What Happens When You Don’t Properly Vet Your Vendors
Law enforcement agencies across the country are smarting after a recent Electronic Frontier Foundation report revealed vulnerabilities in ComputerCOP software that carried their logos.
Keeping the public safe from the dangers of the internet sounds like a noble goal. And police departments around the country should be credited for trying to do that.
That said, a recent exposé by the Electronic Frontier Foundation (EFF) points out what can happen when, in pursuing your noble goal, you don’t do your homework.
Over the past 15 years or so, more than 245 law enforcement agencies in 35 states have paid a vendor tens of thousands of dollars for copies of the ComputerCOP software, which they handed out to the public for free with the agencies’ logos on the cover.
The software certainly sounds like a good idea. Parents install it on their home computers and can use it to take a look at what their children are doing online. But in practice, EFF reporter Dave Maass notes, the program is outdated, buggy, and limited in functionality compared to what already exists on most computers.
More problematic is that a critical feature of ComputerCOP is a keylogger—a piece of software that records every keystroke another person makes. To the tech-savvy, it’s a questionable way to track a child’s activity online, but what makes this implementation dangerous is that the software does not encrypt the data it collects, meaning that anyone with access to the computer or to its network traffic can read those keystrokes. Worse, if the software is not installed correctly, information from anyone using the computer could be captured—putting bank accounts, passwords, and all the stuff you wouldn’t want collected at risk.
“When a child with ComputerCOP installed on their laptop connects to public WiFi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air,” EFF stated in its report.
To put it another way, police departments were unwittingly handing out spyware, according to EFF.
Know What You’re Getting
EFF’s report highlights two things: One, nonprofits are producing some killer investigative journalism that’s on the same scale as major newspapers, and two, failing to properly vet vendors is a major problem.
In this case, it seems apparent that the software was marketed to law enforcement agencies, putting it directly in front of a key audience and offering a convenient solution to a common problem. (To hear the EFF’s Maass tell it, the software largely worked as a good PR strategy for police departments. That strategy backfired for the Limestone County, Alabama, Sheriff’s Office, which announced its distribution of the software just a day before EFF’s report came out.)
When it comes to security, convenience should be only one part of the equation. It’s important, for example, to research how the software actually behaves (what data it collects, where it stores or sends it, and how it protects it), how it has worked for other police departments, and what the public’s response has been. Your IT department should do a round or two with the software as well, testing it and seeing whether it fits your needs—or whether it’s actually a need of yours at all.
And even beyond the security issues, if the police departments had done their research, they would have discovered that the software’s purported endorsements appear to have been either outdated or nonexistent. The American Civil Liberties Union denied ever endorsing ComputerCOP, though the National Center for Missing and Exploited Children did—for a one-year period, back in 1998, when surfing the internet meant firing up Netscape and a dial-up modem.
Close Relationships Essential
Think of it this way: If you’re so unfamiliar with what a vendor is providing to your association that the holes can be that gaping, do you really want that vendor as a face of your organization? It’s the sign of a weak relationship.
A while back, discussing the changing landscape of the association management system market, ASAE CIO Reggie Henry made what I thought was a pretty impressive point about vendor relationships. “Don’t hold your vendors at arm’s length,” Henry said. “If that’s the case, get them out of there!”
If you’re spending tens of thousands of dollars on something that has your logo on it—an app, a private community, a website—and your association is not intimately familiar with the details that led to the final decision to work with that vendor, something’s wrong.
When a vendor screws up, it’s not just their reputation that gets tarnished.