Cop buys mobile spyware, says he can’t remember why

FlexiSpy: it’s a nasty little piece of work. The company makes stalkerware, once marketed to jealous people who covertly installed it on their partners’ phones.

“Once marketed to,” since that’s actually illegal. Nowadays, smart spyware makers tend to stick to marketing that mentions the legally permissible surveillance targets of children and employees, though there are plenty of jealous people who still use the tools for illegal spying on partners.

Former marketing from its site:

Many spouses cheat. They all use cell phones. Their cell phone will tell you what they won’t.

At any rate, regardless of how the marketing has been smoothed over, the fact remains that covert surveillance tools such as FlexiSpy that log keystrokes and tap into mics, calls, stored photos, text messages, email and even WhatsApp messages, are cited by an overwhelming majority of survivors of domestic violence who report that their exes trained such tools on their whereabouts, communications and activities. A 2014 NPR investigation found that 75% of 70 surveyed domestic violence shelters in the US had encountered victims whose abusers had used eavesdropping apps. (Another 85% helped victims whose abuser used GPS to track them.)

So what’s a tool like FlexiSpy doing in the hands of a Florida state law enforcement officer, who apparently purchased it without the knowledge of his own agency, according to data obtained by Motherboard?

As Motherboard reports, this is the first known case of a U.S. regional agency purchasing what it called “malware.”

Jim Born, an ex-DEA cop and retired Florida Department of Law Enforcement agent (now a crime novelist), can’t quite recall why he bought FlexiSpy. He says that he thinks he “used on a case or tried it to understand how it worked.” Motherboard quotes Born:

 Nothing nefarious. Need a court order to use on someone without consent.

The state has no record of Born being granted approval to buy the spyware or to use it in an investigation. None of the people Born busted were told that evidence against them had been gathered with FlexiSpy, either.

So how did Motherboard learn of the purchase, if the state itself has no record of it?

The discovery can be traced back to April 2017, when two hackers stole details from 130,000 accounts they hacked out of Retina-X and FlexiSpy, which both market covert surveillance tools. Then, the hackers handed the stolen information to Motherboard, in part via the leaking platform SecureDrop.

The data set held details of the predictable type of customers: jealous people spying on partners. But it also held evidence of FlexiSpy’s government and law enforcement customers. Motherboard said it wasn’t clear whether the spyware was purchased for official or personal use in those cases.

Born’s purchase, done outside normal procurement processes, raises questions. Motherboard spoke with Riana Pfefferkorn, the cryptography fellow at the Stanford Center for Internet and Society, who said that none of this should be going on under the table:

Officers should not be buying malware on their own dime for use at work – and using their official email address in the process. Purchases of forensics software (already common in US police departments) should go through normal procurement processes, should have documentation (subject to public records laws), and should be subject to oversight.

If the malware was ‘used on a case,’ how exactly did he use it, and why did he apparently not document that? Did he get the appropriate court order? Given the functionality of FlexiSpy, it would seem to require a wiretap order, not just a search and seizure warrant.

Needing physical access to a phone in order to install FlexiSpy is no great hurdle, she said, given that police confiscate devices:

The police may have many mobile devices in custody, taken from crime scenes, suspects, victims, etc. Or an officer may take a device away only temporarily before returning it to the owner. There are ample opportunities for physical access to install this malware.

Motherboard itself, which has tested consumer spyware, has found that installing it could likely be done “in less than a minute.”