ComputerCOP: Keylogging Spyware, Distributed By Police And Federal Agents With Your Tax Dollars

from the expose dept

The EFF has put together a rather astounding bit of investigative reporting, digging into a program called "ComputerCOP" that is apparently handed out (in locally branded versions) by various law enforcement agencies -- generally local police, but also the US Marshals -- claiming to be software to "protect your children" on the computer. What the EFF investigation actually found is that the software is little more than spyware with weak to non-existent security that likely makes kids and your computer a lot less safe. Aren't you glad your tax dollars are being spent on it?

The way ComputerCOP works is neither safe nor secure. It isn’t particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a “keylogger,” that could place a family’s personal information at extreme risk by transmitting what a user types over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.

Furthermore, by providing a free keylogging program—especially one that operates without even the most basic security safeguards—law enforcement agencies are passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers.

The software is ancient -- dating back about 15 years -- and it doesn't look like it's improved much over the years. Even the interface looks outdated. And it doesn't appear much actual thought has been put into the product and whether or not it does anything to actually keep people safe. Instead, from all appearances, it sounds like the organization behind it is just looking to figure out ways to get taxpayer money from law enforcement, promising "cybersecurity" when it's actually making things worse. The more innocuous, but still pointless part of the tool is the "search" feature:

The tool allows the user to review recent images and videos downloaded to the computer, but it will also scan the hard drive looking for documents containing phrases in ComputerCOP’s dictionary of thousand of keywords related to drugs, sex, gangs, and hate groups. While that feature may sound impressive, in practice the software is unreliable. On some computer systems, it produces a giant haystack of false positives, including flagging items as innocuous as raw computer code. On other systems, it will only produce a handful of results while typing keywords such as "drugs" into Finder or File Explorer will turn up a far larger number of hits. While the marketing materials claim that this software will allow you to view what web pages your child visits, that's only true if the child is using Internet Explorer or Safari. The image search will potentially turn up tens of thousands of hits because it can't distinguish between images children have downloaded and the huge collection of icons and images that are typically part of the software on your computer.

Sophisticated software, this is not.

Then there's the keylogger/spyware bit.

ComputerCOP’s KeyAlert keylogging program does require installation and, if the user isn’t careful, it will collect keystrokes from all users of the computer, not just children. When running on a Windows machine, the software stores full key logs unencrypted on the user’s hard drive. When running on a Mac, the software encrypts these key logs on the user's hard drive, but these can be decrypted with the underlying software's default password. On both Windows and Mac computers, parents can also set ComputerCOP up to email them whenever chosen keywords are typed. When that happens, the software transmits the key logs, unencrypted, to a third-party server, which then sends the email. KeyAlert is in included in the "deluxe," "premium," and "presentation" versions of the software.

The lack of encryption is somewhat astounding in this day and age:

Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one’s hard drive, but that’s exactly what ComputerCOP does by placing everything someone types in a folder. The email alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air.

Incredibly, when EFF approached the maker of ComputerCOP, the guy behind it, Stephen DelGiorno tried to deny any problems:

“ComputerCOP software doesn’t give sexual predator [sic] or identity thieves more access to children’s computers, as our .key logger [sic] works with the existing email and Internet access services that computer user has already engaged,” he wrote via email.

He further said that ComputerCOP would update the software's licensing agreement to say "that no personal information is obtained nor stored by ComputerCOP."

As the EFF notes, this is both unacceptable and "fairly nonsensical." EFF tested the software and found, of course, that it's quite easy to snatch passwords via the software.

The company appears to have some other difficulties with the truth as well:

In February, DelGiorno told EFF the keystroke-logging feature was a recent addition to the software and that most of the units he’s sold did not include the feature. That doesn’t seem to jibe with ComputerCOP’s online footprint. Archive.org’s WayBack Machine shows that keystroke capture was advertised on ComputerCOP.com as far back as 2001. Although some versions of ComputerCOP do not have the keylogger function, scores of press releases and regional news articles from across the country discuss the software’s ability to capture a child’s conversations.

Also, this:

In investigating ComputerCOP, we also discovered misleading marketing material, including a letter of endorsement purportedly from the U.S. Department of Treasury, which has now issued a fraud alert over the document. ComputerCOP further claims an apparently nonexistent endorsement by the American Civil Liberties Union and an expired endorsement from the National Center for Missing and Exploited Children.

You can see the Treasury Department fraud alert here, in which it states: "A falsified letter from the Treasury Executive Office for Asset Forfeiture is being circulated indicating that the Treasury approves or endorses this product: it does not." It also includes a link to a sample letter, which uses multiple fonts (which is common among faked letters). In fact, EFF got DelGiorno to admit to changing an original letter, saying he "recreated the letterhead to make it more presentable" and highlighted certain text. He claims that there was an original letter from 2001 (the date on the letter getting passed around has the date removed), but the Treasury Department has issued the fraud report and says it's unable to find the original document that ComputerCOP claims was sent.

There are some other dubious issues related to the software and getting police departments to buy it (often with federal grants). Here's one example from the county where I grew up:

Since 2007, Suffolk County Sheriff Vincent DeMarco’s office in New York, where ComputerCOP is based, has bought 43,000 copies of the software—a fact trumpeted in DeMarco’s reelection campaign materials. ComputerCOP’s parent company directly donated to DeMarco’s campaign at least nine times over the same period.

As EFF notes, ComputerCOP specifically promotes the tool as an "election and fundraising tool" telling politicians and law enforcement folks that handing it out will make them look good and even sending out camera crews "to record an introduction video with the head of the department."

The whole thing is incredibly sketchy. It's fairly ridiculous that at the same time that law enforcement folks are ridiculously claiming that encryption "harms" children, so many are actively out there spending taxpayer money on, and then distributing, an app that actively puts children (and everyone else) at risk while pretending to be done in the name of safety.

If you happen to have a computer where ComputerCOP was installed, the EFF has handy details on removing it.

Filed Under: computercop, keylogging, police, spyware, stephen delgiorno
Companies: computercop