Spyware distributed by US police to parents so they can check their precious little snowflakes aren't getting up to no good online is worse than useless, according to a new report by the Electronic Frontier Foundation (EFF).
The Windows and OS X software, dubbed ComputerCOP, has been purchased by 245 or so police departments in 35 US states. It is usually handed out for free to parents. The software, once installed on a PC, searches for suspicious activity in chat logs and other documents, and also installs a keystroke logger.
It is claimed that the logger sends supposed evidence of juvenile malfeasance to a remote server, unencrypted. This, if true, is bad news if the youngster is entering his or her password and other sensitive info.
"Law enforcement agencies have purchased a poor product, slapped their trusted emblems on it, and passed it on to everyday people. It's time for those law enforcement agencies to take away ComputerCOP's badge," said the EFF report's author Dave Maass.
On the most basic settings, ComputerCOP scans a computer's hard drive, and looks for keywords related to sex, drugs and violence in files. The EFF investigation showed it can return huge volumes of false positives, and only supports cached web pages created by Internet Explorer and Safari.
The deluxe version includes a key-logger, which – we're told – will ping a third-party server to email an alert to concerned parents if some keywords are typed on the PC. Unfortunately, on Windows systems, this information is put onto the wire unencrypted, and on Apple Macs it uses a known key for encryption. The EFF team claims it had no problems collecting typed-in passwords using standard packet-sniffing tools.
So, how safe do you feel?
The software boasts it has received the approval of the American Civil Liberties Union (ACLU) – although the civil rights body denies giving any such endorsement – and the National Center for Missing and Exploited Children, which said it gave the software one year's endorsement back in 1998 but not since.
The software's manufacturers also claim the program has been endorsed by the US Treasury Executive Office, which apparently called it an "effective law enforcement aid" and a "valid crime prevention tool." After the EFF drew up its report, the Treasury Department's Inspector General issued a fraud alert [PDF] over a fake letter in which this aforementioned praise was made: the Treasury has made clear it did not write and distribute that note.
ComputerCOP is actually an ancient piece of software, we're told, and was first marketed back in the late 1990s as "Bo Dietl's One Tough ComputerCOP," named after the New York policeman whose autobiography was turned into the film One Tough Cop.
It's sold to police forces across the country in lots of 1,000 CDs at a time at an unspecified price – it's impossible to check as the firm's online marketplace is borked. Since 2007, Suffolk County Sheriff Vincent DeMarco has bought 43,000 copies of the software and distributed it to his constituents. Totally coincidentally, the firm selling it has contributed nine times to his reelection campaign.
Many of the purchases are funded by special grants to fight computer crime, but the EFF found that large numbers of copies have been purchased with funds seized under civil forfeiture laws. These statutes allow police to seize any property found that they believe may be the proceeds of crime and spend it on their own budgets, regardless of any actual criminal convictions.
"We estimate somewhere between a few hundred thousand and more than a million copies of ComputerCOP have been purchased by law enforcement agencies across the United States, but it's difficult to say how many individual people have been exposed by the software's vulnerabilities," the report concludes.
"ComputerCOP was so unwieldy to use that it's possible that very few people actually use it. But even if it's a pointless giveaway from the police, it's still being purchased with our tax dollars."
Stephen DelGiorno, chief exec of ComputerCOP, told the EFF his biz will update the software's user license to say "no personal information is obtained nor stored by ComputerCOP." The website for the spyware insists the "forensic software continues to provide law enforcement agencies with a powerful yet easy to use tools designed to aid in the thorough retrieval of electronic evidence." ®