Cops Are Handing Out Spyware to Parents—With Zero Oversight

Computer Cop Promotional Poster (EFF)

Mere days after a government crackdown on a spyware manufacturer comes the startling revelation that law enforcement agencies have been purchasing commercial spyware themselves and handing it out to the public for free.

Police departments around the country have been distributing thousands of free copies of spyware to parents to monitor their children's activity, a fact that's come to light in the wake of a federal indictment this week against the maker of one commercial spyware tool on wiretapping charges.

The tool being distributed by agencies, known as ComputerCOP, has been purchased in bulk by more than two hundred police departments in thirty-five states as well as by sheriff's offices and district attorneys. It's designed to search computers for files and videos based on a keyword dictionary that comes with the software and also can log every keystroke on a computer, sending some of that data---in an unsecured manner---to a server belonging to the company that makes the software.

But according to the Electronic Frontier Foundation, which examined the spyware and uncovered the arrangement with law enforcement agencies, the spyware works badly and there is nothing to prevent parents who receive it from using it against other adults.

"It’s certainly ironic that law enforcement agencies are going after spyware makers while also distributing software that could be used for the same purposes," says Dave Maas, an investigator with the EFF. "Obviously there’s a difference in how these were marketed by the maker. But certainly law enforcement needs to train their magnifying glasses on their own operations."

By providing a free key logging program to the public, law enforcement agencies are "passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers," Maas notes in his report about the software.

Earlier this week, federal authorities announced an indictment against the creator of a different spyware program, called StealthGenie, which performs some of the same operations as ComputerCOP but is marketed specifically to people interested in surreptitiously tracking their spouses or other partners whom they believe may be cheating. The CEO of the company that markets StealthGenie was indicted on wiretapping charges because his spy tool is completely stealthy and is designed to intercept phone calls and text messages from mobile phones, among other things.

In the case of the ComputerCOP software, a pop-up notice warns anyone installing the tool to be mindful of who they're targeting lest they run afoul of local laws. But Maas says the spy tool can be installed on the system stealthily so that users do not know it's there. Parents and others who install the software can choose an option that displays an icon for the spyware---a police siren---in the computer's toolbox to indicate its presence, but they're not required to do so. The software also is not listed in the major malware and spyware databases used by top antivirus products, so it won't be detected with a normal virus scan of the system, according to Maas.

Many law enforcement agencies purchased the software in batches of 5,000 copies---and in one case a department bought 43,000 copies of the spyware---and used asset-forfeiture money to make the purchases. Asset forfeiture is money either seized from suspects in criminal cases or obtained through the sale of seized assets by law enforcement agencies.

If the user isn’t careful, it will collect keystrokes from all users of the computer, not just children. When running on a Windows machine, the software stores full key logs unencrypted on the user’s hard drive.

EFF

"All of the [law enforcement] agencies are clear to say it’s not tax dollars, which is true for the most part," says Maas. "But asset forfeiture money still belongs to the public and needs to be spent responsibly."

The civil liberties group also discovered that the company that makes the spyware fabricated endorsements for its product to convince police departments to purchase it. The company falsely told police departments that the spyware had the approval and recommendation of the American Civil Liberties Union and gave police departments a doctored letter from the Treasury Department.

There are strict rules governing how police departments can spend asset forfeiture funds. Departments are required to get approval from the Treasury Department before making a purchase. But ComputerCOP handed out a modified Treasury Department letter to prospective law enforcement customers implying that the Treasury Department gave blanket approval for purchase of the software. Most police departments appeared to take the letter at face value, though one did inquire directly with the federal agency in 2010 about purchasing the software with asset-forfeiture funds and was given approval. The Treasury Department, upon learning about the letter ComputerCOP was handing out to customers, has issued a fraud alert about it, according to EFF.

Aside from the issue of police departments distributing spyware to the public, there are security issues with the product. According to EFF, the open-source keystroke logger records every keystroke made on the computer---either by specified users or by every user---and stores it on the computer. On Windows machines, it stores this data unencrypted. On machines using Mac operating systems, it encrypts the keylog files, but uses a default password to decrypt the file---a password (logKext) that is readily available for anyone to see in documentation available online for the open-source key logging tool.

The system transmits logged keystrokes whenever the targeted user on the machine types a keyword that parents, or anyone who installed the software, sets. These can be the email address of a user, a name, or any term such as "drug," "sex" or even "the". Once a user types a designated keyword, the software sends an email containing the typed sentence or text around the keyword to the person monitoring the target. That email, however, is sent unencrypted through ComputerCOP's servers, making it possible for ComputerCOP or others who may be sniffing the unencrypted traffic across a wireless network to capture the content---including usernames, passwords, Social Security numbers and credit card numbers that the target may have typed.
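To make the exposure concrete, the sketch below is an added illustration, not code from ComputerCOP, EFF, or this article. It models an alert as a fixed window of text around each keyword hit and then checks each excerpt for card numbers and Social Security numbers; the window size, the patterns, and the sample text are all assumptions constructed for the example.

```python
import re

# Assumption: an alert carries a fixed number of characters on either side of
# the keyword. The article only says "the typed sentence or text around" it.
WINDOW = 40

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample of typed text; the card and SSN are well-known test values.
SAMPLE = ("order the pizza with card 4111 1111 1111 1111 exp 12/30 "
          "then fill in the form, ssn 078-05-1120, and email sam")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def alert_excerpts(typed: str, keywords: list[str], window: int = WINDOW) -> list[str]:
    """Text that would leave the machine: a window around each keyword hit."""
    out = []
    for kw in keywords:
        pattern = r"\b" + re.escape(kw) + r"\b"
        for m in re.finditer(pattern, typed, re.IGNORECASE):
            out.append(typed[max(0, m.start() - window): m.end() + window])
    return out


def sensitive_in(excerpt: str) -> list[str]:
    """Label the sensitive data types present in one excerpt."""
    found = []
    for m in CARD_RE.finditer(excerpt):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.append("card")
    if SSN_RE.search(excerpt):
        found.append("ssn")
    return found
```

With a common word such as "the" as the keyword, both excerpts from the sample carry sensitive data, while a narrow keyword such as "drug" produces no alert at all for the same text.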

"Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one’s hard drive, but that’s exactly what ComputerCOP does by placing everything someone types in a folder," EFF notes in its report. "The email alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air."

Update 3:30pm: The San Diego District Attorney's office issued an alert today to parents who received copies of ComputerCOP from its office that they should not use the keystroke logging feature, due to the privacy and security issues uncovered by EFF.