A 24-year-old murder suspect was sentenced to 14 months in prison on Friday for refusing to hand over his Facebook account password to detectives who are investigating the death of 13-year-old schoolgirl Lucy McHugh.
As The BBC reports, Lucy had been missing for two days last month before her body was found in the woods near a sports center in Southampton, UK. She was stabbed to death.
Stephen Nicholson, a friend of the family who’d been staying with them, was allegedly in contact with Lucy the morning of her disappearance. Police took him into custody and asked him – twice – for his password so they could check out the alleged conversation and whatever other content might help the investigation.
Nicholson has been jailed not for the murder, but for his refusal to cooperate with the detectives and let them into his account.
On Friday, he pleaded guilty to failing to disclose access codes to an electronic device under the Regulation of Investigatory Powers Act 2000 (RIPA).
According to the Independent, Nicholson argued that giving police access to his private Facebook messages could expose information relating to cannabis.
The judge scoffed, describing the excuse as “wholly inadequate”, considering the severity of the case.
Part 3 of RIPA empowers UK authorities to compel the disclosure of encryption keys or decryption of data. Refusal to comply can result in a maximum sentence of two years’ imprisonment, or five years in cases involving national security or child indecency.
Nicholson isn’t the first to be prosecuted under RIPA for refusing to decrypt devices for British authorities. The first case, in 2009, was that of a then-33-year-old man whom the Register described as a “schizophrenic science hobbyist with no previous criminal record.” He was detained after sniffer dogs picked up the scent of a model rocket in his belongings. He was then jailed for nine months for refusing to decrypt files.
Then, in 2010, 19-year-old Oliver Drage was sentenced to four months in jail after refusing to hand over his 50-character encryption key to detectives who were investigating a child exploitation network.
At the time, Detective Sergeant Neil Fowler said that Drage’s sentence showed how serious his offense was, according to the Independent, which quoted Fowler:
Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime. It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence.
RIPA is one of two laws that can be used to compel password/encryption key disclosure in the UK. The second is the Terrorism Act 2000, which was used against Muhammad Rabbani: a year ago, the international director for campaign group CAGE was found guilty of withholding his PIN, saying that his devices contained confidential data connected to the case of a man he’d just met in Qatar and who alleged he’d been tortured while in US custody.
Password disclosure in the US
In contrast with the UK’s RIPA and Terrorism Act, the US has a patchwork of laws governing password disclosure. Judges can and do order disclosure, such as in the case of a former policeman accused of storing child abuse images who is in jail indefinitely, until he lets authorities into his hard drive.
The legal landscape in the US seems to change by the minute, though. Within the past two weeks, a Court of Appeals ruled that forcing a woman to unlock her iPhone violates Fifth Amendment protection against self-incrimination, for example.
Does that mean that the US has turned the corner when it comes to compelled disclosure?
Hardly. The ongoing legal debate keeps getting swatted from one end of Fifth Amendment interpretation to the other, as in: Is a password something we know, which would be protected versus a fingerprint, which is something we are, and hence isn’t? And are files on a phone, or content within a Facebook post, similar to paper files in a cabinet, the unlocking of which the authorities can compel?
That most recent Court of Appeals majority decision was written by Judge Paul Mathias, who hopes that Fifth Amendment protection will, indeed, cover passwords and encryption keys. He went so far as to create a blueprint “for resolving decryption requests from law enforcement authorities” and asked reviewing courts of last resort to consider following it.
Regardless of legal interpretations of UK and/or US law, it would be nice to think that the most important aspect of Lucy McHugh’s case is that justice is served.
As he serves his jail term with his password safely hidden from detectives, Stephen Nicholson will not be helping to bring anybody that justice. But as legal firm Saunders Law pointed out to the Independent, that could be a self-protecting course for him to take: if disclosure of his Facebook password led to incriminating data, the 14 months jail time for his RIPA offense might look like chump change in comparison to what such incriminating data might lead to.
The news publication printed this statement from Saunders Law:
There could be a completely disproportionate result if someone is imprisoned for not providing a password but not the crime they are originally under investigation for, of which they might be innocent.
17 comments on “How refusing to give police your Facebook password can lead to prison”
Facebook should be granting access to the detectives!! Why oh why does this not get sorted once and for all? Facebook are not gods and are inhumane! How dare they fail to immediately provide access when police ask for it! I’d heard on the radio this morning that the mother of this poor girl has urged Facebook to provide the police with access. Hasn’t she been through enough already?
Facebook should not hand out passwords except under warrent. That I can get behind. But demanding the password and jailing people just for that, that’s like demanding a confession or telling you to open your house to search without cause.
Good luck to them, i don’t have a facebook or twitter anymore. people should follow as well and delete all their social media presence. too much at stake now.
Did facebook refuse a subpoena for this same information? Or did they even attempt to go that route?
not committing a crime might be the best thing
The state has a right to reasonable search and seizures. Just because you think differently for whatever reason, or find some very imagined logic to justify not, is irrelevant. That applies to the big tech companies as well. They will lose this fight. Thankfully.
The state has not right of “reasonable” search or seizure, who determines the reasonable? They have the right to search under probable cause, they can even search to prevent harm with a preponderance of evidence. When investigating a murder they do not, they must obtain a warrant and respect the 5th amendment (the murder has already taken place.)
Isn’t this the point: That the innocent have nothing to hide?
The old argument, “if you’ve done nothing wrong, then you have nothing to fear” simply does not work any more. Neither does the principle of never committing anything self-incriminating to electronic media; the dates and times of log-ins, and information contained in posts and server logs can situate someone at a time and location (if not a great deal more). Best to not use social media at all, and maintain communications using end-to-end encryption, hosted outside of the United States and close allies (especially since the CLOUD Act), and even then, use electronic communications sparingly and with established intelligence. And the last people one should ever trust, are law enforcement and elected officials.
Facebook should pass on information when it is backed up by a court order, and not before – they certainly shouldn’t do so after a quick phone call from the police. Today in Britain the chief of the Met police tried to fly that kite, saying that confidential data should be only a call away.
(partly responding to you, the rest is me rambling) Yep, in the US it’s called a search warrant. Which requires the person asking a judge to show reasonable cause to issue, not just because. It usually also states what they are allowed to look for. I am very anit-spy, but a search warrant is a responsible tool, and does not require a willing suspect to be processed. FB should allow access when a judge approves a warrant. Now getting a password out of someone, that’s not realistic, especially if a dirty LE dept/agen (yes there are some) accuses you of having an encrypted file, and you don’t – there for can’t give up a password that doesn’t exist – should be locked up for life – you know it will happen, if not already.
If all the police want is the conversation history they should have applied to FB for Lucy face book information. It’s personal and private even though the police want to ignor human rights, and rights to not incriminate yourself. I’m sure if he’s guilty he will get what he deserves.
To all of you going on about Facebook giving them access, the problem is secret conversations. They are encrypted and only available from one device to another if I remember correctly.
here in the US I believe a recent court decision stipulated that unlocking a cell phone or retrieving social media account information requires a judge’s consent and pertains to the legality of search and seizure code (correct me if I am mistaken). as for the case in Southampton, I would think a subpoena of the accused person’s Facebook password could be obtained using the proper channels. the cannabis ruse is a red herring….still I wonder what other dodgy deeds Nicholson may be involved in. I agree with a previous comment posted in this thread – social media is a double edged sword with thorny issues continually being debated. I admire the folks that “share” in the blink of an eye, however I continue to be very apprehensive about such data and its usefulness.
This seems like a no brainer. Can the police or anyone force you to provide them with information that could be used against you in a criminal complaint in violation of your 5th amendment right not be a witness against yourself? If the police threaten you with arrest if you don’t waive your 5th amendment right, then you simply state under threat of imprison and under duress and NOT by voluntarily consent of waiving any of your rights, you will provide, by objection, that which they seek. You can then motion to dismiss any complaint based on evidence acquired under threat of imprisonment. This is not legal advice, it is legal information found in any law library.
Shouldn’t any conversation they are looking for also be visible in the victims account? Why did they not just access that? Surerly the court could easily compell Facebook to give access to the victims account, especially with the parents consent with her being a minor. I really don’t see the problem and I am rather confused why this article doesn’t mention the other account, or any attempts at accessing it.
The best thing to do (in my opinion) is encrypt your phone/computer, wipe it on a weekly basis so that unused or deleted data is permanently destroyed using a DOD approved algorithm (at least a 7 pass wipe), and if the police do bust down the door – simply invoke your right to speak with an attorney and decline to provide your password or biometrics. Of course, the best thing to do is do not things that may get your door knocked off the hinges.
Of course, be careful for the smart cop who uses a ruse. For example, police show up at your door and say “Your ex girlfriend said you sent her a bunch of threatening texts last night, but if I see you messages and do not see any such messages in your sent folder you won’t go to jail.” Knowing you are innocent you unlock your phone and the cop snatches it. It turns out it was a federal agent in a cops uniform investigating you for something else. If you fall for the ruse, whatever evidence you allowed them to gain is admissible.
Keep in mind counter-forensic methods such as full disk encryption, wiping internet browsing history, and unused space are used for every day purposes by legitimate companies, law enforcement, and every day common folk who value his/her privacy. In United States v. Otero, 563 F.3d 1127, 1132 (10th Cir. 2009), the court found what most of know: “The modern development of the personal computer and its ability to store and intermingle a huge array of one’s personal papers in a single place increases law enforcement’s ability to conduct a wide-ranging search into a person’s private affairs[.]”).
Best to everyone here regardless of your views – Darren Chaker