The Dangerously Faulty Spyware Police Have Given America's Parents for 10 Years

Hundreds of law enforcement agencies around the United States have spent hundreds of thousands of dollars buying and distributing sketchy, outdated spyware to parents and members of their communities, an investigative report from the Electronic Frontier Foundation has uncovered.

The software, called "ComputerCOP," comes on a CD-ROM and bills itself as "parental internet monitoring software."It is produced by a private company that goes by the same name, and comes with a search function designed to find out if kids have been looking at porn, talking to predators, or trying to learn about drugs.

It also has a key logging program that stores unencrypted logs of every keystroke registered on a computer—these logs can also be automatically emailed to parents' accounts, but they first are sent to a completely unencrypted server elsewhere where they could easily be scraped, EFF's Dave Maass learned.

Maass was able to intercept these keystroke logs from the server, he said.

At least 245 police agencies in 35 states had purchased and distributed ComputerCOP; at least four agencies had spent $25,000 on the software within the past two years. There was even a local news story in Alabama that trumpeted the software just two days ago.

Beyond that, ComputerCOP has evidently been outright lying to law enforcement agencies, stamping old or fraudulent endorsements from the American Civil Liberties Union and the National Center for Missing and Exploited Children on the software and brazenly doctoring or forging a letter from the US Treasury Department that suggests that the software "provides direct support to law enforcement."

The Treasury Department confirmed to Maass that the letter was fraudulent.

ComputerCOP head of operations, Stephen DelGiorno, told me in a phone interview that any security concerns are ones that "are more to do with the email service provider."

"If a parent decides to have the information emailed to themselves, [EFF] is saying that information is not encrypted, but it would be no more dangerous than any other email that would be sent to a person," DelGiorno said.

Pressed on how people might be typing different information in private correspondences and when logging into websites, DelGiorno said that, by default, the keystroke logger only turns on when a keyword is triggered.

"It only logs if inappropriate words are being used, according to the database," he said. "We've been doing this for 10 years, we haven't had any feedback or issues with the product."

DelGiorno said the Treasury Department letter wasn't forged, but said it was "recreated" digitally from a black-and-white fax that he refused to immediately share with me.

Maass told me that law enforcement agencies and ComputerCOP have formed a symbiotic relationship, where ComputerCOP makes money off of police funds that are earmarked for a specific purpose (often from stolen property seizure sales), while police get a public relations win for distributing "internet security" software that is essentially useless and could potentially be harmful.

Maass noted that, using the key logger, it was extremely easy to get passwords for bank accounts and the like. The software has been barely updated since 1998, but police agencies are still buying it en masse.

"Police see this company at a conference or hear about it on the internet and the company says 'We'll put your name on it, we can put a video of you on it,'" Maass told me. "That's very alluring for a police department. Virtually every single [department] I researched, I found super positive local news stories. The TV broadcasters do a puff piece."

Beyond being a colossal expense for taxpayers (Maass says he believes the money spent on this reaches into the millions), there is, of course, the fact that there's the very real chance this software makes those who use it more vulnerable to identity theft and snooping from a spouse or roommate.

Maass says there's no real evidence that any police department wanted to use this as a surveillance tool and, in fact, said that the police departments and, indeed, the company itself, don't really have any idea how it works.

"This is a product of the late 90s—you load the software and it's difficult to use, it's clunky, it really is a relic," he said. "This is not a company constantly developing new security tools. They have the one security tool that they keep marketing to people. [DelGiorno] didn't even have a good idea what his software does or how it works."