Thursday, April 05, 2012

More Kafka than Orwell: Police databases and negligent error

This morning, I read an excellent law-review article (no, not entirely an oxymoron) from Erin Murphy at NYU titled "Databases, Doctrine, and Constitutional Criminal Procedure," found via CrimProf Blog, related to a subject that comes up now and again on Grits: The way databases and their usually unintentional inaccuracies can create constitutional liberty violations for which the US Supreme Court in Herring v. United States (2009) ruled the exclusionary rule inapplicable. In Herring, the court held that "When police mistakes leading to an unlawful search are the result of isolated negligence attenuated from the search, rather than systemic error or reckless disregard of constitutional requirements, the exclusionary rule does not apply."

In that case, the defendant was arrested because of an error in a police database, and a search incident to arrest yielded drugs and a gun, which the Supreme Court said should not be excluded from evidence. Murphy's piece offers one of the best big-picture analyses on the implications of that decision vis a vis computer databases that this writer has seen, though it should be said the Texas Court of Criminal Appeals already had created the same exception to our statutory exclusionary rule years before. Anyway, suffice it to say the same issues arise in Texas state and federal law.

Murphy emphasizes a point I think very few people, even (perhaps especially) those working in the system, ever consider: Eighteenth-century constitutional restrictions in the Bill of Rights which are supposed to regulate modern police conduct were written decades before the first professional police department was ever created, even in London, much less the United States, and use of modern databases in law enforcement has transformed the profession in radical ways just since the turn of the 21st century. Here's a bit of a lengthy excerpt providing some of that little-discussed history:
The criminal justice system's reliance on databases is both old and new. As many know, the formal, organized, public police first emerged as a concept around 1829, when Robert Peel organized the London bobbies. The first detective unit in the United States was formed shortly after in 1846 in Boston, at a time when tracking down criminals largely remained a private sector gig. Dominated by companies such as the (in)famous Pinkertons, the unit's work consisted largely of pounding the pavement (and suspects). Indeed, many of the modern tools of detecting -- "[s]ophisticated criminal investigation techniques -- well-organized crime records systems, fingerprints, crime labs -- did not appear until the twentieth century." Even Alphonse Bertillon's pioneer anthropometrical system of identification in the late 1800s depended largely upon manual recording and comparison of measurements.

The first primitive databases emerged around the same time, at the turn of the century. For instance, as early as 1919, the California State Bureau of Identification introduced a punch-card system for storing and retrieving modus operandi information. But perhaps the watershed moment of government databasing occurred in the early 1930s, around the time that J. Edgar Hoover opened the Federal Bureau of Investigation's first criminal evidence laboratory, which included fingerprint processing capacities, hair, blood, and firearm analysis. As part of the new emphasis on forensic science, FBI implemented its first fingerprint database -- a card sorter that capitalized on the technology created to tabulate the census and that led to the formation of IBM.

Just a little over a decade later, the development of the mainframe computer in 1946 and the replacement of punch cards with magnetic tape significantly advanced databasing possibilities, but it remained a largely primitive technology. By as late as 1984, the federal fingerprint database -- the most advanced forensic database available -- still depended primarily on manual recording and retrieval. At best, it served as an efficient means of organizing cards for retrieval, rather than for generating leads or links. Linking two fingerprints required manual comparison of an unknown scene sample with, for instance, the 23 million criminal cards on file with the FBI.

The 1980s, however, initiated a period of rapid change. Personal computers became commonly available. Law enforcement began to recognize and harness the potential of electronic storage and retrieval. And then, remarkably, the Internet was born. Connectivity became possible in ways previously unimagined, and storage capacity reached new heights. The foundations for the modern criminal justice databases had been set.
The first truly modern, searchable databases, says Murphy, most prominently the one for fingerprints (AFIS), didn't appear till 1999, but they've quickly proliferated. These databases have transformed law enforcement, Murphy argues. Instead of developing suspicion, then using data held by law-enforcement to confirm, today suspicion is often developed based on the databases themselves, whether or not the information is accurate.

Why might that be a concern? Writes Murphy: "The true risk is a leaping-to-conclusions, or confirmation bias. It is the fear that the individual will be sucked into a morass of suspicion from which escape is arduous or impossible - Kafka's The Trial, not Orwell's Big Brother." You can't cross-examine a database and often the information they contain comes from many different, frequently untraceable sources that may not be correct or complete.

In Texas this is a particularly salient issue because many jurisdictions have a bad habit of reporting arrests to the statewide data system but fail to report the outcome of the cases. So if someone is arrested and charged with a crime but charges are later dismissed, the dismissal doesn't always make it into the system. The Governor's office recently threatened to withhold federal grant money from counties that don't quickly improve their data entry rates for dispositions in older cases.

The above history, writes Murphy, makes "two points abundantly clear: first, that there are an enormous number of databases in the criminal justice system, and second, that the database, as it exists today, has really only been around for ten or so years. Any person who has witnessed the past fifteen years of technological advancement knows, without reading a law review article, that online databases have transformed modern life. Yet surprisingly few changes have occurred in actual constitutional doctrine in response to widespread databasing."

Databases don't just record information, like putting it in a file drawer, but instead transform it, she argues:
the import and the impact of a database occurs less with regard to the moment of the information's acquisition than with all the moments that then may follow. Indeed, acquisition may not represent any kind of threat to individual liberty or privacy at all. Recall the criminal records database at issue in Reporters Committee [an early SCOTUS database-related case] - there, the Court acknowledged that the true significance of the database was not its contents, which were all technically a matter of public record, but the act of compiling and rendering that information accessible in a particular way.
For the most part, though, says Murphy, US courts have not applied or created constitutional doctrines to regulate law enforcement database use, but instead most cases focus on statutory interpretation in narrow, individual cases. Murphy argues that databases, by their nature, require structural instead of individualized, case-by-case oversight:
it is arguably impossible to regulate databases substantively -- to truly inquire whether a particular series of tests or entries or searches were accurate, fair, and correct. But it is much easier to impose procedural requirements upon databases -- to inquire into the existence and thoroughness of protocols for those processes and to presume inadequate or defective any database system maintained without them. Certain structural devices are demonstrably effective in minimizing mistakes, and with greater attention, others would be uncovered. A constitutional doctrine that looks for the signs of good management -- think scrutiny of policies for access controls, or regular audits, or blind tests -- is far more likely to improve database deployments in society than one that attempts to determine whether a database has failed or not in a case-specific context.
In her view:
regulation of databases requires constitutional criminal procedure to focus less upon deliberate or intentional abuses of power than upon unintentional omissions, or mere benign neglect. There is always the risk that a malfeasant actor will corrupt or exploit a database system, to be sure. But constitutional regulation of databases aimed at ferreting out intentional harms will be very thin indeed; it is far easier to do harm, and far greater harm can be done, through mere benign neglect of database systems than through intentional manipulation.

The split among the Justices in Herring starkly illustrates this distinction. The majority viewed the sole purpose of the exclusionary rule to be deterrence and concluded that applying the rule yielded little deterrent benefit with regard to a negligent recordkeeping error. In contrast, Justice Ginsburg in dissent argued that more than marginal deterrence was possible, in the specific context of database entry, even when the complained of error constituted mere negligence in care.
If the exclusionary rule won't apply to negligent database errors, then there needs to be some other deterrent. Historically, civil liability is the other, obvious legal recourse, but police officers are immune from liability for most negligent, on-the-job errors. Otherwise, the only other option (and an entirely unsatisfying one) is a special-interest-driven patchwork of database-by-database restrictions in statutes or agency rules created over time, which is precisely what we have now.

A more profound understanding of how databases are transforming law enforcement will inevitably require similarly transformative constitutional doctrines that the courts have so far refused to articulate, argues Murphy:
rather than follow an industrial age model reliant upon physical acquisition, constitutional doctrine would transition to an information age approach based on knowledge, creation, and dissemination. Such attentiveness would offer more effective safeguards around the creation and utilization of databases, and be responsive to concerns about insufficient auditing structures and function creep. Viewed as living, evolving organisms rather than as static repositories of discrete bits of information, the lawfulness and constitutionality of a database would more closely correspond to its actual use and deployment.
Grits wanted to raise these questions in some depth because, since federal and state courts have punted on the issues, governance of law-enforcement databases for the time being now falls almost exclusively to the states, or to the agencies operating the databases when the states eschew that responsibility. So it'd be appropriate, at this point, to see statutory regulation of law enforcement databases step up over the next few years to fill in the vacuum, probably driven both by episodic scandal and growing demands by the public for protection of electronic privacy. Murphy has performed a mitzvah by outlining the complexities of the problem and articulating underlying principles, if not specific details, for potential reforms.

RELATED: Database errors and the consequences of qualified immunity.


Anonymous said...

I have a case (in a neighboring state) where the police based their arrest on googling the defendant. I argue that unofficial databases/internet with no 'indicia of reliability' are not sufficient to create probable cause. We'll see if it becomes an appeal issue.

In my case, the police said "the internet" (they could not be more specific) indicated that client might be a felon -- and they had found a firearm in the car. They stated they chose *not* to use NCIC because it was "too much hassle."

In addition, the cops (who have recently gotten official iPads) are apparently using Google, Facebook, etc. to make decisions about who to stop, etc. For example, the extension of a traffic stop to ask about gang involvement because the guy had a photo on his Facebook page that "might have been him throwing gang signs."

This stuff is coming up fast, let's hope the courts will at least attempt to put a cork in it.

Lee said...

Since the exclusionary rule does not apply in instances of data entry errors, what then stops DPS from entering warrants into their database for anyone or everyone so they can claim a valid reason to stop and then claim later in court that it was a data entry error and the evidence should come in? Shouldn't the errors of DPS be used against them (exclude evidence at the very least and maybe lawsuit for false arrest) just as the mistakes of civilians are used against them?


Prison Doc said...

Definitely not a new problem. My nurse and her husband were pulled over for a minor traffic stop; he was arrested for an "open DWI warrant". Of course, that case was long closed after he'd paid a fine and spent 90 days in jail--nobody bothered to remove it from the database. Of course, no apology or compensation for the night in jail, etc.

But my main fear has long been employment difficulties caused for folks by erroneous "criminal background check" databases.

My only hope is that with more and more things being criminalized, more and more people will be affected by law enforcement excesses and cause a sea-change in our world of Kafka and Orwell.

rodsmith said...

well sounds to me like if they REFUSE to make sure their databases are up to date and correct and the courts refuse to hold them LIABLE when it happens.

Might be time for the public to say guess what. THEY ARE GONE!

Here's a pad and pencil. It's all you get till you can prove you can properly use anything more advanced.

Time to small their mainframes!

Bobby Mcintire said...

And yet the vast majority of time the official databases are used, they are used correctly and without flaws. Were the problems alluded to frequent and common, more reform would be needed but the courts recognize this infrequency of error (and act accordingly).

As far as the use of social media in law enforcement, why is the use of such so problematic as a tool to investigate? If someone wants to portray a thug on their Facebook page, making claims of criminal activity, showing gang signs, and presenting themselves as dangerous, that is their choice, not that of some LEO. Is it that different from wearing established gang attire, acting in a certain manner, and otherwise elevating community awareness of your criminal status in "real life", then finding you have generated enough reasonable suspicion for the police to investigate?