Three years ago, EFF exposed how hundreds of law enforcement agencies were putting families at risk by distributing free ComputerCOP “Internet safety” software that actually transmitted keystrokes unencrypted to a third-party server. Our report also raised serious questions about whether the company was deceiving government agencies by circulating a bogus letter of endorsement from a top official in the U.S. Treasury Department.
This month, our suspicions were confirmed. A document obtained through the Freedom of Information Act shows that, in response to EFF’s research, the Treasury Department’s Inspector General launched an investigation into ComputerCOP. The final report concluded that the company had, in fact, doctored a government letter to improperly convince law enforcement agencies to spend asset forfeiture funds to buy the product.
Read the Treasury Department's investigative report and exhibits.
Unfortunately, the report shows that ComputerCOP dodged criminal prosecution because the statute of limitations expired. Nevertheless, the records should serve as the final nail in the coffin for this software. It was bad enough that the software was proven dangerous; it is even worse for law enforcement agencies to do business with a company that federal investigators caught forging documents.
ComputerCOP is a CD-ROM (now also available on a USB storage stick) that promises to help parents protect their children from Internet predators. More than 240 agencies signed contracts with ComputerCOP, often worth tens of thousands of dollars. But the software was less about safety than it was about self-promotion. Elected law enforcement officials—including sheriffs, mayors and district attorneys—placed their images on the cover and recorded promotional videos about how the software was the “first step” to protecting children online. By and large, the “free” software giveaway was used to generate positive media coverage. In Arizona, for example, the software project was spearheaded by the Maricopa County District Attorney’s press officer, rather than a member of the Internet Crimes Against Children team. Marketing materials proclaimed that the software was a "Perfect Election and Fundraising Tool!"
EFF technologists dissected the software and discovered that it contained a keylogging feature that monitored everything a computer user typed. Whenever a keyword was entered, the software transmitted the text to a third-party commercial email server, which then sent alerts to the master user (often a parent) in real time. Not only was this feature invasive and easily abused, it also had a major technical vulnerability: the software transmitted communications openly and unencrypted, so that it could be easily intercepted and read by malicious actors. The San Diego County District Attorney, which had distributed the software, issued a warning to families about the keylogging feature after EFF published its findings.
Law enforcement agencies often paid for ComputerCOP with asset forfeiture funds, that is, money seized from suspected criminals during investigations. When agencies assist in federal investigations, they sometimes receive a portion of the money through a process called “equitable sharing.” As part of its marketing materials, ComputerCOP circulated a letter from the director of the Treasury Executive Office for Asset Forfeiture, which oversees equitable sharing spending, that seemed to endorse the product.
EFF obtained this letter through a state-level public records request, and it immediately struck us as odd. The letterhead seemed off-kilter, some of the text was misaligned, and the letter was undated, unsigned, and did not even include the full name of the person it was addressed to. (EFF separately discovered ComputerCOP had falsely claimed endorsements by the ACLU and National Center for Missing and Exploited Children.)
So, we filed a FOIA request with the Treasury Department to obtain the original letter, if one existed. Not long after, the Treasury Department issued a fraud alert for the letter, and the Treasury Department Inspector General launched a formal inquest.
New FOIA documents show that, after a multi-year investigation, the Inspector General concluded that ComputerCOP had indeed “altered the 2001 letter from TEOAF and made it appear to be blanket permission for all law enforcement agencies to use equitable sharing funds to purchase the software.” Indeed, ComputerCOP made this claim on the rate card it provided to agencies.
As part of its investigation into the letter, Treasury investigators sent questionnaires to 240 agencies that had purchased ComputerCOP. Of the few dozen that responded, three law enforcement agencies—the Peabody Police Department in Massachusetts, the Alaska Department of Public Safety, and the Greene County Sheriff's Office in Missouri—told Treasury that the fraudulent letter had directly influenced their decision to purchase the product.
The closed investigative report indicates the Treasury Inspector General was unable to send the case for prosecution “due to the fact that the three year statute of limitations on the offense had lapsed.” Instead, after discussions with the Justice Department and the U.S. Marshal Service, Treasury concluded it was enough for ComputerCOP to cease using the altered letter and to post a disclaimer on their website.
Unfortunately, it may be time for the Treasury Department to re-open the case. While ComputerCOP did once advertise the disclaimer, EFF could no longer find that language anywhere on its website.
Making matters worse, the company’s website now claims that the keylogging feature “is not intrusive in any way.” This is an outrageous claim considering that this type of technology is more commonly deployed by stalkers and malicious hackers, and, in certain circumstances, its use could violate wiretapping laws.
For the most part, law enforcement purchases of ComputerCOP have significantly declined since we issued our first report. However, the company does continue to find buyers. For example, the Lake County Sheriff's Office, Florida purchased 1,000 copies for $5,975 in 2017, according to SmartProcure. Meanwhile McGruff the Crime Dog was handing out copies as recently as this summer at a community screening of the film “Elf" in Islip, New York.
To law enforcement agencies, here’s some rock-solid advice: before you purchase so-called Internet safety software, spend a few moments on the Internet researching whether the software is actually safe and above board.
Or better yet, don't buy anything at all.