Hundreds of US police forces have distributed malware as "Internet safety software"


Law enforcement agencies have been buying and distributing Computercop, advising citizens that the software is the "first step" for protecting their kids; one sheriff bought copies for every family in the county.

But Computercop isn't security software -- quite the opposite; it's classic malware. The software, made in New York by a company that markets to law enforcement, is a badly designed keylogger that stores thingstyped into the keyboard -- potentially everything typed on the family PC -- passwords, sensitive communications, banking logins, and more, all stored on the hard drive, either in the clear, or with weak, easily broken encryption. And Computercop users are encouraged to configure the software to email dumps from the keylogger to their accounts (to spy on their children's activity), so that all those keystrokes are vulnerable to interception by anyone between your computer and your email server.

The Electronic Frontier Foundation contacted Computercop to ask them about these vulnerabilities and received an incoherent and wholly inadequate reply. Hundreds of US law enforcement agencies have bought and distributed Computercop to citizens, often using money from auctions of property seized through civil forfeiture laws to buy thousands of copies at a time.

Computercop also falsely claims to have the endorsement of the ACLU. It does not.

The keylogger is problematic on multiple levels. In general, keyloggers are commonly a tool of spies, malicious hackers, and (occasionally) nosy employers. ComputerCOP does not have the ability to distinguish between children and adults, so law enforcement agencies that distribute the software are also giving recipients the tools to spy on other adults who use a shared computer, such as spouses, roommates, and coworkers. ComputerCOP addresses this issue with a pop-up warning that using it on non-consenting adults could run afoul of criminal laws, but that’s about it.

The lack of encryption is even more troubling. Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one’s hard drive, but that’s exactly what ComputerCOP does by placing everything someone types in a folder. The email alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air.



ComputerCOP: The Dubious 'Internet Safety Software' That Hundreds of Police Agencies Have Distributed to Families
[Dave Maass/EFF]


(via /.)