Over the last couple of decades, internet safety has become as much if not more of a concern for many parents and families as physical safety. To help, many local police departments have given out free safety software to families as “the first step” to keeping their children safe online. Sounds great, right? Sure… except that “safety software” is really a keylogger that sends your family’s every word zipping unencrypted over the internet, ripe for anyone to steal. Oops.

The ComputerCOP software, as the Electronic Frontier Foundation reports in a detailed investigation, is usually handed out at “internet safety” events. Police, sheriffs, and district attorneys doing community outreach buy the software, then have it rebranded with their own agency name, logos, and imagery before handing it out to local families at schools and libraries.

However, as the EFF explains, “as official as it looks,” the contents of the disc are just spyware, purchased in bulk from a company in New York that exists solely market and distribute ComputerCOP to government agencies.

If it seems like a CD of supposed safety software is a relic of the era when you got “the internet” from an AOL 3.0 disc they handed out at Staples, you’re right. In the name of child safety, it has two major functions: a hard drive search and a keystroke logger. The idea is that parents can use the software to keep an eye on the images, text, and websites their children are encountering.

The search tool runs from the CD without installation, and checks out all the files on the hard drive for thousands of terms related to gangs, hate groups, drug use, and of course sex. The EFF tested the searches, however, and found them deeply unreliable. Results were routinely laden with false positives, including “items as innocuous as raw computer code.” Meanwhile, actual files that did have words like “drugs” in them were not found but still turned up on standard Mac or Windows searches.

And image searches, meanwhile, can’t differentiate between downloaded or cached content and all the images that exist on a computer as part of the software installed on it — that’s everything from Office clipart to the preview images some graphics card driver updaters use — and so returns so many tens of thousands of hits as to be useless.

ComputerCOP also claims that it will let you view a history of your child’s web visits, but as might be expected for a relic of an earlier age it’s extremely browser-limited and only works on Internet Explorer or Safari.

The keylogging program, however, does work — and that’s a problem. Once installed, the EFF writes, “if the user isn’t careful, it will collect keystrokes from all users of the computer, not just children.” On a Windows computer, ComputerCOP stores the full keystroke logs completely unencrypted on the hard drive. (On a Mac, the log is encrypted but can be decrypted with the ComputerCOP default password.)

Parents can set up the software to e-mail them an alert whenever a certain word, like “marijuana” or “sex,” is typed in. But to generate those e-mail alerts, the software sends the unencrypted key logs to a third-party server that then sends the e-mail.

So the police have been cheerfully handing out free keyloggers to anybody who wants one for over a decade, and it’s easy as pie to use them illegally on people who aren’t your kids. Which is a problem. But even aside from that, the unencrypted data itself is an enormous vulnerability. As the EFF explains:

Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one’s hard drive, but that’s exactly what ComputerCOP does by placing everything someone types in a folder. The email alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air.

The EFF contacted ComputerCOP by e-mail about these issues. Their head of operations, Stephen DelGiorno, responded, “ComputerCOP software doesn’t give sexual predator or identity thieves more access to children’s computers, as our .key logger works with the existing email and Internet access services that computer user has already engaged,” which is a completely useless non-answer that has nothing to do with the problems at hand.

ComputerCOP’s history, as unearthed by the EFF, is also not encouraging. DelGiorno also told the EFF that the keylogging feature was a recent addition to the software, but the EFF found references to it going back as far as 2001.

ComputerCOP also claims in its marketing materials to law enforcement agencies that it has received endorsements from the ACLU and the National Center for Missing and Exploited Children. The NCMEC did enter a one-year agreement allowing ComputerCOP to use their name in 1998. However, as a spokesperson told the EFF, the agreement was not renewed and the two organizations have had no contact with each other in the past 15 years. When the NCMEC found out, via the EFF’s queries, that ComputerCOP was still using their name, an attorney for the organization said that they would tell ComputerCOP to stop immediately.

But at least an agreement did once exist, back when the parents of today’s web-using children were themselves still kids in school. The ACLU, however, never endorsed it at all. The closest they came was a 2005 story in the Detroit Free Press where the head of the ACLU’s Michigan office “[endorsed] the idea that parents should take responsibility for monitoring their children as opposed to relying on the government to act as a babysitter,” the EFF reports.

The deputy director of the Michgan ACLU confirmed to the EFF, “I can say unequivocally that it was not an endorsement of the product. Our position as an organization is not to endorse technology like this.”

Being super-shady, however, has not stopped ComputerCOP from becoming widespread. The list of participating agencies that distribute copies is definitely not small, and agencies at every level — city, county, state, and federal — are among them. The EFF’s full listing includes over 245 agencies in 35 states, as well as the U.S. Marshals. And it’s not cheap: cash-strapped agencies are spending tens of thousands of of tax or grant dollars on every set of discs they order.

Adding up the purchased batches, the EFF estimates that anywhere from several hundred thousand to well over a million copies of ComputerCOP have been purchased by law enforcement. It’s impossible to say how many of those actually wound up being given to families, and then to guess how many of those families installed and regularly use the software. Still, if the number is greater than zero, it’s clearly too many.

Should you happen to use a computer that has this hot mess installed on it, the EFF also provides detailed instructions for removal.

ComputerCOP: The Dubious ‘Internet Safety Software’ That Hundreds of Police Agencies Have Distributed to Families [Electronic Frontier Foundation]