"Riana Pfefferkorn, the cryptography fellow at the Stanford Center for Internet and Society, told Motherboard in an email, “Officers should not be buying malware on their own dime for use at work—and using their official email address in the process. Purchases of forensics software (already common in US police departments) should go through normal procurement processes, should have documentation (subject to public records laws), and should be subject to oversight.”
“If the malware was ‘used on a case,’ how exactly did he use it, and why did he apparently not document that? Did he get the appropriate court order? Given the functionality of FlexiSpy, it would seem to require a wiretap order, not just a search and seizure warrant,” she added."