It appears that the police and other law enforcement folks who spent department money on the awful ComputerCOP spyware
simply can't admit that they were handing out software that made kids less safe. Instead, they're sticking by their decision to do so. Given that the company personalized the software in the name of local law enforcement, and pitched it as the "perfect election and fundraising tool," you can understand their reticence to actually admit that they've been making kids a hell of a lot less safe. We already discussed San Diego District Attorney Bonnie Dumanis defending the software
, even while issuing an "alert" telling parents how to disable the keylogging feature. Even more bizarre was the response of Limestone County, Alabama, Sheriff Mike Blakely, who simply questioned EFF's credibility
in revealing the dangerous nature of the software.
Blakely appears to be doubling down on that argument. In an interview with Ars Technica
, he again bizarrely claims that the EFF wants to protect pedophiles and predators, and then also endorses spying on kids:
With respect to the EFF he said, “I'm not against their criticism but I just think they're probably more interested in protecting predators and pedophiles than in protecting our children.”
“As sheriff, I went down [to schools] and met with kids and I taught them about bicycle safety and not to talk to strangers,” Blakely said, adding that handing out ComputerCOP was just another branch of the department's efforts to keep kids from being solicited online.
“If you and I were married and had a 14-year-old daughter, then yeah I could check on who you're talking to online and you could check who I'm talking to,” he said. “But if [ComputerCOP is] used properly, it's something we whole-heartedly endorse. Now if you're of the persuasion of the people of the EFF who would rather not do anything, then that's something that I can't help.”
That ignores, of course, that the keylogging sends information unencrypted
, thus putting children much more at risk
. When Ars did ask him about that, Blakely said that they'd have to talk to his "IT people."
It appears that other police departments and district attorneys are similarly trying to defend the fact that they've been distributing dangerous keylogging software that can pass unencrypted cleartext of any information typed by kids. Some law enforcement folks are not just standing by their decision to hand out the spyware, but are continuing to do so
. Contra Costa District Attorney Dan Cabral, astoundingly, admits that he intends to continue distributing the software until after someone's been hurt
Contra Costa Assistant District Attorney Dan Cabral said Friday that the office has no plans to recall the software it distributed.
"If it turns up later that there's some sort of breach we will do so, but right now we feel it serves its purpose and it assists parents in what its supposed to do," Cabral said Friday.
Steve Moawad, the Senior Deputy District Attorney working for Cabral, ridiculously argues the fact that so many other law enforcement folks got duped is somehow proof that the software must be okay.
"I am aware of several law enforcement agencies that have looked at the product before and after this report," Moawad said. "I believe the EFF is overstating the risk and, the fact that this program has been handed out by hundreds of law enforcement agencies over a period of 10 years and there's been no reported incidents of identity theft as a result of the use of the software is indicative of that (fact)."
There are many, many problems with this. Just because a specific breach can't be traced back directly to this software doesn't mean breaches haven't happened (and happened regularly). Based on how the software itself works (sending cleartext over the internet), there's really not going to be any indication that when a breach happens it's because
of the software. Parents and kids just won't know how the leak of information happened.
Meanwhile, over in Loudon County, Virginia, the Sheriff's Office not only stood by the use of the software but announced plans to hand out more copies next year
In a statement issued by the Loudoun County Sheriff's Office today, the agency said “ComputerCOP is very similar to other parental monitoring systems available on the market. The program does not operate without the CD inserted in the computer disk drive and does not allow access from any outside parties, including the Loudoun County Sheriff’s Office or ComputerCOP. The disks are not distributed without explanation from Loudoun County Sheriff’s Office personnel during our Internet Safety: What Parents Need to Know presentations. Parents are made aware at these presentations of the programs limitations and how it is intended to be used. Parents with questions about ComputerCOP are encouraged to attend one of our upcoming Internet Safety courses that will begin in early 2015 at area schools.”
First of all, the claim is misleading to the point of being disingenuous. While the software, by itself, does not "allow access from any outside parties," by sending cleartext copies of keylogging output over the internet, it's revealing that content to many, many potential outside parties. It appears the Loudon County Sheriff's office doesn't even understand the problem -- and yet they claim that they've properly explained the software to parents? That seems difficult to believe.
I'd be curious if the presentation includes an explanation of keylogging, encryption and the dangers of sending cleartext over the internet. Again, it seems doubtful. Hopefully, some parents in Loudon County who do
understand this will head on over to the next set of Internet Safety classes, not to be educated, but to educate the police there.
Next up, there are the folks at the Maricopa County, Arizona, Attorney's Office. They, too, are not at all happy
with the EFF, while remaining pleased as punch with ComputerCOP's software, despite it putting kids in danger. In an email to CNET's Seth Rosenblatt
, the Maricopa County Attorney's Office says it's "ridiculous" to call the software spyware, and also (huh?) claims that EFF is only doing this because it offers "a competing product." Wait, what?
In short, this is a story ﬁlled with inaccurate information and numerous misrepresentations from an organization
that just so happens to be oﬀering a competing product. That fact alone warrants skepticism about its
conclusions. Unfortunately however, several news outlets (and I am not including CNET here) have accepted and
regurgitated the EFF report without making any eﬀort to verify the information it contains or talk to someone
who’s actually used the product, let alone checked it out ﬁrst hand.
To call ComputerCOP "spyware" is ridiculous. This product is fundamentally no diﬀerent than the parental
controls that are available on countless digital devices and so ware used by kids today. In fact, most parents
believe they have the right and responsibility to know what their children are doing online, and this product is a
simple tool that allows them to do that.
First off, I had no idea that EFF offered its own spyware product. Second, whether or not the product is "fundamentally no different" kind of misses the point. If all such software have serious security problems, that should be an issue.
Unlike what most experts would term "spyware," ComputerCOP does not surreptitiously send information to third parties. The hysterical claim that ComputerCOP sends notifications emails without encryption... is utterly fatuous and disingenuous. The software uses a user's existing e-mail service to send notifications. A ComputerCOP notification has no greater potential for being compromised than any other e-mail a user sends.
That suggests a level of technical ignorance that is, well, kinda scary. The fact
that ComputerCOP sends keylogger info without encryption is entirely accurate. It is neither fatuous nor disingenuous. In response to this bizarre claim from Maricopa County, the EFF's Dave Maass (who wrote the original report) asked Maricopa to hire an independent security team to evaluate the software. Also, despite its claims, Maass notes that over the weekend, Maricopa County appears to have removed their own website
promoting ComptuerCOP. Perhaps the Maricopa County's Attorneys Office isn't quite as confident in the software as they claimed.
Meanwhile, one of the security researchers who the EFF used in its original report, Jeremy Gillula, went a step further. On Twitter, he issued a challenge
to anyone defending ComputerCOP:
Challenge to all defending ComputerCOP as secure: you install it, connect to open wifi and login to your bank while I run wireshark. Any money I transfer out using your username and password from the packet logs gets donated to EFF. If I can't get any money, I retract all statements about ComputerCOP's keylogger being insecure. Sound like a deal?
Let's see if anyone takes him up on it.