
On the morning of July 25, 13-year-old Lucy McHugh left her house in Redbridge, Southampton. Wearing a white-sleeved black jacket, with the logo of American rock band Falling in Reverse emblazoned across the front, she walked in the direction of Southampton General Hospital. At 09:28 she was captured on CCTV passing a Tesco Express. At 07:45 the next day, her body was found in woodland at Southampton Sports Centre just two miles from her home. She had been stabbed. In response, Hampshire Police launched Operation Refund in an attempt to track down her killer and the murder weapon – believed to be a knife, scissors or another sharp object.

On July 27, 24-year-old Stephen Nicholson was arrested in connection with the murder and on suspicion of sexual activity with a child. Nicholson, a care worker, has been bailed on both charges but has been sentenced to 14 months in jail after refusing to fully help police with their investigation. In particular, police say, he failed to give them the password to his Facebook account. During a court hearing, prosecutors alleged that Nicholson had been staying at McHugh's family home until "several days" before she was killed, and said they want to access messages he had sent.


Nicholson isn't the first person to be sentenced by UK courts for failing to provide login details or encryption keys to their devices or online accounts. Cressida Dick, the head of London's Metropolitan Police, has said law enforcement faces a "very protracted procedure" when it attempts to access data from social media companies. She said the systems should be more straightforward and when questioned on LBC agreed that they should be able to access information "within minutes".

But is that even possible? And how does the system work when the police want to get data from Facebook, Google, Twitter or any big tech firm? In short: it's a complicated, and potentially lengthy, process.



There are two main legal systems that UK law enforcement bodies can follow. In Nicholson's case, his 14-month sentence was issued after he pleaded guilty to a breach of the Regulation of Investigatory Powers Act (Ripa), after an order to hand over details was made. Ripa was introduced in 2000 and gives local authorities, including councils, the power to run surveillance operations when they suspect a crime has been committed. (In 2016, it was found councils had used Ripa to track dog walkers and members of the public on 2,800 separate occasions.)


Part III of Ripa allows authorities to create orders that demand people hand over encryption keys. Neil Brown, a technology and internet lawyer with decoded:legal, explains that Ripa disclosure notices can be made to any individuals and not just communications companies. He is skeptical as to whether Ripa can apply to online accounts such as Facebook.

Nicholson refused to give police details, according to The Guardian, as he believed they would find information about cannabis within his Facebook account. Brown says the law does not allow people to withhold requested details so as not to incriminate themselves in other crimes.

The use of Ripa in this case is not unique. In 2009, a man being investigated for terrorism offences was sentenced to nine months after refusing to give police encryption keys for his computer; a 19-year-old in a child sexual abuse case refused to give a 50-character encryption password to a locked file on his computer and was sentenced to 16 weeks in a young offenders institution; and in 2016 a London man had three months added to a six-year jail term for not providing police with the passwords to his phone.


The UK's National Crime Agency tried to circumvent Ripa to get hacker Lauri Love to reveal his laptop passwords in 2016. But courts rejected the law enforcement agency's claims, saying it had to use Ripa instead to ensure human rights were protected.


But the prosecution of Nicholson hasn't helped police get access to the details they believe may help explain what happened to McHugh. Nicholson is currently on bail and investigations into the death are ongoing. For police, getting Facebook to hand over details of an account will require a different approach.

So far, Facebook has frozen Nicholson's account so information within it can't be edited. "We are working closely with law enforcement and there are well established legal mechanisms that the police follow to obtain information in criminal investigations like this," a spokesperson for the company says, adding that its teams that work with law enforcement have a presence in the UK but did not explain how many people this includes.

For law enforcement and police outside of the US to get information from a company based there, a system of mutual legal aid exists. The US has Mutual Legal Assistance Treaties (MLATs) with more than 60 countries around the world, including the UK, and these set out how countries will work together to provide information about crimes that are being investigated. (Facebook has not responded to WIRED's questions about whether data of EU users is held in Europe at the time of publication.)

But the MLAT system has been crippled by a rapid rise in requests for data from big tech companies. "The MLAT process is deeply problematic," says Alexa Koenig, the executive director of the Human Rights Center at the UC Berkeley School of Law. US Department of Justice stats show there has been an increase of requests for computer records of more than 1,000 per cent since the year 2000. "The system is under-resourced and inefficient, often taking months, even years, for information to exchange hands," Koenig says.


And it is this that so frustrates law enforcement officials. "If the UK has complaints, it is with the US Department of Justice for failing to adequately staff and promptly process the requests," says Albert Gidari, the director of privacy at the Stanford Law School. In short: it isn't completely the fault of tech companies – Apple's encryption fight with the FBI in 2016 showed they are willing in some cases to stand up for the privacy rights of users.

In 2015, Gail Kent, who worked for the National Crime Agency at the time but is now Facebook's global policy lead, wrote a blog post outlining the messy nature of MLAT requests. The UK's Crown Prosecution Service, she explained, has to write a letter of request, which is passed to the Home Office. This is then forwarded to the US Department of Justice, which will review it and then send it to the region where the company is based. It will then be converted to a US legal document before going to the company concerned and then back through the entire process.

"The length of this country-to-country process can be compounded by legislation requiring that communication should be via the traditional postal service," Kent wrote at the time. "In the UK, requests for communications data through MLA can take up to 13 months."


The system is slowly changing. Google has previously complained about the complicated system for providing data to law enforcement. Earlier this year the US enacted the Clarifying Lawful Overseas Use of Data Act (Cloud Act), which provides another way for data from US companies to be accessed. It allows for new agreements between countries to permit Facebook, Twitter, Google and other US tech companies to directly give data to trusted countries through domestic warrants. Facebook believes this will speed the process up.

But no agreements under the Cloud Act have been struck between the UK and US yet. In 2016, The Washington Post reported UK spy agencies wanted to be able to request direct wiretaps of Facebook and Google data. "What the world needs is a comprehensive, global framework for the exchange of digital information--ideally one that balances interests in law enforcement and legal accountability, with interests in privacy and freedom of expression," Koenig says.

But balancing the requirements of police and law enforcement with the privacy rights of individuals is a difficult situation. Koenig adds that the rights of both victims and the accused should be considered, despite emotive legal cases.