ComputerCOP is a program that purports to help parents protect their children when online, and has been handed out for free to parents by approximately 245 Sheriffs departments, Police offices, Marshalls Services, and other law enforcement agencies across 39 states the US (a full list of outlets is available here). Often bought in batches of 5,000, one police department handed out 43,000 copies of the software!
The problem is that ComputerCOP is neither safe nor secure, and according to a report by the Electronic Frontier Foundation (EFF), it contains keylogging software almost identical to StealthGenie, a commercial spyware tool that was only last week criminally indicted on wiretapping charges. EFF investigator Dave Maas notes that,
‘It’s certainly ironic that law enforcement agencies are going after spyware makers while also distributing software that could be used for the same purposes. Obviously there’s a difference in how these were marketed by the maker. But certainly law enforcement needs to train their magnifying glasses on their own operations.’
There are two main problems with the keylogger:
1. It is very insecure – keystrokes recorded by ComputerCOP (which can be every keystroke made) are stored on the computer, which in Windows is in an unencrypted plaintext file that can be read by anyone with access to the computer. The Mac version of ComputerCOP uses the open source keylogging program logKext, and while OSX encrypts the logfile by default, its default password is listed in logKext’s online documentation.
Furthermore, if a computer user types in any keyword set by the ‘parent’ (such as ‘sex’ or ‘drugs’, but it could just be ‘the’) an email is sent to the ‘parent’ containing the text surrounding that keyword. This email is sent in unencrypted plaintext through ComputerCOP’s servers, which would make it easy for a ComputerCOP employee or WiFi hacker to collect passwords, bank details, and other sensitive information about users of the software. As the EFF, who were able to capture (faked) passwords with worrying ease observe,
‘Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one’s hard drive, but that’s exactly what ComputerCOP does by placing everything someone types in a folder. The email alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air.’
2. It’s keylogging software for fricks sake! – although the program does feature a pop-up notice during installation warning users that misuse can breach local laws, the police are ‘passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers.’ There is no-way to restrict who uses ComputerCOP, or on who it is used, and as noted earlier, it functions more or less identically to the illegal StealthGenie software.
Users are provided the option of displaying a police siren icon on the computer screen to show that the software is running but are not required to do so, which making it easy to surreptitiously spy on any user of the computer. Also, because ComputerCOP is not listed by the major malware spyware databases, most virus programs will not flag up it up.
In addition to these major problems, ComputerCOP used deliberately underhanded marketing techniques, including falsely telling police departments that the software was endorsed by the American Civil Liberties Union, and providing a forged letter from the Treasury Department approving the use of asset forfeiture funds to purchase the software (the Treasury Department has now issued a fraud alert over the issue, although it did authorise a request for such funds when asked by one police department).
In fairness, the whole affair does not demonstrate malicious intent by the police, but shows what happens when misinformed (and misled) individuals with limited technical competence are given responsibility for such important issues.
Ars Technica contacted various police departments over their endorsement of ComputerCOP (and many of whom have spent a great deal of money on it), but none were available for comment, although,
‘The District Attorney for the County of San Diego—which spent $25,000 in asset forfeiture funds on 5,000 copies of ComputerCOP in 2012—issued an alert to users of ComputerCOP, citing “potential security issues,” and telling parents to turn ComputerCOP’s keylogging features off .’
County Sheriff Mike Blakely of Limestone, Alabama, has taken a more bullish stance however, calling the EFF an ‘ultra-liberal organization that is not in any way credible on this. They’re more interested in protecting predators and pedophiles than in protecting our children,. He also argues that ComputerCOP would have prevented the Columbine High School massacre,
‘As sheriff, I went down [to schools] and met with kids and I taught them about bicycle safety and not to talk to strangers… If you and I were married and had a 14-year-old daughter, then yeah I could check on who you’re talking to online and you could check who I’m talking to… if [ComputerCOP is] used properly, it’s something we whole-heartedly endorse… There are some parents out in Columbine Colorado, if they had this kind of software, things would have turned out differently’.
For parents who have installed ComputerCOP and are now worried about the software, the EFF has published a guide to removing it.