recommended reading

Police Around the Country Are Distributing Software That Makes It Easier to Hack Your Computer

scyther5/Shutterstock.com

ComputerCOP's makers have long promised their program will protect children from online predators, and that promise has been enough to persuade local police forces nationwide to hand it out free to concerned parents.

But according to a new report from an Internet freedom group, the police have been had—and the parents using the program are actually putting their families' privacy at risk.

The report, published by the Electronic Frontier Foundation, found no evidence that the program is keeping kids safe. Instead, the report says, it serves as de facto spyware that takes private computer data and puts it online with woefully inadequate protections.

"I have not found a single example of where this program has helped," report author Dave Maass told National Journal, noting he had searched online press archives and spoken to several local law-enforcement agencies in order to determine the merits of ComputerCOP. "No one has made that claim."

Hundreds of thousands of copies of ComputerCOP have been given out to families around the county, as about 245 law-enforcement agencies in more than 35 states, in addition to the U.S. Marshals, have used public funds to buy and distribute the software. But Maass said he found only one claim that the program was working as intended, in a 2012 story from Jackson County, Mo. A follow-up inquiry to that county's police department clarified there was not enough evidence to merit a criminal investigation, Maass said.

ComputerCOP, which has been in use since the late 1990s, stores full key logs of a user's computer, but those logs are not protected by now-common encryption measures when used on a Windows computer. The program also allows parents to set up email alerts whenever certain keywords are typed on a computer, such as "pornography." But those email alerts, which contain full key logs, are also unprotected because they are sent via an unencrypted third-party server.

The widespread use of a key-logging program is "problematic on multiple levels," according to Maass, because it is a common tool exploited by "spies, malicious hackers, and (occasionally) nosy employers." By not distinguishing adult users from child users, ComputerCOP gives "recipients the tools to spy on other adults who use a shared computer, such as spouses, roommates and coworkers."

In an emailed statement, ComputerCOP CEO Stephen DelGiorno said his software's keystroke logging must be separately installed and noted it is not the main feature of the application.

"Previous to the installation, a window is displayed advising the user that the feature must only be used to monitor the activity of minor children, and that it is unlawful to be used on computers operated by adults without their knowledge and consent," DelGiorno wrote. "The user must agree to the terms of use in order for the feature to install. The feature does not surreptitiously install. And it is not hidden."

DelGiorno added that his product only monitors "limited" keystrokes selected by a parent and a "small subset" of words in ComputerCOP's keyword library, such as "meet me."

But the lack of encryption protection is particularly alarming, Maass writes:

Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one's hard drive, but that's exactly what ComputerCOP does by placing everything someone types in a folder. The email alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air.

In addition to the security programs, the report charges ComputerCOP with pushing misleading marketing materials. A 2011 document submitted to Texas's Harris County District Attorney's office states that the American Civil Liberties Union supported the software. But ACLU personnel contacted by Maass refuted the claim, saying, "Our position as an organization is not to endorse technology like this."

(Image via scyther5/Shutterstock.com)

Threatwatch Alert

Misplaced data

More Than 30 Million South Africans’ Personal Info Published to Public Internet

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov