August 2016 The CalGang Criminal Intelligence System As the Result of Its Weak Oversight Structure, It Contains Questionable Information That May Violate Individuals’ Privacy Rights Report 2015-130 COMMITMENT INTEGRITY LEADERSHIP The first five copies of each California State Auditor report are free. Additional copies are $3 each, payable by check or money order. You can obtain reports by contacting the California State Auditor’s Office at the following address: California State Auditor 621 Capitol Mall, Suite 1200 Sacramento, California 95814 916.445.0255 or TTY 916.445.0033 OR This report is also available on our website at www.auditor.ca.gov. The California State Auditor is pleased to announce the availability of an online subscription service. For information on how to subscribe, visit our website at www.auditor.ca.gov. Alternate format reports available upon request. Permission is granted to reproduce reports. For questions regarding the contents of this report, please contact Margarita Fernández, Chief of Public Affairs, at 916.445.0255. For complaints of state employee misconduct, contact the California State Auditor’s Whistleblower Hotline: 1.800.952.5665. Elaine M. Howle State Auditor Doug Cordiner Chief Deputy August 11, 2016 2015-130 The Governor of California President pro Tempore of the Senate Speaker of the Assembly State Capitol Sacramento, California 95814 Dear Governor and Legislative Leaders: As requested by the Joint Legislative Audit Committee, the California State Auditor presents this audit report concerning the CalGang database and how law enforcement has implemented requirements for adding juveniles to CalGang. This report concludes that CalGang’s current oversight structure does not ensure that law enforcement agencies  (user agencies) collect and maintain criminal intelligence in a manner that preserves individuals’ privacy rights. Although the California Department of Justice funds it, CalGang is not established in state statute and consequently receives no state oversight. Instead, the CalGang Executive Board and the California Gang Node Advisory Committee (CalGang’s governance) oversee CalGang and function independently from the State and without transparency or meaningful opportunities for public input. Inadequate oversight contributed to the numerous instances in which the four user agencies we examined could not substantiate the validity of CalGang entries. Specifically, the agencies lacked adequate support for 13 of 100 people we reviewed in CalGang and for 131 of 563 (23 percent) of the CalGang criteria entries we reviewed. Although a person’s CalGang record must be purged after five years unless updated with subsequent criteria, we found more than 600 people in CalGang whose purge dates extended beyond the five-year limit, many of which were more than 100 years in the future. Finally, the user agencies have poorly implemented a 2014 state law requiring notifications before adding a juvenile to CalGang. Two agencies we reviewed did not provide juveniles and parents with enough information to reasonably contest the juveniles’ gang designations, thereby denying many people their right to contest a juvenile’s gang designation. Although it asserts compliance with federal regulations and state guidelines—standards designed to protect privacy and other constitutional rights—little evidence exists that CalGang’s governance has ensured these standards are met. As a result, user agencies are tracking some people in CalGang without adequate justification, potentially violating their privacy rights. Further, by not reviewing information as required, CalGang’s governance and user agencies have diminished the system’s crime-fighting value. Although CalGang is not to be used for expert opinion or employment screenings, we found at least four appellate cases referencing expert opinions based on CalGang and three agencies we surveyed confirmed they use CalGang for employment screenings. Although these practices do not appear to be common place, they emphasize the effect CalGang can have on a person’s life. We believe that CalGang needs an oversight structure that ensures that information is reliable and that users adhere to requirements that protect individuals’ rights. Thus, we recommend that the Legislature adopt state law assigning Justice the responsibility for CalGang oversight and specifying that CalGang must operate under defined requirements, such as supervisory and periodic record reviews. Respectfully submitted, ELAINE M. HOWLE, CPA State Auditor 621 Capitol Mall, Suite 1200 S a c r a m e n t o, C A 9 5 8 1 4 916.445.0255 916.327.0019 fax w w w. a u d i t o r. c a . g o v Blank page inserted for reproduction purposes only. California State Auditor Report 2015-130 August 2016 Contents Summary 1 Introduction 9 Audit Results Due to an Inadequate Leadership Structure, CalGang Has Failed to Comply With Requirements Designed to Protect Individuals’ Rights to Privacy 23 Law Enforcement Agencies Could Not Always Demonstrate That They Had Established Reasonable Suspicion That Groups Were Gangs Before Entering Them Into CalGang 28 Law Enforcement Agencies Do Not Have Adequate Support for Some of the Individuals and Many of the Criteria They Entered Into CalGang 31 Law Enforcement Agencies Lack Appropriate Safeguards to Ensure the Accuracy and Security of CalGang Records 36 Law Enforcement Agencies Have Failed to Appropriately Notify Necessary Parties Before Entering Juveniles Into CalGang 46 Governmental Oversight and Increased Public Participation Could Strengthen CalGang’s Usefulness and Better Ensure It Protects Individuals’ Rights 52 Recommendations 55 Appendix A Summary of Selected CalGang Survey Responses 61 Appendix B Demographics of Individuals in CalGang by Location, Type, Gender, Age, and Race 65 Response to the Audit California Department of Justice 69 Los Angeles Police Department 77 California State Auditor’s Comments on the Response From the Los Angeles Police Department 81 v vi California State Auditor Report 2015-130 August 2016 Santa Ana Police Department 83 Santa Clara County Sheriff’s Office 87 California State Auditor’s Comments on the Response From the Santa Clara County Sheriff’s Office Sonoma County Sheriff’s Office California State Auditor’s Comments on the Response From the Sonoma County Sheriff’s Office 89 91 103 California State Auditor Report 2015-130 August 2016 Summary Results in Brief Audit Highlights . . . CalGang is a shared criminal intelligence system that law enforcement agencies (user agencies) throughout the State use voluntarily. User agencies enter information into CalGang on suspected gang members, including their names, associated gangs, and the information that led law enforcement officers to suspect they were gang members. User agencies have noted that CalGang’s benefits include directing them to information about gang members’ interactions with law enforcement officers throughout the State and facilitating cross‑agency collaboration when investigating and prosecuting gang‑related crimes. However, CalGang’s weak leadership structure has been ineffective at ensuring that the information the user agencies enter is accurate and appropriate, thus lessening CalGang’s effectiveness as a tool for fighting gang‑related crimes. Further, the inaccurate data within CalGang may violate the privacy rights of individuals whose information appears in CalGang records but who do not actually meet the criteria for inclusion in the system. Our audit concerning the CalGang database and how law enforcement agencies (user agencies) have implemented requirements for adding juveniles to CalGang revealed the following: Both the United States Constitution and the California Constitution recognize the right to privacy—the former implicitly and the latter explicitly. However, CalGang’s current oversight structure does not ensure that user agencies collect and maintain criminal intelligence in a manner that preserves individuals’ privacy rights. Specifically, although the California Department of Justice (Justice) funds a contract to maintain CalGang, the system is not established in state statute and consequently receives no state oversight. Instead, CalGang’s user agencies elect their peers to serve as members of two entities—the CalGang Executive Board (board) and its technical subcommittee called the California Gang Node Advisory Committee (committee)—that oversee CalGang. These oversight entities function independently from the State and without transparency or meaningful opportunities for public engagement. When the committee and the board established CalGang’s policies and procedures (CalGang policy), they asserted CalGang’s voluntary compliance with two different standards: the criminal intelligence requirements in Title 28, Code of Federal Regulations, Part 23 (federal regulations) and Justice’s Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities, November 2007 (state guidelines)—which were promulgated to protect privacy and other constitutional rights. However, in practice, we found little evidence that the committee and the board have ensured that user agencies comply with either the federal regulations or the state guidelines. »» CalGang’s current oversight structure does not ensure that user agencies collect and maintain criminal intelligence in a manner that does not invade individuals’ privacy rights. »» The CalGang Executive Board and the California Gang Node Advisory Committee act without statutory authority, transparency, or meaningful opportunities for public engagement. »» The four user agencies we examined could not substantiate numerous CalGang entries they had made, demonstrating weaknesses in the processes for entering, evaluating, and auditing the data in CalGang. • Three user agencies were unable to adequately support that many of the groups they entered into CalGang met the criteria for inclusion. • All four user agencies lacked support for CalGang entry criteria suggesting they inappropriately included in CalGang 13 of the 100 individuals we reviewed. • More than 600 individuals in CalGang had purge dates extending beyond the five-year limit, many of which were not scheduled to be purged for more than 100 years. continued on next page . . . 1 2 California State Auditor Report 2015-130 August 2016 »» The user agencies have not fully implemented state law requiring notification to juveniles and their parents or guardians before adding the juveniles to CalGang. »» CalGang needs an oversight structure that better ensures that CalGang’s information is reliable and that its users adhere to the requirements that protect individuals’ rights. A lack of adequate oversight likely contributed to the numerous instances we found in which the four user agencies we examined— the Los Angeles Police Department (Los Angeles), the Santa Ana Police Department (Santa Ana), the Santa Clara County Sheriff ’s Office (Santa Clara), and the Sonoma County Sheriff ’s Office (Sonoma)—could not substantiate CalGang entries they had made.1 Specifically, Los Angeles, Santa Ana, and Sonoma, which add gangs to the system, were able to demonstrate that only one of the nine gangs we reviewed met the requirements of CalGang policy before entry; Santa Clara does not add gangs to the system. We also found that all four user agencies lacked adequate support for including 13 of the 100 individuals we reviewed in CalGang. Further, we reviewed more than 560 criteria related to these 100 individuals and determined that the user agencies lacked adequate support for 131, or 23 percent. Our review uncovered numerous examples demonstrating weaknesses in the user agencies’ approaches for entering information into CalGang. For example, Sonoma included a person in CalGang for allegedly admitting during his booking into county jail that he was a gang member and for being “arrested for an offense consistent with gang activity.” However, the supporting files revealed that this person stated during his booking interview that he was not a member of a gang and that he preferred to be housed in the general jail population. Further, his arrest was for resisting arrest, an offense that has no apparent connection to gang activity. Throughout our audit, law enforcement officials offered their perspective that inclusion in CalGang is of little impact to individuals because CalGang only points to source documentation. According to CalGang policy, information in the system itself should not be the basis of expert opinion or statement of fact in official reports, nor should it be used for any purposes unrelated to law enforcement, such as employment screenings. However, we found that these prohibitions are not always followed. In fact, our search of California appellate cases that included the terms CalGang or gang database uncovered at least four unpublished cases that referred to CalGang as support for expert opinions that individuals were or were not gang members. Further, three law enforcement agencies that responded to our statewide survey admitted to using CalGang for employment or military‑related screenings. These instances emphasize that inclusion in CalGang has the potential to seriously affect an individual’s life; therefore, each entry must be accurate and appropriate. 1 Because multiple law enforcement agencies can add information to a gang member’s CalGang record, some of the deficiencies we found relate to information other law enforcement agencies added to these CalGang records. California State Auditor Report 2015-130 August 2016 The four user agencies we reviewed might have been able to avoid making inappropriate CalGang entries had they fully followed the federal regulations and state guidelines that the committee and the board voluntarily adopted. For example, the state guidelines require supervisory reviews of all information for CalGang entries and annual reviews of all CalGang records to ensure their accuracy and relevance. However, we found that none of the four user agencies have the necessary processes in place to perform these reviews. Further, by requiring only minimal audits of the information in CalGang, the committee has limited its own accountability in ensuring that user agencies comply with the federal regulations and state guidelines. These self‑administered audits review less than 1 percent of CalGang’s total records. The committee does not document the audit results, which CalGang administrators present orally at committee meetings. The limited nature of these audits is especially concerning because they are the committee’s only oversight tool, yet they are not robust enough to ensure that user agencies are maintaining valid and accurate criminal intelligence records, adhering to security protocols, and upholding individuals’ rights to privacy. In addition to the errors we found in the 100 records we reviewed, our use of an electronic analysis of all CalGang records uncovered a number of problems that highlight the importance of both supervisory and ongoing reviews of CalGang information. For example, we found 42 individuals in CalGang who were supposedly younger than one year of age at the time of entry—28 of whom were entered for “admitting to being gang members.” We also found a significant number of individuals with illogical record purge dates—the dates by which the individuals’ records must be deleted from CalGang. Mirroring the federal regulations, CalGang policy requires that individuals’ records be purged five years after their dates of entry unless user agencies have entered subsequent criteria which resets the five-year period. Nevertheless, we found more than 600 individuals with purge dates that were well beyond the five year limit; in fact, more than 250 individuals in CalGang had purge dates more than 100 years in the future. By failing to review information before and after its entry into CalGang, the committee and user agencies diminish the system’s crime‑fighting value and do not adequately protect the privacy of those who have been entered into the system. Further, the user agencies we reviewed have not fully implemented a state law that took effect in January 2014 that generally requires law enforcement agencies to notify juveniles and their parents or guardians (parents) before adding the juveniles to a shared gang database such as CalGang. As a result, many juveniles and their parents were not afforded the right to contest the juveniles’ gang designations. Los Angeles and Santa Ana continued to add 3 4 California State Auditor Report 2015-130 August 2016 juveniles to CalGang after January 2014, but these two user agencies failed to provide proper notification for more than 70 percent of the 129 juvenile records we reviewed. Further, the two agencies did not provide the juveniles and parents who were sent notices with enough information to reasonably contest the juveniles’ gang designations. Possibly as a result of insufficient information, we found that few juveniles or parents have contested juveniles’ inclusion in CalGang. The other two user agencies we reviewed— Santa Clara and Sonoma—did not add juveniles to CalGang once the notification law took effect. Because of its potential to enhance public safety, CalGang needs an oversight structure that better ensures that the information entered into it is reliable and that its users adhere to requirements that protect individuals’ rights. To this end, we believe the Legislature should adopt state law that specifies that CalGang, or any equivalent statewide shared gang database, must operate under defined requirements that include the federal regulations and key safeguards from the state guidelines, such as supervisory and periodic record reviews. Further, we believe the Legislature should assign Justice the responsibility for overseeing CalGang and for ensuring that the law enforcement agencies that use CalGang comply with the requirements. Establishing Justice as a centralized oversight entity responsible for determining best practices and holding user agencies accountable for implementing such practices will help ensure CalGang’s accuracy and safeguard individuals’ privacy protection. Moreover, we recommend that the Legislature create a technical advisory committee to provide Justice with information about database best practices, usage, and needs to ensure that CalGang remains a useful law enforcement tool. Figure 6 on page 54 illustrates what, in our view, would be a stronger oversight structure for CalGang. Recommendations The Legislature To ensure that CalGang, or any equivalent statewide shared gang database, has an oversight structure that supports accountability for proper database use and for protecting individuals’ rights, the Legislature should do the following: • Designate Justice as the state agency responsible for administering and overseeing CalGang or any equivalent statewide shared gang database. California State Auditor Report 2015-130 August 2016 • Require that CalGang or any equivalent statewide shared gang database adhere to federal regulations and relevant safeguards from the state guidelines. • Specify that Justice’s oversight responsibilities include developing and implementing standardized periodic training as well as conducting—or hiring an external entity to conduct— periodic audits of CalGang or any equivalent statewide shared gang database. To promote public participation in key issues that may affect California’s citizens and help ensure consistency in the use of any shared gang database, the Legislature should require Justice to interpret and implement shared gang database requirements through the regulatory process. This process should include public hearings and should address the following: • Adopting requirements for entering and reviewing gang designations. • Specifying how user agencies will operate any statewide shared gang database, including requiring the agencies to implement supervisory review procedures and regular record reviews. • Standardizing practices for user agencies to adhere to the State’s juvenile notification requirements, including guidelines for documenting and communicating the bases for juveniles’ gang designations. To ensure transparency, the Legislature should require Justice to publish an annual report with key shared gang database statistics— such as the number of individuals added to and removed from the database—and summary results from periodic audits conducted by Justice or an external entity. Further, the Legislature should require Justice to invite and assess public comments following the report’s release. Subsequent annual reports should summarize any public comments Justice received and actions it took in response. To help ensure that Justice has the technical information it needs to make certain that CalGang or any equivalent shared gang database remains an important law enforcement tool, the Legislature should establish a technical advisory committee to advise Justice about database use, database needs, database protection, and any necessary updates to policies and procedures. 5 6 California State Auditor Report 2015-130 August 2016 Justice As the Legislature considers creating a public program for shared gang database oversight and accountability, Justice should guide the board and the committee to identify and address the shortcomings that exist in CalGang’s current operations and oversight. The guidance Justice provides to the board and the committee should address, but not be limited to, the following areas: • Developing best practices based on the requirements stated in the federal regulations, the state guidelines and state law, and advising user agencies on the implementation of those practices by June 30, 2017. • Instructing user agencies to complete a comprehensive review of all the gangs documented in CalGang to determine if they meet the necessary requirements for inclusion and to purge from CalGang any groups that do not meet the requirements. Justice should guide the board and the committee to ensure that user agencies complete this review in phases, with the final phase completed by June 30, 2018. • Instructing user agencies to complete a comprehensive review of the records in CalGang to determine if the user agencies have adequate support for the criteria associated with all the individuals they have entered as gang members. If the user agencies do not have adequate support, they should immediately purge the criteria—and, if necessary, the individuals—from CalGang. In addition, the user agencies should ensure that all the fields in each CalGang record are accurate. Justice should guide the board and the committee to ensure that user agencies complete this review in phases, with the final phase completed by September 30, 2019. To promote transparency and hold the board, the committee, and user agencies accountable for implementing and adhering to criminal intelligence safeguards, Justice should post quarterly reports on its website beginning June 30, 2017, that summarize how it has guided the board and the committee to implement and adhere to criminal intelligence safeguards; the progress the board, the committee, and the user agencies have made in implementing and adhering to these safeguards; the steps these entities still must take to implement these safeguards; and any barriers to the board’s and the committee’s success. California State Auditor Report 2015-130 August 2016 To promote transparency and encourage public participation in CalGang’s meetings, Justice should post summary audit results, meeting agendas, and meeting minutes to its website, unless doing so would compromise criminal intelligence information or other information that must be shielded from public release. Law Enforcement Agencies Until they receive further direction from the board, the committee, or Justice, the law enforcement agencies we reviewed—Los Angeles, Santa Ana, Santa Clara, and Sonoma—should address the specific deficiencies we found by taking the following actions: • Begin reviewing the gangs they have entered into CalGang to ensure the gangs meet reasonable suspicion requirements. They should also begin reviewing the gang members they have entered into CalGang to ensure the existence of proper support for each criterion. They should purge from CalGang any records for gangs or gang members that do not meet the criteria for entry. Individuals who are independent from the ongoing administration and use of CalGang should lead this review. • Develop or modify as necessary, and fully implement by March 31, 2017, all their policies and procedures related to CalGang to ensure they align with state law, CalGang policy, the federal regulations, and the state guidelines. Agency Comments Justice responded to the audit stating that it agreed with all of the recommendations. Justice expressed that it will work with the board and the committee in various capacities to implement the recommendations. However, Justice stated that it believes it needs express authority and additional resources from the Legislature to assume oversight of CalGang. Los Angeles, Santa Ana and Santa Clara all indicated that they agreed with the recommendations and would take the steps necessary to implement them. Sonoma disagreed with the audit’s findings and took exception to the criteria the audit relied upon. Sonoma stated that it believes it has met or exceeded the statutory guidelines for administering a model criminal intelligence system. Sonoma also stated that if it follows the report’s recommendations it will be forced to stop operating as a node administrative agency. 7 8 California State Auditor Report 2015-130 August 2016 Blank page inserted for reproduction purposes only. California State Auditor Report 2015-130 August 2016 Introduction Background Criminal street gangs in California commit a multitude of crimes and employ violence to expand their criminal enterprises. The Federal Bureau of Investigation’s 2011 National Gang Threat Assessment states that gang members are responsible for an average of 48 percent of violent crime in most jurisdictions and up to 90 percent in others. According to a report the California Attorney General released in 2014 titled Gangs Beyond Borders, gang membership increased by 40 percent nationally between 2009 and 2011, leading to higher levels of violent crime within California— particularly assault, extortion, home invasion, homicide, intimidation, and shootings—as well as increases both in arrests for human trafficking offenses and in seizures of drugs, weapons, and cash. Although gang populations are heavily concentrated in Southern California counties—Los Angeles, Orange, Riverside, San Bernardino, and San Diego—gangs exist in communities across the State, as Figure 1 on the following page shows. The CalGang Criminal Intelligence System With funding from the Office of Criminal Justice Planning, CSRA International, Inc. (CSRA) developed the proprietary CalGang software in 1997.2 The system provides current gang information to law enforcement agencies that choose to use it (user agencies), ideally allowing those agencies to improve the efficiency of their criminal investigations, enhance officer safety, and better protect the public. Because CalGang allows user agencies to collect, store, and share intelligence information about individuals suspected— but not necessarily convicted—of being involved in criminal activity, it qualifies as a criminal intelligence system under Title 28, Code of Federal Regulations, Part 23 (federal regulations). These federal regulations—which CalGang’s oversight entities voluntarily choose to follow—state that criminal intelligence entries must be supported by reasonable suspicion that an individual or organization is involved in criminal conduct or activity and that the information entered into the system must be relevant to that criminal conduct or activity. 2 CalGang is also known as GangNet, a system that federal law enforcement agencies, other states, and Canada use. 9 California State Auditor Report 2015-130 August 2016 Figure 1 CalGang Regional Nodes and California Counties’ Gang Member and Affiliate Populations DEL NORTE SISKIYOU MODOC Number of Gang Members and Affiliates HUMBOLDT SHASTA TRINITY More than 10,000 LASSEN 5,001–10,000 2,501–5,000 501–2,500 TEHAMA Less than 500 PLUMAS MENDOCINO BUTTE GLENN LAKE SIERRA DA VA NE PLACER TER SUT Sonoma County Sheriff’s Office YU BA COLUSA EL DORADO TO YOLO SONOMA Node Administrator Agency SAN FRANCISCO CONTRA COSTA SAN JOAQUIN ALAMEDA S US SAN MATEO ALPINE RA OR AD AM LA VE SOLANO CA MARIN CR AM EN NAPA SA LA SANTA CLARA TUOLUMNE MONO MARIPOSA IS ST AN 10 MERCED MADERA Fresno County Sheriff’s Office SANTA CRUZ FRESNO INYO SAN BENITO TULARE San Jose Police Department KINGS MONTEREY Kern County Sheriff’s Office San Bernardino County Sheriff’s Office KERN SAN LUIS OBISPO SAN BERNARDINO Santa Barbara Police Department SANTA BARBARA VENTURA LOS ANGELES Los Angeles County Sheriff’s Department with the Los Angeles Police Department Orange County District Attorney’s Office RIVERSIDE Riverside County Sheriff’s Department, Riverside County District Attorney’s Office, and Riverside Police Department ORANGE San Diego Police Department IMPERIAL SAN DIEGO Sources:  California State Auditor’s analysis of CalGang data obtained from the California Department of Justice as of November 23, 2015, and documents obtained from the California Gang Node Advisory Committee. Note:  We assigned gang members and affiliates based on the location of the law enforcement agency that initially entered them into CalGang. We excluded 1,797 individuals for whom we did not have valid county information. California State Auditor Report 2015-130 August 2016 A person can be entered into CalGang either as a documented gang member or as an affiliate (an individual who is known to associate with active gang members and whom a law enforcement officer reasonably suspects may be involved in criminal activity or enterprise). As of November 2015, more than 150,000 people were in CalGang, and the average length of time they had been in CalGang was five and a half years. Table 1 summarizes the number of people that law enforcement agencies added and removed from CalGang since January 2010 and shows that more people have been removed from than added to CalGang since 2011. Table 1 Number of Gang Members and Affiliates Added to and Removed From CalGang From 2010 Through 2015 ADDITIONS Affiliates Gang members Total additions Affiliates purged REMOVALS Affiliates manually deleted Gang members purged Gang members manually deleted Total removals 2010 2011 2012 2013 2014 2015* 3,534 3,419 2,337 1,829 1,717 1,444 26,518 21,269 18,209 15,331 15,890 13,490 30,052 24,688 20,546 17,160 17,607 14,934 2,946 3,238 4,142 4,617 4,043 3,801 63 55 43 15 15 19 16,790 23,102 25,391 28,275 30,695 29,461 769 374 221 152 184 150 20,568 26,769 29,797 33,059 34,937 33,431 Source:  California State Auditor’s analysis of CalGang data obtained from the California Department of Justice as of November 23, 2015. * Our analysis for 2015 was limited to additions and removals that occurred as of November 23, 2015. CalGang is what is called a pointer system; the records within it point—or refer—to documents outside of CalGang that contain information about suspected gang members and their affiliates, such as arrest reports, reports of interactions with law enforcement officers in the field, and booking photographs. Using those documents and in‑person observations, law enforcement agency staff—generally gang enforcement officers or administrative staff—record in CalGang various data points about gang members, including their names, birth dates, races, genders, known addresses, vehicles, physical descriptors, and personal markings such as tattoos. CalGang also captures information specific to gang culture, such as monikers, aliases, gang symbols, gang colors, gang territories, weapons, drugs, and gang affiliates. However, law enforcement agencies must use the information contained in records external to CalGang as the bases for any official actions, such as arrests or applications for search warrants, rather than the entries in CalGang itself. Figure 2 on the following page shows demographic information for individuals in CalGang by race, gender, and age. 11 12 California State Auditor Report 2015-130 August 2016 Figure 2 Proportion of Gang Members and Affiliates in CalGang by Race, Gender, and Age 8.2% WHITE 2.3% ASIAN/PACIFIC ISLANDER 0.6% OTHER* 3.5% NOT IDENTIFIED 20.5% BLACK RACE 64.9% HISPANIC GENDER 0.1% NOT IDENTIFIED 6.8% FEMALE 93.1% MALE 1.7% 7.4% Under 18 years Over 45 years 33.6% 31–45 years AGE 57.3% 18–30 years Source:  California State Auditor’s analysis of CalGang data obtained from the California Department of Justice as of November 23, 2015. * Other includes African, American Indian, and people of two or more races. California State Auditor Report 2015-130 August 2016 CalGang is the primary shared gang database law enforcement agencies use throughout the State. When we surveyed law enforcement agencies statewide, 92 percent of respondents asserted that CalGang was the only shared gang database their agencies used. When we reviewed information provided by the remaining 8 percent of respondents, we were able to verify only one additional shared gang database: the Sacramento County Known Persons File. However, just one law enforcement agency reported that many agencies within Sacramento County use this shared gang database. We describe our survey approach and analyze selected responses in Appendix A beginning on page 61. CalGang’s Oversight Entities and Costs Several different entities are responsible for aspects of CalGang’s funding, operation, and oversight. Specifically, the CalGang Executive Board (board) and the California Gang Node Advisory Committee (committee) are the system’s two informal governing bodies. These two governing bodies work with 10 local agencies called node administrator agencies, as we discuss below. In addition, the California Department of Justice (Justice) helps to administer CalGang by funding its annual software maintenance contract with CSRA and providing technology and infrastructure support. CalGang’s board is composed of 15 total voting members representing node administrator agencies, Justice, and three statewide law enforcement associations.3 According to the board’s bylaws, its objectives and purposes include providing oversight and policy direction, ensuring CalGang performs its intended functions, facilitating funding, and ensuring compliance with local, state, and federal standards. According to the board’s bylaws, the board elects a chairperson annually from the 15 voting members, and that chairperson appoints a vice chairperson. The board’s officers may serve consecutive terms. The bylaws direct the board to meet in conjunction with the committee or as needed. Members of the committee act as CalGang operational subject matter experts. The committee’s bylaws establish that each node administrator agency can designate one voting committee member and that the Justice representative also acts as a voting committee member.4 Only voting members may serve as the committee’s chairperson, vice chairperson, and sergeant at 3 The Los Angeles node has two voting members—the Los Angeles County Sheriff’s Department and the Los Angeles Police Department. 4 California Emergency Management Agency (CalEMA) is listed as a voting member in the committee’s bylaws. However, CalEMA has not been represented at committee meetings since 2011, and the board voted to remove it as a voting member in 2014. 13 14 California State Auditor Report 2015-130 August 2016 arms. The committee’s objectives include developing, reviewing, and approving standardized training for CalGang user agencies; recommending changes to CalGang; exploring and developing funding strategies; recommending new legislation to reduce California’s criminal street gang problem; and evaluating requests from agencies that wish to serve as node administrator agencies. As shown in Figure 1 on page 10, node administrator agencies are mainly local law enforcement agencies. The node administrator agencies are responsible for providing training and overseeing CalGang user agencies—which may be local law enforcement agencies, probation departments, or district attorney’s offices—within a specified geographic area. They are also responsible for managing CalGang’s technical and administrative requirements, including auditing user agencies to ensure their compliance with federal laws and safeguards related to the storage of information. The committee’s policies and procedures (CalGang policy) outline the requirements that node administrator agencies oversee, including CalGang operations and user agency access. Figure 1 on page 10 depicts each node administrator agency and the county or counties within its region. Justice, the node administrator agencies, and CalGang user agencies all incur costs to support CalGang. For example, Justice entered into a sole‑source contract with CSRA for maintenance of the CalGang proprietary software. The value of this contract was about $283,000 for fiscal year 2015–16. In addition, Justice runs CalGang through its existing information technology network, purchases necessary hardware to store CalGang data, and pays its staff to provide necessary system support. Similarly, the node administrator agencies and CalGang user agencies are responsible for their own hardware and staffing costs. In response to our statewide survey, node administrators reported that they spent a total of about $1 million between fiscal years 2012–13 and 2014–15 for CalGang‑related costs, including purchasing required equipment, maintaining network communication lines, providing training to CalGang user agencies, and participating in required committee and board meetings. CalGang user agencies reported that they spent a total of about $78,000 over the same three fiscal years for personnel and travel costs. CalGang Requirements CalGang policy outlines system operations and requirements that have their foundation in the federal regulations and in Justice’s Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities, November 2007 (state guidelines). Although the federal regulations are not directly applicable to CalGang, the board and committee adopted requirements for operating CalGang that they based on the California State Auditor Report 2015-130 August 2016 federal regulations and state guidelines.5 The requirements include node administrator agency and CalGang user agency training, system audit and record purges, and information security and dissemination. CalGang policy also states that only properly trained individuals may access CalGang. We describe these requirements in more detail in the Audit Results. CalGang policy also specifies the criteria that individuals must meet before user agencies can add them to CalGang. Before a CalGang user can add an individual to CalGang as a gang member, a trained law enforcement officer generally must affirm that the individual meets at least two gang membership criteria. As shown in Table 2, these criteria include admitting to gang membership, being affiliated with known gang members, and exhibiting gang clothing or behavior. As previously discussed, a user can also add an individual as a gang affiliate if a law enforcement officer suspects the individual is involved in criminal activity and he or she affiliates with a documented gang member. According to CalGang policy, users must have sufficient source documentation to support CalGang entries. Table 2 The Frequency With Which Law Enforcement Agencies Used Criteria When Initially Entering Individuals Into CalGang  CRITERIA (REASONS FOR ENTERING AN INDIVIDUAL INTO CALGANG) FREQUENCY OF USE FOR INITIAL ENTRY 1. Subject has admitted to being a gang member. 58% 2. Subject has been seen associating with documented gang members. 44 3. Subject is known to have gang tattoos. 43 4. Subject has been seen frequenting gang areas. 30 5. Subject has been seen wearing gang dress. 25 6. In-custody classification interview.* 24 7. Subject has been arrested for offenses consistent with usual gang activity. 11 8. Subject has been seen displaying gang symbols and/or hand signs. 7 9. Subject has been identified as a gang member by a reliable informant/source. 6 10. Subject has been identified as a gang member by an untested informant. 1 Sources:  Policy and Procedures for the CalGang System, California Gang Node Advisory Committee; and California State Auditor’s analysis of CalGang data obtained from the California Department of Justice as of November 23, 2015. * Admission of gang membership during a custody classification interview is the one exception to the two‑criteria requirement. 5 According to Los Angeles, at the May 2016 committee meeting, the committee voted to remove the State guidelines from its requirements. However, as of July 28, 2016 the board had not voted on this recommendation. 15 16 California State Auditor Report 2015-130 August 2016 Effective January 1, 2014, state law requires that if law enforcement agencies wish to enter juveniles—defined as individuals younger than 18 years of age—into a shared gang database such as CalGang, the user agencies must first notify the juveniles and their parents or guardians in writing. Because those who receive the letters have a right to contest the gang designation, this notification should explain the juveniles’ rights to contest the gang designation. However, if the user agencies determine that notifications will compromise active criminal investigations or the juveniles’ health or safety, they are not required to provide the notifications or supply information to juveniles or their parents or guardians. We address the law’s requirements in more detail in the Audit Results. Privacy Protections for Californians Justice stated in the state guidelines that law enforcement agencies can collect criminal intelligence information for legitimate law enforcement purposes; the trade‑off, however, is that doing so potentially violates individuals’ privacy and other constitutional rights. The right to privacy is an implied constitutional right under the United States Constitution and an express constitutional right under the California Constitution. Therefore, both the federal regulations and the state guidelines establish certain standards for how law enforcement agencies may collect, maintain, and share criminal intelligence in a way that protects the privacy rights of the individuals in the intelligence files. Because the board and committee adopted requirements indicating that CalGang will comply with the federal regulations and state guidelines, these two bodies have a responsibility to develop processes to ensure CalGang operates according to those requirements. In addition, CalGang user agencies have a responsibility to thoroughly understand and follow the requirements. Academics and citizen advocacy groups have expressed concerns about how collecting and storing criminal intelligence in a database such as CalGang can impinge on individuals’ rights. Many of these concerns relate to the discretion law enforcement agencies have in classifying groups of individuals as gangs and individuals as gang members. In particular, academic literature suggests that the broad criteria used to label gangs and gang members may make it difficult for youth living in gang‑heavy communities to avoid meeting the qualifying criteria and that gang labeling can stigmatize minority, inner‑city youth, limiting their social and economic opportunities. In addition, other critics have expressed concerns that collecting and disseminating criminal intelligence may infringe upon individuals’ constitutional rights, including the rights to free speech, to peaceably assemble, to protection from illegal search and seizure, and to equal protection under the law. California State Auditor Report 2015-130 August 2016 Ultimately, California’s law enforcement agencies must balance the need to protect individuals’ rights with the need to protect the public from crime caused by gangs. The law enforcement agencies can achieve this balance only through rigorous processes designed to ensure the information they maintain in CalGang is accurate and lawfully obtained. Scope and Methodology The Joint Legislative Audit Committee (Audit Committee) directed the California State Auditor to conduct an audit to understand the State’s adherence to relevant laws related to protecting the rights of individuals for whom information is entered into and removed from CalGang. It also asked us to determine the extent to which agencies across the State use CalGang. Table 3 on the following pages lists the 15 objectives that the Audit Committee approved and the methods we used to address them. Assessment of Data Reliability In performing this audit, we obtained electronic data files extracted from CalGang as of November 23, 2015. The U.S. Government Accountability Office (GAO), whose standards we are statutorily required to follow, requires us to assess the sufficiency and appropriateness of computer‑processed information that we use to support our findings, conclusions, or recommendations. To accomplish this assessment, we performed data‑set verification and electronic testing of key data elements and identified significant issues. As we discuss in the Audit Results, we found many instances of questionable data entries related to individuals’ birthdates, criteria dates, purge dates, and individuals’ location information. We also conducted accuracy testing for a selection of 563 criteria entries pertaining to 100 individuals in the CalGang data and found that 23 percent were not adequately supported. Moreover, we identified concerns over the existing controls that safeguard CalGang information from inappropriate access and man‑made or natural disasters. Due to these deficiencies, we did not perform further testing of the CalGang data, such as completeness testing. Consequently, additional weaknesses may exist that we did not identify during our review. As a result of the pervasive deficiencies identified, we determined that the CalGang data are not sufficiently reliable. Although our determination may affect the precision of the numbers we present, sufficient evidence in total exists to support our audit findings, conclusions, and recommendations in this report. 17 18 California State Auditor Report 2015-130 August 2016 Table 3 Audit Objectives and the Methods Used to Address Them AUDIT OBJECTIVE METHOD 1 Review and evaluate the laws, rules, and regulations significant to the audit objectives. We identified relevant federal regulations; state laws and guidelines; CalGang agreements; CalGang Executive Board (board) bylaws; the California Gang Node Advisory Committee (committee) bylaws; CalGang policies and procedures; and other background materials. 2 Identify the number of gang database systems that exist in California and the extent to which they are used by agencies. See Method related to Audit Objective 13. 3 Identify and evaluate the roles and responsibilities of the California Department of Justice (Justice), the committee, the board, and any other agencies involved in the management and oversight of CalGang, including the level of training provided to program administrators and operators to implement the CalGang program and ensure it complies with the law. • We reviewed relevant federal regulations, state guidelines, CalGang agreements, the board’s and the committee’s bylaws, and CalGang policies and procedures. • We interviewed key officials with Justice, the board, the committee, and with the four law enforcement agencies we selected for review—Los Angeles Police Department (Los Angeles), Santa Ana Police Department (Santa Ana), Santa Clara County Sheriff’s Office (Santa Clara), and Sonoma County Sheriff’s Office (Sonoma). • In selecting the four law enforcement agencies, we considered the following factors: agency location, number of gang members and CalGang users based on the CalGang data set described in Method related to Audit Objective 4, and whether the agency responded to our survey. The survey is described further in Method related to Audit Objective 13. • We assessed CalGang’s oversight structure in relation to key requirements specified in the federal regulations and in other pertinent requirements. • We assessed whether the committee fulfilled its responsibilities related to training materials per the CalGang policies and procedures. • We determined whether two node administrator agencies—Los Angeles and Sonoma—fulfilled their responsibilities related to training materials per the CalGang policies and procedures, including reviewing their training materials to determine whether the materials covered all required topics. 4 Assess whether and to what extent access to and the release of data in CalGang is tracked and monitored to ensure all applicable laws, regulations, and policies and procedures are consistently followed. To the extent possible, determine the following for the latest year such information is available: a.  The number of requests for information and the purpose of each request. b.  The number of juveniles added to the system since January 1, 2014, and the number of related notifications made in accordance with Senate Bill 458 (Chapter 797, Statutes 2013) (SB458). c.  The length of time each individual has been in CalGang. • We reviewed relevant federal regulations, state guidelines, and CalGang policies and procedures. We interviewed key officials at Justice, the board, the committee, and the four law enforcement agencies we selected for review. • We reviewed requests for information Justice and the four law enforcement agencies received and responded to generally between January 1, 2011, and early March 2016, to determine whether they released CalGang data in accordance with applicable requirements. • We obtained a filtered extract of data entered by California law enforcement entities into CalGang as of November 23, 2015. We conducted all of the analyses of the CalGang data we describe throughout this report using this limited data set. • We identified individuals in CalGang data whose birthdates indicated that they were under the age of 18 upon initial entry into the system. • CalGang data does not track all juvenile notifications. For review purposes, we relied on the notifications each law enforcement agency we reviewed had in its files. Also, as part of our statewide survey, we asked law enforcement agencies to report the number of juvenile notifications they made between January 1, 2014, and October 31, 2015. • We calculated the average length of time individuals were in CalGang as of November 23, 2015. California State Auditor Report 2015-130 August 2016 AUDIT OBJECTIVE 5 For the most recent five years that data are available and to the extent possible, determine the following: a.  The number of people added to and removed from CalGang by year and whether they were notified of such action. b.  Demographics of individuals in CalGang, including age, gender, race, ethnicity, and geographic location. METHOD • We calculated the number of individuals added to and removed from CalGang data annually from January 1, 2010, through November 23, 2015. • We reviewed relevant federal regulations, state guidelines, and CalGang policies and procedures. We determined that no requirements pertaining to notifying adults added to or removed from CalGang currently exist. • We analyzed available demographics for individuals in the CalGang data. • We reviewed policy and procedures as available from the four law enforcement agencies as well as other pertinent documents. c.  Number of requests for removal from CalGang received and the outcome of each. • We interviewed key officials at the four law enforcement agencies and determined that those agencies generally do not track or keep records of adult or juvenile requests for removal from the CalGang system. Also, as part of our statewide survey, we asked law enforcement agencies to report the number of requests for removal they received and the outcome of each. d.  Number of juvenile appeals for removal received and the outcome of each. • We analyzed the frequency of the criterion used by law enforcement agencies to initially enter individuals into CalGang. e.  The criteria used for adding each individual to the system during this period. 6 Determine whether individuals are removed from CalGang consistent with any guidelines established in law, regulations, and policies. • We reviewed the relevant federal regulations, state guidelines, CalGang policies and procedures, and policies and procedures of the law enforcement agencies, as well as other pertinent documents. • We interviewed key officials at the four law enforcement agencies. • We assessed whether CalGang automatically removes individuals from CalGang after five years if individuals do not meet additional entry criteria. 7 Review and assess any evaluations of CalGang that have been conducted to determine its effectiveness in achieving its intended purpose. • We reviewed the relevant federal regulations, state guidelines, CalGang policies and procedures, and committee meeting minutes. • We interviewed key officials at Justice, the board, the committee, and the four local law enforcement agencies we selected for review and other key local officials. • We performed web searches to determine whether CalGang studies, reviews, evaluations, or audits have been performed and reported. • We assessed committee audits and the committee’s audit processes to determine whether the audits were effective. • We reviewed committee meeting minutes to determine what information node administrators reported and documented, including audit findings and how those findings were resolved. 8 Determine the annual cost of CalGang and identify the major categories of expenditure. • We interviewed key officials at Justice. • We reviewed CalGang contracts and project cost documentation for fiscal years 2012–13 through 2014–15. • As part of our statewide survey, we asked law enforcement agencies to report their costs for administering and using CalGang. 9 Determine whether policies and procedures exist to prevent, detect, and address possible conflicts of interest specific to contracting and spending related to the administration of CalGang. • We reviewed the relevant federal regulations, state guidelines, CalGang policies and procedures, and the State Contracting Manual. We also reviewed Justice’s purchasing authority and pertinent documentation it maintained related to its contract with CSRA International, Inc. • We determined that Justice’s contract with CSRA International is low risk and that the contract itself is over twenty years old. continued on next page . . . 19 20 California State Auditor Report 2015-130 August 2016 AUDIT OBJECTIVE 10 At a selection of law enforcement agencies, evaluate law enforcement’s compliance with relevant laws and policies governing gang database systems. METHOD • We reviewed the relevant federal regulations, state guidelines, and CalGang policies and procedures, and other pertinent documents. • We interviewed key officials with the four selected law enforcement agencies. • At the law enforcement agencies we selected for review, we assessed their compliance with selected administrative safeguards outlined in federal regulations, the state guidelines, and other pertinent requirements. • At Sonoma, Los Angeles, and the node administrators for Santa Clara and Santa Ana— the San Jose Police Department and the Orange County District Attorney’s Office respectively—we reviewed compliance with selected technical and physical safeguards outlined in federal regulations. • At the four law enforcement agencies, we reviewed a selection of gangs to determine whether they met gang criteria when law enforcement entered them into CalGang and whether they currently meet gang criteria. 11 At a selection of local law enforcement agencies and for the most recent five years, identify the criteria being used to designate a person as a gang member for inclusion in CalGang and determine if the criteria align with the intended purpose of CalGang and with the definition of gang or gang member codified in Section 186.22 of the California Penal Code. To the extent possible, determine how frequently each criterion has been used to identify someone as a gang member. • We reviewed the relevant federal regulations, state law, state guidelines, CalGang policies and procedures, and policies and procedures of the law enforcement agencies, as well as other pertinent documents. 12 Determine how those with oversight responsibility ensure the following: • We interviewed key officials with Justice, the board, and the committee. a.  CalGang operates in compliance with all relevant laws, regulations, and policies and procedures. b.  The information included in CalGang is current, accurate, and reliable. • We interviewed key officials with the four selected law enforcement agencies and reviewed pertinent documents to determine what criteria the agencies use for designating individuals as gang members. • We assessed whether CalGang criteria the four local law enforcement agencies use align with CalGang’s purpose and with the definition of “criminal street gang.” We determined the four local law enforcement agencies are not using additional criteria to enter individuals into CalGang. • We analyzed the frequency of the criteria used by law enforcement agencies to initially enter individuals into CalGang. • We reviewed the relevant federal regulations, state law, state guidelines, CalGang policies and procedures, and board and committee meeting minutes. • We evaluated CalGang’s oversight structure against common characteristics of government programs. • We assessed committee audits and the committee’s audit processes to determine whether the audits were effective. • We reviewed committee meeting minutes to determine what information node administrators reported and documented, including audit findings and how those findings were resolved. California State Auditor Report 2015-130 August 2016 AUDIT OBJECTIVE 13 Survey local law enforcement agencies and visit selected local law enforcement agencies to determine the following: METHOD • We surveyed 329 local and state law enforcement agencies, including county sheriff’s offices, city police departments, school district police departments, and selected state agencies. Appendix A on page 61 further describes how we selected agencies to survey. a.  Whether the law enforcement employees who use CalGang are adequately trained to implement the program and ensure full compliance with the law. • The survey questions covered topics such as the extent of the agencies’ use of CalGang; their training; their processes for adult and juvenile entry, notification, and removal from CalGang; their information requests; and their use of other shared gang databases. b.  Whether the policies and procedures local law enforcement agencies have put in place are adequate for ensuring compliance with SB 458 and other applicable laws. • The survey responses were self-reported, and, except as noted, we did not verify the accuracy of the responses. We clarified survey responses agencies provided about shared gang databases and information requests related to employment. • We performed related analyses, including items a through d for this objective. c.  How many requests for removal from CalGang have been submitted over the past five years and the outcomes of these requests. d.  How many juvenile appeals have been made since the approval of SB458 and how many names have been removed through this appeal process. 14 To the extent possible, evaluate the accuracy and completeness of the CalGang data, as well as the types of documentation maintained to support information entered into CalGang. We selected 100 individuals (25 from each of the local law enforcement agencies we reviewed) recorded in CalGang and evaluated the accuracy of criteria entries by analyzing supporting documentation. As we discuss in the Assessment of Data Reliability on page 17, we did not test the completeness of CalGang. 15 Review and assess any other issues that are significant to the audit. We did not identify any other issues that were significant to the audit. Sources:  California State Auditor’s analysis of Joint Legislative Audit Committee audit request number 2015-130, and information and documentation identified in the Table column titled Method. 21 22 California State Auditor Report 2015-130 August 2016 Blank page inserted for reproduction purposes only. California State Auditor Report 2015-130 August 2016 Audit Results Due to an Inadequate Leadership Structure, CalGang Has Failed to Comply With Requirements Designed to Protect Individuals’ Rights to Privacy The California Department of Justice (Justice) funds CalGang. However, two bodies composed of law enforcement officials—the CalGang Executive Board (board) and its technical subcommittee, the California Gang Node Advisory Committee (committee)—are responsible for overseeing the CalGang database. These bodies operate free from the typical safeguards that are the foundation of government programs. When the board and the committee voluntarily adopted federal and state criminal intelligence requirements, they expressed a commitment to protect individuals’ privacy rights and maintain a high‑quality tool for law enforcement to use to suppress and solve gang crime. However, these entities lack the organizational structure and processes necessary to ensure that CalGang achieves these objectives. Since state funding supports CalGang and law enforcement agencies statewide use it, we expected to find in place a state law establishing the powers, legal authority, and responsibilities that would ensure CalGang’s leadership structure and processes reflect the characteristics common to public programs. However, CalGang was not created in statute, and Justice is not statutorily required to oversee it. Thus, the board and the committee have assumed responsibility for managing and overseeing CalGang and its user agencies. Because of the value of CalGang to local law enforcement agencies, Justice voluntarily funds it and provides technical support as needed. Nonetheless, Justice’s involvement with those bodies is inconsistent despite holding a voting seat on both the board and the committee. For example, since 2010 Justice has not been represented at one‑third of the board’s meetings. We asked Justice about its not attending certain board meetings, and Justice officials explained that it found limited value in attending these meetings because board members viewed Justice’s role narrowly and as limited to providing technical support and funding for CalGang. Justice’s views on policy and governance were not given meaningful consideration by the board or the committee. Although Justice could have refused to renew the CalGang maintenance contract, this was not viewed as a viable option because it would likely have caused the program to shut down. Justice told us that it did not at that time have any other leverage over CalGang to ensure that its input was given any weight. The board and the committee act without statutory authority, transparency, or meaningful opportunities for public engagement. Table 4 summarizes the characteristics common to government 23 24 California State Auditor Report 2015-130 August 2016 agencies and demonstrates the degree to which CalGang operates outside of those characteristics. Government agencies exhibit these characteristics as a means to gain the public’s trust and to engage the public in their decision‑making processes. Because CalGang’s oversight entities operate outside these parameters, their decisions lack transparency and public input. Specifically, the board and the committee do not conduct open meetings: They do not provide public notice of their meetings, post agendas and minutes, or accept public testimony. Thus, they limit the opportunity for public understanding and input. For example, Justice posted some of the board meetings’ minutes and agendas on its website, but the most recent document is dated May 2014—more than two years ago, despite there being more recent meetings. Table 4 Common Characteristics of Government Entities Compared to CalGang’s Current Framework COMMON CHARACTERISTICS OF GOVERNMENT ENTITIES CALGANG’S FRAMEWORK SCORECARD Statutorily defined authority and responsibilities. No responsibilities or authority defined in state law; CalGang is subject only to rules the CalGang Executive Board (board) and the California Gang Node Advisory Committee (committee) have adopted and established. 5 Transparency and opportunities for public participation. Limited transparency and opportunities for public participation. s Direct reporting to a government agency or department that has policy, operations, and administrative oversight. Limited oversight of policies and operations. State government is a participant with no decision-making authority. s Public input through elections, through an elected body, or through the composition of governing bodies. The board and the committee determine their own membership and leadership. 5 Accountability established by clearly defining the roles of oversight entities. Individuals serve in multiple roles, creating situations in which they oversee themselves. 5 Independently audited. Not audited by an external, independent body. User agencies evaluate their own records. 5 Specified revenue sources and, if appropriate, the ability to collect fees. No designated revenue source and no authority to collect fees from user agencies. 5 Legal representation. No legal representation. 5 Sources:  California State Auditor’s analysis of documentation from the Institute of Internal Auditors’ Public Sector Definition, excerpts from Strategic Planning for Public and Nonprofit Organizations by John Bryson, excerpts from Understanding and Managing Public Organizations by Hal Rainey, and analysis of the board’s and the committee’s bylaws and minutes and the committee’s policies and procedures. 5 = CalGang’s framework does not meet this common characteristic of government entities. s = CalGang’s framework only partially meets this common characteristic of government entities. In addition, CalGang’s leadership structure does not provide adequate accountability or oversight. Because the board and the committee determine which law enforcement agencies (also referred to as user agencies) will be node administrator agencies, they control the composition of their own membership: Once the board approves a law enforcement agency to be a node administrator agency, that agency designates individuals to sit California State Auditor Report 2015-130 August 2016 on the board and the committee. Moreover, the members of the board and the committee elect their own leadership. Thus, no opportunities exist for public input through elections or elected bodies. Accountability is further compromised because individuals can serve many roles within the CalGang framework. Table 5 outlines selected responsibilities of these bodies and illustrates how individuals can serve in multiple oversight roles. For example, in the Sonoma County Sheriff ’s Office (Sonoma), the sergeant who serves on the committee also acts as a node administrator and as a CalGang user. In fact, the sergeant stated that he enters approximately 95 percent of CalGang records for his agency, yet this same sergeant is also responsible for conducting any audits of CalGang records for the region because he is the node administrator. The sergeant’s conflicting roles highlight the current weaknesses in CalGang’s oversight framework. Table 5 Selected Responsibilities of CalGang Oversight Entities and User Agencies COMPOSITION CalGang Executive Board (board) The chief executive or his or her designee from each of the following: the 11 node administrator agencies, the California Department of Justice, the California District Attorneys Association, and the California State Sheriff’s Association. RESPONSIBILITIES • Provide oversight and policy direction. • Approve the creation or abolition of a node. • Elect a chairperson annually. California Gang Node Full-time law enforcement officers or support staff Advisory Committee designated by node administrator agencies, usually (committee) the node administrators. • Oversee the operations of law enforcement agencies (user agencies). • Evaluate requests from agencies interested in becoming nodes. • Elect a chairperson, vice chairperson, and sergeant of arms every other year. Node administrator agencies Designated node administrator. • Ensure that all users in the node adhere to committee policies. • Conduct triannual audits. • Examine gangs before they are added to CalGang. User agencies Law enforcement or support staff who enter CalGang data. • Comply with committee policies. • Ensure data are legal, relevant, accurate, timely, and complete. Sources:  Board and committee bylaws, committee policies, and interviews with the committee chair. Although the board and committee voluntarily committed to adhere to Title 28, Code of Federal Regulations, Part 23 (federal regulations), which establishes requirements to ensure the privacy of those whose data is maintained in criminal intelligence systems such as CalGang, their protocols for implementing the federal regulations allude to stronger oversight than the entities actually provide. Specifically, the federal regulations—which are viewed as the national standard for protecting and handling criminal intelligence systems—require rules and processes that implement administrative, technical, and physical safeguards to protect 25 26 California State Auditor Report 2015-130 August 2016 criminal intelligence data and individuals’ rights. On the surface, the committee’s policies and procedures (CalGang policy) appear to address some of these requirements. However, the board and the committee have not implemented or followed all of the necessary processes, as summarized in Table 6. For example, federal regulations require audits and inspections to ensure that the user agencies have necessary processes in place to make key decisions, such as determining that reasonable suspicion exists to support CalGang entries. However, as we discuss later, we found that the committee’s audits are neither independent nor robust and that CalGang policy does not include a provision for on‑site inspections of records or facilities. Table 6 CalGang’s Oversight Entities’ Adherence to Federal Regulations for Protecting Criminal Intelligence SELECTED REQUIREMENTS UNDER TITLE 28, CODE OF FEDERAL REGULATIONS, PART 23 CALGANG’S IMPLEMENTATION SCORECARD Audit and inspect properly trained participating agencies to ensure that reasonable suspicion exists and that users are following federal, state, and local laws. Audits do not adequately review the establishment of reasonable suspicion or compliance with laws. CalGang’s oversight entities do not perform on-site inspections. 5 Adopt procedures to ensure that all information retained in the database has relevancy and importance. Procedures do not exist. 5 Develop rules to implement authority to remove personnel authorized to access the system. CalGang’s oversight entities have adopted rules to sanction users.  At the time of our review, the four nodes lacked policies or procedures for ensuring that user accounts are disabled when employees transfer or separate from employment.* 5‡ Restrict access to its facilities. The four nodes we reviewed stored the servers containing CalGang information in locked buildings with limited physical access.  Institute procedures to protect criminal intelligence information from fire, flood, or other disasters. CalGang information is regularly backed up to protect from data loss. † Administrative Safeguards Technical Safeguards Store information in a manner such that it cannot be accessed without authorization. Physical Safeguards Sources:  California State Auditor’s analysis of Title 28, Code of Federal Regulations, Section 23; CalGang’s administrative, technical, and physical oversight processes; and the California Gang Node Advisory Committee’s policies and procedures. = No significant issues identified. 5 = Did not adhere to requirements. * We visited four law enforcement agencies—the Sonoma County Sheriff’s Office (Sonoma), the Santa Clara County Sheriff’s Office (Santa Clara), the Los Angeles Police Department (Los Angeles), and the Santa Ana Police Department (Santa Ana). Two of these agencies—Sonoma and Los Angeles—are node administrator agencies. The other two agencies—Santa Ana and Santa Clara—are part of the nodes overseen by the Orange County District Attorney’s Office and the San Jose Police Department, respectively. † Although we did not identify any significant issues related to protecting criminal intelligence information from fire, flood, or other disasters, the nodes we visited did not have adequate plans for restoring the information following a disaster. ‡ Subsequent to our review, Santa Ana’s node administrator provided us with a new procedure for evaluating the validity of its node’s CalGang user accounts. California State Auditor Report 2015-130 August 2016 Moreover, as Table 6 shows, we have concerns about the user agencies’ compliance with federal regulations related to safeguarding CalGang information from unauthorized access. At the node administrator agencies for each of the four law enforcement agencies that we reviewed—Sonoma, the Santa Clara County Sheriff’s Office (Santa Clara), the Los Angeles Police Department (Los Angeles), and the Santa Ana Police Department (Santa Ana)—we attempted to review the policies and procedures for removing or modifying employee CalGang user accounts when the employees transfer or separate from employment.6 However, none of the node administrator agencies had such policies or procedures at the time of our review. We found 65 active user accounts across Santa Clara, Los Angeles, and Sonoma for individuals who no longer worked for the agencies. Two of these accounts may have been vulnerable to inappropriate access for more than 11 years following the employees’ departures. Subsequent to our review, Santa Ana’s node administrator provided us with a new procedure for evaluating the validity of its node’s CalGang user accounts. In addition, although each of the node administrator agencies we reviewed asserted that they protect their data against loss by implementing practices such as performing regular backups of data as federal regulations require, we found that none of the node administrator agencies have fully documented plans for restoring CalGang information after a man‑made or natural disaster. Specifically, neither Santa Ana’s node administrator agency nor Los Angeles has a contingency plan in place for restoring CalGang information after a loss of this nature. In contrast, the node administrators for Sonoma and Santa Clara provided written agreements with service providers for restoring CalGang information after a man‑made or natural disaster. However, these service agreements did not specify how quickly the information would need to be restored in order to minimize the impact of the interruption. Industry best practices state that organizations should develop contingency plans that identify maximum acceptable time frames during which critical business applications can be inoperable. Without sufficient planning, the node administrator agencies risk losing the capability to process and retrieve CalGang information, which could significantly affect user agencies’ timely access to gang‑related intelligence information. Ultimately, the board and the committee have not effectively communicated the federal regulations and state guidelines to user agencies. CalGang’s policies state that CalGang will comply with federal regulations and Justice’s Model Standards and Procedures 6 Two of the law enforcement agencies that we reviewed—Sonoma and Los Angeles—are node administrator agencies. The other two agencies—Santa Ana and Santa Clara—are parts of the nodes overseen by the Orange County District Attorney’s Office and the San Jose Police Department, respectively, which both function as node administrator agencies. We have concerns about how law enforcement agencies safeguard CalGang information from unauthorized access. We found 65 active user accounts for former employees; two accounts were left open for more than 11 years. 27 28 California State Auditor Report 2015-130 August 2016 for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities, November 2007 (state guidelines). The state guidelines provide similar safeguards as the federal regulations but in certain areas are more restrictive. We expected that CalGang policy or the agreements that user agencies and their respective node administrator agencies sign would provide direction on implementing the requirements for safeguarding data and ensuring they are reliable. However, CalGang policy does not contain such guidance, and the user agreements do not reference the specific requirements—in fact, the agreements are very broad and simply state that user agencies must comply with all applicable laws, rules, and regulations. Consequently, the four law enforcement agencies we reviewed did not understand these requirements. For example, the sergeant at Santa Clara who is solely responsible for determining whether individuals meet the criteria for entry into CalGang stated that he was not familiar with the state guidelines. As we discuss later, we found that the four agencies had not implemented many of the processes the state guidelines require. The remainder of this report explores the many examples of broken and fragmented processes we identified related to CalGang and how these processes weaken the database and create opportunities for violations of individuals’ rights. Law Enforcement Agencies Could Not Always Demonstrate That They Had Established Reasonable Suspicion That Groups Were Gangs Before Entering Them Into CalGang Law enforcement agencies are required to analyze legally obtained information to establish reasonable suspicion of organizations’ criminal activity before adding those organizations to criminal intelligence databases. Although CalGang policy requires that all user agencies maintain sufficient source documentation to support their CalGang entries, we found that the law enforcement agencies we reviewed were unable to demonstrate that many of the groups they entered into CalGang met the criteria necessary for identification as gangs. The federal regulations and the state guidelines require that law enforcement agencies analyze legally obtained information to establish reasonable suspicion of organizations’ criminal activity before adding those organizations to criminal intelligence databases. To establish reasonable suspicion for entry into CalGang, the committee requires that law enforcement agencies ensure that groups meet the definition of a gang in CalGang policy. Figure 3 illustrates in part the criteria a group of three individuals must meet to be considered a gang. These criteria are important because after entering a gang into CalGang, a user agency may add individuals to that gang as gang members.7 An individual’s right to privacy is jeopardized if a law enforcement agency justifies collecting personal information about that individual by stating that he or she is a gang member when the agency has not yet established that such a gang exists through a documented pattern of criminal activity. 7 Throughout this report, we use the term gang member to refer to both gang members and gang affiliates unless specifically stated otherwise. California State Auditor Report 2015-130 August 2016 Figure 3 The CalGang Record Lifecycle Required for Establishing Reasonable Suspicion for Gangs and Suspected Gang Members Is it a GANG? Requirement 1 Do members individually or collectively engage in a pattern of criminal gang activity? Requirement 2 Law enforcement has contact with an individual potentially involved in gang activity. GANG MEMBER? d into ere Quality control reviewer reviews documentation.* Gang Member? Supervisor reviews officer’s documentation. NOT ent lGang Ca d into ere lGang Ca NOT ent Is the individual a Gang Member? A BC Gang Member? How Many? Three or more members? Gang Review Individual Review om d fr Ca ng lGa Law enforcement agency periodically reviews the gang’s record. It purges the record from CalGang when it no longer meets criteria. Law enforcement agency creates the gang and/or an individual's record in CalGang. Purge Common sign, symbol, or name? Analyst determines if the individual meets the gang criteria for entry into CalGang. Law enforcement agency reviews the individual’s record at least annually.† The record is purged from CalGang when it no longer meets criteria or if a law enforcement agency has not added gang criteria for five years. Sources:  California State Auditor’s analysis of the California Department of Justice’s Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities, November 2007 (state guidelines); the Title 28, Code of Federal Regulations, Part 23 (1993); and the California Gang Node Advisory Committee’s policies and procedures, September 2007. * The state guidelines recommend that law enforcement agencies perform quality control reviews; they require supervisory reviews. † The state guidelines require reviewing information stored in a criminal intelligence file to determine whether it is current, accurate, relevant, and complete, and whether it continues to meet the needs and objectives of the responsible agency. 29 30 California State Auditor Report 2015-130 August 2016 We reviewed a total of nine gangs that Sonoma, Santa Ana, and Los Angeles had entered into CalGang to determine whether the user agencies had appropriately established reasonable suspicion according to the criteria in CalGang policy when the law enforcement agency entered them.8 We identified problems with Sonoma’s and Santa Ana’s processes for adding new gangs. We expected that these two agencies would be able to direct us to the records they analyzed to determine that the group of three or more individuals had a common sign, symbol, or name and demonstrated a pattern of criminal gang activity, as depicted in Figure 3. However, we found that Sonoma and Santa Ana generally relied on summary statements agency staff provided on forms or in emails that described how groups met the reasonable suspicion requirements for CalGang entry. Although through subsequent follow up we found that these groups currently meet the definition of a gang, neither agency was able to demonstrate which individuals—at the time of the groups’ initial entry into CalGang—supported the agencies’ conclusions that the groups met the necessary criteria. Therefore, neither agency could prove that it performed the analysis required to establish reasonable suspicion. In contrast, we found that Los Angeles could support the gang we reviewed. Specifically, before Los Angeles added the gang into CalGang, it supported that reasonable suspicion existed by maintaining a list of individuals and their associated arrests, which together established gang criteria. Sonoma’s node administrator adds gangs for 30 other counties, yet he does not collect or analyze the source documents that support his gang entries. Sonoma’s process for adding new gangs to CalGang is of particular concern to us. The sergeant acting as Sonoma’s node administrator is responsible for adding gangs for the 30 counties that make up the Sonoma node, yet he does not collect or analyze the source documents that support his gang entries. Moreover, he destroys the summary documentation the agencies within those counties provide after transferring the information into CalGang. Therefore, the sergeant could not provide supporting documentation for any of the four gangs we examined from Sonoma. This approach increases the risk that he will add groups to CalGang even when user agencies have not established reasonable suspicion according to CalGang policy. Once a gang is added to CalGang, all user agencies in the node, which encompasses Northern California, are free to collect and share information about individuals they believe are gang members, potentially violating those individuals’ rights. Additionally, the committee has not ensured that user agencies periodically assess gangs to determine whether they continue to meet the criteria in CalGang policy. The minutes from board and committee meetings show that nodes periodically query 8 Santa Clara does not add gangs to CalGang; rather, it links suspected gang members to gangs already existing in the database. Consequently, it did not have a process for us to review. California State Auditor Report 2015-130 August 2016 CalGang data to identify and remove gangs with fewer than three members. However, this type of limited review does not confirm that reasonable suspicion continues to exist for larger gangs, creating the risk that CalGang contains information on individuals who are alleged members of groups that no longer meet the gang criteria. Guidance provided by the Institute for Intergovernmental Research—the criminal intelligence training vendor with which the federal government contracts—indicates that law enforcement agencies should periodically validate that reasonable suspicion exists for a gang within a specified time frame, called a retention period. According to this guidance, the gang and its members should generally be purged at the end of this retention period. However, no retention period for gangs exists in CalGang if reasonable suspicion can no longer be validated. As a result, Los Angeles had no information since 2008 in its gang history records demonstrating that one gang had engaged in a pattern of criminal activity. To determine whether Los Angeles had simply neglected to update its history for this gang, we analyzed CalGang records for its members between 2010 and 2015 and found Los Angeles’ officers documented only one arrest for offenses consistent with gang activity. However, we determined through a review of that individual’s criminal history records that he was not arrested on the date documented in CalGang. As a result, based on our review, Los Angeles no longer had sufficient reasonable suspicion in its gang records or in CalGang to continue to categorize this group as a gang and the node administrator would not have reviewed the gang until its membership in CalGang fell below three members. After we brought this problem to the attention of Los Angeles, its node administrator researched the gang’s members and provided us with records of arrests of gang members that law enforcement officers did not include in the gang’s history or accurately enter into CalGang. Although some of the offenses Los Angeles directed us to are consistent with gang activity, we question why Los Angeles failed to enter this information into CalGang and update its internal gang history. This example demonstrates why it is important for CalGang user agencies to establish a retention period and periodically assess whether a gang continues to meet reasonable suspicion requirements in order to ensure system accuracy and the protection of individuals’ rights. Law Enforcement Agencies Do Not Have Adequate Support for Some of the Individuals and Many of the Criteria They Entered Into CalGang When law enforcement agencies cannot provide adequate support for the inclusion of individuals in CalGang, documenting those individuals’ whereabouts, appearance, and associates in a shared database could constitute or lead to a violation of their privacy or It is important for CalGang user agencies to establish a retention period and periodically assess whether a gang continues to meet reasonable suspicion requirements in order to ensure system accuracy and the protection of individuals’ rights. 31 32 California State Auditor Report 2015-130 August 2016 other constitutional rights. Further, the inclusion of inaccurate or unsupported information in CalGang reduces the system’s value to law enforcement agencies. Nonetheless, when we reviewed a selection of 100 people included in CalGang, we found that law enforcement agencies did not have adequate support for inclusion of 13 of these individuals. Additionally, because user agencies can identify numerous reasons, or criteria, for entering or retaining individuals in CalGang, we reviewed more than 500 items of criteria associated with these 100 individuals and found that the user agencies lacked adequate supporting documentation, such as field notes or arrest report narratives, for 23 percent of the criteria. CalGang policy requires, with one exception, that a user agency identify two documented criteria for initially entering a person into CalGang.9 For the individual to remain in CalGang longer than five years from the date of original entry, a user agency must enter subsequent criteria, which will reset the five‑year period from that date. User agencies generally enter criteria when they have additional contacts with the individuals. Because user agencies may have entered numerous criteria for some individuals, those individuals’ inclusion in CalGang may be justifiable even if some of these criteria are unsupported. As shown in Table 7, we found that 131 of the 563 (23 percent) items of criteria we reviewed lacked support. Ultimately, this led us to conclude that law enforcement agencies did not have adequate support for inclusion in CalGang for 13 of the 100 individuals we reviewed. Table 7 Four Law Enforcement Agencies’ Support for a Selection of 100 Individuals in CalGang INDIVIDUALS LAW ENFORCEMENT AGENCY NUMBER REVIEWED NUMBER ADEQUATELY SUPPORTED GANG CRITERIA NUMBER NOT ADEQUATELY SUPPORTED NUMBER REVIEWED NUMBER ADEQUATELY SUPPORTED NUMBER NOT ADEQUATELY SUPPORTED Los Angeles Police Department 25 23 2 213 165 48 Santa Ana Police Department 25 22 3 104 89 15 Santa Clara County Sheriff’s Office and the San Jose Police Department* Sonoma County Sheriff’s Office† 25 24 1 127 107 20 Totals 25 18 7 119 71 48 100 87 13 563 432 131 Source:  California State Auditor’s review of four law enforcement agencies’ support for 100 people included in CalGang. * The San Jose Police Department is responsible for the majority of the entries we reviewed and the criteria we found to not be adequately supported. † Other agencies in the Sonoma County node—excluding Sonoma County Sheriff’s Office—were responsible for nearly half of the criteria we found to not be adequately supported. 9 The only exception to the two‑criteria requirement is when an individual admits to his or her gang membership during an in‑custody classification interview for jail or prison housing. California State Auditor Report 2015-130 August 2016 As indicated in Table 8, 31 of the unsupported criteria related to the criterion “subject has admitted to being a gang member,” while three related to “in-custody classification interview,” which are admissions of gang membership when individuals are brought into custody and will be confined with other individuals. In these instances, we found that the source documents either contained no record of gang membership admissions or, in some instances, indicated that the individuals said they were not—or not currently— gang members. For example, Sonoma justified entering a person into CalGang in part because he supposedly admitted to being a gang member during a custody classification interview at the county jail. However, when we obtained a record of this interview, we found that the person said he was not currently a member of the gang to which he was later connected in CalGang. In fact, he specifically requested to not be housed with this gang. The only criterion for this individual’s inclusion in CalGang for which we found support was that he had been seen associating with documented gang members. However, even that circumstance consisted of no more than an officer’s observation that the individual was in the garage of a residence that a documented gang member had left. Given that Sonoma did not have adequate support for any other criteria for this individual, we concluded that his inclusion in CalGang was inappropriate. Table 8 Number and Types of CalGang Criteria Entries That Lacked Adequate Support CRITERIA NUMBER OF CRITERIA NOT SUPPORTED NUMBER OF CRITERIA REVIEWED Subject has admitted to being a gang member. 31 136 Subject has been arrested for offenses consistent with usual gang activity. 29 70 Subject has been seen associating with documented gang members. 28 98 Subject is known to have gang tattoos. 16 104 Subject has been identified as a gang member by a reliable informant/source. 8 11 Subject has been seen wearing gang dress. 7 33 Subject has been seen frequenting gang areas. 6 63 Subject has been seen displaying gang symbols and/or hand signs. 3 12 In-custody classification interview. 3 35 Subject has been identified as a gang member by an untested informant. Totals 0 1 131 563 Source:  California State Auditor’s review of four law enforcement agencies’ support for 100 people included in CalGang, as listed in Table 7 on page 32. When we asked about these admission‑related entries that did not match source documents, representatives of the law enforcement agencies often agreed that the criteria were not accurate and even purged the information from CalGang. At times they explained that 33 34 California State Auditor Report 2015-130 August 2016 they could have used other field observations they did not record in CalGang but that were present in the source documents to justify the individuals’ inclusion in CalGang. However, admitting that they could or should have entered other criteria into CalGang does not negate the fact that the system inaccurately reflects individuals’ statements regarding gang membership. For CalGang to be useful to law enforcement personnel, it should be both complete and accurate. Selection of Offenses Used to Establish a Pattern of Criminal Gang Activity • Assault with deadly weapon. • Robbery, burglary, and carjacking. • Homicide and manslaughter. • Sale, or possession for sale, of a controlled substance. • Shooting at an inhabited dwelling or occupied motor vehicle. • Arson. • Rape, torture, and kidnapping. • Money laundering and counterfeiting. • Intimidation of witnesses and victims. • Prohibited possession of firearm. • Felony vandalism. Source:  Penal Code 186.22, Section (e). We also found 29 instances in which user agencies were unable to support the criterion “subject has been arrested for offenses consistent with usual gang activity.” In fact, in nine of these instances, we could not find that the person had been arrested for any offense—despite the use of this criterion to justify putting the individual in CalGang. For the remaining 20 entries, we found that the individuals had been arrested for common crimes that did not necessarily have any connection to gang activity, such as probation violations and drug possession. Although the committee established the 10 criteria listed in Table 8 on page 33, it did not implement any policies or procedures further describing what offenses are consistent with gang activity. However, the Penal Code contains a list of offenses that can be used to determine that a group is a criminal street gang for the purpose of prosecuting its members, a selection of which are listed in the text box. Absent any further definition from the committee or from the user agencies we reviewed, we used the Penal Code’s categories as a benchmark for whether individuals’ offenses were, in fact, consistent with gang activity. In response to our concern regarding the offenses law enforcement agencies used for this criterion, Santa Ana agreed to remove one criteria entry related to loitering and two related to drug possession. Conversely, the node administrator in Sonoma stated that we misunderstood the concept of “subjective reasonable suspicion” and maintained that some of the offenses we were questioning—violating probation and resisting arrest—are common among gang members. When we questioned a criteria entry because the associated offense was the prohibited possession of ammunition, which the Penal Code does not identify as a gang‑related offense, the Sonoma node administrator responded that “possession of ammunition by a gang member is a gang crime.” The problem presented by both of these responses is that they presuppose that the individuals in question are gang members and therefore the offenses for which they were arrested are gang crimes. California State Auditor Report 2015-130 August 2016 In our view, offenses need to be indicative of gang activity for user agencies to justify including individuals in CalGang. Although we understand law enforcement officers must exercise judgment in making certain criteria determinations, the results of our testing suggest that the exercise of this judgment needs to be informed by specific regulations. The user agencies were also frequently unable to support the criterion “subject has been seen associating with documented gang members.” Specifically, we found 28 criteria entries in which the law enforcement agencies did not document that the people with whom the individuals in question were associating were gang members. In fact, at times we found no record of anyone else even being present during the events leading to the particular field observations. In regard to the other unsupported criteria listed in Table 8 on page 33, we did not question the validity of the law enforcement officers’ field observations but rather only identified criteria as unsupported if the source documents lacked such observations altogether.10 For example, if the law enforcement officers indicated in source documents that geographical locations, tattoos, symbols, or manner of dress were gang‑related, we accepted these statements. However, we identified criteria entries as unsupported if no such statements were present. For example, Los Angeles used the criterion “subject has been identified as a gang member by a reliable informant/source” to justify the inclusion of an individual in CalGang. Upon hearing our concern that the source document made no mention of an informant or other source, the node administrator for Los Angeles responded that the “reliable source would be the officer making the determination.” This interpretation of what constitutes a “reliable informant/source” is inappropriately broad and would allow officers to enter this criterion absent any evidence other than their own views that individuals are gang members. We found two primary causes for the inaccurate criteria entries we identified. Based on their descriptions of their processes for entering information into CalGang, the user agencies we reviewed often have administrative staff or other designated officers enter information into CalGang rather than the officers who made the field observations. CalGang policy does not prohibit this approach and we recognize that it can be efficient. However, it may also be the cause of some of the discrepancies between CalGang entries and the corresponding source documents. Another contributing 10 For the criterion “subject has been seen frequenting gang areas,” we accepted the judgment of those administering CalGang even when the field officers did not specifically record this observation. Given their unique position of regularly recording or observing CalGang entries, these administrators are likely to know the geographical locations that gangs frequent. Although law enforcement officers must exercise judgment in making certain criteria determinations, the results of our testing suggest that the exercise of this judgment needs to be informed by specific regulations. 35 36 California State Auditor Report 2015-130 August 2016 factor to the deficiencies we found is the lack of strong oversight of CalGang. No independent party regularly scrutinizes CalGang criteria—a condition we detail later in the report. As a result of these inaccurate criteria entries, law enforcement agencies are tracking people in CalGang who do not appear to justifiably belong in the system. Further, the inaccuracies weaken its value to law enforcement because many of the descriptions in CalGang do not match the support to which the system is pointing. If law enforcement agencies later attempt to use this support as evidence in convictions or sentencing enhancements—years added to a prison term when an individual commits a crime to promote or assist a gang—they will find that the information was not worth the time and resources they used to locate and analyze it. Inclusion in CalGang has the potential to seriously affect a person’s life and therefore the accuracy and appropriate use of CalGang is of critical importance. Throughout the audit, law enforcement officials offered their perspective that inclusion in CalGang is of little impact to an individual because CalGang only points to source documentation. CalGang policy prohibits using the system as the basis for expert opinion or statements of fact in official reports or for non‑law enforcement purposes, such as employment screenings. However, we found that neither of these prohibitions is always followed. In fact, when we searched California appellate cases that contained the terms CalGang or gang database, we found at least four unpublished cases that referred to CalGang as support for expert opinions or conclusions in official reports that individuals were or were not gang members. Further, we found one case in which a CalGang printout was apparently provided to a jury. We found numerous other instances in which the unpublished decisions by the appellate courts cited or otherwise contained references to CalGang or a gang database. As we discuss later in this report, three user agencies admitted that they use CalGang for employment or military‑related screenings. These examples emphasize that inclusion in CalGang has the potential to seriously affect a person’s life and therefore the accuracy and appropriate use of CalGang is of critical importance. Law Enforcement Agencies Lack Appropriate Safeguards to Ensure the Accuracy and Security of CalGang Records Law enforcement agencies have failed to ensure that CalGang records are added, removed, and shared in a way that maintains the accuracy of the system and safeguards individuals’ rights. We found that the agencies we examined did not review records before and after entering them in CalGang and that committee audits of the information within CalGang lacked independence and transparency. Moreover, flaws in CalGang’s controls caused many individuals to remain in the system longer than federal California State Auditor Report 2015-130 August 2016 regulations allow; in fact, some individuals are currently scheduled to remain in CalGang for hundreds of years. Finally, in response to our survey, three agencies reported using CalGang for employment or military-related screenings, which represent an inappropriate use of the system. We believe that the committee’s failure to implement standardized training has contributed to user agencies’ inappropriate and inconsistent use of CalGang. In addition, the committee’s lack of oversight and the user agencies’ lack of sound processes has increased the risk of inaccuracies in CalGang, which could jeopardize the effectiveness of investigations and lead to violations of individuals’ privacy rights. Law Enforcement Agencies Have Not Established Necessary Processes for Reviewing and Purging Records The federal regulations and state guidelines that CalGang adopted outline the requirements for maintaining individuals’ criminal intelligence records. The requirements that relate to reviewing records accomplish two objectives: They ensure that the information in CalGang is accurate, which helps make CalGang a valuable tool for solving and preventing crimes, and they help ensure that inaccurate information is not added and that unreliable and unnecessary information is purged, which protects individuals’ rights. As Figure 3 on page 29 indicates, the federal regulations and state guidelines require that law enforcement agency supervisors review and approve criminal intelligence data before entry. The state guidelines also recommend periodic quality control reviews of such data and permanently removing data from CalGang if they are misleading, obsolete, or otherwise unreliable. However, as Table 9 on the following page shows, the four law enforcement agencies we reviewed did not have processes in place to ensure that agency supervisors and quality control reviewers evaluated records before their entry into CalGang. In fact, three of the four agencies followed a practice of allowing one law enforcement officer or analyst to decide unilaterally which suspected gang members to add to CalGang. In contrast, Los Angeles has established and generally followed a process requiring that a supervisor review records before their entry. However, none of the four agencies annually assessed CalGang records as the state guidelines require. The Sonoma node administrator explained that his agency had not implemented these requirements because they would add unnecessary levels of review that would delay the entry of information into CalGang. He further stated that until the agency enters the information, it is not usable intelligence. However, if Sonoma or other agencies believed that the safeguards in the state guidelines were too onerous, they should have at least established other, compensating processes that would ensure the The committee’s failure to implement standardized training has contributed to user agencies’ inappropriate and inconsistent use of CalGang. 37 38 California State Auditor Report 2015-130 August 2016 information they entered into CalGang was sound. We found no such mechanisms at Sonoma or the other three agencies we examined, the lack of which likely contributed to the numerous unsupported criteria entries in CalGang. Table 9 Law Enforcement Agencies’ Adherence to State Record Review Requirements LOS ANGELES POLICE DEPARTMENT SONOMA COUNTY SHERIFF’S OFFICE SANTA ANA POLICE DEPARTMENT SANTA CLARA COUNTY SHERIFF’S OFFICE  5 5 5 5 5 5 5 5 5 5 5 Required Supervisory Review Ensures law enforcement agencies lawfully collected criminal intelligence and that information conforms to the California Department of Justice’s (Justice) guidelines (state guidelines*). Recommended Quality Control Review Ensures compliance with state guidelines. Required Annual Review Ensures intelligence remains current, accurate, relevant, and complete. Sources:  California State Auditor’s analysis of Justice’s Model Standards and Procedures for Maintaining Criminal Intelligence Files and processes at four law enforcement agencies. * State guidelines refers to Justice’s Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities, November 2007.  = Agency generally implemented review process. 5 = Agency did not implement review process. In addition, the committee’s periodic audits of CalGang records are weak and do not ensure that CalGang contains only valid, accurate information. The federal regulations require that criminal intelligence information must be periodically reviewed and destroyed if it no longer meets certain standards and that records must be reviewed and validated for continuing compliance with submission criteria before the end of their retention period. CalGang policy implements this requirement from the federal regulations by stating that each node administrator agency will be audited no less than twice a year. However, the policy does not specify who will conduct these audits, how they are to be documented, or who will review the results. The current committee chairperson stated that the node administrator agencies conduct the audits—meaning that node administrators audit their own records—and that their representatives orally report the results at committee meetings. Nevertheless, our review of this process suggests that these audits are not adequate to determine the accuracy of the information in CalGang. California State Auditor Report 2015-130 August 2016 Specifically, the audits are limited in focus and it is difficult to determine if any change resulted. Board meeting minutes dated January 2006 indicate that the board directed each node administrator agency to audit 30 records a year, resulting in the annual review of 330 records statewide. However, this level of review appears inadequate given that CalGang contains in excess of 150,000 individuals’ records. Further, the minutes from the committee’s meetings document that the node administrator agencies report on the results of their audits, but the minutes lack sufficient detail of how the agencies addressed the problems they uncovered. Thus, for the majority of its audits, the committee was unable to demonstrate the value of its audit process and the related outcomes. The limited focus of these audits is especially concerning because they are the only oversight tool that the committee uses, yet the audits are self‑reported with no independent verification of the results, resulting in a process that is not robust enough to ensure that user agencies are maintaining valid and accurate criminal intelligence records, adhering to security protocols, and upholding individuals’ rights to privacy. The lack of an appropriate audit process potentially weakens CalGang’s value as a law enforcement tool and may contribute to the public’s concern that law enforcement agencies are mishandling private, sensitive information. Our review of CalGang records statewide identified a significant number of errors that demonstrate the need for stronger controls over the processes for entering, evaluating, and auditing the data in CalGang. For example, we found 42 individuals in CalGang whose birthdates indicated that they were less than one year old at the time their information was entered, 28 of whom were entered into the system in part because they admitted to being gang members. CalGang also contained information that was unusable for meaningful data analysis, such as telephone numbers, zip codes, or random characters in the data field intended to capture a city name. Additionally, we found instances in which city names were misspelled or abbreviated in inconsistent ways. For example, we identified more than 100 variations for Los Angeles, including “Los Angels” and “Los Angeleses.” We expected that the law enforcement agencies we examined would be familiar with the state guidelines that the committee adopted and have the necessary safeguards in place to implement the related requirements. However, key officials and CalGang users from Los Angeles, Santa Ana, and Santa Clara were all unaware of the state guidelines and the requirements therein. At Sonoma, the sergeant who functions as the node administrator stated that the processes the state guidelines outline were either not applicable to CalGang, did not have value, or would be too resource‑intensive to fully implement. We disagree with the Our review of CalGang records statewide identified a significant number of errors that demonstrate the need for stronger controls over the processes for entering, evaluating, and auditing the data in CalGang. 39 40 California State Auditor Report 2015-130 August 2016 sergeant’s assertions because CalGang policy explicitly requires user agencies to follow the state guidelines. Further, if Sonoma or other agencies had concerns regarding the processes in the state guidelines, they should have reconciled them with processes that were similarly robust but more efficient to implement. Disregarding the guidelines designed to enhance CalGang’s accuracy and to preserve individuals’ rights degrades the database and calls into question user agencies’ commitment to CalGang’s mission— to provide an accurate resource for law enforcement. The programming underlying CalGang may jeopardize individuals’ privacy rights because it did not purge all records within the required time frames. The programming underlying CalGang also may jeopardize individuals’ privacy rights because it did not purge all records within the required time frames. User agencies rely upon CalGang’s automatic purge function to comply with the requirement in the federal regulations to remove criminal intelligence records if user agencies have not added new information indicating gang membership within five years. However, when we searched 104 records for individuals in CalGang to ensure that they had been purged on schedule, we found that 12 remained in CalGang even though they did not contain new information that would have warranted extending their purge dates. In fact, these 12 records reflected purge dates that should have taken effect in the past. Santa Clara, which is within the San Jose node, had created all 12 records, but neither Santa Clara’s gang sergeant nor the sergeant in the gang investigations unit at the San Jose node could offer an explanation as to why the automatic purge function had exhibited this operational deficiency. When we checked CalGang again about three weeks later, the 12 records had been purged. CSRA International, Inc. (CSRA)—the company that developed the proprietary CalGang software—indicated that errors with the San Jose node’s server caused the automatic purge function to run improperly for approximately two months. CSRA asserted that it resolved this error and has implemented procedures to quickly identify similar issues in the future. Further, as of November 2015, we identified records for three additional individuals who should have been purged in 2002, 2003, and 2008, respectively. When we asked CSRA why these individuals were still in CalGang, it identified a programming error that caused the automated purge process to overlook the three individuals. Consequently, these individuals’ records remained in CalGang from seven to 13 years beyond when they should have been purged. CSRA asserted that it subsequently corrected this error and would report these three individuals to the appropriate law enforcement agency for review. As of June 2016, CSRA reported that these individuals were no longer in CalGang. California State Auditor Report 2015-130 August 2016 Finally, CalGang’s programming has not at times had sufficient controls to prevent future dating of entries related to gang membership or affiliation. This lack of controls—coupled with law enforcement’s failure to establish a thorough review process to ensure the accuracy of data entries—could cause individuals to inappropriately remain in CalGang for several decades, or even centuries. Specifically, we identified 628 individuals whose records had purge dates beyond the standard five‑year time period, including 257 whose records were not scheduled to be purged for more than 100 years. When we inspected these individuals’ criteria dates—which is the information CalGang software uses to calculate purge dates—we found that the entries were future‑dated. For example, one individual had a criteria entry dated in the year 9992, which resulted in a purge date in the year 9997, or nearly 8,000 years from now. Although these future dates are most likely the result of data entry errors, an incorrect entry has significant implications for the timely removal of the individual from CalGang. When we asked CSRA how such errors could occur, it stated that before 2009, and then again between 2011 and 2014, CalGang user agencies could enter future‑dated criteria. CSRA asserted that it implemented controls in 2014 designed to prevent users from future‑dating criteria. In addition, CSRA indicated that it would report the individuals we identified to the appropriate node administrators for review and possible deletion. However, as of June 2016, CSRA stated that 115 individuals with future‑dated criteria remained in CalGang. Absent a robust review process, the committee has relied completely on the CalGang software to remove individuals within the time frames federal regulations specify. Software deficiencies have allowed some records to remain in CalGang and accessible to law enforcement agencies far beyond their purge dates. Retaining records in CalGang for longer than the federal regulations allow potentially violates individuals’ rights and pollutes CalGang with outdated information that may hinder law enforcement agencies’ efforts to suppress gang activity. Law Enforcement Agencies Lack Processes to Ensure They Share CalGang Information Properly and Limit CalGang Access as CalGang Policy Requires To preserve individuals’ privacy rights, numerous requirements contained in the federal regulations, the state guidelines and CalGang policy exist around sharing CalGang information. These requirements are generally rooted in the concept that CalGang information should be shared only for a law enforcement purpose and only with requesters that have a “need and right to know.” We identified 628 individuals whose records had purge dates beyond the standard five-year time period, including 257 whose records were not scheduled to be purged for more than 100 years. 41 42 California State Auditor Report 2015-130 August 2016 The four local law enforcement agencies we reviewed each lack necessary policies and procedures for sharing CalGang information. Nevertheless, we found that CalGang’s oversight entities and user agencies have not taken all the steps necessary to ensure CalGang information is shared only when appropriate. Specifically, the four local law enforcement agencies we reviewed each lack necessary policies and procedures for sharing CalGang information. Further, responses to our statewide survey suggest that at least three law enforcement agencies may have inappropriately used CalGang as an employment screening tool. The information‑sharing policies of all four user agencies we reviewed omit some of the safeguards that CalGang policy requires. Requests for CalGang information can come either from within user agencies or from external parties, such as law enforcement agencies that do not use CalGang, media outlets, and researchers. CalGang policy requires that each user agency establish written policies and procedures for accessing CalGang information that ensure that they only share information in accordance with existing laws, regulations, and guidelines. However, we identified weaknesses in the policies of each of the four law enforcement agencies we reviewed. For example, Los Angeles’s policy addresses releasing information for discovery motions and requests for records, and it also specifies the parties that must approve information releases. Nonetheless, it is silent about documenting the requestors’ need and right to know and tracking to whom it releases criminal intelligence—both of which are requirements in federal regulations and state guidelines. As a result of similar types of omissions at all four user agencies, the users at the agencies lack the guidance necessary to ensure they share criminal intelligence only with authorized recipients and only for law enforcement purposes. We attempted to assess Justice’s and the four user agencies’ past decisions to share information, but we have little assurance that they identified all of the CalGang requests they received. Specifically, Justice and the four agencies could identify requests for CalGang information made pursuant to the Public Records Act, but none of these law enforcement agencies had processes to capture internal requests or requests from other law enforcement agencies. Justice, Los Angeles, Santa Clara, and Santa Ana identified a combined total of 16 information requests they received between January 2011 and early March 2016; in contrast, the sergeant who functions as the Sonoma node administrator asserted that Sonoma did not receive any requests for information during that time frame. Table 10 shows the information requests categorized by requestor type and by the nature of the CalGang information requested. We found that requestors sought criminal intelligence information in four instances and that the agencies declined to provide the information because the requestors did not have a right to know it. California State Auditor Report 2015-130 August 2016 Table 10 Summary of CalGang Information Requests Received Between January 2011 and March 2016 by Requestor Type and the Nature of the Information Requested NATURE OF INFORMATION REQUEST CRIMINAL INTELLIGENCE RECORDS CALGANG STATISTICS POLICY AND PROCEDURES/ OPERATIONAL INFORMATION Media 0 5 3 Researchers 2 3 3 Legal counsel 2 1 1 Private party 0 1 1 4 10 8 REQUESTOR Totals Source:  California State Auditor’s analysis of public records requests received by the California Department of Justice, Santa Ana Police Department, Santa Clara County Sheriff’s Office, and Los Angeles Police Department. Note:  The Table reflects the nature of all the information the requests specified. Requests may have covered more than one category of information; thus, the nature of the requests will not correlate with the 16 total requests the four agencies asserted they received. Conversely, our statewide survey revealed that, of the 190 law enforcement agencies that responded to this question, three may have inappropriately shared information because they used CalGang to screen for employment or military recruitment purposes. Screenings of these types are not apparent law enforcement activities—they are not related to preventing or solving crimes—and thus do not meet the standard of need or right to know for a law enforcement purpose. Specifically, an administrative aide from Ventura County Sheriff ’s Department (Ventura) asserted that she reviewed CalGang to determine if individuals who applied for employment with Ventura were listed as gang members. Similarly, a sergeant from Thousand Oaks Police Department (Thousand Oaks) asserted that the agency reviewed CalGang to assist the military in determining whether a candidate was a gang member. Finally, a detective from Santa Barbara County Sheriff ’s Office (Santa Barbara) reported using CalGang to screen for employment and to assist the military. Although each of the three agency officials asserted that they did not print or distribute any hard‑copy CalGang information resulting from their searches, using the system in this manner does not appear appropriate. On three separate occasions dating back to 2006, the board or the committee determined that user agencies should not use CalGang for employment background checks or in response to requests from the military. The board established that military recruiters do not have the need or right to know CalGang information and therefore users should not fill those information requests. Nevertheless, based on our review 43 44 California State Auditor Report 2015-130 August 2016 of their respective minutes, neither the board nor the committee disseminated these decisions to the CalGang users. Moreover, the committee did not clarify in CalGang policy that these uses are prohibited. Consequently, two of the three agencies asserted that using CalGang to screen employment or military candidates was appropriate. For example, according to a Thousand Oaks sergeant, using CalGang to respond to requests from military recruiters is appropriate because the military does not want to train gang members in the use of weapons and tactics, thus making those individuals more dangerous to the public. Alternatively, the Santa Barbara detective agreed that using CalGang to screen candidates for internal positions or for the military was inappropriate and planned to suggest the agency change its practices. The mix of interpretations is concerning to us and suggests that user agencies need better, and perhaps more frequent, training, as we describe in the next section. The Committee and Node Administrators Cannot Demonstrate They Follow CalGang Training Policy or Best Practices As previously discussed, the board and the committee delegate important tasks to user agencies, such as determining whether reasonable suspicion of criminal activity exists to warrant entering individuals into CalGang. However, the agencies’ abilities to effectively perform these tasks depends in large part on the training their staff Training Topics for CalGang User Agencies receives. Consequently, CalGang policy states The CalGang Node Advisory Committee requires that that the committee will develop, review, and training for user agencies must address the following topics, approve standardized trainings for the staff at at a minimum: user agencies. Although the text box shows the committee’s required training topics for user • The definition of a criminal street gang. agencies, neither the committee nor the two node • The accepted criteria for identifying gang members, administrator agencies we reviewed could affiliates, and adding photos. demonstrate that the committee had developed • The definition of criminal predicate and or approved standardized training materials for reasonable suspicion. statewide use. Instead, each node administrator agency develops its own materials. In addition, we • Local, state, and federal statutes and policies regarding expected to find that the committee had processes criminal intelligence information. in place to identify needed changes and updates to • Physical and technical security. the content of the training materials. For example, • Data dissemination protocols. changes to state law that took effect in 2014 regarding notifying juveniles and their parents or • Practical, hands‑on database use. guardians before entering juveniles into CalGang Source:  California Gang Node Advisory Committee Policy and presented the committee with an opportunity to Procedures for the CalGang System (2007). update CalGang training materials, but we found no evidence that the committee had done so. California State Auditor Report 2015-130 August 2016 The lack of standardized training may have created inconsistencies in how user agencies apply the criminal intelligence requirements the committee has adopted. Specifically, as discussed previously, we found that law enforcement agencies we reviewed did not have adequate support for including 13 individuals within CalGang. Moreover, three agencies responded to our survey that they used CalGang to screen for potential employment, even though this use does not appear to meet the standard of need and right to know for a law enforcement purpose. The appropriate adding to and sharing of information in CalGang is critical to protecting individuals’ right to privacy, yet the committee has failed to fulfill its responsibility to ensure user agencies are effectively trained in those two functions. We also found deficiencies with the committee’s approval of training content for instructors. CalGang policy requires potential instructors to attend a committee‑approved, train‑the‑trainer course and requires node administrators to verify potential instructors’ experience using CalGang. However, neither the committee nor Sonoma and Los Angeles—which are both node administrator agencies—could demonstrate that the committee had approved an instructor training course. In fact, the committee chair—who is also the Los Angeles node administrator—stated that a formalized train‑the‑trainer course does not exist. CalGang policy further states that instructors must complete the 24‑hour user course in addition to a train‑the‑trainer course. However, CalGang instructors cannot obtain the requisite number of training hours because the user training the nodes provide is just 16 hours in length, not the required 24. Finally, the committee has not required users to take periodic refresher trainings so that their skills remain up to date. The committee does not require such trainings, regardless of how long users have maintained CalGang access. In our statewide survey, 86 (46 percent) of the 186 CalGang user agencies that responded to this question indicated that their users could benefit from periodic refresher training. Further, a separate analysis we performed revealed that half of CalGang’s users have had accounts allowing their access to CalGang for six years or more. The full distribution of the length of time users have maintained their accounts is depicted in Figure 4 on the following page. By requiring only an initial training for users, the committee risks that users’ knowledge of CalGang policy will fade over time or not keep pace with changes, thereby jeopardizing the integrity and accuracy of CalGang’s information. CalGang instructors cannot obtain the requisite number of training hours because the user training the nodes provide is just 16 hours in length, not the required 24. 45 46 California State Auditor Report 2015-130 August 2016 Figure 4 Age of Users’ CalGang Accounts 21% 0–2 years 50% USER ACCOUNT AGE 2.01–4 years 4.01–6 years 14 % > 6.01 years 15% Source:  California State Auditor’s analysis of CalGang data obtained from the California Department of Justice as of November 23, 2015. Note:  Because CalGang did not capture user account creation dates until 2009, we were unable to determine the exact age of user accounts older than six years. Law Enforcement Agencies Have Failed to Appropriately Notify Necessary Parties Before Entering Juveniles Into CalGang Because two of the four law enforcement agencies we reviewed did not send all legally required notices before entering juveniles into CalGang, many juveniles and their parents or guardians (parents) were not afforded the right to contest the juveniles’ gang designations. Further, the two agencies that sent the necessary notifications did not provide the juveniles and their parents with adequate information to contest the designations. In fact, responses to our statewide survey of law enforcement agencies revealed that less than 3 percent of juveniles or their parents contested these designations, possibly as a result of their notification letters not containing adequate information. Because the two law enforcement agencies have not complied with state law related to these notifications, they have limited the effectiveness of the juvenile notification process as a means to identify juveniles whom they may have mistakenly added to CalGang as gang members. State law effective January 1, 2014, generally requires law enforcement agencies to send juveniles and their parents notices before adding juveniles to a shared gang database, such as CalGang. Figure 5 depicts the juvenile notification process the state law established. This process requires notifying juveniles and parents or guardians of the basis for the juveniles’ gang designations and of their right to contest the gang designations. The process also describes the limited circumstances in which law enforcement agencies do not have to notify the juveniles and the parents. California State Auditor Report 2015-130 August 2016 Figure 5 The Required Juvenile Notification and Contestation Process as Applied to CalGang A law enforcement officer determines a juvenile meets the minimum criteria required to be designated as a gang member (designation).* DOES AN EXCEPTION EXIST? The law enforcement agency (agency) sends written notice of the designation to the juvenile and his/her parent or guardian (parent). A juvenile or parent contests in writing the juvenile’s designation. The agency has 60 days to review the contestation and respond to the juvenile and parent with written verification of the agency’s decision. The agency adds the juvenile to CalGang and the law enforcement officer affirms that the notice was sent or an exception applied.† The agency does not send a written notice because the notice would do one of the following: • Compromise an ongoing criminal investigation. • Compromise the juvenile’s health or safety. Juvenile’s record remains in CalGang. The agency disagrees with contestation. The agency agrees with contestation. Juvenile’s record deleted from CalGang. Sources:  California State Auditor’s analysis of the Penal Code and the CalGang juvenile-notification process. * A juvenile is defined as an individual who is under 18 years of age. A juvenile can be designated as a gang member or gang affiliate. † If a law enforcement officer indicates in CalGang that the agency did not send a notification because of an exception, the officer must document a detailed reason for the exception. Between January 1, 2014, and November 23, 2015, user agencies added more than 2,200 juveniles to CalGang. Following January 2014, the number of juveniles that user agencies added to CalGang dropped significantly; from 2013 to 2014, the number decreased by 1,134, or 48 percent. In fact, the number of juveniles Sonoma and Santa Clara each added dropped to zero. Officers at each agency asserted that they 47 48 California State Auditor Report 2015-130 August 2016 stopped adding juveniles to CalGang in direct response to the new notification requirements. Specifically, the Sonoma gang enforcement sergeant asserted that Sonoma stopped adding juveniles for reasons that included the administrative burden and his perception that parents frequently refuse to believe their children are associated with a gang and would attack the agency’s motives. On the other hand, Santa Clara’s gang sergeant asserted that his agency no longer adds juveniles to CalGang because it does not have a notification process in place and wants to learn from the processes other agencies have established. However, when user agencies choose not to add juveniles to CalGang to avoid notifying juveniles and their parents or to wait and learn from other agencies’ processes, CalGang becomes a less useful tool for protecting the public from gang violence. As indicated in Table 11, the two user agencies we reviewed—which were limited to Los Angeles and Santa Ana for the reasons just described— were unable to demonstrate that they properly sent letters before adding juveniles to CalGang for all but 35 of the 129 records we reviewed. Specifically, we found that Santa Ana did not send letters to juveniles, but rather only to their parents. Based on interviews with a number of officials, we determined that Santa Ana misinterpreted the law’s requirements. In contrast, Los Angeles has a policy that describes a process that meets the law’s notification requirement, but we found that officers in the five divisions we reviewed—Los Angeles has 21 divisions in total—did not follow the policy. Consequently, Los Angeles could not demonstrate that it sent letters to 29 juveniles and their parents. Moreover, Los Angeles sent notices for 50 juveniles after entering them into CalGang instead of before, as required; in fact, in several instances, it did not send the letters for more than a month after entering the juveniles into CalGang. As reasons for not following state law, officials for Los Angeles cited turnover in officer and administrative staff positions as well as agency staff misunderstanding the requirements. Table 11 Rates of Adherence to State Law Requiring Juvenile Gang Designation From January 2014 Through November 2015 Santa Ana Police Department Los Angeles Police Department Totals TOTAL NUMBER OF JUVENILES’ RECORDS REVIEWED RECORDS FOR WHICH NOTIFICATION REQUIREMENTS WERE MET RECORDS FOR WHICH NOTIFICATION LETTERS WERE NOT SENT [JUVENILE AND/OR THEIR PARENTS*] 15 0 15 RECORDS FOR WHICH NOTIFICATION LETTERS WERE SENT AFTER CALGANG ENTRY [JUVENILE OR THE PARENTS] 0 114 35 29 50 129 35 44 50 Percent of total juveniles’ records reviewed ————————> 27% 34% 39% 73% Sources:  California State Auditor’s analysis of juvenile notification letters and other documents for the law enforcement agencies listed. * Because state law requires law enforcement agencies to send notification letters to the juvenile and their parents or guardians (parents), this column represents instances in which law enforcement agencies did not send letters to either party and both parties. California State Auditor Report 2015-130 August 2016 We also determined that Los Angeles’s and Santa Ana’s notices were inadequate because they did not provide the bases the agencies used for the juveniles’ gang designations. Although state law requires law enforcement agencies to provide the bases for gang designations, the law does not specify what information the agencies need to include to fulfill that requirement. A bill analysis on the juvenile notification law states that the basis for a gang designation would be source documents, such as arrest reports and field interview cards, indicating that the person met the criteria for being considered a gang member. However, the notification letters Los Angeles and Santa Ana sent offered only conclusory language that was so vague it did not fully inform the juveniles and parents of the contacts or analyses that led to the designations. The text box cites the relevant language the agencies included in their letters to parents. Although the Los Angeles letters invite juveniles and parents to contact an officer with their questions, neither letter cites the specific criteria the agency used for identifying juveniles as members of gangs. Excerpts From Juvenile Notification Letters Law Enforcement Agencies Sent to Parents Los Angeles Police Department (Los Angeles) On __[date]__, your son/daughter, __[name]_, was involved in a field contact by officers from the Los Angeles Police Department. As a result, information relative to __[name]___ participation in or association with an active street gang was discovered. The contact met the minimum criteria required by state law to identify him/her as an active gang member or active affiliate gang member. Therefore, his/her name and gang affiliation will be entered into the department’s computerized shared gang database. Santa Ana Police Department (Santa Ana) On __[date]__, your son/daughter, __[name]__, was contacted by Officers from the Santa Ana Police Department. As a result of a law enforcement officer’s investigation, your child’s participation in or association with an active criminal street gang has been included in our files based upon two or more of the following criteria, including but not limited to: arrest and/or associating with criminal street gang members, frequenting gang area, gang indicia, statements made by a contacted individual. Sources:  Los Angeles’s and Santa Ana’s juvenile notification letter templates. Without knowing law enforcement agencies’ bases for suspecting gang membership, juveniles and their parents do not have sufficient information to meaningfully challenge those agencies’ decisions to add the juveniles to CalGang. Part of the Legislature’s intent in developing the notification process was to ensure that user agencies did not incorrectly enter juveniles into CalGang. However, parents and juveniles cannot contest juvenile gang designations effectively, if at all, without knowing the criteria user agencies determined the juveniles met. Because of the lack of information in the juvenile notification letters, parents sometimes submitted letters that simply stated that their children were not gang members. Other parents submitted character references from school principals and church leaders or descriptions of their own efforts to keep their children away from gangs. These types of responses—which are the result of the lack of information the user agencies provided—do not help the agencies identify mistakes they may have made when concluding that juveniles met the criteria for entry into CalGang. Thus, the insufficient notification letters have disadvantaged the law enforcement agencies, juveniles, and parents. We found that few juveniles and parents contested gang designations and that—contrary to state law—the two user agencies generally responded only to the party that contested the designation which only partially fulfilled the law. Table 12 on the following page 49 50 California State Auditor Report 2015-130 August 2016 summarizes the number and rate of contested juvenile gang designations for Los Angeles and Santa Ana, as well as the results from our survey of 329 law enforcement agencies. Santa Ana’s higher rate of contestations may be the result of its notification process. Specifically, it sends notices to parents each time a contact with a law enforcement officer results in an update to a juvenile’s CalGang record. This process, which results in multiple letters to parents, exceeds the requirements of state law. Although the law requires that agencies inform both juveniles and parents of their decisions in response to contestations, we found that the two user agencies generally responded only to the party that contested the designation. Table 12 Contestations of Juvenile Gang Designations at Two Law Enforcement Agencies and Statewide From January 1, 2014, Through October 31, 2015 Number of juveniles LOS ANGELES POLICE DEPARTMENT (LOS ANGELES) SANTA ANA POLICE DEPARTMENT (SANTA ANA) STATEWIDE SURVEY RESULTS* 381 140 1,705 5 19† Contestation rate 1% 14%† Number of juveniles removed from CalGang in response to a contestation 0 Number of contestations received 7 47 3% 15 Sources:  California State Auditor’s analysis of Los Angeles’s and Santa Ana’s juvenile notification records and other documents, and unaudited statewide survey results. * These numbers represent self‑reported data from our statewide survey. † Santa Ana’s process requires it to send a letter to a juvenile’s parents for each law enforcement contact the juvenile has that results in it creating or updating a CalGang record. Sending multiple letters to parents likely contributed to the higher contestation rate in Santa Ana. Although the law provides two reasons to justify law enforcement agencies’ decisions not to notify juveniles and their parents before adding the juveniles into CalGang, we found that the user agencies rarely use these options. Specifically, as Figure 5 on page 47 illustrates, law enforcement agencies can choose not to notify juveniles and their parents if they believe doing so will compromise either ongoing criminal investigations or the juveniles’ health or safety. However, based on our reviews of Santa Ana and Los Angeles, as well as the responses from our statewide survey, we determined that law enforcement agencies rarely choose not to send notices for these two reasons. In fact, Santa Ana has not used either option since the law went into effect in 2014, and Los Angeles documented using these options for just five juveniles. Further, the responses from our survey suggest that user agencies statewide documented only 10 additional instances in which the agencies justified not sending notices for the exceptions provided in law. California State Auditor Report 2015-130 August 2016 In response to our concerns about their juvenile notification practices, officials with Los Angeles and Santa Ana asserted they would take corrective actions. A detective who serves as the Los Angeles node administrator is working to implement a juvenile notification review process in which staff will review all juveniles Los Angeles officers entered since January 1, 2014 and document whether officers fulfilled the requirements of state law. If juveniles do not meet the law’s requirements, the detective’s plan is to delete the juvenile, send proper notification, and reenter the juvenile into CalGang. The detective is also planning to implement a process in which he will review some juveniles each month to ensure adherence to the law’s requirements. Similarly, a commander from Santa Ana provided updated letter templates for both juveniles and their parents. However, the letters’ text still does not provide the bases for the juvenile’s designation as a gang member. According to the commander, Santa Ana chose not to include more specific information because it believes the letter gives parents and juveniles a sense of the behavior that led to the juveniles’ contacts with the law enforcement officers. He also stated that providing specifics about contacts would focus arguments on the contacts or incentivize juveniles to stop certain behaviors purely to prevent police detection, which are outcomes he does not believe would be productive. He stated that the benefit of the juvenile notification law is the conversations it can initiate among parents, juveniles, and law enforcement officers related to the resources the agency may provide to keep the juveniles away from and out of gangs. However, we believe that for these conversations to be productive, parents need specific information about the nature of their children’s contacts with law enforcement officers. Notwithstanding Los Angeles’s and Santa Ana’s failures to properly implement state law, we recognize that both agencies have demonstrated a commitment to the juveniles they suspect are gang members. Los Angeles has contacted parents about juveniles’ gang designations through letters, calls, or in‑person meetings since at least 1998. Moreover, the letters Los Angeles currently sends to parents and juveniles invite them to contact officers about questions and to learn about community programs. Similarly, since about 1989 Santa Ana has notified juveniles that their involvement with gangs could subject them to criminal prosecution. Although this notice does not reference CalGang, it makes very clear that the agency has determined the juveniles are a part of or associated with specific gangs; in fact, the agency uses documentation from these notices to add individuals to CalGang. After the implementation of the juvenile notification law in 2014, Santa Ana exceeded the law’s requirements by notifying parents after each contact juveniles had with police that resulted in updates to their records. In response to our concerns about their juvenile notification practices, officials with Los Angeles and Santa Ana asserted they would take corrective actions. 51 52 California State Auditor Report 2015-130 August 2016 Moreover, Santa Ana’s process when it receives a contestation letter represents a best practice that we believe could be the basis for statewide standards. Specifically, at Santa Ana a police investigator assembles background information on the juvenile’s case, and a corporal calls the family to discuss the juvenile’s entry into CalGang. Following the review and conversation, the corporal decides whether the juvenile should remain in CalGang. Santa Ana’s approach has resulted in it removing from CalGang more than a third of the juveniles who were the subject of contestations by the juveniles or their parents. This approach establishes relationships that can lead to a better understanding of juveniles’ situations for both the officers and the families, and it also achieves greater data accuracy for the law enforcement agencies using CalGang. Governmental Oversight and Increased Public Participation Could Strengthen CalGang’s Usefulness and Better Ensure It Protects Individuals’ Rights State and local law enforcement officials assert that CalGang is an important tool because it helps them to quickly identify information necessary to solve or prosecute gang crimes. User agencies’ success stories chronicle how they used CalGang to identify homicide victims and suspects through physical descriptions, like their tattoos, and to link local crimes to suspects or to crimes in other communities. For example, an officer in Salinas posted a testimonial in CalGang noting that he used CalGang to identify a murder suspect using a name, physical description, and believed gang affiliation. Witnesses then verified the suspect in a photo lineup, leading to his arrest for murder. Upon conviction, the courts sentenced the man with gang enhancements—years added to a prison term when an individual commits a crime to promote or assist a gang. The officer praised CalGang and encouraged other CalGang users to provide as much information as possible in their CalGang entries because even a minor gang contact could help solve a murder. We believe state law should be adopted that assigns Justice the responsibility for overseeing CalGang and for ensuring user agencies meet all the relevant requirements. However, because of its potential to enhance public safety, CalGang needs an oversight structure that better ensures that the data entered into it are reliable and that its users adhere to the requirements that protect individuals’ rights. To this end, we believe the Legislature should adopt state law that specifies that CalGang, or any equivalent statewide shared gang database, must operate under defined requirements. We believe these requirements should encompass the federal regulations and key safeguards from the state guidelines, including supervisory and periodic record reviews. Further, we believe state law should assign Justice the responsibility for overseeing CalGang and for ensuring user agencies meet all the relevant requirements. Establishing Justice as a centralized oversight entity California State Auditor Report 2015-130 August 2016 responsible for establishing best practices and holding user agencies accountable for implementing these practices will help ensure CalGang’s accuracy and safeguard individuals’ privacy protections. Moreover, we believe state law should create a technical advisory committee to provide Justice information about CalGang’s use and user agencies’ needs. Figure 6 on the following page illustrates what, in our view, would be a stronger oversight structure for CalGang. The Legislature also has an opportunity to set standards for transparency and public participation where none currently exist. Generally, CalGang’s current operations are outside of public view. As previously discussed, we found that the CalGang users self‑administer the committee’s audits and that they do not meaningfully report the results to the board, the committee, or the public. Further, CalGang’s governance does not meet in public, and neither the board nor the committee invites public participation by posting meeting dates, agendas, or reports about CalGang. Increased transparency in CalGang’s governance and operations could strengthen the public’s confidence in the system. For example, although the proposed technical advisory committee would likely need to close parts of its meetings to protect criminal intelligence information, we believe other parts of its meetings should be open and should comply with open‑meeting requirements. Further, requiring Justice either to conduct or to hire an external entity to conduct periodic audits would shed light on aspects of CalGang’s privacy safeguards that do not operate effectively and should help lead to necessary corrective actions. In addition, we recommend that the Legislature require Justice to develop annual reports that include CalGang statistics and summary‑level audit results. Justice should make these reports available for public comment and, in subsequent annual reports, summarize public concerns and the actions Justice has taken to address them. Finally, establishing CalGang as a public program would create opportunities for public participation through the legislative and regulatory processes. As the Legislature drafts the bill that will provide for CalGang’s new oversight structure and framework, law enforcement officials and the public will have opportunities to express their concerns and needs. Using the regulatory process to establish requirements for user agencies will provide the public and law enforcement agencies an opportunity to comment on and help guide how the requirements are developed. Increased transparency in CalGang’s governance and operations could strengthen the public’s confidence in the system. 53 54 California State Auditor Report 2015-130 August 2016 Figure 6 A Model for More Transparent and Accountable Oversight for a Shared Gang Database Public process Non-public process THE LEGISLATURE Key Legislative Actions Establish requirements for CalGang, or any equivalent statewide shared gang database, in state law as detailed below. Require the database to comply with federal regulations and important safeguards from the state guidelines.* LAW Make the California Department of Justice (Justice) responsible for the database Create a technical advisory committee TECHNICAL ADVISORY COMMITTEE JUSTICE Key Requirements to be Specified in Law Key Requirements to be Specified in Law Engage in a regulatory process to define important requirements like gang member criteria. Conduct or hire an external entity to conduct periodic audits. Advise Justice of best practices, database use, and database needs. Collaborate Periodically review policies and procedures to provide suggestions to Justice for their improvement. Standardize training and ensure it is periodically provided to all end users. Obtain public input when appropriate. Publish an annual report with key statistics and summary audit results. Invite, assess, and act on public comments. USERS Voluntarily participate Key Requirements to be Specified in Law Oversee Implement supervisory review procedures. Implement periodic record reviews and report the results to Justice. Source:  Based on the California State Auditor’s recommendations to the Legislature. * State guidelines refers to Justice’s Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities, November 2007. California State Auditor Report 2015-130 August 2016 Recommendations The Legislature To ensure that CalGang, or any equivalent statewide shared gang database, has an oversight structure that supports accountability for proper database use and for protecting individuals’ rights, the Legislature should do the following: • Designate Justice as the state agency responsible for administering and overseeing CalGang or any equivalent statewide shared gang database. • Require that CalGang or any equivalent statewide shared gang database adhere to federal regulations and relevant safeguards from the state guidelines, including supervisory reviews of database entries and regular reviews of all records. • Specify that Justice’s oversight responsibilities include developing and implementing standardized periodic training as well as conducting—or hiring an external entity to conduct— periodic audits of CalGang or any equivalent statewide shared gang database. To promote public participation in key issues that may affect California’s citizens and to help ensure consistency in the use of any shared gang database, the Legislature should require Justice to interpret and implement shared gang database requirements through the regulatory process. This process should include public hearings and should address the following: • Adopting requirements for entering and reviewing gang designations, including establishing a retention period for gangs. • Adopting criteria for identifying gang members. These criteria should define which offenses are consistent with gang activity. • Specifying how user agencies will operate any statewide shared gang database, including requiring user agencies to implement supervisory review procedures and periodic record reviews. The user agencies should report the results of the reviews to Justice. • Standardizing practices for user agencies to adhere to the State’s juvenile notification requirements, including guidelines for documenting and communicating the bases for juveniles’ gang designations. 55 56 California State Auditor Report 2015-130 August 2016 To ensure transparency, the Legislature should require Justice to publish an annual report with key shared gang database statistics— such as the number of individuals added to and removed from the database—and summary results from periodic audits conducted by Justice or an external entity. Further, the Legislature should require Justice to invite and assess public comments following the report’s release. Subsequent annual reports should summarize any public comments Justice received and actions it took in response. To help ensure that Justice has the technical information it needs to make certain that CalGang or any equivalent shared gang database remains an important law enforcement tool, the Legislature should establish a technical advisory committee to advise Justice about database use, database needs, database protection, and any necessary updates to policies and procedures. The Legislature should specify the qualifications for membership in the technical advisory committee, which should include representatives from local and state agencies that use the shared gang database. Further, it should require that the committee meet at least twice a year and adhere to the Bagley‑Keene Open Meeting Act and other relevant open‑meeting laws. Justice As the Legislature considers creating a public program for shared gang database oversight and accountability, Justice should guide the board and the committee to identify and address the shortcomings that exist in CalGang’s current operations and oversight. The guidance Justice provides to the board and the committee should address, but not be limited to, the following areas: • Developing best practices based on the requirements stated in the federal regulations, the state guidelines and state law, and advising user agencies on the implementation of those practices. The best practices should include, but not be limited to, reviewing criminal intelligence, appropriately disseminating information, performing robust audit practices, establishing plans to recover from disasters, and meeting all of the State’s juvenile notification law requirements. Justice should guide the board and the committee to develop these best practices by June 30, 2017. • Instructing user agencies that use CalGang to complete a comprehensive review of all the gangs documented in CalGang to determine if they meet the necessary requirements for inclusion and to purge from CalGang any groups that do not California State Auditor Report 2015-130 August 2016 meet the requirements. Justice should guide the board and the committee to ensure that user agencies complete this review in phases, with the final phase to be completed by June 30, 2018. • Instructing all user agencies to complete a comprehensive review of the records in CalGang to determine if the user agencies have adequate support for the criteria associated with all the individuals they have entered as gang members. If the user agencies do not have adequate support, they should immediately purge the criteria—and, if necessary, the individuals—from CalGang. In addition, the user agencies should ensure that all the fields in each CalGang record are accurate. Justice should guide the board and the committee to ensure that user agencies complete this review in phases, with the final phase to be completed by September 30, 2019. • Instructing all user agencies to report to Justice every six months, beginning in January 2017, on their progress toward completing their gang and gang member reviews. • Developing standardized periodic training content for all CalGang users and training instructors. Justice should guide the board and the committee to develop such standardized training content by June 30, 2017. • Establishing a plan to recertify all CalGang users and training instructors on the new training content. Justice should guide the board and the committee to complete the draft plan by June 30, 2017, and the recertification training by June 30, 2018. • Developing policies and procedures requiring the disabling of user accounts for all individuals who no longer have a need to or right to access CalGang because they have separated from their employment with user agencies or for other reasons. Justice should guide the board and the committee to identify and disable all such accounts by September 30, 2016. • Determining what steps must be taken to upgrade CalGang’s controls to ensure that CalGang will automatically purge all individuals whose records have not been updated by user agencies for five years. To promote transparency and hold the board, the committee, and user agencies accountable for implementing and adhering to criminal intelligence safeguards, Justice should post quarterly reports on its website, beginning June 30, 2017, that summarize how it has guided the board and the committee to implement and adhere to criminal intelligence safeguards; the progress the board, the committee, and the user agencies have made in implementing 57 58 California State Auditor Report 2015-130 August 2016 and adhering to these safeguards; the steps these entities still must take to implement these safeguards; and any barriers to the board’s and the committee’s success in achieving these goals. To promote transparency and encourage public participation in CalGang’s meetings, Justice should post the following information to its website unless doing so would compromise criminal intelligence information or other information that must be shielded from public release: • Summary results from the committee’s audits of CalGang records. • The agendas, minutes, and referenced attachments for all future board and committee meetings, as well as all other documents of significance such as letters, memos, or agreements. • From the past five years, all available agendas, minutes, and referenced attachments from scheduled and ad hoc board and committee meetings, as well as all other documents of significance. Justice should post these materials by October 31, 2016. If Justice believes it needs additional resources to guide the board and the committee to identify and address the shortcomings that exist in CalGang’s current operations and oversight, to report on the board and committee’s progress in addressing CalGang’s shortcomings, and to post necessary information to its website, Justice should take steps to secure the resources it needs. Law Enforcement Agencies Until they receive further direction from the board, the committee, or Justice, the law enforcement agencies we reviewed—the Los Angeles Police Department, the Santa Ana Police Department, the Santa Clara County Sheriff ’s Office, and the Sonoma County Sheriff ’s Office—should address the specific deficiencies we found by taking the following actions: • Begin reviewing the gangs they have entered into CalGang to ensure the gangs meet reasonable suspicion requirements. They should also begin reviewing the gang members they have entered into CalGang to ensure the existence of proper support for each criterion. They should purge from CalGang any records for gangs or gang members that do not meet the criteria for entry. Individuals who are independent from the ongoing administration and use of CalGang should lead this review. The agencies should complete the gang and gang member reviews California State Auditor Report 2015-130 August 2016 in phases, with the final phase for gangs to be completed by June 30, 2018, and the final phase for gang members to be completed by June 30, 2019. • Develop or modify as necessary all their policies and procedures related to CalGang to ensure they align with state law, CalGang policy, the federal regulations, and the state guidelines. In particular, the law enforcement agencies should implement appropriate policies and procedures for entering gangs; performing supervisory reviews of gang and gang member entries; performing periodic CalGang record reviews; sharing CalGang information; and complying with juvenile notification requirements. The law enforcement agencies should complete this recommendation by March 31, 2017. We conducted this audit under the authority vested in the California State Auditor by Section 8543 et seq. of the California Government Code and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives specified in the Scope and Methodology section of the report. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Respectfully submitted, ELAINE M. HOWLE, CPA State Auditor Date: August 11, 2016 Staff: Benjamin M. Belnap, CIA, Deputy State Auditor Sharon L. Fuller, CPA Kathryn Cardenas, MPPA Brianna J. Carlson Lisa J. Sophie, MPH IT Audits: Michelle J. Baur, CISA, Audit Principal Lindsay M. Harris, MBA, CISA Ben Ward, ACDA, CISA Ryan P. Coe, MBA, CISA Legal Counsel: Stephanie Ramirez‑Ridgeway, Senior Staff Counsel For questions regarding the contents of this report, please contact Margarita Fernández, Chief of Public Affairs, at 916.445.0255. 59 60 California State Auditor Report 2015-130 August 2016 Blank page inserted for reproduction purposes only. California State Auditor Report 2015-130 August 2016 Appendix A SUMMARY OF SELECTED CALGANG SURVEY RESPONSES The Joint Legislative Audit Committee requested that we survey local agencies for information about their CalGang use. We surveyed 329 agencies statewide, which we selected without regard to whether they used CalGang. As shown in Figure A on the following page, we surveyed a wide variety of law enforcement and related agencies. For example, we surveyed police departments, sheriff ’s offices, probation departments, and school district police departments. We generally selected police departments based on the number of identified gang members or gangs in the counties in which they were located. Finally, we surveyed three state agencies: the California Department of Justice, the Department of Corrections and Rehabilitation, and the California Highway Patrol.11 Our survey population encompassed all the agencies the California Gang Node Advisory Committee identified as participating in maintaining CalGang nodes as of September 2015, two of which were district attorney’s offices. Figure A summarizes the response rate by agency type for the agencies we surveyed. We received 252 responses (77 percent) to the 329 surveys we sent. Seventy‑seven agencies we surveyed did not respond. Table A.1 on page 63 lists those agencies. Summary of Survey Results Related to Adults’ Requests for Removal From CalGang In our survey, we asked the agencies how many requests by adults for removal from CalGang they had received from 2010 through 2014 and how they had handled these requests.12 Currently no requirement exists that agencies remove adults from CalGang upon their request. Of the 191 agencies that answered this question, only six reported having received requests from adults who believed they were in CalGang. Those six agencies estimated that they had received a total of between seven and eight requests each year from adults asking to be removed from CalGang. However, they stated that none of these requests resulted in removals. 11 The California Highway Patrol consists of a headquarters and eight divisions, and we surveyed each. 12 We discuss juvenile notifications and requests for removal from CalGang in the Audit Results beginning on page 46. 61 62 California State Auditor Report 2015-130 August 2016 Figure A Rate of Survey Response by Agency Type 178 180 Sent 160 Responded 138 140 120 100 80 59 60 57 46 45 40 22 20 0 2 District Attorney’s Offices* 11 11 1 Police Departments Probation Departments School District Police Departments Sheriff’s Offices 11 State Agencies† Source:  California State Auditor’s analysis of agencies that responded to the survey. * We surveyed two district attorney’s offices because each participated in maintaining a CalGang node. † We surveyed the California Highway Patrol’s headquarters and its eight divisions as well as the California Department of Justice and the Department of Corrections and Rehabilitation. We also asked the agencies that we surveyed if they notified adults when they removed them from CalGang. Although CalGang policy does not require such notifications, a number of agencies responded that they provide them. Table A.2 on page 64 summarizes the survey questions and the responses. The Table shows that at least 188 agencies responded to each of the three questions about notifying adults, and between 4 percent and 11 percent of respondents indicated that they notify adults regarding various actions that they take to remove the adults from CalGang. As shown in the Table, 21 agencies responded that they notify adults when they remove them from CalGang in response to requests for removal, which seems inconsistent with the fact that only six agencies responded that they had received such requests between 2010 and 2014. One possible explanation for the discrepancy may be that some agencies did not receive requests for removal from adults but responded to our question in terms of the processes they have in place to notify adults if they were to receive requests for removal. California State Auditor Report 2015-130 August 2016 Table A.1 Agencies That Did Not Respond to the CalGang Survey AGENCY NAME AGENCY NAME Alameda Police Department Petaluma Police Department Amador County Probation Department* Palo Alto Police Department Baldwin Park School Police Department Plumas County Probation Department Banning Police Department Plumas County Sheriff’s Office Barstow Police Department Pomona Unified School District Security Department Calaveras County Sheriff’s Office Redwood City Police Department California City Police Department Riverbank Police Department Citrus Heights Police Department Riverside Police Department Clovis Unified School District Police Department San Benito County Probation Department Coronado Police Department San Benito County Sheriff’s Office Covina Police Department San Bernardino Unified School District Police Department Del Norte County Sheriff’s Office San Clemente Police Department El Rancho Unified School District Police Department San Jacinto Police Department Firebaugh Police Department San Luis Obispo Police Department Fontana Unified School District Police Department* San Mateo County Sheriff’s Office Glenn County Sheriff’s Office San Mateo Police Department Goleta Police Department Sanger Police Department Huntington Park Police Department Santa Clara County Probation Department Inglewood Unified School District Police Department* Santa Clara Police Department Inyo County Probation Department Santa Cruz Police Department Kern High School District Police Department Shafter Police Department Lake County Probation Department Shasta County Probation Department Livingston Police Department Sierra Madre Police Department Lodi Police Department Siskiyou County Probation Department* Los Angeles County Probation Department Siskiyou County Sheriff’s Office Los Angeles School Police Department* Solano County Sheriff’s Office Los Banos Police Department Soledad Police Department Madera County Probation Department South Gate Police Department Madera County Sheriff’s Office South Lake Tahoe Police Department McFarland Police Department South Pasadena Police Department Mendocino County Probation Department Taft Police Department Modoc County Probation Department Tehachapi Police Department* Montebello Unified School District Police Department Tehama County Sheriff’s Department Monterey Park Police Department Tuolumne County Probation Department Orange County District Attorney’s Office Ukiah Police Department Orange County Sheriff’s Department West Contra Costa Unified School District Police Department Oroville Police Department Windsor Police Department Palos Verdes Estates Police Department Yolo County Sheriff’s Department Perris Police Department Source:  California State Auditor’s analysis of the agencies we surveyed compared to the agencies that submitted responses. * These agencies contacted the California State Auditor’s Office to explain that they missed the survey deadline; generally, they asserted that this was a result of mail delays within the agencies. 63 64 California State Auditor Report 2015-130 August 2016 Table A.2 Summary of the Number of Agencies That Reported Notifying Adults Regarding Their Removal From CalGang RESPONSES YES NO PERCENTAGE RESPONDING YES . . . It removes them from CalGang in response to a request for removal? 188 21 167 11% . . . They are removed from CalGang as part of the automatic five-year system purge? 190 8 182 4 . . . It removes them from CalGang for any other reason, such as the result of an audit? 190 9 181 5 DOES YOUR AGENCY NOTIFY ADULTS WHEN . . . Source:  California State Auditor’s analysis of survey responses. Summary of Survey Results Related to Requests for CalGang Information Table A.3 summarizes the estimated number of requests for CalGang information our survey respondents received and responded to between January 1, 2014, and October 31, 2015. According to the survey responses, they most commonly received internal requests from law enforcement officials. We discuss the employment- and military‑related screening requests in the Audit Results on pages 43 and 44. Table A.3 The Number of Requests for CalGang Information Agencies Estimated They Received and Responded to Between January 1, 2014, and October 31, 2015 TYPE OF INFORMATION REQUEST NUMBER OF REQUESTS RECEIVED NUMBER OF REQUESTS RESPONDED TO Public Records Act request for CalGang aggregate data 8 38* Public Records Act request for specific information on a CalGang subject 20 7 169 169 Legal request by a court, attorney, or judge Internal request by a law enforcement official within an agency External request by a local, state, or federal law enforcement official 5,633 5,641* 513 606* Media request by a newspaper, radio station, television station, etc. 3 2 Public-benefit‑related request for public housing, financial assistance, or school financial aid 3 0 238 210 6,587 6,673 Employment-related request for background checks or hiring decisions Totals Source:  California State Auditor’s analysis of survey responses. * For this information category, the agencies reported responding to more information requests than they received. The data presented in this Table is based on the agencies’ responses, and thus, we do not know the exact reasons for the differences; it is possible that the agencies counted information requests that they responded to during our audit period but received in an earlier period. California State Auditor Report 2015-130 August 2016 Appendix B DEMOGRAPHICS OF INDIVIDUALS IN CALGANG BY LOCATION, TYPE, GENDER, AGE, AND RACE In the Introduction, we present two figures summarizing information about individuals in CalGang as of November 23, 2015. Specifically, Figure 1 on page 10 summarizes the number of gang members and affiliates by county based on the location of the law enforcement agency that entered the individuals into CalGang, and Figure 2 on page 12 shows the demographic breakdown of individuals by race, gender, and age. We present this information in more detail in Table B on pages 66 and 67. In total, more than 150,000 individuals had records in the CalGang system as of November 23, 2015, more than 64,000 of which were entered by the law enforcement agencies in Los Angeles County alone. Eleven California counties—Alpine, Del Norte, Glenn, Imperial, Mariposa, Modoc, Mono, Plumas, San Benito, Sierra, and Trinity— do not appear in the Table because the law enforcement agencies in those counties had not created the records for any of the individuals who were in CalGang as of November 23, 2015. However, some of the individuals in CalGang may reside in these counties. For example, if a law enforcement officer in Los Angeles County entered an individual who resides in Imperial County into CalGang, our analysyis presented in the Table on the following pages would assign that individual’s record to Los Angeles County. 65 11 Amador 5 99 3,740 14 96 33 Kern Kings Lake Lassen 10,434 Orange Riverside 9,618 292 18 Placer 412 Nevada 1,296 Napa 1,018 86 Mendocino Monterey 177 Marin Merced 95 Madera 64,384 3 Los Angeles 3 Inyo 10,205 Humboldt Fresno El Dorado 1,023 Colusa Contra Costa 1 Calaveras 1,075 4,513 Alameda Butte 150,432 Statewide COUNTY † TOTAL NUMBER OF INDIVIDUALS 94.29 98.97 5.71 1.03 10.22 5.56 89.78 4.13 94.44 0.31 2.26 5.81 2.82 – 9.17 – – – 7.35 – – 0.23 7.07 0.98 – – 13.49 – 10.86 7.60% AFFILIATES 95.87 99.69 97.74 94.19 97.18 100.00 90.83 100.00 100.00 100.00 92.65 100.00 100.00 99.77 92.93 99.02 100.00 100.00 86.51 100.00 89.14 92.40% GANG MEMBERS TYPE 93.97 94.86 93.26 94.44 92.72 94.29 95.68 98.84 93.79 100.00 92.14 96.97 97.92 100.00 95.43 66.67 100.00 94.70 91.92 97.07 80.00 100.00 92.28 100.00 91.96 93.09% MALE 6.03 5.14 6.74 5.56 7.28 5.71 4.32 1.16 6.21 – 7.86 3.03 2.08 – 4.57 33.33 – 5.30 8.08 2.93 20.00 – 7.72 – 8.04 6.78% FEMALE GENDER – – – – – – – – – – – – – – – – – – – – – – – – – 0.14% NOT IDENTIFIED 1.27 0.34 4.67 – 9.95 0.08 3.54 1.16 1.13 – 1.71 – – – 1.02 – – 0.24 – 1.17 – – 3.16 9.09 2.33 50.64 47.60 67.26 50.00 83.50 62.73 77.31 65.12 82.49 49.47 56.89 42.42 46.88 71.43 52.51 66.67 – 47.54 61.62 65.69 100.00 – 58.14 90.91 60.12 57.26% 18–30 30.05 – 29.36 33.61% 31–45 39.02 43.15 23.66 44.44 5.83 32.48 17.58 26.74 14.69 42.11 33.67 51.52 47.92 21.43 39.28 33.33 100.00 43.20 31.31 27.37 – 100.00 AGE* 9.07 8.90 4.41 5.56 0.73 4.71 1.57 6.98 1.69 8.42 7.73 6.06 5.21 7.14 7.19 – – 9.02 7.07 5.77 – – 8.65 – 8.20 7.42% 46+ PERCENTAGE OF INDIVIDUALS BY CATEGORY 1.72% 0–17 Table B Demographics of Individuals in CalGang by Location, Type, Gender, Age, and Race 0.55 2.74 5.23 11.11 0.24 0.62 3.73 – 0.56 – 1.71 – 1.04 – 0.27 – – 3.55 – 1.27 – – 4.74 – 3.66 2.27% ASIAN/ PACIFIC ISLANDER 16.8 6.16 1.90 – 0.97 2.08 9.82 1.16 12.99 5.26 29.99 6.06 3.13 7.14 18.10 – – 12.53 5.05 17.11 – – 5.02 9.09 15.87 20.54% BLACK 65.21 50.00 80.53 55.56 89.08 93.90 78.78 59.30 73.45 81.05 60.15 39.39 52.08 85.71 65.40 – 66.67 71.66 48.48 63.83 40.00 100.00 42.51 54.55 67.16 64.93% HISPANIC RACE 12.68 36.64 6.78 33.33 7.77 2.31 6.09 15.12 9.60 12.63 4.06 39.39 36.46 7.14 15.91 – 33.33 10.60 44.44 14.66 60.00 – 34.05 36.36 11.85 8.17% WHITE 0.49 1.03 0.21 – – 0.31 0.39 24.42 1.69 – 0.37 6.06 5.21 – 0.11 100.00 – 0.76 2.02 0.98 – – 2.60 – 0.66 0.57% OTHER‡ 4.26 3.42 5.35 – 1.94 0.77 1.18 – 1.69 1.05 3.72 9.09 2.08 – 0.21 – – 0.89 – 2.15 – – 11.07 – 0.80 3.53% NOT IDENTIFIED 66 California State Auditor Report 2015-130 August 2016 697 572 1.40 3.01 96.99 – 5.38 – 1.28 4.88 – 23.84 32.16 5.20 12.50 – 3.31 5.02 17.10 0.82 2.87 1.01 0.29 4.75 5.42 1.67% AFFILIATES 98.60 100.00 94.62 100.00 98.72 95.12 100.00 76.16 67.84 94.80 87.50 100.00 96.69 94.98 82.90 99.18 97.13 98.99 99.71 95.25 94.58 98.33% GANG MEMBERS 96.99 90.38 100.00 96.02 100.00 96.42 100.00 83.10 88.28 75.52 96.53 87.50 94.00 97.24 94.16 96.08 96.81 94.12 97.83 95.37 95.98 94.58 94.98% MALE 3.01 9.62 – 3.98 – 3.58 – 16.90 11.72 13.99 3.47 12.50 6.00 2.76 5.84 3.79 3.19 5.88 2.17 4.63 4.02 5.42 5.02% FEMALE GENDER – – – – – – – – – 10.48 – – – – – 0.13% – – – – – – – NOT IDENTIFIED 0.28 9.62 – 0.86 – 1.35 – 5.76 1.25 2.09 1.16 – 2.80 2.39 1.55 0.39 0.64 6.89 1.45 – 1.96 0.31 2.93% 0–17 46.13 61.89 28.57 73.41 – 75.73 70.73 60.82 69.11 67.84 80.35 75.00 51.60 77.16 62.28 66.58 75.39 61.69 75.69 48.63 70.81 42.68 66.03% 18–30 AGE* 46.19 24.48 57.14 22.82 75.00 20.96 26.83 28.94 24.45 24.12 16.18 25.00 38.40 17.86 28.81 30.16 22.24 26.83 21.42 41.24 24.61 45.39 22.43% 31–45 7.40 4.02 14.29 2.91 25.00 1.96 2.44 4.48 5.20 5.95 2.31 – 7.20 2.58 7.35 2.87 1.73 4.59 1.45 10.13 2.63 11.62 8.62% 46+ PERCENTAGE OF INDIVIDUALS BY CATEGORY 4.28 5.42 – 0.22 – 3.38 2.44 0.64 3.26 1.48 – – 0.80 – 3.68 0.13 1.00 0.57 3.62 1.01 6.37 0.64 5.36% ASIAN/ PACIFIC ISLANDER 22.98 8.39 – 1.18 – 2.64 – 5.51 4.51 5.60 6.94 12.50 8.00 1.66 2.07 2.09 2.19 1.00 5.35 22.58 25.27 26.48 16.65% BLACK 63.55 56.47 85.71 90.74 100.00 87.96 65.85 67.09 71.45 55.78 85.55 37.50 28.40 80.48 85.75 91.12 61.71 69.44 81.91 22.43 60.96 58.40 50.71% HISPANIC RACE 7.12 27.80 14.29 5.17 – 3.92 29.27 24.71 17.64 22.65 5.20 37.50 58.40 14.36 6.35 3.92 4.01 25.97 8.25 3.62 3.18 12.23 25.52% WHITE 0.11 1.05 – 0.11 – 0.20 – 1.02 0.32 2.44 1.16 12.50 3.60 – 0.36 0.26 0.36 0.57 0.43 4.49 0.80 0.99 0.50% OTHER‡ 1.95 0.87 – 2.58 – 1.89 2.44 1.02 2.82 12.06 1.16 – 0.80 3.50 1.80 2.48 30.72 2.44 0.43 45.88 3.42 1.26 1.26% NOT IDENTIFIED Source:  California State Auditor’s analysis of CalGang data obtained from the California Department of Justice as of November 23, 2015. Note:  Some percentages may not sum to 100 due to rounding. * Because the CalGang data may include multiple birthdates for an individual, we used the birthdate that was confirmed by a law enforcement agency to determine the age of the individual. If a confirmed birthdate did not exist, we used the most recent birthdate entered into CalGang for that individual. † We assigned gang members and affiliates based on the location of the law enforcement agency that initially entered them into CalGang. The counties of Alpine, Del Norte, Glenn, Imperial, Mariposa, Modoc, Mono, Plumas, San Benito, Sierra, and Trinity do not appear in this Table because law enforcement agencies in those counties did not create records for any of the individuals that were in CalGang as of November 23, 2015. ‡ Other includes African, American Indian, and people of two or more races. 1,797 Yuba Unknown 7 929 Ventura Yolo 4 Tuolumne 1,479 41 Tulare 781 2,483 Stanislaus Tehama 1,965 Sonoma Sutter 8 173 Solano 250 Shasta Siskiyou 543 Santa Cruz 766 5,276 Santa Clara Santa Barbara 1,097 San Luis Obispo San Mateo 691 691 6,015 San Diego San Francisco 14,321 San Bernardino San Joaquin 1,195 TOTAL NUMBER OF INDIVIDUALS Sacramento COUNTY † TYPE California State Auditor Report 2015-130 August 2016 67 68 California State Auditor Report 2015-130 August 2016 Blank page inserted for reproduction purposes only. California State Auditor Report 2015-130 August 2016 KAMALA D. HARRIS Attorney General State of California DEPARTMENT OF JUSTICE 1300 I Street SACRAMENTO, CA 95815-4524 Telephone: (916) 227-3043 E-Mail: Joe.Dominic@doj.ca.gov Telephone: (916) 319-8269 Email: Larry.Wallace@doj.ca.gov July 22, 2016 Elaine M. Howle, CPA California State Auditor 621 Capitol Mall, Suite 1200 Sacramento, CA 95814 RE: CSA Report 2015-130 Dear Ms. Howle: Dear Ms. Howle, The Department of Justice (DOJ) has reviewed the California State Auditor’s (CSA) draft report titled “The CalGang Criminal Intelligence System: As the Result of Its Weak Oversight Structure, It Contains Questionable Information That May Violate Individuals’ Privacy Rights” and appreciates the opportunity to respond to the report. CSA has made several recommendations to DOJ and the Legislature with regard to creating a public program for shared gang database oversight and accountability, specifically recommending that DOJ guide the board and committee to identify and address the shortcomings that exist in CalGang’s current operations. DOJ would be charged with providing oversight and development of new policies and procedures to ensure proper management and transparency of the CalGang system or any equivalent statewide shared gang database. In response to the CSA’s specific recommendations to DOJ identified in the draft report, DOJ submits the following responses: CSA Recommendation: Developing best practices based on the requirements stated in the federal regulations, the state guidelines, and state law, and advising user agencies on the implementation of those practices. The best practices should include, but not be limited to, reviewing criminal intelligence, appropriately disseminating information, performing robust audit practices, establishing plans to recover from disasters and meeting all of the State’s juvenile notification law requirements. Justice should guide the board and committee to develop these best practices by June 30, 2017. 69 70 California State Auditor Report 2015-130 August 2016 Elaine M. Howle, CPA California State Auditor July 22, 2016 Page 2 DOJ Response: DOJ agrees with this recommendation. The CSA recommends that the Legislature require DOJ to implement state regulations that adhere to federal regulations and state guidelines. The best practices developed by DOJ should align with these regulations to avoid confusion. As DOJ will not have the authority to begin the state regulations process until the Legislature grants express authority through legislation, the CSA’s recommended implementation date of June 30, 2017 will likely be impacted. DOJ recommends that the date to develop the best practices be determined by the Legislature through statute. DOJ currently has no existing resources or program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. CSA Recommendation: Instructing law enforcement agencies that use CalGang to complete a comprehensive review of all the gangs documented in CalGang to determine if they meet the necessary requirements for inclusion and to purge from CalGang any groups that do not meet the requirements. Justice should guide the board and the committee to ensure that user agencies complete this review in phases with the final phase to be completed by June 30, 2018. DOJ Response: DOJ agrees with this recommendation and will work with the board, committee, and user agencies to provide instruction as recommended. However, until the Legislature grants DOJ express authority, DOJ cannot compel user agencies to complete a comprehensive review and purge groups from CalGang that lack criterion. Once legislation is passed to authorize DOJ to enforce the requirements and compel user agencies to comply, DOJ can assume oversight of CalGang. DOJ currently has no existing resources or program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. CSA Recommendation: Instructing all law enforcement agencies that use CalGang to complete a comprehensive review of all records in CalGang to determine if the user agencies have adequate support for the criteria associated with all the individuals they have entered as gang members. If the user agencies do not have adequate support, they should immediately purge the criteria---and, if necessary, the individuals--from CalGang. In addition, the user agencies should ensure that all the fields on each CalGang record are accurate. Justice should guide the board and the committee to ensure that user agencies complete this review in phases with the final phase to be completed by September 30, 2019. DOJ Response: DOJ agrees with this recommendation and will work with the board, committee, and user agencies to provide instruction as recommended. However, until the Legislature grants DOJ express authority, DOJ cannot compel user agencies to complete the comprehensive review of all records in CalGang, purge individuals lacking adequate support for cited criteria, and ensure the accuracy of all fields on each record. Once legislation is passed to authorize DOJ to enforce the requirements and compel user agencies to comply, DOJ can assume oversight of CalGang. DOJ currently has no existing resources or program in place to California State Auditor Report 2015-130 August 2016 Elaine M. Howle, CPA California State Auditor July 22, 2016 Page 3 handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. CSA cited several unsupported criteria for individuals entered into CalGang, DOJ will need to further develop how the required support documentation for criterion is maintained in its regulations. As such, all records tied to this criterion for inclusion in CalGang will need to be reviewed after the implementation of regulations. This may impact the deadline recommended by the CSA for completion of the review of records. DOJ recommends that the final review date be determined by the Legislature through statute. CSA Recommendation: Instructing all user agencies to report to Justice every six months, beginning in January 2017, on their progress toward completing their gang and gang member reviews. DOJ Response: DOJ agrees with this recommendation and will work with the board, committee, and user agencies to provide instruction as recommended. However, until the Legislature grants DOJ express authority, DOJ cannot compel user agencies to report their review progress to the DOJ biannually. DOJ recommends that the commencement of the biannual reporting be determined by the Legislature through statute. CSA Recommendation: Developing standardized periodic training content for all CalGang users and training instructors. Justice should guide the board and committee to develop such standardized training content by June 30, 2017. DOJ Response: DOJ agrees with this recommendation and will work with the board and committee to develop standardized training for CalGang users and training instructors. However, until the Legislature grants DOJ express authority, DOJ cannot compel the board and committee to participate in the development, implementation, and enforcement of the training. Once legislation is passed to authorize DOJ to enforce the requirements, and user agencies are compelled to adhere to DOJ’s requirements, DOJ will ensure that the training content is implemented and participation by user agencies is enforced. DOJ currently has no existing resources or program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. DOJ recommends that the date for DOJ to develop the standardized training be determined by the Legislature through statute. CSA Recommendation: Establishing a plan to recertify all CalGang users and training instructors on the new training content. Justice should guide the board and the committee to complete the draft plan by June 30, 2017, and the recertification training by June 30, 2018. DOJ Response: DOJ agrees with this recommendation and will work with the board and committee to develop and implement a plan to recertify all CalGang users and training instructors. However, until the Legislature grants DOJ express authority, DOJ cannot compel the board and committee to participate in the development, implementation, and enforcement of the recertification. Once legislation is passed to authorize 71 72 California State Auditor Report 2015-130 August 2016 Elaine M. Howle, CPA California State Auditor July 22, 2016 Page 4 DOJ to enforce the requirements and user agencies are compelled to comply, DOJ will ensure that the recertification plan is implemented and participation by user agencies is enforced. DOJ currently has no program or existing resources in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. DOJ recommends that the date for DOJ to establish a training plan for recertification be determined by the Legislature through statute. CSA Recommendation: Developing policies and procedures requiring the disabling of user accounts for all individuals who no longer have a need to or right to access CalGang because they have separated from their employment with user agencies or for other reasons. Justice should guide the board and the committee to identify and disable all such accounts by September 20, 2016. DOJ Response: DOJ agrees with this recommendation and will work with the board, committee, and user agencies to identify and disable accounts for those who no longer have a need or right to access CalGang as outlined. However, until the Legislature grants DOJ express authority, DOJ cannot compel the board, committee, and user agencies to comply with the disabling requirements. Once legislation is passed to authorize DOJ to enforce the requirements, DOJ will ensure that the policies and procedures are established and enforced. DOJ currently has no existing resources or program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. DOJ recommends that the date for DOJ to develop policies and procedures be determined by the Legislature through statute. CSA Recommendation: Determining what steps must be taken to upgrade CalGang’s controls to ensure that CalGang will automatically purge all individuals whose records have not been updated by user agencies for five years. DOJ Response: DOJ agrees with this recommendation, but currently has no authority to mandate CSRA International, Inc. (CSRA), the developer of the proprietary CalGang software, to upgrade CalGang’s controls to do automatic purges, nor does DOJ have existing resources or a program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. For immediate implementation, DOJ suggests that CSA make this recommendation to the CalGang Executive Board and California Gang Node Advisory Committee that currently oversees CalGang and CSRA. It would be beneficial to DOJ for CSRA to begin making enhancements to CalGang before oversight and administration is assumed by DOJ. CSA Recommendation: To promote transparency and hold the board, the committee, and user agencies accountable for implementing and adhering to criminal intelligence safeguards, Justice should post quarterly reports on its website beginning June 30, 2017, that summarize how it has guided the board and the committee to implement and adhere to criminal intelligence safeguards: the progress the board, the committee, and user agencies have made in implementing and adhering to these safeguards; the steps these entities still must take to implement these safeguards; and any barriers to the board’s and the committee’s success in achieving these goals. California State Auditor Report 2015-130 August 2016 Elaine M. Howle, CPA California State Auditor July 22, 2016 Page 5 DOJ Response: DOJ agrees with this recommendation, but currently has no program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. DOJ also does not have authority to require user agencies to conduct external audits to assess implementation and adherence to criminal intelligence safeguards and report their progress to DOJ. Until the Legislature grants DOJ express authority, DOJ cannot compel the board, committee, and user agencies to comply with the requirements. DOJ recommends that the date to start posting quarterly reports be determined by the Legislature through statute. CSA Recommendation: To promote transparency and encourage public participation in CalGang’s meetings, Justice should post the following information to its website unless doing so would compromise criminal intelligence information that must be shielded from public release:  Summary results from the committee’s audits of CalGang records.  The agendas, minutes, and referenced attachments for all future board and committee meetings, as well as other documents of significance such as letters, memos, or agreements.  From the past five years, all available agendas, minutes, and referenced attachments from scheduled and ad-hoc board and committee meetings, as well as all other documents of significance. Justice should post these materials by October 31, 2016. DOJ Response: DOJ agrees with this recommendation and will work with the board and committee to post all referenced information that we are successful in acquiring to the Attorney General’s website. However, until the Legislature grants DOJ express authority, DOJ cannot compel the board and committee to make all components available to DOJ. Once legislation is passed to authorize DOJ to enforce the requirements, DOJ will ensure that all available and future referenced information are made available to the public through the Attorney General’s website. DOJ currently has no existing resources or program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. CSA Recommendation: If Justice needs additional resources to guide the board and committee to identify and address the shortcoming that exist in CalGang’s current operations and oversight, to report on the board and committee’s progress in addressing CalGang’s shortcomings, and to post necessary information to its website, Justice should take steps to secure the resources it needs. DOJ Response: DOJ agrees with this recommendation and will work with the Legislature and the Department of Finance to identify and obtain the additional resources and funding necessary for DOJ to implement the recommendations outlined in the CSA audit of CalGang. 73 74 California State Auditor Report 2015-130 August 2016 Elaine M. Howle, CPA California State Auditor July 22, 2016 Page 6 The following recommendations by CSA were made to the Legislature with regard to CalGang, but have a direct impact to DOJ. As such, DOJ has provided the following responses to these recommendations: CSA Recommendation: Designate Justice as the state agency responsible for administering and overseeing CalGang or any equivalent statewide shared gang database. DOJ Response: DOJ agrees with this recommendation. Express authority from the Legislature is needed before DOJ can fully enforce the recommendations made by the CSA. DOJ currently has no existing resources or program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to implement this recommendation. CSA Recommendation: Require that CalGang or any equivalent statewide shared gang database adhere o federal regulations and relevant safeguards from the state guidelines, including supervisory reviews of database entries and regular reviews of all records. DOJ Response: DOJ agrees with this recommendation. Express authority from the Legislature is needed for DOJ to fully enforce CalGang’s adherence to federal regulations and state guidelines regarding criminal intelligence systems and compel user agencies to comply. DOJ currently has no program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to enable DOJ to adequately administer and oversee CalGang. CSA Recommendation: Specify that Justice’s oversight responsibilities include developing and implementing standardized periodic training as well as conducting---or hiring an external entity to conduct-periodic audits of CalGang or any equivalent statewide shared gang database. DOJ Response: DOJ agrees with this recommendation. Express authority from the Legislature, and funding to either DOJ or the user agencies to hire an external entity to conduct periodic audits is needed before DOJ can fully enforce the recommendations made by the CSA. DOJ currently has no program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to enable DOJ to adequately administer and oversee CalGang. CSA Recommendation: To promote public participation in key issues that may affect California’s citizens and to help ensure consistency in the use of any shared gang database, the Legislature should require Justice to interpret and implement shared gang database requirements through the regulatory process. This process should include public hearings and should address the following:  Adopting requirements for entering and reviewing gang designations, including establishing a retention period for gangs.  Adopting criteria for identifying gang members. These criteria should define which offenses are consistent with gang activity. California State Auditor Report 2015-130 August 2016 Elaine M. Howle, CPA California State Auditor July 22, 2016 Page 7   Specifying how user agencies will operate any statewide shared gang database, including requiring user agencies to implement supervisory review procedures and periodic record reviews. The user agencies should report the results of the reviews to Justice. Standardizing practices for user agencies to adhere to the State’s juvenile notification requirements, including guidelines for documenting and communicating the bases for juveniles’ gang designations. DOJ Response: DOJ agrees with this recommendation. Express authority from the Legislature is needed before DOJ can fully enforce the recommendations made by the CSA and ensure user agency compliance with policies and procedures. DOJ currently has no program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to enable DOJ to adequately administer and oversee CalGang. CSA Recommendation: To ensure transparency, the Legislature should require Justice to publish an annual report with key shared gang database statistics---such as the number of individuals added to and removed from the database---and summary results from periodic audits conducted by Justice or any external entity. Further, the Legislature should require Justice to invite and assess public comments following the report’s release. Subsequent annual reports should summarize any public comments Justice received and actions it took in response. DOJ Response: DOJ agrees with this recommendation. Express authority from the Legislature is needed before DOJ can fully enforce the recommendations made by the CSA. DOJ currently has no program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to enable DOJ to adequately administer and oversee CalGang. CSA Recommendation: To help ensure that Justice has the technical information it needs to make certain that CalGang or any equivalent shared gang database remains an important law enforcement tool, the Legislature should establish a technical advisory committee to advise Justice about the database use, database needs, database protection, and any necessary updates to policies and procedures. The Legislature should specify the qualifications for membership in the technical advisory committee, which should include representatives from local and state agencies that use the shared gang database. Further, it should require that the committee meet at least twice a year and adhere to the Bagley-Keene Open Meeting Act and other relevant open meeting laws. DOJ Response: DOJ agrees with this recommendation and would welcome feedback from a Legislative technical advisory committee with regard to CalGang. DOJ would also like to be a member of the committee, if established. 75 76 California State Auditor Report 2015-130 August 2016 Elaine M. Howle, CPA California State Auditor July 22, 2016 Page 8 Again, thank you for the opportunity to review and comment on the draft audit report. If you have any questions or concerns regarding this matter, you may contact me at the telephone number listed above. Sincerely, JOE DOMINIC Director, California Justice Information Services Division LARRY J. WALLACE Director, Division of Law Enforcement cc: Nathan R. Barankin, Chief Deputy Attorney General Venus D. Johnson, Associate Attorney General Tammy Lopes, Director, Division of Administrative Support Andrew J. Kraus III, CPA, Director, Office of Program Review and Audits California State Auditor Report 2015-130 August 2016 * *  California State Auditor’s comments begin on page 81. 77 78 California State Auditor Report 2015-130 August 2016 Page 2 8.4 e. The ?nal phase for gang members to be completed by June 30, 2019. Response: The LAPD is currently monitoring approximately 40,000 gang member entries into CalGang. The LAPD will audit a statistically valid sample. If ?ndings reveal a signi?cant de?ciency, a larger sample would be utilized and this recommendation will be revisited. If a statistically valid sample is utilized for gang member entries the completion date of June 30, 2019, is reasonable. Recommendation No. 2 a. DeveIOp or modify as necessary all policies and procedures related to CalGang to ensure they align with state law, CalGang Policies, federal regulations, and when appropriate, the state guidelines [California Attorney General?s Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities]; ReSponse: The LAPD is currently performing a comprehensive review of all Department related policies and procedures related to CalGang. In May of 2016, the CalGang Node Advisory Committee (CGNAC) voted to eliminate the requirement to follow the California Attorney General?s Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities. The LAPD is conducting an examination into the feasibility of maintaining compliance with the Attorney General?s guidelines. However, the CalGang Executive Board took no action with regard to the CGNAC Board recommendation. The LAPD has current CalGang policies and procedures in place, which all Department CalGang users are expected to adhere to. The draft audit report did not ?nd the LAPD de?cient with following state law or federal regulations. The LAPD will continue to maintain this high standard of compliance with all applicable laws. Implement appropriate policies and procedures for entering gangs; Response: All CalGang policies and procedures will be reviewed and any de?ciencies identi?ed will be corrected by revising existing policies and procedures. c. Perform supervisory reviews of gangs and gang member entries; Response: All source documents used to establish a gang or gang member entry into CalGang require a supervisor to review and approve. Existing LAPD CalGang policy will be revised to include an expanded ?Supervisor Responsibilities? section outlining required supervisor duties. (1. Implement policies and procedures for performing periodic CalGang record reviews; sharing CalGang information; and complying with Juvenile noti?cation requirements; Response: The LAPD will ensure that appropriate policies and procedures exist for performing periodic CalGang record review; sharing CalGang information; and, complying with juvenile letter noti?cation requirements. It should be noted that LAPD Audit Division has Department wide audit reSponsibility. They will be consulted to establish an expanded Department CalGang audit to ensure compliance with CalGang policies and procedures. The draft audit report did not ?nd LAPD de?cient with the sharing of CalGang information; however, in response to this audit, LAPD is in the process of completing a Detective Bureau Notice to all LAPD Commanding Of?cers titled ?CalGang Proxy Login?. California State Auditor Report 2015?130 79 August 2016 Page 3 8.4 This Notice will establish LAPD policies and procedures for sharing CalGang information with outside agencies and non?users of CalGang. A new Telephonic Information Request Form will be created, which must be completed by non- CalGang users when making GalGang information requests. This will enhance and support the CalGang Proxy Login feature in CalGang, which tracks all second party requests. e. Recommendation No. 2 should be completed by March 31, 2017. Response: The LAPD is in agreement. Other Related Matters: The draft audit report discusses the following other related matters: - LAPD Police Of?cers not being viable ?reliable sources? in determining the identi?cation of an individual as a gang member to be included in CalGang; Response: The LAPD asserts that its Gang Enforcement Detail (GED) of?cers are not only viable reliable sources, but also have the gang training, expertise, ?eld experience, and time on the job to make the determination as to whether an individual meets the criteria to be identified as an active gang member or an active af?liate gang member as per CalGang requirements and LAPD policy. The GED officers are required to attend a week long Gang Awareness course and Q) a one or two-day CalGang course. The GED of?cers go through an extensive background review, complete a ?nancial disclosure, and receive continuous gang training from a variety of sources. 0 Process for removing separated employees from CalGang; Response: In response to this audit, a formalized process will be implemented where an of?cial project will be generated whereby the Department?s Personnel Division will provide the LAPD CalGang Node Administrator a separation list identifying employees who have separated from the Department. The Node Administrator will then disable these individuals from using CalGang. The LAPD did not have fully documented plans for restoring CalGang information after a man-made or natural disaster; Response: The LAPD does not house the server where CalGang information is stored. The Los Angeles Sheriff?s Department (LASD) houses three servers and houses another. The LASD data center has a generator backup system. Once a month, the generator is tested by transferring the full operations of the data center to the generator for 30 minutes. The data on the CalGang servers is backed up once a day to an external drive that is housed in the same rack as the primary servers. The CalGang data is continuously replicated to a central server. The CGGN Replication Document from the LASD details this information; however, LAPD was not authorized to release this information due to LASD security protocols. There is no Disaster Recovery or Incident Response plan Speci?c to the CalGang data or servers. However, the building that houses the data center does have a Disaster Recovery Plan that pertains to the entire building, including the data center. The Norwalk Data Center?s Disaster Recovery Plan does not include CalGang. If there is a Disaster Recovery incident at the Norwalk Data Center and the Los Angeles CalGang servers are lost, users will be directed to the replicated DOJ CalGang server. 80 California State Auditor Report 2015-130 August 2016 Page 4 8.4 Users may view all of the Los Angeles data on the DOJ server but they will be unable to add/update records until the Los Angeles servers are restored. The Los Angeles servers will be restored via local backups located at the Norwalk Data Center. The LASD document LosAngeles CalGang Backup Information should be referred to for further information as LAPD was not authorized to release this information due to LASD security protocols. The LASD informed the LAPD that they already provided the CGGN Replication Document and the Los Angeles CalGang Backup Information document to the State Auditor?s Of?ce. A note can be added to forthcoming and revised CalGang policies and procedures pointing personnel to LASD and in the event that LAPD loses access to CalGang information after a disaster. Process for documenting letters of contest: 0 The LAPD will include a check box in CalGang indicating if a letter of contest was received for a juvenile. Stated CalGang rules in User Agreement: I The LAPD will revise its CalGang User Agreement to include: language that CalGang is not to be used for employment, housing, or military background check purposes; CalGang rules; and, requirement(s) for safeguarding GalGang data. It should be noted that the audit found no evidence of LAPD sharing information for the purposes of employment, housing or military. After complete review ot'the draft audit ?ndings, which were provided to the LAPD, the Department is asking that consideration of the audit title be reconsidered. The wording ?As the Result of Its Weak Oversight Structure, lt Contains Questionable Information That May Violate Individuals? Privacy Rights? is misleading and volatile. We strongly believe the title to this report should re?ect exactly what it did, which was provide insight on how to strengthen internal controls and improve upon our overall CalGang system. In essence, this title appears to be contentious, particularly in a time in which law enforcement agencies are facing great challenges with public trust. Moreover, the draft audit report does not identify nor specifically indicate what privacy rights have been violated and how. Should you have any questions or concerns regarding this matter, please contact Captain Charles P. Hearn, Commanding Of?cer, Gang and Narcotics Division, at (213) 833?3700. Very truly yours, CHARLIE BECK Chief of Police Deputy Chief ives California State Auditor Report 2015-130 August 2016 Comments CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM THE LOS ANGELES POLICE DEPARTMENT To provide clarity and perspective, we are commenting on the Los Angeles Police Department’s (Los Angeles) response to our audit. The number below corresponds to the number we have placed in the margin of Los Angeles’s response. Los Angeles erroneously concludes that our report does not identify the department as deficient in following state law or federal regulations or with sharing CalGang information. We did, in fact, find that Los Angeles is deficient in numerous areas. For example, it is deficient in supporting gang member criteria entries, as summarized in Table 7 on page 32; it lacks processes to properly share CalGang information and limit CalGang assess as described on pages 41 and 42; and it has failed to appropriately notify juveniles and their parents as state law requires, as summarized in Table 11 on page 48. 1 We are not questioning the training, expertise, and field experience of Los Angeles’s gang enforcement officers. They are uniquely qualified to evaluate potential gang tattoos, gang areas, gang dress, gang symbols and hand signs, and to conduct interviews of suspected gang members and informants—all of which are criteria they can use to justify a person’s inclusion in CalGang. Because this criteria is available, we find it inappropriate, as we discuss on page 35, that Los Angeles would allow an officer to justify a person’s inclusion in CalGang based on the criteria—“Subject has been identified as a gang member by a reliable informant/source”, when the only support for this criteria is a circular reference back to this officer’s conclusion that the individual is a gang member. In our view, “reliable informant/source” indicates that the law enforcement agency received reliable information from outside its agency, and not simply a determination made by an officer inside its agency. 2 Los Angeles misunderstands our concern. We received and reviewed the documents that Los Angeles refers to and found that these documents outline processes for backing up CalGang data. We acknowledge on page 27 that each of the node administrator agencies that we reviewed— including Los Angeles—asserted that they protect their data against loss by implementing practices such as regular backups of data. However, Los Angeles seems to overlook our concern that it does not have an agreed-upon plan with its service provider—the Los Angeles County Sheriff ’s Department, in this case—for restoring CalGang information within a specified time frame after a man-made or natural disaster. As Los Angeles 3 81 82 California State Auditor Report 2015-130 August 2016 points out, in the event of such a disaster, users will be unable to add or update records until the Los Angeles servers are restored. As such, it is important that Los Angeles and its service provider formally agree on an acceptable recovery strategy to minimize the impact of an interruption. 4 The audit’s title is derived from the conclusions we drew from the evidence we collected and examined over the course of the audit. We believe the title aptly summarizes the audit conclusions and that those conclusions are soundly supported by audit evidence. California State Auditor Report 2015-130 August 2016 MAYOR Miguel A. Pulido MAYOR PRO TEM Vicente Sarmiento COUNCILMEMBERS Angelica Amezcua P. David Benavides Michele Martinez Roman Reyna Sal Tinajero CITY MANAGER David Cavazos CITY ATTORNEY Sonia R. Carvalho CLERK OF THE COUNCIL Maria D. Huizar CITY OF SANTA ANA POLICE DEPARTMENT 60 Civic Center Plaza ● P.O. Box 1981 Santa Ana, California 92702 www.santa-ana.org OFFICE OF THE CHIEF OF POLICE July 28, 2016 Elaine M. Howle, CPA California State Auditor 621 Capitol Mall, Suite 1200 Sacramento, CA 95814 Re: Response to Audit of “The CalGang Criminal Intelligence System” Dear Ms. Howle, In 2015, the Joint Legislative Audit Committee requested the California State Auditor’s Office conduct an audit on the use of CalGang, a shared criminal intelligence database. The Santa Ana Police Department is an end-user of the CalGang system and was one of several agencies throughout the state to be audited. The Santa Ana Police Department welcomed the audit as an examination of this magnitude had never been conducted. During the audit, Santa Ana Police Department and State Auditor personnel interacted in a transparent and professional manner. The Department was eager to learn how to improve internal processes and ensure industry-best practices have been employed. On July 18, 2016 the State Auditor’s Office released their preliminary audit report. The report primarily focuses on law enforcement’s process deficiencies. However, when scrutinizing the Department’s juvenile notification process, the State Auditor’s Office indicated, “… Santa Ana exceeded the law’s requirement by notifying parents after each contact juveniles had with police that resulted in updates to their records.” More impressive was the State Auditor’s Office recognizing the Department’s efforts to provide education and intervention for juveniles and their parents during the contestation process. The State Auditor’s report states, “Santa Ana’s process when it receives a contestation letter represents a best practice that we believe could be the basis for statewide standards.” 83 84 California State Auditor Report 2015-130 August 2016 July 28, 2016 Page 2 The State Auditor’s Office recommended the following actions to address the specific deficiencies:  Begin reviewing the gangs they have entered into CalGang to ensure the gangs meet reasonable suspicion requirements. They should also begin reviewing the gang members they have entered into CalGang to ensure the existence of proper support for each criterion. They should purge from CalGang any records for gangs or gang members that do not meet the criteria for entry. Individuals who are independent from the ongoing administration and use of CalGang should lead this review. The agencies should complete the gang and gang member reviews in phases with the final phase for gangs to be completed by June 30, 2018, and the final phase for gang members to be completed by June 30, 2019. The Santa Ana Police Department has a clear understanding of the State Auditor’s recommendation and intends to fulfill the recommendation without modification or delay. The Department will begin reviewing the gangs we have entered into CalGang immediately. The Department will then review the gang members we have entered to ensure proper criterion has been documented and entered. Any gangs or its members not meeting requirements will be purged from CalGang. The Department intends to complete this review within the recommended timelines.  Develop or modify as necessary all their policies and procedures related to CalGang to ensure they align with state law, CalGang policy, the federal regulations, and the state guidelines. In particular, the law enforcement agencies should implement appropriate policies and procedures for entering gangs; performing supervisory reviews of gangs and gang member entries; performing periodic CalGang record reviews; sharing CalGang information; and complying with juvenile notification requirements. The law enforcement agencies should complete this recommendation by March 31, 2017. The Santa Ana Police Department, with assistance from legal counsel, will establish a standalone policy and procedure for CalGang. This policy and procedure will support state law, CalGang policy, federal regulations, and state guidelines. The Department will ensure CalGang entries meet all criteria, supervisory reviews are conducted, a system to track CalGang information sharing will be created, and juvenile compliance notification requirements will be met. The Department intends to fully comply with these recommendations on or before March 31, 2017. California State Auditor Report 2015-130 85 August 2016 July 28, 2016 Page 3 The Santa Ana Police Department would like to thank the staff from the California State Auditor’s Office for their professionalism during the audit process. There is no question their review and recommendations will assist the Santa Ana Police Department in the implementation of process improvements related to criminal intelligence files. Sincerely, CARLOS ROJAS Chief of Police SANTA ANA CITY COUNCIL Miguel A. Pulido Mayor MPulido@santa-ana.org Vicente Sarmiento Mayor Pro Tem, Ward 1 VSarmiento@santa-ana.org Michele Martinez Ward 2 MMartinez@santa-ana.org Angelica Amezcua Ward 3 AAmezcua@santa-ana.org P. David Benavides Ward 4 DBenavides@santa-ana.org Roman Reyna Ward 5 RReyna@santa-ana.org Sal Tinajero Ward 6 STinajero@santa-ana.org 86 California State Auditor Report 2015-130 August 2016 Blank page inserted for reproduction purposes only. California State Auditor Report 2015-130 August 2016 * *  California State Auditor’s comments appear on page 89. 87 88 California State Auditor Report 2015-130 August 2016 Response: 0 The Santa Clara County Sheriff?s Of?ce Special Operations Division Administration will review and update existing policies and procedures related to CalGang to ensure they align with state law, CalGang policy, federal regulations, and the state guidelines. Additionally, the Sheriffs Of?ce will implement an additional layer of supervision to conduct reviews of gang member entries and perfomi periodic CalGang record reviews. (It is important to note, the Sheriff?s Of?ce only enters gang members into the system, not gangs as speci?ed in the report.) 0 Regarding Juvenile Noti?cations, the Sheriff?s Of?ce is not out of compliance. Our of?ce has not entered juveniles into the system due to the fact that there are not clear guidelines speci?cally for those juveniles that are wards of the court. The Santa Clara County Sheriff?s Of?ce looks forward to working with the State Auditor, the CalGang Executive Board, and the California Gang Node Advisory Committee to improve the CalGang Intelligence System and in turn safeguard the rights of those in the system. If you need additional information regarding this response, please contact Captain Dalia Rodriguez, Santa Clara County Sheriff 5 Of?ce Special Operations Division, at 408-808-4764. Thank you for the opportunity to respond to this audit. Sincerely, Laurie Smith, Sheriff California State Auditor Report 2015-130 August 2016 Comments CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM THE SANTA CLARA COUNTY SHERIFF’S OFFICE To provide clarity and perspective, we are commenting on the Santa Clara County Sheriff ’s Office (Santa Clara) response to our audit. The numbers below correspond to the numbers we have placed in the margin of Santa Clara’s response. In footnote 8 on page 30 of the audit report, we note that Santa Clara does not add gangs to CalGang; rather, it links suspected gang members to gangs already existing in the database. Consequently, it did not have a process for adding gangs to CalGang for us to review. 1 Nowhere in the audit report do we conclude that Santa Clara is not in compliance with juvenile notification requirements. On pages 47 and 48 of the audit report, we acknowledge that Santa Clara stopped adding juveniles to CalGang in direct response to the notification requirements. 2 89 90 California State Auditor Report 2015-130 August 2016 Blank page inserted for reproduction purposes only. California State Auditor Report 2015-130 August 2016 Sonoma County Sheriff’s Office STEVE FREITAS Sheriff-Coroner ROBERT GIORDANO Assistant Sheriff Law Enforcement Division RANDALL WALKER Assistant Sheriff Detention Division July 22, 2016 Elanie M. Howle, CPA* California State Auditor 621 Capitol Mall Suite 1200 Sacramento, CA 95814 Dear Ms. Howle, Attached please find the Sonoma County Sheriff’s Office response to the State Auditor’s Report about CalGang® and the Sonoma County Sheriff’s Office’s regional role in the administration of this gang crime intelligence system. Included are several attachments for your review. If you have any questions, please contact me at 707-565-2781. Sincerely, STEVE FREITAS Sheriff-Coroner SF/wh Administration Division 2796 Ventura Avenue Santa Rosa, CA 95403 707.565.2781 Law Enforcement Division 2796 Ventura Avenue Santa Rosa, CA 95403 707.565.2511 *  California State Auditor’s comments begin on page 103. Detention Division 2777 Ventura Avenue Santa Rosa, CA 95403 707.565.1422 Coroner 3336 Chanate Road Santa Rosa, CA 95404 707.565.5070 91 92 California State Auditor Report 2015-130 August 2016 SONOMA COUNTY SHERIFF’S OFFICE RESPONSE TO CALGANG® AUDIT REPORT The Sonoma County Sheriff’s Office is pleased to have the opportunity to respond to the State Auditor’s Report about CalGang® and the Sonoma County Sheriff’s Office’s regional role in the administration of this important gang crime intelligence system (“Report”). The Report was compiled after a months-long audit during which the auditor team was given unprecedented access to staff and materials. Volumes of information were presented, procedures were explained, and full cooperation was provided to the auditor team by the Sonoma County Sheriff’s Office. 1 The Report highlights the importance of CalGang® which provides a shared database to law enforcement agencies with current gang information, allowing agencies to improve the efficiency of their criminal investigations, enhance officer safety, and better protect the public 2. The Sonoma County Sheriff’s Office shares those important values and has been committed to supporting CalGang® for the benefit and safety of our communities and law enforcement agencies. The statewide gang problem knows no jurisdictional boundaries and the Sonoma County Sheriff’s Office believes that effective intelligence sharing is essential to protect the public from dangerous gang crimes. The gathering of data in a criminal intelligence system often includes sensitive and private information. The Sonoma County Sheriff’s Office understands that this may raise concerns about individual’s privacy rights. The Sonoma County Sheriff’s Office acknowledges that an appropriate level of auditing is necessary, and is committed to administering the CalGang® database in a responsible and appropriate way, while balancing the need to protect individuals’ rights with the need to protect the public from crimes caused by gangs. 1 2 3 The Sonoma County Sheriff’s Office’s administration of CalGang® has always been appropriate and lawful. Despite the Report’s title which suggests a potential for privacy rights violations state-wide, the audit did not unearth any actual privacy violations by the Sonoma County Sheriff’s Office. In fact, the Sonoma County Sheriff’s Office believes that it has met or exceeded the statutory guidelines for administering a model Criminal Intelligence System that is used nation-wide. Indeed, since the CalGang® program’s inception, it was been used as the template for other regional and nation-wide criminal intelligence databases. Sonoma County’s administration of CalGang® fully complies with federal auditing requirements, contained in Title 28, section 23 of the Code of Federal Regulations (28 CFR §23). Importantly, any information contained in CalGang® is subject to multiple levels of scrutiny before it is entered into CalGang®. First, the source information comes from law enforcement officers in the field. Before any information is transmitted to a CalGang® node agency (like Sonoma County) for entry into 4 1 The Sonoma County Sheriff’s Office was provided a redacted version of the Report that contained only information about the Sonoma County Sheriff’s Office. Further, the Sonoma County Sheriff’s Office was prohibited by the Auditor’s Office from discussing the Report with CalGang’s governing board or other local agencies who administer CalGang – despite the fact that CalGang is a state-wide program. The Sonoma County Sheriff’s Office hopes and anticipates that CalGang’s state-wide governing board will subsequently issue a comprehensive response to the Report once all agencies involved in operating the state-wide CalGang system have had an opportunity to review the entire Report. 2 The legislature recognized that gang crimes presented a “clear and present danger” to the public when it enacted the Street Terrorism and Prevention Act (Penal Code §§186.20 et.seq.). Page 1 93 California State Auditor Report 2015-130 August 2016 CalGang®, it is generally reviewed by the local law enforcement officer’s supervisor. Then, once the information is transmitted to a CalGang® node administrator, the source information is again vetted to ensure it meets the CalGang® criteria. 5 Sonoma County Sheriff’s Office has supported CalGang® for over 20 years. The staff from all involved agencies assigned to the California Gang Node Advisory Committee (Committee) and CalGang® Executive Board (Board) have done a phenomenal job developing and deploying a system that has become the gold standard around the county and beyond. This work was done primarily by local law enforcement, with very little support from the state of California and largely at the expense of the committee and board member agencies. The exceptional value of the CalGang® system is evidenced by more than 500 success stories written by end users praising the ability of CalGang® to assist in the investigation of crimes up to and including multiple capital murders. The Report focuses on the 2007 version of the California Attorney General’s Model Standards and Procedures for Maintaining Criminal Intelligence Files (AG’s Model Standards) regarding heightened audit requirements. What the Report fails to acknowledge is that CalGang® was created more than 20 years ago in full compliance with the prior version of the AG’s Model Standards. The CalGang® Board and Committee never agreed to comply with the 2007 version of the AG’s Model Procedures. The Sonoma County Sheriff’s Office believes that the current level of CalGang® oversight, which was originally recommended by John Gordiner, Senior Assistant Attorney General assigned to CalGang®, remains appropriate. It is above and beyond what is employed in other Criminal Intelligence Systems we are familiar with, it is proactive, forward looking, and holds end users accountable. It also, within the permissible confines of 28CFR23, promotes transparency through its Executive Board which has met in public for decades. CalGang® does not violate individual privacy rights, in fact, it protects those rights by operating strictly within the confines of 28CFR23. The overly onerous annual auditing requirements of the 2007 version of the AG’s Model Standards would make administering the CalGang® system as a node administrator unfeasible for Sonoma County. The Sonoma County Sheriff’s Office, as a node agency, would have to hire multiple high-level law enforcement personnel to fully comply with the Report’s interpretation of the 2007 version of the AG’s Model Procedures. This highlights Sonoma County’s fundamental concern about this Report. The Auditors acknowledged that they had never audited a criminal intelligence database before. The Sonoma County Sheriff’s Office is concerned that given the limited time the Auditors had to review the CalGang® system, and become familiarized with how criminal intelligence databases are maintained and the national standards that govern such databases, the Report contains recommendations that are not grounded in either the correct interpretation of the law or the reality of operating a criminal intelligence database. The ongoing resources necessary to operate the state-wide system has been an issue for 20 years. CalGang® has never been appropriately funded by the State, leaving stake holders, local communities, and law enforcement agencies to fund the staff and equipment. However, if CalGang® is forced to comply with the recommendations put forth by the auditor’s report, the Sonoma County Sheriff’s Office will not be able to provide the additional resources it would take to support the 35 other counties of the Node. Ultimately, Sonoma County will be forced to stop operating as a Node agency. Page 2 6 7 6 8 9 10 94 California State Auditor Report 2015-130 August 2016 Recommendation #1 Begin reviewing the gangs they have entered into CalGang® to insure that the gangs meets reasonable suspicion requirements. They should also begin reviewing the gang members they have entered into CalGang® to insure the existence of proper support for each criterion. They should purge from CalGang® any records for gangs or gang members that do not meet the criteria for entry. Individuals who are independent from the on-going administration and use of CalGang® should lead this review. The agencies should complete the gang and gang member reviews in phases with the final phase for gangs to be complete June 30, 2018, and the final phase for gang members to be completed by June 30, 2019. Recommendation #2 Develop or modify as necessary all their policies and procedures related to CalGang® to insure they align with state law, CalGang® policy, the federal regulations, and the state guidelines. In particular, the law enforcement agencies should implement appropriate policies and procedures for entering gangs; performing supervisory reviews of gang and gang member entries; performing periodic CalGang® record reviews; sharing CalGang® information; and complying with juvenile notification requirements. The law enforcement agencies should complete this recommendation by March 31, 2017. The Sonoma County Sheriff’s Office simple response to the auditor’s recommendations is: CalGang® is a state-wide program, and funding and staffing is a state-wide issue. 11 If we follow the recommendations of the auditor’s report, the Sonoma County Sheriff’s Office will be forced to stop operating as a Node agency. We will operate for a reasonable amount of time for a replacement to be identified; if no other agency steps forward, our stored criminal intelligence data in CalGang® will be purged, pursuant to 28CFR23. Page 3 95 California State Auditor Report 2015-130 August 2016 ATTACHMENT A: SPECIFIC RESPONSES A major challenge with the auditor’s document was that significant portions, including titles and some complete sections were redacted. It is unclear exactly what areas of concern must be attended to. 4 The Sonoma County Sheriff’s Office would eagerly work to correct actual issues, but specifics are redacted, leaving only broad, non-specific allegations. There is nothing to identify the offender and specific questionable record(s). Generally: The auditors have never audited a criminal intelligence system. The very title of the report, ”The CalGang Criminal Intelligence System: As a result of Weak Oversight Structure, It contains Questionable Information That May Violate Individuals’ Privacy Rights” draws conclusions that are subjective and misleading. 12 The CalGang® policies and procedures and the end use agency agreements were originally drafted by the Attorney General’s representatives, Senior Assistant Attorney General John Gordiner until his retirement; then Deputy Attorneys General Rob Nash and Harry Colombo. Specifically: Section Concerns (C) and Sonoma County Sheriff’s Office Response (R) “Scope and Methodology [REDACTED]” The portion titled Scope and Methodology is redacted entirely. We cannot respond to the contents without knowing the materials and process with which the auditors are relying upon to complete their tasks and reach their conclusions. “Leadership Section [TITLE REDACTED]” The paragraph title is redacted. C1: The auditor takes exception to our senior detective sergeant, with 35 years of law enforcement experience, serving as node administrator, committee member, and end user. R1: SCSO – Attachment A  Every node administrator is a committee member. Every node administrator is an end user. Every node administrator is an instructor.  This is far from a weakness in the framework; rather, it is an overwhelming strength. It makes sense to use our best, brightest, most experienced personnel to fill these crucial positions.  The node administrators have in excess of 250 years of combined law enforcement experience. The collective expertise of these dedicated personnel is an asset and an integral part of the CalGang® system. Page 1 13 13 96 California State Auditor Report 2015-130 August 2016 C2: The auditor has concern that end users are not disabled when they separate or transfer. R2: 14  The auditor has redacted the identity of the sole end user they take exception to. Due to this omission we are unable to correct the issue.  Sonoma County Sheriff’s Office has procedures in place for the modifying and removing separated employees. An office-wide message, generated from the Personnel Bureau, is distributed whenever a person is moved to a different position or separates from the agency. It is at that time that person’s CalGang® access is reevaluated. 15 C3: The auditor believes that our written policy for the re-establishment of CalGang® services after a disaster or other catastrophic failure is lacking. R3:  CalGang® data is replicated in near-real time to the central node at the DOJ in Sacramento. It is backed up nightly both locally and off-site. If the Sonoma Node (or any other California Node) is unavailable, the data remains searchable at DOJ, or visa-versa.  We believe that our Service Level Agreement with the County Information Systems Department, which is responsible for the data center, addresses the re-establishment of all Sheriff’s services, including CalGang® as part of the County-Wide Continuity of Operations Plans.  All eventualities cannot be anticipated, nor do disasters fit neatly into boxes. Re-establishment of services is dependent on many issues which the Sheriff’s Office cannot control.  Sonoma County Sheriff’s Office has evaluated the ability to return the CalGang® system’s functionality after a disaster and we are implementing a plan to restore services.  CalGang® is not a mission-critical application, restoration can take a lesser priority following a disaster. Should we experience a catastrophic event, we could restore the system to full functionality with 90 days subject to priority. 16 C4: The auditor noted a discrepancy between CalGang® Policy and a since rewritten DOJ Guideline. SCSO – Attachment A Page 2 97 California State Auditor Report 2015-130 August 2016 R4:  CalGang® fully complies with Federal standard as required in Title 28, section 23 of the Code of Federal Regulations as is evidenced in the compliance letter from the Institute for Intergovernmental Regulations dated February 7, 2006.  The committee policies dated September 27, 2007 were based on the California Criminal Intelligence File Guidelines dated July 1, 1994. This version of the State Guidelines does not include the overly onerous review requirements outlined in the updated Model Standard and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities, dated November 2007.  The November 2007 version, was revised by Deputy Attorneys General (DAG) Harry Colombo and Rob Nash. DAGs Colombo and Nash were the two Deputy Attorney Generals assigned as representatives to the Committee.  These additional requirements were never recommended by Colombo and Nash to be included into CalGang®. C5: A peace officer can make an arrest, depriving a person of their actual liberty, based on probable cause. However the threshold for entry into CalGang® is much lower, subjective reasonable suspicion, as defined pursuant to 28CFR23. R5:  The detention, arrest and possibly their subsequent incarceration (or release on their promise to appear, a citation) of a person only requires the eventual sergeant’s review. There are considerably more personal liberties and rights at stake. C6: The recommendation of this audit is that there are two or three more levels of review to meet a much lower burden of proof. R6: “Gangs Section [REDACTED]” In May 2016, the Committee and the Board chose to exclude the reference to the November 2007, DOJ guideline, Model Standard and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities, in favor of 28CFR23 statute. C7: The auditor takes exception to how Gangs are documented in CalGang®. R7: SCSO – Attachment A   The auditor states that “[Sonoma] could [NOT] prove that it performed the analysis required to establish reasonable suspicion.” However, in Page 3 17 6 98 California State Auditor Report 2015-130 August 2016 the corresponding footnote, the report acknowledges, “Through our review, we determined that Sonoma was able to demonstrate that the gangs we reviewed currently meet CalGang® policy requirements.” 18 19 19 20 “[SONOMA DOES] Not Have Adequate Support for Sonoma of the Individuals and Many of the Criteria They Entered into CalGang” The process is started by a communication from an end user to the administrator requesting the gang be created. That communication can be a standard form, an email, a phone call or face-to-face, as often occurs in training classes when we bring new agencies onto CalGang®.  That gang can only be entered into CalGang® by the administrator. The name, title, agency, contact information of the requestor is noted and is available for follow up contact if necessary in CalGang®. If there is a paper copy of the request, it historically has not been retained, as all that information is included in the digital record.  Since this was discussed during the audit, those written requests are being electronically attached to the Gang record, thus preserving the request.  The status of that gang is then monitored at least three times a year by the administrator to make sure the end user agency populates the gang with members. If this population doesn’t occur, the gang is purged.  As a gang is not an individual it has no privacy rights. The individual’s connection to the gang is fully documented. C8: A fundamental flaw in the report is the inaccurate use of the term “support,” instead of “supporting documentation,” e.g. the report reads that data entries lacked support, instead of data entries lacked supporting documentation. This improper terminology leads to a series of assumptions that data entries were unsupported or inaccurate simply because no documentation was available at the time of the audit to prove the entry criteria. R8: 20   While this may be a legitimate point to encourage better documentation procedures (where practical and feasible), the mere lack of documentation (which the report explains by virtue of current processes) does not necessarily mean that the entries were, in fact, materially unsupported or inaccurate. The report includes numerous conclusions that “inaccurate criteria entries” existed, which resulted in a finding that “Sonoma is tracking people in CalGang who do not appear to justifiably belong in the system.” This is not the case. C9: The auditors were offered a stand-alone, fully functioning laptop version of CalGang® to audit. Instead they chose to look at the raw data in the database. This caused numerous conflicts since the auditors “version” was incomplete. 21 SCSO – Attachment A Page 4 99 California State Auditor Report 2015-130 August 2016 This was communicated to the auditor and they believed they at one point had remedied the issue; however our CalGang® version still did not reconcile with the auditors view. We were not consulted after that. R9:  The report states only 40% of records were in compliance. In actuality, only 40% were reviewed, and all of those were in compliance. The balance were never reviewed because the auditor did not correctly reconcile their version. 22 C10: The auditor seems to accept our end users expert opinion(s) that certain tattoos are gang related and specific locations are gang areas, but we continue to disagree on what crimes are “gang related.” R10:  “CalGang Records Section [REDACTED] [SONOMA HAS] Not Established Necessary Processes for Reviewing and Purging Records” SCSO – Attachment A We contend that crimes are gang related if they are in support of, for the benefit of, or in association with a criminal street gang or its members. The auditor insists that only the crimes in penal code section 186.22(e) are gang related.  We hold that for intelligence purposes, beyond a subjective reasonable suspicion many crimes can be gang related, based on the support of, benefit, or association with doctrine.  Conversely, the crimes enumerated in 186.22(e) might NOT be gang related.  We believe each incident is viewed in the totality of the circumstances based on the 28CFR23 subjective reasonable suspicion standard. 23 23 23 C11: The auditor notes that some of the aspects of the November 2007 version of the Model Standard and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities, specifically expanded review of data entry, is not incorporated into Sonoma County and CalGang® policy. This is specifically addressed earlier in this response paper. R11:  The Sonoma County Sheriff’s Office believes that the current level of CalGang® oversight, which was originally recommended by the Senior Assistant Attorney General assigned to CalGang®, remains appropriate, in fact it is above and beyond what is employed in other Criminal Intelligence Systems we are familiar with. It is proactive, forward looking, and holds end users accountable. It also, as much as is possible within the confines of 28CFR23, is transparent via the CalGang® Executive Board which has for decades met publicly. Page 5 1 7 2 100 California State Auditor Report 2015-130 August 2016 1 24 “[SONOMA] Lacks Processes to Ensure They Share CalGang Information Properly and Limit CalGang Access as CalGang Policy Requires”  CalGang® does not violate individual privacy rights; in fact, it protects those rights by operating strictly within the confines of 28CFR23.  Records are purged automatically when they have not been substantially updated within the five year statutory requirement. The Sonoma County Sheriff’s Office responds generally, that end users are trained that releases of criminal intelligence information is only to Law Enforcement Personnel with a specific right and need to know. Military recruiters and any other potential employers are specifically discussed and are examples of those who may not receive CalGang® criminal intelligence information, as are Attorneys (both prosecuting and defense, see Brady v Maryland, 373 US 83(1963) and generally any member of the public. 25 Additionally, end users must affirmatively acknowledge these caveats EVERY TIME they log into CalGang®, please refer to the attached document, “EndUserPerso.pdf” 26 C12: The auditor suggests that staff was not truthful when identifying external requests. R12:  26  25 27 “[SONOMA] Cannot Demonstrate They Follow CalGang Training Policy or Best Practices.” SCSO – Attachment A Our Sonoma County Sheriff’s Office policy is attached as criminalstreet-gang.pdf and the Sonoma County Chiefs’ Association policy CRIMINAL STREET GANG INTELLIGENCE FILES is attached. 92-2.pdf C13: The auditor alleges that our Training curriculum is not approved by the Committee and/or Board. R13:   27 The Sonoma County Sheriff’s Office does track Public Records Acts requests and Discovery requests. Those records are maintained in our Central Information Bureau. End user auditing is maintained within the CalGang® application. Our administrator did not receive any other external requests for CalGang® information during the time frame specified. All requests were made directly into the CalGang® system and are tracked there in the systems extensive audit trail. Our training curriculum was originally developed 20 years ago in a collaboration between our node administrator and another qualified node administrator and used by all trainers state-wide and presented as a model for our interstate and federal partners. It has always been certified by the California Commission on Peace Officers Standards and Training (POST) and the California Board of Page 6 101 California State Auditor Report 2015-130 August 2016 State Community Corrections, Division of Standards and Training for Corrections (STC). SCSO – Attachment A  Every end user has attended that Committee developed training.  We discussed the perceived discrepancy between CalGang® policy and actual practice as it refers to our Committee developed, state certified, Train the Trainer course.  20 years ago, our committee developed a state certified training course that was 24 hours (three full days.) This was in an era that end users needed to be trained in the basic use of a computer. Currently, computer usage and familiarity is commonplace and instruction in such basics is unwarranted.  Since then, the Committee agreed that this could be shortened to 16 hours. The Committee developed a Train the Trainer class as an eight hour POST and STC certified course.  One of the pre-requisites for the Train the Trainer class is the attendance of the FULL end user class, which was originally 24 hours, and later shortened to 16 hours.  The intent of the policy is that a node administrator/trainer originally trained the Train the Trainer student in the FULL class. The policy said a full class was 24 hours and was not corrected to 16 hours. This is a simple oversight and policy has since been corrected to reflect FULL end user class.  This was explained to the auditors but not conveyed in their findings. Page 7 27 27 27 102 California State Auditor Report 2015-130 August 2016 Blank page inserted for reproduction purposes only. California State Auditor Report 2015-130 August 2016 Comments CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM THE SONOMA COUNTY SHERIFF’S OFFICE To provide clarity and perspective, we are commenting on the response that the Sonoma County Sheriff ’s Office (Sonoma) provided to our audit. The numbers below correspond to the numbers we have placed in the margin of Sonoma’s response. Sonoma states that the audit did not unearth any actual privacy violations it had committed. An actual violation of privacy is a question for a court of law to decide and not one that this audit was designed to answer. What the audit did reveal is that Sonoma’s process for adding information to CalGang does not comply with standards designed to protect individuals’ right to privacy. Further, as Table 7 on page 32 shows, we reviewed 25 individuals associated with Sonoma and found that seven did not have adequate support for their inclusion in CalGang. As we state on page 31, when law enforcement agencies cannot provide adequate support for the inclusion of individuals in CalGang, documenting those individuals’ whereabouts, appearance, and associates in a shared database could constitute or lead to a violation of their privacy or other constitutional rights. 1 Sonoma’s use of the term “statutory guidelines” is misleading in that neither CalGang, nor its applicable guidelines, are contained in statute. Rather, CalGang’s governance bodies voluntarily adopted certain federal and state criminal intelligence guidelines. Sonoma is mistaken in its belief that it meets or exceeds these guidelines for administering a criminal intelligence system. For example, as stated on page 30, Sonoma could not demonstrate that it established reasonable suspicion for four gangs it entered into CalGang. Further, on page 32, Table 7 summarizes the number of individuals and criteria for which Sonoma could not provide adequate support. Finally, as we describe on pages 37 through 40, Sonoma lacks necessary processes for reviewing CalGang entries for accuracy and relevance. 2 On page 38 we describe that the node administrator agencies audit at the committee’s direction and conclude that the committee’s audit approach is weak and does not ensure that CalGang contains only valid, accurate information. Of specific concern was that the node administrator agencies audit their own records and only orally report the results. On page 25 we describe how one sergeant at Sonoma acts as a committee member, the Sonoma node administrator, and as a CalGang user. He asserted to us that he enters at least 95 percent of CalGang records for Sonoma. 3 103 104 California State Auditor Report 2015-130 August 2016 We conclude that playing multiple, conflicting roles highlights the current weaknesses in CalGang’s oversight framework of which the audits are a key part. 4 Sonoma points out that it was provided a redacted copy of the audit report containing only information about Sonoma and prohibited from discussing the report with outside parties including the board and the committee. Our enabling statutes require us to keep all substantive audit related information confidential while an audit is ongoing. To comply with the law, we did not share draft report text concerning other entities with Sonoma, just as we did not share text concerning Sonoma with the other entities that were also the subjects of the audit. We twice explained our confidentiality requirements and protocols to Sonoma; once at the beginning of the audit and again at the end. Moreover, we briefed pertinent Sonoma staff repeatedly about our preliminary conclusions before we drafted the report. We are confident that Sonoma was aware of all the issues related to it that this audit report contains. 5 Sonoma is confusing law enforcement reviews of source information, such as arrest reports or other field observations, with the scrutiny needed to add information to CalGang. As we state on page 35, we did not question the field observations of law enforcement officers; rather, we questioned the accuracy of the corresponding entries in CalGang. As stated on page 25, by his own admission, Sonoma’s node administrator enters at least 95 percent of CalGang entries for Sonoma. No other person reviews these entries and we found that 48 of the 119 criteria we reviewed (40 percent) were not supported by source information as shown in Table 7 on page 32. In some instances, Sonoma could not locate the corresponding source information but in many other instances we located the source information and it did not match the entry included in CalGang, which is something a supervisory or quality control review would ostensibly catch—if Sonoma actually had these processes in place. 6 For nearly nine years since it published its September 2007 policies and procedures manual, the California Gang Node Advisory Committee’s (committee) manual indicated that CalGang will comply with the California Attorney General’s intelligence file guidelines—guidelines that were updated in November 2007 and have remained unchanged. At no time has the committee clarified that it was only the former Attorney General guidelines to which the committee’s policies and procedures were referring. Only until this audit began to question why CalGang users were not complying with—and in some cases not even aware of—the Attorney General guidelines, did committee members such as Sonoma begin saying that it was only the former guidelines to which the committee had agreed to follow. This revisionist view neglects the plain language California State Auditor Report 2015-130 August 2016 of the committee’s policies and procedures, which offers no caveat as to a particular version of the guidelines it indicates CalGang will follow. Sonoma is mischaracterizing board meetings as public. As we state on page 24 neither the board nor the committee meet in public; they do not post public notice of their meetings, post agendas and minutes, or accept public testimony. All of these actions are accepted as standard for public meetings government and quasi‑government bodies hold. For Sonoma to maintain that these meetings are “public”, despite the board not having any processes to make them truly public, is further evidence to us that the statutory changes we recommend are greatly needed. 7 The length of time to complete this audit was entirely sufficient for us to understand CalGang and all related requirements. The State Auditor’s Office has extensive experience reviewing the reliability of all types of databases and examining the support for all types of assertions, including those made by law enforcement agencies. 8 The audit’s recommendations are grounded in the evidence we collected and examined over the course of the audit. That evidence clearly undermines Sonoma’s continued belief that its administration of CalGang is not deficient in any manner—despite having the highest deficiency rate of any of the four agencies we reviewed, as evidenced by Table 7 on page 32. 9 Given the emphasis Sonoma places on the value of CalGang to protect its citizens, we find it disconcerting that Sonoma will only use the system if it can continue to do so in its present manner, an approach that our audit report demonstrates puts at risk individuals’ rights to privacy and which is not in accordance with safeguards necessary for a criminal intelligence system. 10 As indicated in Note 5, 40 percent of the Sonoma-related criteria entries we reviewed were not adequately supported by appropriate source information. Our recommendations are designed to reduce this deficiency rate and thereby help CalGang be a reliable tool that law enforcement can use to fight gang crime. If Sonoma cannot accept a fair and honest critique of its current processes, and even attempt to improve its procedures without threatening to walk away from CalGang altogether, then Sonoma may not be suited to be a CalGang node administrator. 11 The audit’s title is derived from the conclusions we drew from the evidence we collected and examined over the course of the audit. We believe the title aptly summarizes the audit conclusions and that those conclusions are soundly supported by audit evidence. 12 105 106 California State Auditor Report 2015-130 August 2016 13 Sonoma has failed to understand the issue at hand. On page 25 we describe a lack of accountability and oversight because too few people play too many roles. We use Sonoma’s one sergeant who acts as a committee member, the node administrator and as a CalGang user to make our point. As stated on this same page, he asserted to us that he enters at least 95 percent of CalGang records for Sonoma and then he audits his own work as node administrator. We conclude that playing multiple, conflicting roles highlights the current weaknesses in CalGang’s oversight framework. 14 We typically do not disclose the names of individuals in our published audit reports. We discussed the account in question with Sonoma staff during our fieldwork and have provided the account user’s information to Sonoma. 15 As we discussed on page 27, Sonoma has not documented its policy or procedure for modifying or removing CalGang user access rights. In addition, we identified an active user account for an individual that no longer worked for Sonoma. 16 As discussed on page 27, Sonoma’s agreement with its service provider does not specify how quickly the CalGang information would need to be restored in order to minimize the impact of an interruption, as industry best practices indicate. Although Sonoma’s assertion that it is implementing a plan to restore the system within 90 days is encouraging, it is important that Sonoma and its service provider formally agree on this time frame to ensure that the service provider is able to meet Sonoma’s needs. 17 Sonoma has mischaracterized the 2006 letter from the Institute for Intergovernmental Research (institute), which predates CalGang’s current policy and, thus, is no longer relevant to CalGang. We introduce the institute on page 31 as the criminal intelligence training vendor with which the federal government contracts. The letter the institute issued to Sonoma opines on CalGang’s policy; it concludes that the policies and procedures are in compliance with federal regulations. However, the institute’s opinion is not relevant presently because the committee updated the policy in 2007, after the institute issued its opinion. 18 Based on Sonoma’s comment, we conclude that it did not understand the report text. To avoid any further misunderstanding we expanded the text on page 30 and removed the footnote. The word ‘currently’ is italicized in that text as a way to stress that in our subsequent review the gangs we initially reviewed met the CalGang criteria as a gang. We thought it was important to draw a distinction between the past and the present so that our stakeholders do not conclude that the gangs we reviewed do not presently meet the CalGang criteria. The fact that these groups California State Auditor Report 2015-130 August 2016 presently meet gang criteria does not mean that law enforcement agencies were justified in not maintaining support for why these groups were originally added to CalGang. Sonoma fails to understand that law enforcement agencies must be prepared to demonstrate that a group meets gang criteria before it can be entered into CalGang. In Figure 3 on page 29 we depict the process that must be followed to add a gang to CalGang. Federal requirements state that reasonable suspicion must be established and CalGang policy requires, among other items, that the group must have three or more members. Sonoma is further mistaken that the monitoring it mentions are an effective tool to identify gangs that do not meet CalGang criteria. We describe the weaknesses in the committee’s audit process on pages 30 through 31 and 38 through 39. 19 Sonoma is failing to hear and adjust its understanding to the plain language of our audit report. Criteria entries from Sonoma did not just lack supporting documentation; many of its criteria entries in CalGang inaccurately reflected the documentation that should have supported the entry. On page 33 we provided an example of a supposed gang member that, according to a Sonoma CalGang entry, admitted to being a gang member during a custody classification interview at a county jail. We obtained the written record of this interview and found that he said he was not a gang member and desired to not be housed with the gang to which he was later connected in CalGang. We found similar problems with another individual in our Sonoma selection and brought this to the attention of the node administrator. He agreed that in three separate instances the admission referenced in CalGang was not documented in the relevant reports and he purged these criteria entries from CalGang. Because we provided information on all deficiencies we found to Sonoma, we do not understand why Sonoma would continue to misunderstand what we are clearly communicating. 20 Although we appreciated Sonoma’s offer of a laptop version of CalGang, obtaining raw data from CalGang allowed us to conduct electronic analyses that would have otherwise been impossible using a laptop version of CalGang. We obtained all CalGang data to which we had legal access and that was necessary to conduct our electronic analyses. We did not obtain certain documents available in CalGang, such as photos and reports, because these items typically make electronic files prohibitively large and because we knew these items could be obtained from the law enforcement agencies as needed. The only “conflicts” that occurred were when we could not verify from the source documents we obtained that CalGang criteria entries were supported. In these instances, we asked the law enforcement agency or the applicable node administrator for additional documentation or perspective. 21 107 108 California State Auditor Report 2015-130 August 2016 22 This response has no clear relationship to the redacted draft report we provided to Sonoma. As we show in Table 7 on page 32, we found that 48 of the 119 criteria we reviewed (40 percent) for Sonoma did not have adequate support. In roughly half of these instances, the deficiency we found was that Sonoma could not provide the supporting document. For the remainder, we located the document but the information contained therein was not supportive of the conclusion indicated in the CalGang criteria entry. 23 As we describe on page 34, we used Penal Code 186.22(e) as a benchmark for whether offenses were consistent with gang activity because no other standard is offered in the committee’s policies and procedures. Throughout its response, Sonoma continues to add the term “subjective” to any description of the reasonable suspicion standard described in federal regulations. By doing so, Sonoma reveals its predisposition to reject any objective standard for which offenses would actually be consistent with gang activity. Sonoma provides an alternative definition in its response but, in practice, does not attempt to prove that the offenses for which it entered criteria into CalGang were indicative of gang activity. Sonoma used offenses such as resisting arrest and violating probation to justify including individuals in CalGang but did nothing to prove that such offenses were in support of a gang or its members, unless by “members” Sonoma is arguing that the offenders were in support of themselves. If so, then Sonoma presupposes that these individuals are gang members and therefore any offense they commit is in support of that gang. 24 As we state on pages 40 through 41 we identified three separate weaknesses with CalGang’s purge function including over 250 records that were not scheduled to purge from CalGang for more than 100 years. 25 The attachments referred to in Sonoma’s response are available upon request. 26 Sonoma has mischaracterized the audit report and is further demonstrating its misunderstanding of CalGang policy. On page 42 we state that Sonoma has no processes in place to capture requests it receives for CalGang records that are internal to its organization or from other law enforcement agencies. Sonoma’s comment suggests that we consider staff to be untruthful when in reality our audit standards require that we gather evidence to support our work. An individual’s assertion is a form of evidence, but considered less reliable than records or documents supporting an entity’s actions. On page 42 we describe that the state guidelines require Sonoma to have written policy regarding information sharing, but that Sonoma’s written policy lacks all of the necessary safeguards the CalGang policy specifies. California State Auditor Report 2015-130 August 2016 Sonoma is making statements that it could not support during the audit and thus, we dismissed as not relevant. The audit report concludes that Sonoma could not demonstrate that the committee approved the training materials that it follows. Sonoma was not able to provide evidence of the committee’s approval as we state on page 44; thus, we stand by our conclusion. The fact that POST and STC certified the training is irrelevant given that the CalGang policy states that the committee must approve the training and neither the committee nor Sonoma could evidence that approval. Moreover, Sonoma describes committee agreements that it could not evidence and which are in direct conflict with current CalGang policy. 27 109