

The current ComputerCOP Web site. (ComputerCOP)

The Internet can be a scary place. But a new investigation by the Electronic Frontier Foundation says that software distributed by law enforcement around the country aimed at protecting children online could actually make it worse.

Hundreds of thousands of copies of the ComputerCOP, a piece of software targeted at helping parents monitor the online activities of their children, have been handed out to families by local law enforcement, typically as part of "Internet Safety" initiatives and usually in packaging with the agency's official seal, according to EFF. But aspects of the software appear to mimic the functionality of malware, the privacy watchdog says, and could override protections in place to help minimize the risks online.

The way ComputerCOP works is neither safe nor secure. It isn’t particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a “keylogger,” that could place a family’s personal information at extreme risk by transmitting what a user types over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.

Such keystroke logging could collect passwords or other sensitive information from adults as well as children -- although a pop-up on ComputerCOP warns that its use against unconsenting adults could be crime. According to EFF, while the Mac version of the software encrypts these logs on the users' hard drive, the Windows version stores them unencrypted. And parents can also set the software to e-mail them when certain keywords are typed, transmitting unencrypted keylogs to a third-party server which then sends the e-mail.

EFF further worries that ComputerCOP's keylogging could undermine HTTPS encryption on Web sites like Facebook and Google -- while HTTPS secures data users share with a website, depending on the configuration ComputerCOP would capture keystrokes before they're protected by the encryption and then transmit them it in the clear if a keyword is triggered.

Some copies of the software was packaged with a letter of apparent endorsement from the Treasury Executive Office for Asset Forfeiture, which EFF says was "significantly altered." After the group contacted the Treasury to inquire about the letter, the agency issued a fraud alert:

A falsified letter from the Treasury Executive Office for Asset Forfeiture is being circulated indicating that the Treasury approves or endorses this product: it does not. Neither the Treasury nor the Treasury Executive Office for Asset Forfeiture endorses this or any other particular product and the use of equitable sharing funds does not in any way imply such an endorsement.

ComputerCOP did not immediately respond to a Washington Post request for comment.

Update: Stephen DelGiornio, the head of ComputerCOP operations, told the Washington Post via e-mail that the keylogging capabilities must be specifically installed by parents and suggested that the issues associated with this aspect of the software are less serious than EFF implies: