Why won’t Facebook hand over the password?

Facebook cannot hand over the password to the account of either the murdered schoolgirl Lucy McHugh or the suspect Stephen Nicholson, because the company does not store user passwords. Instead, it stores a “hash” of those passwords, which lets it check whether an entered password is correct without needing to store the password itself.

What are police looking for?

Police say they want to see whether or not Nicholson and Lucy McHugh exchanged Facebook messages with each other before the 13-year-old was killed. Nicholson has refused to give them access to his account voluntarily, claiming it contains evidence of drugs offences.

Can police force Nicholson to hand over his password?

They have tried to. The Regulation of Investigatory Powers Act (Ripa) allows for investigators to demand suspects hand over passwords to “protected information” if that information is necessary for the purposes of preventing or detecting crime. Nicholson refused to, and was charged under the act, pleading guilty last week.

The use of Ripa in this way is controversial, with some cybersecurity experts arguing that a Facebook account is not “protected information” in the same way that an encrypted hard drive is, since the information is readily accessible on Facebook’s servers, which the police can demand through other legal channels.

Could Facebook hand over the data itself?

Technically, yes. Unlike previous cases of deadlock between law enforcement and tech companies, such as the conflict between Apple and the FBI over the iPhone of a suspect in the San Bernardino shooting, Facebook is perfectly able to access the data in question.

But the company says it is restricted from doing so by US law and international treaties, which require it to only hand over private information when it receives a legal request valid under US law.

What does Facebook require before it will hand over information?

The company needs requests from foreign investigators to go through a complicated process described in an international agreement called the mutual legal assistance treaty (MLAT). Requests are escalated through the UK government before being handed over to the US, at which point they need to be sanctioned by a number of American government bodies before finally arriving at Facebook’s doorstep in the form of a valid notice from the FBI.

How long would that take?

A valid MLAT request typically takes several months to be completed. It can be sped up in emergency circumstances, when the company is told there is an “imminent threat to life” – such as a terrorist incident, or an abduction – but in this case, the police have not used that clause, Facebook says.

Is that too long?

One thing everyone agrees on is the process needs to be speeded up. Cressida Dick, the Metropolitan police commissioner, has said Facebook should respond inminutes. In turn the company argues that it does do that, in the extraordinary circumstances when it is allowed to by law.

Facebook agrees the MLAT process is too slow. The company has supported a new US law, the Clarifying Lawful Overseas Use of Data Act, which lets the US government enter into bilateral treaties with foreign governments to simplify the process. A bilateral agreement with the UK is expected later this year.

What can police do now?

On this avenue of investigation, they have little choice but to sit and wait for the MLAT process to finish.