Future Tense

Cops Have Been Unwittingly Giving Dangerous Spyware to Parents for Years

It’s hard to keep kids safe online, and parents have been grappling with this issue since the 1990s. In an attempt to help, local law enforcement has handed out hundreds of thousands of copies of software called ComputerCOP that’s supposed to help parents supervise their children’s Internet use. But a report from the Electronic Frontier Foundation on Wednesday reveals that ComputerCOP is actually dangerous spyware.

EFF explains that sheriffs, police officers, and district attorneys around the country hand out copies of ComputerCOP as a tool for protecting kids online. The software is purchased in bulk from a New York-based company using taxpayer dollars from federal grants or state funds. It’s presented as official and handed out in communities by presumably well-meaning law enforcement agents.

But ComputerCOP is essentially spyware. It’s primarily a keylogger that captures everything that’s typed on a computer running the software. But the keylogger doesn’t just check for problem words against some type of list stored locally—it sends everything everyone is typing on a family computer, unencrypted to third-party servers. EFF notes, “That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.”

The program also generally surveils the computers it runs on by sifting through everything on the hard drive in search of keywords relating to topics like drugs. EFF reports, though, that it is unreliable and sometimes brings up false positives. It will even pull out sections of raw code.

After the EFF report came out, ReadWrite talked to ComputerCOP about the allegations:

Stephen DelGiorno, the head of ComputerCOP operations, told ReadWrite that  ComputerCOP only captures 500 characters at a time when a trigger word is identified, and saves them on the computer’s local hard drive to be viewed by parents later. But even DelGiorno was unclear about how secure the data is.

“I’d have to ask the programmers, I’m not 100% sure,” DelGiorno said when asked whether or not key logs are encrypted on local hard drives. “I know you can’t find it, but I don’t want to say it’s encrypted at this point.”

ComputerCOP’s marketing claims that it is distributed by 245 agencies in 35 states plus by the U.S. Marshals. The irony is that as a keylogger, ComputerCOP is exactly the type of spyware that the Justice Department has been cracking down on because it can be used by stalkers and domestic abusers to surveil victims.

Meanwhile, proponents of ComputerCOP haven’t been reacting well to EFF’s report. For example, San Diego District Attorney Bonnie Dumanis, whose office used $25,000 from asset forfeiture funds to buy and distribute 5,000 copies of the software, issued a warning about ComputerCOP, but only advised people to turn off the keylogging feature.

Dumanis spokesman Steve Walker said in a statement to the U-T San Diego:

Our online security experts at the Computer and Technology Crime High-Tech Response Team continue to believe the benefits of this software in protecting children from predators and bullies online and providing parents with an effective oversight tool outweigh the limited security concerns about the product, which can be fixed.

In Limestone County, Alabama, Sheriff Mike Blakely was also frustrated by the EFF report. His office announced Tuesday (the day before the report came out) that it had purchased 1,000 copies of ComputerCOP using asset forfeiture funds. Limestone local news channel 48 WAFF reported, “Blakely referred to the EFF criticism politics as an ‘Ultra-liberal organization that is not in any way credible on this. They’re more interested in protecting predators and pedophiles than in protecting our children.’ ”

That last accusation in particular seems … unfounded. He also noted that, “We have had the key logger checked out with our IT people. They have run it on our computer system. … There is no malware.” But as TechDirt points out, “Dude. A keylogger is malware.” EFF notes that one especially dangerous aspect of ComputerCOP is that it’s not on anti-virus services’ malware lists (probably because it’s supposed to be legit), so if someone ran a malware scan on their computer—or if Limestone County’s IT people ran a malware scan—ComputerCOP wouldn’t be flagged as dangerous. In fact, it wouldn’t show up at all. That might be why Blakely is confused.

EFF notes that ComputerCOP touts a lot of misleading endorsements “including a letter of endorsement purportedly from the U.S. Department of Treasury, which has now issued a fraud alert over the document.” And overall, EFF writes, “Law enforcement agencies have purchased a poor product, slapped their trusted emblems on it, and passed it on to everyday people. It’s time for those law enforcement agencies to take away ComputerCOP’s badge.”

It certainly seems like ComputerCOP as a reaction to the perils of the Internet is outdated and potentially even more dangerous than the threats parents would be trying to mitigate by installing it.

Top video was posted on YouTube by the Paulding, Georgia County Sheriff’s department in August 2011.