Policy —

ComputerCOP: the dubious “Internet Safety Software” given to US families

245 police agencies in 35-plus states distribute a security program that's not so secure.

ComputerCOP: the dubious “Internet Safety Software” given to US families
This post originally appeared on the Electronic Frontier Foundation's website. The author, Dave Maass, is a media relations coordinator and investigative researcher for EFF.

For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online.

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to parents for free at schools, libraries, and community events, usually as a part of an “Internet Safety” outreach initiative. (You can see the long list of ComputerCOP outlets here.) The packaging typically features the agency’s official seal and the chief’s portrait, with a signed message warning of the “dark and dangerous off-ramps” of the Internet.

As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies using shady information.

The way ComputerCOP works is neither safe nor secure. It isn’t particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a “keylogger,” that could place a family’s personal information at extreme risk by transmitting those keystoke logs over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.

Furthermore, by providing a free keylogging program—software that operates without even the most basic security safeguards—law enforcement agencies are passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers.

EFF conducted a security review of ComputerCOP while also following the paper trail of public records to see how widely the software has spread. Based on ComputerCOP’s own marketing information, we identified approximately 245 agencies in more than 35 states, plus the US Marshals, that have used public funds (often the proceeds from property seized during criminal investigations) to purchase and distribute ComputerCOP. One sheriff’s department even bought a copy for every family in its county.

In investigating ComputerCOP, we also discovered misleading marketing material, including a letter of endorsement purportedly from the US Department of Treasury, which has now issued a fraud alert in regards to the document. ComputerCOP further claims an apparently nonexistent endorsement by the American Civil Liberties Union (ACLU) and an expired endorsement from the National Center for Missing and Exploited Children (NCMEC).

Law enforcement agencies have purchased a poor product, slapped their trusted emblems on it, and passed it on to everyday people. It’s time for those law enforcement agencies to take away ComputerCOP’s badge.

Bo Dietl's One Tough Computer Cop
Enlarge / Bo Dietl's One Tough Computer Cop

What is ComputerCOP?

In an era where hackers use botnets, zero day exploits, and sophisticated phishing to compromise billions of online accounts, ComputerCOP is a software relic that not only offers little protection, but it may actually expose your child’s (and potentially your) most sensitive information to danger.

ComputerCOP’s interface is a throwback to an earlier, clunkier age of computing. Its origins trace back to the late 1990s, when software companies began to target a new demographic—parents worried about their children’s exposure to all manner of danger and inappropriate material on the Internet.

When ComputerCOP debuted in the late 1990s, its original title was “Bo Dietl’s One Tough ComputerCOP,” which capitalized on the fame of celebrity New York detective, Bo Dietl. He just had his career adapted into a major motion picture, One Tough Cop starring Stephen Baldwin. At the time, the program could only perform basic forensic searches of hard drives, but in the early 2000s, Dietl’s toughness was dropped from the title and a keylogger was added to the “deluxe” version of the package.

EFF obtained copies of ComputerCOP and related materials from law enforcement agencies on the East Coast, West Coast, and in Texas. Each one was branded to the specific department, but the underlying software package was otherwise the same. It containing two main elements:

ComputerCOP's image search turned up a haystack of 19,000 files.
Enlarge / ComputerCOP's image search turned up a haystack of 19,000 files.
Dave Maass, EFF

Standard Search Functions: ComputerCOP’s search utility does not require installation and can run right off the CD-ROM. The tool allows the user to review recent images and videos downloaded to the computer, but it will also scan the hard drive looking for documents containing phrases in ComputerCOP’s dictionary of thousands of keywords related to drugs, gangs, and hate groups. While that feature may sound impressive, in practice the software is unreliable. On some computer systems, it produces a giant haystack of false positives, including flagging items as innocuous as raw computer code. On other systems, it will only produce a handful of results, while typing keywords such as "drugs" into Finder or File Explorer will turn up a far larger number of hits.  While the marketing materials claim that this software will allow you to view what webpages your child visits, that's only true if the child is using Internet Explorer or Safari. The image search will potentially turn up tens of thousands of hits because it can't distinguish between images children have downloaded and the huge collection of icons and images that are typically part of the software on your computer.

Interface for installing ComputerCOP keylogger.
Enlarge / Interface for installing ComputerCOP keylogger.
Dave Maass, EFF

KeyAlert: ComputerCOP’s KeyAlert keylogging program does require installation and, if the user isn’t careful, it will collect keystrokes from all users of the computer, not just children. When running on a Windows machine, the software stores full key logs unencrypted on the user’s hard drive. When running on a Mac, the software encrypts these key logs on the user's hard drive, but these can be decrypted with the underlying software's default password. On both Windows and Mac computers, parents can also set ComputerCOP up to e-mail them whenever chosen keywords are typed. When that happens, the software transmits the key logs, unencrypted, to a third-party server, which then sends the e-mail. KeyAlert is in included in the "deluxe," "premium," and "presentation" versions of the software.

The keylogger is problematic on multiple levels. In general, keyloggers are most commonly a tool of spies, malicious hackers, and (occasionally) nosy employers. ComputerCOP does not have the ability to distinguish between children and adults, so law enforcement agencies that distribute the software are also giving recipients the tools to spy on other adults who use a shared computer, such as spouses, roommates, and coworkers. ComputerCOP addresses this issue with a pop-up warning that using it on non-consenting adults could run afoul of criminal laws, but that’s about it.

The lack of encryption is even more troubling. Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one’s hard drive, but that’s exactly what ComputerCOP does by placing everything someone types in a folder. The e-mail alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air.

Example of intercepted, unencrypted keylogs using Wireshark, a free packet sniffer.
Enlarge / Example of intercepted, unencrypted keylogs using Wireshark, a free packet sniffer.
Dave Maass, EFF

The software does not appear in any of the major malware/spyware databases we tested, so it can’t be detected with a normal virus scan.

Eight months ago, we contacted Stephen DelGiorno, the head of ComputerCOP operations, and informed him of the problem. He denied it was an issue.

“ComputerCOP software doesn’t give sexual predator [sic] or identity thieves more access to children’s computers, as our .key logger [sic] works with the existing e-mail and Internet access services that computer user has already engaged,” he wrote via e-mail.

That's an unacceptable, and fairly nonsensical, answer from a company that claims to be a leader in child safety software.

Some of the most common online services, such as Facebook, Twitter, and Gmail (as well as most financial sites) use HTTPS by default, automatically encrypting communications between users and those websites. In fact, one of the truly effective tools parents can use to protect their children is HTTPS Everywhere, an EFF plug-in that makes an Internet browser connect by default to secure versions of websites.

But that safety measure is rendered ineffective with ComputerCOP, because ComputerCOP captures text as it is being typed, before it has been encrypted. Then it stores that very same sensitive information. When a keyword is triggered, ComputerCOP passes this data along—again without encryption.

In EFF’s testing, security researchers were able to snatch passwords (faked ones, of course) with shocking ease.

Channel Ars Technica