This article was originally published on eff.org on 1 October 2014.
For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online.
Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to families for free at schools, libraries, and community events, usually as a part of an “Internet Safety” outreach initiative. The packaging typically features the agency's official seal and the chief's portrait, with a signed message warning of the “dark and dangerous off-ramps” of the Internet.
As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies.
The way ComputerCOP works is neither safe nor secure. It isn't particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a “keylogger,” that could place a family's personal information at extreme risk by transmitting what a user types over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.
Furthermore, by providing a free keylogging program—especially one that operates without even the most basic security safeguards—law enforcement agencies are passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers.
EFF conducted a security review of ComputerCOP while also following the paper trail of public records to see how widely the software has spread. Based on ComputerCOP's own marketing information, we identified approximately 245 agencies in more than 35 states, plus the U.S. Marshals, that have used public funds (often the proceeds from property seized during criminal investigations) to purchase and distribute ComputerCOP. One sheriff's department even bought a copy for every family in its county.
In investigating ComputerCOP, we also discovered misleading marketing material, including a letter of endorsement purportedly from the U.S. Department of Treasury, which has now issued a fraud alert over the document. ComputerCOP further claims an apparently nonexistent endorsement by the American Civil Liberties Union and an expired endorsement from the National Center for Missing and Exploited Children.
Law enforcement agencies have purchased a poor product, slapped their trusted emblems on it, and passed it on to everyday people. It's time for those law enforcement agencies to take away ComputerCOP's badge.
Click here for a list of agencies that have distributed ComputerCOP.
Click here for a guide to removing ComputerCOP from your computer.
What is ComputerCOP?
In an era when hackers use botnets, zero day exploits, and sophisticated phishing to compromise billions of online accounts, ComputerCOP is a software relic that not only offers little protection, but may actually expose your child's (and potentially your) most sensitive information to danger.
ComputerCOP's interface is a throwback to an earlier, clunkier age of computing. Indeed, its origins trace back 15 years, when software companies began to target a new demographic: parents worried about their children's exposure to all manner of danger and inappropriate material on the Internet.
When ComputerCOP debuted in the late 1990s, its original title was “Bo Dietl's One Tough ComputerCOP,” which capitalized on the fame of celebrity New York detective, Bo Dietl, who had just had his career adapted into a major motion picture, “One Tough Cop,” starring Stephen Baldwin. At the time, the program could only perform basic forensic searches of hard drives, but in the early 2000s, Bo Dietl's toughness was dropped from the title and a keylogger was added to the “deluxe” version of the package.
EFF obtained copies of ComputerCOP and related materials from law enforcement agencies on the East Coast, West Coast, and in Texas. Each one was branded to the specific department, but the software package was otherwise the same, containing two main elements:
"Basic" Search Functions: ComputerCOP's search utility does not require installation and can run right off the CD-ROM. The tool allows the user to review recent images and videos downloaded to the computer, but it will also scan the hard drive looking for documents containing phrases in ComputerCOP's dictionary of thousand of keywords related to drugs, sex, gangs, and hate groups. While that feature may sound impressive, in practice the software is unreliable. On some computer systems, it produces a giant haystack of false positives, including flagging items as innocuous as raw computer code. On other systems, it will only produce a handful of results while typing keywords such as "drugs" into Finder or File Explorer will turn up a far larger number of hits. While the marketing materials claim that this software will allow you to view what web pages your child visits, that's only true if the child is using Internet Explorer or Safari. The image search will potentially turn up tens of thousands of hits because it can't distinguish between images children have downloaded and the huge collection of icons and images that are typically part of the software on your computer.
KeyAlert: ComputerCOP's KeyAlert keylogging program does require installation and, if the user isn't careful, it will collect keystrokes from all users of the computer, not just children. When running on a Windows machine, the software stores full key logs unencrypted on the user's hard drive. When running on a Mac, the software encrypts these key logs on the user's hard drive, but these can be decrypted with the underlying software's default password. On both Windows and Mac computers, parents can also set ComputerCOP up to email them whenever chosen keywords are typed. When that happens, the software transmits the key logs, unencrypted, to a third-party server, which then sends the email. KeyAlert is in included in the "deluxe," "premium," and "presentation" versions of the software.
The keylogger is problematic on multiple levels. In general, keyloggers are commonly a tool of spies, malicious hackers, and (occasionally) nosy employers. ComputerCOP does not have the ability to distinguish between children and adults, so law enforcement agencies that distribute the software are also giving recipients the tools to spy on other adults who use a shared computer, such as spouses, roommates, and coworkers. ComputerCOP addresses this issue with a pop-up warning that using it on non-consenting adults could run afoul of criminal laws, but that's about it.
The lack of encryption is even more troubling. Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one's hard drive, but that's exactly what ComputerCOP does by placing everything someone types in a folder. The email alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air.
The software does not appear in any of the major malware/spyware databases we tested, so it can't be detected with a normal virus scan.
Eight months ago, we contacted Stephen DelGiorno, the head of ComputerCOP operations, and informed him of these problems. He denied there was an issue.
“ComputerCOP software doesn't give sexual predator [sic] or identity thieves more access to children's computers, as our .key logger [sic] works with the existing email and Internet access services that computer user has already engaged,” he wrote via email.
He further said that ComputerCOP would update the software's licensing agreement to say "that no personal information is obtained nor stored by ComputerCOP."
These are unacceptable, and fairly nonsensical, answers from a company that claims to be a leader in child safety software. Even if the company isn't storing data, as it claims, information captured by the keylogger still passes through a commercial server when the target types a keyword. Further, the keylogger actually may undermine other services' security measures.
Some of the most common online services, such as Facebook, Twitter, and Gmail (as well as most financial sites), use HTTPS by default, automatically encrypting communications between users and those websites. In fact, one of the truly effective tools parents can use to protect their children is HTTPS Everywhere, an EFF plug-in that makes an Internet browser connect by default to secure versions of websites.
But HTTPS is rendered ineffective with ComputerCOP, because ComputerCOP captures text as it is being typed, before it has been encrypted. While HTTPS is protecting the users' connection to a website, ComputerCOP separately transmits that same communication unprotected whenever a keyword is triggered.
In EFF's testing, we were able to snatch passwords (faked ones, of course) with shocking ease.
Law Enforcement and ComputerCOP
“The ComputerCOP outreach program is the best way for Parents/Guardians to monitor their children's activity online and bring positive media attention to your Office,” DelGiorno writes in the first line of the form letter his company sends to law enforcement agencies.
ComputerCOP's business model works like this: the company contracts with police and district attorneys around the country, particularly ones that have federal grants or special funds to spend, such as asset forfeiture windfalls (police often describe this as money seized from drug dealers). Agencies then buy the software in bulk, usually between 1,000 and 5,000 at a time, and give it out for free in their communities. Agencies often tell the press that the software has a value of $40, even though they pay only a few bucks per copy and the software is not available through any major online store other than eBay (where surplus new copies are going for as little as $.99). Even ComputerCOP's online store is currently broken.
There is no official central repository for data about which agencies have purchased the software, how many copies they've distributed, or how much they have spent. Based on ComputerCOP's own online map of agencies, as well as online searches and public records requests, we have identified approximately 245 agencies in more than 35 states that purchased ComputerCOP. (After we began our investigation, ComputerCOP took the map offline, promising an updated one soon.)
In February, DelGiorno told EFF the keystroke-logging feature was a recent addition to the software and that most of the units he's sold did not include the feature. That doesn't seem to jibe with ComputerCOP's online footprint. Archive.org's WayBack Machine shows that keystroke capture was advertised on ComputerCOP.com as far back as 2001. Although some versions of ComputerCOP do not have the keylogger function, scores of press releases and regional news articles from across the country discuss the software's ability to capture a child's conversations.
Among the most notable in the last two years: the Maricopa County Attorney's Office in Arizona, the San Diego District Attorney's Office in California, the Jackson County Sheriff's Office in Missouri and the Bexar County District Attorney's Office in Texas each purchased 5,000 copies at a cost of $25,000 per agency. Bexar County even has an interactive map on its website showing the dozens of locations where ComputerCOP can be picked up for free.
Other agencies have purchased the software in even larger quantities. In 2008, the Highlands County Sheriff in Florida spent $42,000 to purchase 10,000 copies, or, as one newspaper put it, “enough computer disks for every parent of every school child in Highlands County.” The Alaska Department of Public Safety bought enough copies for it to be available at every "school, public library and police agency" in the state.
Since 2007, Suffolk County Sheriff Vincent DeMarco's office in New York, where ComputerCOP is based, has bought 43,000 copies of the software—a fact trumpeted in DeMarco's reelection campaign materials. ComputerCOP's parent company directly donated to DeMarco's campaign at least nine times over the same period.
Indeed, ComputerCOP markets itself as the “perfect election and fundraising tool.” As part of the package, when a law enforcement agency buys a certain amount of copies, ComputerCOP will send out a camera crew to record an introduction video with the head of the department. The discs are also customized to prominently feature the head of the agency, who can count on a solid round of local press coverage about the giveaway.
Delgiorno also said he would contact his accountant to get a list of which agencies purchased which version of ComputerCOP (i.e. the versions with the keylogger versus those without). Eight months later, we're still waiting.
Through a public records act request, EFF obtained a copy of the marketing materials submitted by ComputerCOP to the Harris County District Attorney's office in Texas, which purchased 5,000 copies in 2011. The documents reveal several dubious and outdated claims.
For one, ComputerCOP claims that it is endorsed by the American Civil Liberties Union (ACLU) and that it is the only software product supported by the National Center for Missing and Exploited Children (NCMEC).
When asked about the origin of the ACLU endorsement, DelGiorno told EFF that someone from the ACLU recommended the software in a Newsday article as the “most non-intrusive of the products as it did not filter web pages nor block user access to them.” EFF contacted Newsday, which was unable to locate any such article, as well several branches of the ACLU, all of which denied any such endorsement.
On the eve of publication of this report, DelGiorno told reporter Alice Brennan at Fusion that the endorsement came from Kary Moss, executive director of the ACLU of Michigan, citing a 2005 story in the Detroit Free Press. However, in the article, Moss is endorsing the idea that parents should take responsibility for monitoring their children as opposed to relying on the government to act as a babysitter.
“I can say unequivocally that it was not an endorsement of the product," ACLU of Michigan Deputy Director Rana Elmir told EFF. "Our position as an organization is not to endorse technology like this.”
NCMEC told EFF that in 1998 it did allow ComputerCOP to use its name for a one-year period, but has not had any contact with the company over the last 15 years. A NCMEC attorney said the organization was unaware that ComputerCOP was still advertising its imprimatur and that it would tell ComputerCOP to stop using it immediately.
In its promotional packet, ComputerCOP includes a letter from the Treasury Executive Office for Asset Forfeiture, in which the head of the division calls the software an “effective law enforcement aid” and a “valid crime prevention tool” that will “identify and locate perpetrators and possibly missing children.” The uncharacteristically positive nature of the letter caused EFF to examine it closer and, as it turns out, the document had been significantly altered.
In an email exchange, DelGiorno acknowledged that ComputerCOP had taken a prior letter from the Treasury Department, highlighted text and “recreated the letterhead to make more it presentable for other agencies to view.” In doing so, ComputerCOP removed the 2001 date stamp from the letter. As a result, law enforcement agencies were unaware that the letter was outdated by more than a decade and that the agency head who signed it had long left office.1
Through the Freedom of Information Act, EFF is seeking the unaltered letter, as well as any material ComputerCOP submitted to the Treasury Department. So far the agency has been unable to locate those file and ComputerCOP would not provide a copy of the original letter to EFF.
However, after we submitted the suspicious letter to the Treasury Department, the Treasury Department's Inspector General issued a fraud alert over ComputerCOP, including a copy of the letter with the words “Fraudulent Document” stamped on it in red.
We estimate somewhere between a few hundred thousand and more than a million copies of ComputerCOP have been purchased by law enforcement agencies across the United States, but it's difficult to say how many individual people have been exposed by the software's vulnerabilities.
In our tests, ComputerCOP was so unwieldy to use that it's possible that very few people actually use it. But even if it's a pointless giveaway from the police, it's still being purchased with our tax dollars. As law enforcement agencies around the country face budgetary shortfalls, spending $25,000 on an ineffective product is not only unwise, but fiscally irresponsible.
Law enforcement agencies should cease distributing copies immediately and tell parents not to use it. Any local media outlet that reported on ComputerCOP should consider alerting parents to its dangers. The Treasury Department should reexamine its approval of ComputerCOP as a permissible use of funds from the federal equitable sharing program.
There are certainly risks for kids on the Internet, and indeed for adults too. Let's not make it easier for villains with bogus safeguards.
EFF Staff Technologist Jeremy Gillula and Web Developer Bill Budington conducted the security analysis of this software.
Dubious "internet safety software" distributed by hundreds of police agencies in U.S.
This article was originally published on eff.org on 1 October 2014.