How refusing to give police your Facebook password can lead to prison

A 24-year-old murder suspect was sentenced to 14 months in prison on Friday for refusing to hand over his Facebook account password to detectives who are investigating the death of 13-year-old schoolgirl Lucy McHugh.

As the BBC reports, Lucy had been missing for two days last month before her body was found in the woods near a sports center in Southampton, UK. She was stabbed to death.

Stephen Nicholson, a friend of the family who’d been staying with them, was allegedly in contact with Lucy the morning of her disappearance. Police took him into custody and asked him – twice – for his password so they could check out the alleged conversation and whatever other content might help the investigation.

Nicholson has been jailed not for the murder, but for his refusal to cooperate with the detectives and let them into his account.

On Friday, he pleaded guilty to failing to disclose access codes to an electronic device under the Regulation of Investigatory Powers Act 2000 (RIPA).

According to the Independent, Nicholson argued that giving police access to his private Facebook messages could expose information relating to cannabis.

The judge scoffed, describing the excuse as “wholly inadequate”, considering the severity of the case.

Part 3 of RIPA empowers UK authorities to compel the disclosure of encryption keys or decryption of data. Refusal to comply can result in a maximum sentence of two years’ imprisonment, or five years in cases involving national security or child indecency.

Nicholson isn’t the first to be prosecuted under RIPA for refusing to decrypt devices for British authorities. The first case, in 2009, was that of a then-33-year-old man whom the Register described as a “schizophrenic science hobbyist with no previous criminal record.” He was detained after sniffer dogs picked up the scent of a model rocket in his belongings. He was then jailed for nine months for refusing to decrypt files.

Then, in 2010, 19-year-old Oliver Drage was sentenced to four months in jail after refusing to hand over his 50-character encryption key to detectives who were investigating a child exploitation network.

At the time, Detective Sergeant Neil Fowler said that Drage’s sentence showed how serious his offense was, according to the Independent, which quoted Fowler:

“Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime. It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence.”

RIPA is one of two laws that can be used to compel password/encryption key disclosure in the UK. The second is the Terrorism Act 2000, which was used against Muhammad Rabbani: a year ago, the international director for campaign group CAGE was found guilty of withholding his PIN, saying that his devices contained confidential data connected to the case of a man he’d just met in Qatar and who alleged he’d been tortured while in US custody.

Password disclosure in the US

In contrast with the UK’s RIPA and Terrorism Act, the US has a patchwork of laws governing password disclosure. Judges can and do order disclosure, such as in the case of a former policeman accused of storing child abuse images who is in jail indefinitely, until he lets authorities into his hard drive.

The legal landscape in the US seems to change by the minute, though. Within the past two weeks, a Court of Appeals ruled that forcing a woman to unlock her iPhone violates Fifth Amendment protection against self-incrimination, for example.

Does that mean that the US has turned the corner when it comes to compelled disclosure?

Hardly. The ongoing legal debate keeps getting swatted from one end of Fifth Amendment interpretation to the other, as in: Is a password something we know, which would be protected, versus a fingerprint, which is something we are and hence isn’t protected? And are files on a phone, or content within a Facebook post, similar to paper files in a cabinet, the unlocking of which the authorities can compel?

That most recent Court of Appeals majority decision was written by Judge Paul Mathias, who hopes that Fifth Amendment protection will, indeed, cover passwords and encryption keys. He went so far as to create a blueprint “for resolving decryption requests from law enforcement authorities” and asked reviewing courts of last resort to consider following it.

Regardless of legal interpretations of UK and/or US law, it would be nice to think that the most important aspect of Lucy McHugh’s case is that justice is served.

As he serves his jail term with his password safely hidden from detectives, Stephen Nicholson will not be helping to bring anybody that justice. But as legal firm Saunders Law pointed out to the Independent, that could be a self-protecting course for him to take: if disclosure of his Facebook password led to incriminating data, the 14 months’ jail time for his RIPA offense might look like chump change in comparison to what such incriminating data might lead to.

The news publication printed this statement from Saunders Law:

“There could be a completely disproportionate result if someone is imprisoned for not providing a password but not the crime they are originally under investigation for, of which they might be innocent.”