UK Metro Police Sued Over Phone Malware Purchase
from the [devastatingly-accurate-rhyming-slang-TK] dept
Last spring, a hacker who had illicitly obtained data from malware/spyware company FlexiSpy shared some of it with Motherboard. In the trove of customer data, it was discovered that one purchase was linked to an officer in the UK Metro Police.
FlexiSpy is powerful malware, capable of gathering communications from multiple messaging services, as well as providing GPS location, emails, and phone call records. The purchase of this malware is questionable, considering it’s regulated under the UK’s Computer Misuse Act. The most obvious limitation of the malware is the fact that it requires physical access to targeted devices. But phones, tablets, and computers are seized all the time by law enforcement officers, and they’re sometimes returned to their owners after being searched. Malware like this would allow officers to hitch a virtual ride on someone’s phone or laptop, seeing everything they see.
Motherboard asked the Metro Police for more details on this spyware purchase. Unsurprisingly, the Police didn’t want to talk about it.
A Met spokesperson told Motherboard in an email “the MPS neither confirm nor deny engagement with FlexiSpy.”
The rest of statement was the usual “everything we do is lawful and subject to oversight” boilerplate that accompanies every leaked document or accusation of unlawful surveillance. The Met refused to discuss it further, even as Motherboard provided evidence that an officer had indeed purchased the spyware using a Metro Police email address.
Nearly a year has gone by and the Metro Police still refuse to provide any more details about this purchase. So, Motherboard — with the assistance of UK solicitors — is suing the Met for its refusal to discuss the FlexiSpy purchase.
Working on behalf of Motherboard, solicitors from Bindmans LLP filed a complaint with the Independent Police Complaints Commission (now called the Independent Office for Police Conduct, or IOPC).
In a December letter, the Directorate of Professional Standards at the MPS said a chief inspector concluded that Motherboard’s complaint did not need to be professionally recorded, meaning it would not be investigated. The reason given was that Motherboard was not a member of the public who claims have witnessed a piece of misconduct. Motherboard’s legal team for this complaint strongly disagrees with that finding, and has filed an appeal to the IOPC, urging it to call in an independent investigation.
Motherboard is seeking more info on the purchase, as well as how it may have been deployed. In most cases, the use of FlexiSpy would violate UK law, even if used by police officers. There’s also the possibility that an officer used his official status to obtain a copy for personal use. Or it could be the copy was purchased simply to observe the software in action and never deployed against any UK citizen. There’s no way of telling unless the Metro Police look into it. But so far, the Metro PD doesn’t seem very interested in policing its own.