An officer with the UK's Metropolitan Police Service purchased potent malware for mobile phones and computers that requires physical access to install, Motherboard has learned.
Although it is not clear whether the officer bought the software for personal or official use, the news raises questions around why someone from the Met would purchase malware that can intercept phone calls, remotely turn on microphones, and take photos with an infected device's camera, and whether the malware was used legally.
"The Met need to account for why one of their officers had a FlexiSpy account," Eric King, a visiting lecturer in surveillance law at Queen Mary University of London, told Motherboard in an email, referring to the specific brand of malware the officer bought. "The use of the tool in most circumstances would breach the Computer Misuse Act 1990, and even the sale of the tool could be a criminal offence if it's known its subsequent use would be unlawful."
Last week, Motherboard reported a hacker had targeted FlexiSpy, a company that sells cheap but powerful malware to the everyday consumer. The hacker stole customer data, internal company files, and partial credit card information.
Included in that customer data is the email address and associated username for a Met officer. Motherboard independently confirmed the email address is genuine, and that it is linked to a FlexiSpy account.
Once a user installs FlexiSpy on an Android, jailbroken iOS, or Windows or Mac desktop device that they have physical access to, they can monitor a wealth of activity. The user can sweep up Facebook, WhatsApp, and Skype messages, emails, phone calls, GPS locations, and much more.
FlexiSpy users log into an online dashboard, where they can see the data collected from a target's device.
It is not immediately clear which specific officer in the Met the email address belongs to, as several share the same name. One is based with the Met's High Tech Crime Unit, and another holds a senior position and worked extensively on the London 2012 Olympics.
Regardless, the officer would have purchased malware from FlexiSpy, as this is required to receive a username.
Posing as a potential buyer, Motherboard asked FlexiSpy support whether customers had to buy a subscription to the malware before getting hold of a username and password.
"Yes you need to pay first," the support staffer wrote in an online chat. (Various FlexiSpy employees have ignored or declined requests for comment over the past week.)
Motherboard also found reference to another Met email address which appears to date from 2014 in the FlexiSpy data, but the email address does not include an identifiable name.
A Met spokesperson told Motherboard in an email, "the MPS neither confirm nor deny engagement with FlexiSpy."
"The MPS as a Public Authority utilise the powers provided by Regulation of Investigatory Powers Act 2000 and The Police Act 1997. All utilisation and management of such authorities are inspected by the Office of Surveillance Commissioners and the Interception of Communications Commissioners Office. All associated complaints are managed by the Investigatory Powers Tribunal," the spokesperson added. (The UK recently introduced a new surveillance law called the Investigatory Powers Act; a power under that law, called equipment interference, relates to hacking as well.)
The Met has faced other hacking-related allegations recently. In March, The Guardian reported the UK's police watchdog was investigating whether officers from a secretive unit of the Met had used Indian-based hackers to break into the email accounts of journalists and activists.
And the Met has shown interest in acquiring malware before. In September 2013, the Met told Italian surveillance company Hacking Team it was ready to trial a hacking solution. (The Met ultimately declined to purchase the software.)
"It's critical that the Met and other forces come clean about how they've used hacking tools in the past if they want to gain public acceptance for their deployment now," King, the surveillance lecturer, said.
Update: After the publication of this article, the Met provided a response. This article has been updated to include that comment.