Motherboard Files Legal Complaint Against Metropolitan Police for Malware Purchase

Motherboard has filed a formal complaint with the Metropolitan Police Service (MPS) and an independent government body, calling for an investigation into why an MPS officer purchased powerful malware that can intercept Facebook messages, steal passwords, and remotely turn on a smartphone’s camera.

So far, the MPS has refused to investigate the claim, leaving questions about why exactly an MPS officer bought the technology.

In April 2017, Motherboard reported that an MPS official had purchased a piece of malware called FlexiSpy. Depending on the version purchased, FlexiSpy can be installed on desktop, Android, or jailbroken iOS devices.

The report was based on data obtained by a hacker and provided to Motherboard. Contained in FlexiSpy customer records was the official email address and username for an MPS officer. It was not immediately clear which specific officer the email address belonged to, as several shared the same name. However, shortly after the publication of the original report, one of the officers, based within the MPS’ High Tech Crime Unit, deleted or tweaked the privacy settings on his LinkedIn account.

Eric King, a visiting lecturer in surveillance law at Queen Mary University of London, previously told Motherboard that “The use of the tool in most circumstances would breach the Computer Misuse Act 1990, and even the sale of the tool could be a criminal offence if it’s known it’s subsequent use would be unlawful.”

Working on behalf of Motherboard, solicitors from Bindmans LLP filed a complaint with the Independent Police Complaints Commission (now called the Independent Office for Police Conduct, or IOPC).

In a December letter, the Directorate of Professional Standards at the MPS said a chief inspector concluded that Motherboard’s complaint did not need to be professionally recorded, meaning it would not be investigated. The reason given was that Motherboard was not a member of the public who claims have witnessed a piece of misconduct. Motherboard’s legal team for this complaint strongly disagrees with that finding, and has filed an appeal to the IOPC, urging it to call in an independent investigation.

We don’t know why a Metropolitan Police officer, likely from the force’s hi-tech crime unit, purchased FlexiSpy. Did the officer deploy it in an investigation? Was its use proportionate and appropriate for the type of crime being investigated? Or, more worryingly, was the malware for personal, illegal use to monitor their spouse, as FlexiSpy’s marketing at the time made heavy reference to? It’s also possible the officer purchased FlexiSpy simply to better understand how the software worked.

Filling that gap in the public’s knowledge is essential at a time when law enforcement use of malware, which can obtain a wealth of personal information from a target device, is only on the rise. Last year, UK police forces formally received the explicit power of hacking technology—known as ‘equipment interference’—after another agency’s use had been governed for years under an antiquated law from the ‘90s.

“The Met need to account for why one of their officers had a FlexiSpy account,” King previously said.

Motherboard will continue to cover any developments in the case.