensic Analysis Branch, effective June 2003. With this transfer came the name change to the CODIS Unit.
The CODIS Unit is charged with overseeing CODIS and NDIS operations and administration and ensuring that those operations comply with applicable requirements. As part of those efforts, the FBI contracted with Science Applications International Corporation (SAIC) in 1995 to develop CODIS software and software upgrades, to provide training and technical assistance to software users, and to physically maintain and secure NDIS. SAIC continues to maintain and operate the CODIS software and system.
According to the CODIS Unit Chief, as of November 2005, 175 laboratories were participating in NDIS.[8] These laboratories collectively uploaded nearly 2.9 million profiles to NDIS, of which 96 percent were convicted offender profiles. Specifically, NDIS includes:
The success of CODIS is primarily measured through the number of cases that CODIS assists through a “hit” (a match between DNA profiles produced by CODIS that would not otherwise have been developed), also referred to as “investigations aided.” Through November 2005, CODIS aided 29,666 investigations in 49 states and 2 federal laboratories, as shown in Figure 6.
The FBI also provides CODIS software to foreign law enforcement agencies with DNA capabilities to aid in criminal justice investigations. As of November 2005, 39 sites in 24 countries had received CODIS software.[9]
The Department of Justice Office of the Inspector General (OIG) previously conducted an audit to determine the extent of state and local laboratory participation in CODIS, particularly for those entities receiving laboratory grants, and to evaluate the FBI’s implementation and monitoring of CODIS.[10] At the time of that audit, the FBI did not have the resources to directly evaluate laboratory compliance with the QAS and NDIS requirements. Consequently, oversight was limited to self-certification with the QAS and NDIS participation requirements on the part of each laboratory. We deemed self-certifications to present a high risk that FBI management would not detect instances of non-compliance by NDIS-participating laboratories. Consequently, we audited eight individual laboratories to determine compliance with applicable standards.[11] The collective results of these efforts were described in the OIG’s 2001 audit report. In that report we concluded that:
As a result of these findings, we made the following recommendations to the FBI:
When we issued the report, we considered the status of each recommendation resolved because the FBI and the OIG agreed on the finding noted, and the FBI had planned but not completed its corrective action. In resolving the findings, we relied on:
Since the issuance of that audit report, the FBI has implemented several corrective action measures, which are further analyzed in Finding III. In addition, since that time, the OIG has completed an additional 24 CODIS laboratory audits. (See Appendix V for a complete listing of these audits.)
This audit was designed to determine the present status of CODIS operations. The objectives of our audit were to:
To accomplish these objectives, we reviewed various data and documentation provided to us by FBI officials, evaluated the results of past OIG CODIS laboratory audits, interviewed members of the CODIS Unit staff, and collected documentation from select NDIS-participating laboratories to analyze:
Additionally, to obtain the viewpoints of state and local NDIS‑participating laboratories, we surveyed CODIS administrators at NDIS‑participating laboratories (not including the FBI). The results of our audit are detailed in the Findings and Recommendations section of this report, and the audit objectives, scope, and methodology are presented in Appendix I.