In an effort to protect kids from the evils of the internet, hundreds of local families may well have put themselves at much greater risk of identity theft thanks to free software handed out by the Miami-Dade Public Schools Police Department. So says a new report, at least, from the Electronic Frontier Foundation.
The digital rights group tested the software, called ComputerCOP and handed out by hundreds of agencies around the nation, and found it to be basically worthless for protecting kids and potentially harmful because it logs keystrokes -- and potentially passwords -- without proper encryption.
It's not clear when, exactly, Miami-Dade Schools cops gave out the software, but the EFF found copies branded to the department on eBay. The school district's police department distributed ComputerCOP as a part of the U.S. Marshals Gang Resistance Education and Training (GREAT) program.
(MDPS officials haven't returned Riptide's call for comment on the report; we'll update the post when we hear back.)
The software was bought in bulk from a company which the EFF says markets its product directly to local government agencies. In turn, the agencies distributed hundreds of thousands of copies to families free of charge for the last several years at schools, libraries and community events as part of an internet outreach initiative, the EFF says.
The MDSPD was among the 245 police agencies from around the country that the EFF identified as having received the software. The only other local police agency was Palm Beach County, which distributed the program back in 2008.
The bulk quantities of ComputerCOP purchased from the company likely cost Miami taxpayers tens of thousands of dollars. One particular agency, the Highlands County Sheriff, spent $42,000 to purchase 10,000 copies, according to the report. Surplus copies can be found on eBay for as little as $2.50.
The software -- manufactured by a New York company with the same name -- is comprised of two components, but it is the key logging function and lack of encryption that the EFF found the most unsettling. Without encryption, a family's personal data could easily be intercepted by cyber thieves.
Alex Heid is the president of HackMiami, a Miami-based group of hackers and security professionals. Reached by email, Heid says the security gap should worry anyone who installed ComputerCOP. The key logging feature captures and stores keystrokes, and those logs could contain sensitive data such as passwords.
"The software boasts of keylogging features, so imagine what would happen if the banking or business login credentials were recorded by ComputerCOP and then sent off to the police station," he says. "Assuming there is no corruption of personnel at the law enforcement agency, there is a chance that they too may eventually get hacked and all of the sudden all of the ComputerCOP keystroke logs fall into unintended hands, it happens all the time."
Heid also likens the program to surveillance software that has been in use on thousands of family computers for several years.
"This is obviously a case where law enforcement is handing out surveillance software and social engineering people into installing it on their personal computers under the guise of keeping children safe," he says. "It's like LE wants to set up their own botnet, and they are spamming the payload with propaganda by asking people to download and install it."
EFF says it asked ComputerCOP's creators to respond to its concerns, but the group denied there was anything wrong with the software, noting "that no personal information is obtained nor stored by ComputerCOP."
The security gap isn't the only problem with ComputerCOP, though. The EFF also found the company's promotional materials included a fake letter of endorsement from the U.S. Department of the Treasury, which has subsequently issued a fraud alert.
The software can be removed. The EFF provides a guide on how to delete the program.
In the meantime, Heid wants to obtain a copy of the software for hack-a-thons, which are held regularly within HackMiami.
"I want a copy of this ComputerCOP malware so to play with its various functionalities, both intended and unintended," Heid said. "That would make for a fun
Update: Lieutenant Raul Correa of the MDSPD reached out to Riptide by telephone for comment. Correa confirmed that his department distributed the software under an initiative started by former police chief Charles Hurley, though it has not been given away for at least two years. He said it was given out "in good faith" to families, many of whom sought the department's advice to better protect their kids online. Correa described the situation as unfortunate and wondered how many families had been affected by the software.
Send tips and feedback to author David Minsky.