Atir Raihan, the founder of FlexiSpy, a company that supplies malware to consumers and to surveillance companies. Photo from his Facebook page.
On three occasions this week, I asked a FlexiSpy salesperson a simple question: If I wanted to, could I use their spyware to snoop on my wife’s cellphone without her knowing? The answer each time was yes. When asked if it was legal, they responded with a canned disclaimer explaining it was necessary to get the permission of the target. But what if I didn’t want my wife to know? They could help me anyway. If I wanted to break the law, I could use their $68-a-month app and they’d walk me through the 5-10 minute process of installing FlexiSpy on my wife’s phone, hoovering up all her calls, WhatsApp and Facebook messages, and her location, whilst hiding the software so she’d never know.
That never happened. The enquiries were to find out how scrupulous FlexiSpy was and if it might be willing to help customers even if their actions were in breach of the U.S. Wiretap Act, which outlaws any surreptitious spying on another’s communications without their permission. Procurement of another person to intercept comms is also deemed illegal under the statute. And outside of legal problems with spyware, there are clear moral issues: often such spyware is used in abusive relationships. In 2014, NPR surveyed 70 women’s shelters; 85 per cent were working with victims who were tracked via GPS, or what’s commonly called “spouseware.”
Not that any of the three FlexiSpy salespeople appeared to care much about the Wiretap Act or the potential for abuse. Even though I started each conversation telling the FlexiSpy salesperson I was a FORBES reporter, they were happy to offer suggestions about how one could install the app without permission of the target. One said I could “sneak to get her phone” and then install, a process that FlexiSpy would guide me through. He sought to allay any fears about getting caught, noting there was no icon and it would operate silently.
I asked another, what if I didn’t get my wife’s permission? “That is okay, she will not know that the software is in the phone,” the salesperson responded. I moved on to morals. Wasn’t it bad to spy on your wife? “It is not bad. You just want to know the truth,” they said.
Towards the end of my third conversation, the online chat feature mysteriously crashed and then disappeared entirely from the FlexiSpy site. It has not returned since. The company didn’t respond to an enquiry about why.
A conversation with a FlexiSpy salesperson in which they suggest ways to install malware without a target knowing.
Another example of FlexiSpy offering advice of spying, despite legal questions.
I handed screenshots from all my conversations with the sales reps to FlexiSpy. It claimed I had pressed the salespeople “to force an unnatural response.” “To their credit, most of our support staff answers reiterated that they could only help you with installations on your own phone, and that for legal advice, you should consult your attorney,” a spokesperson said.
Despite that, FlexiSpy is looking into why I received responses that indicated they would help me install the spyware on another’s phone without them knowing. “We do take your comments seriously, so we will examine the response of our staff, and provide a full analysis of what happened, and make improvements where required, but I can assure you that our staff are trained to make sure that they only answer questions on the product features, because they all know that they cannot answer questions on legality, or provide advice for illegal use cases,” the spokesperson added.
Suspicions that FlexiSpy might be willing to help jealous husbands spy on their wives came from the firm’s own marketing. Whilst its competitors have toned down their marketing in fear of U.S. government action, Thailand-based FlexiSpy has continued to promote its tools for spying on a partner. On its Twitter feed last month, the company suggested it might be time to investigate a suspect partner:
A FlexiSpy tweet encourages jealous people to spy on their partner.
On its own website, FlexiSpy says that anyone in a committed relationship has a “right to know” and should “find out the truth, spy on their phone.”
FlexiSpy’s marketing isn’t the most subtle, even as competitors have toned down their aggressive marketing to jealous partners.
Who is behind FlexiSpy?
FlexiSpy was founded in Thailand by Atir Raihan in 2006. He had not responded to multiple requests for interviews over the last year, even amidst concerns about its risqué marketing. His Facebook profile shows a middle-aged man who has a penchant for dressing up like a rockstar, and a UK Companies House record for FlexiSpy’s parent company, Vervata, revealed his age: 53.
FlexiSpy founder Atir Rohan. Photo from his Facebook page.
His LinkedIn page indicated he’d moved on from FlexiSpy to other monitoring services aimed at businesses wanting to keep tabs on staff, though one ex-employee said he still headed up the firm. He appears to have his fingers in other pies too, registering a number of other domains for spyware businesses, including thaispybangkok.com in 2013 and filipinaspy.com in 2015.
As well as setting up a business for consumers, Raihan also created a new FlexiSpy business in 2012, a reseller program that allows anyone to take their software and relabel it, either as consumer or government spyware. That reseller program makes FlexiSpy a far more intriguing beast: its PC, iPhone and Android malware could be all over the internet, just under different banners.
FORBES found evidence of a reseller in Nigeria, where a LinkedIn user marketed the tool as part of his SpyWitch surveillance arsenal. But one past partner may have been one of the world’s best-known government malware suppliers, FinFisher. In 2012, its rival Hacking Team claimed FinFisher’s Android surveillance tool looked almost identical to FlexiSpy. As reported in a FORBES investigation last week, FlexiSpy expressed shock at the claim its software looked much the same as FinFisher’s tool. The latter did not respond to multiple emails and calls.
Is it legal?
After presenting my conversations with FlexiSpy salespeople to two lawyers, they both agreed that if the hypothetical scenario did go ahead, and the company helped me install spyware on another’s phone without them knowing, they’d have risked breaking the law.
One of those legal professionals was Marina Medvin, who represented the only ever person to have received a criminal penalty for spyware production by the U.S. government, StealthGenie creator Hammed Akbar. She said StealthGenie never went as far as assisting users with installation. “They are endeavoring to install illegal software, not just advertise it. They are technically engaging in a criminal conspiracy with the husband as well. There may be both civil liability and criminal culpability for the curious husband and the helpful company involved in the hypothetical you provided,” she said.
Nate Cardozo, the Electronic Frontier Foundation’s senior counsel, agreed: “He’s offering to be an accomplice to violating the Wiretap act. Under a American law he’d be guilty of a Wiretap violation.” FlexiSpy hadn’t responded for further questions about the legality of its operations.
Meanwhile, lawmakers are seeking to expand laws that punish unwarranted, secret surveillance. Last week, Senators Ron Wyden, Jason Chaffetz and John Conyers introduced The Geolocation Privacy and Surveillance (GPS) Act. Specifically, it creates criminal penalties for “surreptitiously using an electronic device to track a person’s movements that parallel the penalties that exist for illegal wiretapping.” As an example, Wyden’s office noted that if a woman’s ex-husband tapped her phone he was breaking the law.
Regardless of intentions, anyone thinking of installing spyware on another’s device for whatever purpose should consider the serious moral and legal implications.
Got a tip? Email at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail. Get me on Signal on +447837496820 or email@example.com on Jabber for encrypted chat.