Bad software analysis causes release of 450 dangerous Calif. inmates
For once, a huge, dangerous data breach isn't IT's fault
For once there has been a major security breach not directly attributable to weak network security or nonexistent data-loss protection – the kind of IT-related security breach that won't necessarily get some digital-security geek fired.
The bad news is that it might get some programmers or project-managers fired, or get other people killed.
Due to an error in the way it analyzes prisoner records, a program used by the California Bureau of Prisons made recommendations that led to the release of 450 felons whose records indicate a "high risk of violence."
Another 1,000 prisoners listed as highly likely to commit drug crimes, property crimes or other offenses were also released as part of a court-ordered program to reduce the 143,335-prisoner population of California's overcrowded prisons by about 33,000.
The release program, running since January 2010, relied on software that examined prisoners' arrest records, but not previous convictions or in-prison disciplinary actions, which prosecutors told the Los Angeles Times paint a far clearer picture of an inmate's proclivity for violence.
The application evaluates information in a database of 16.4 million arrests statewide, but had no access to data that would have given better indications of a prisoner's risk of committing further violence.
Its access to California juvenile-criminal records was spotty, the Inspector General's (IG) report concluded, so often only a prisoner's adult record was considered.
It also lacked access to in-prison disciplinary records – which often identify gang affiliations and the likelihood a prisoner will become violent without being arrested.
Worst, the application had to use as its primary data source California's Automated Criminal History System (ACHS), which contains data on more than 16.4 million arrests, but is missing data on convictions for half those records, making it difficult to weight each incident accurately as an indicator for future violence, the IG's office concluded.
"Despite these significant shortcomings in the ACHS database, [California Department of Corrections and Rehabilitation] had no choice but to use that database, however inadequate, as the best available source of data," the IG's report concluded.
Even estimates of the number of potentially violent felons released are imprecise.
The Bureau of Prisons discovered the errors only after State Sen. Ted Lieu (D-Torrance), a former prosecutor turned legislator, asked for a review of the program.
Using humans rather than software to review a sample of 200 files from the pile of 10,134 released, prison officials found 31 who should not have been considered for release – an error rate of 15 percent.
Procedures require records to be reviewed by prison officials, but the state inspector general's report didn't say whether any potentially violent felons were refused release due to that review.
It also didn't say why the records-analysis application was unable to access conviction data.
By changing the application's criteria, the bureau was able to get the error rate down to 8 percent, but is not able to re-arrest those already released.
The program gave prisoners non-revocable, unsupervised parole – meaning they're free to do as they please without reporting to a parole officer or undergoing any other supervision. They can be sent back to prison for violating parole only if they're arrested for other reasons.
Even those legitimately listed as low risks for violence may not live up to expectations based on a profile.
In July 2010, a former prisoner named Javier Joseph Rueda, whose record shows he did fit criteria for release, was shot to death after firing on two Los Angeles police officers, wounding one in the arm.