Could UK law enforcement enforce s.49 of RIPA 2000 on a company outside the UK, say Snapchat, Facebook, or Google, in order to retrieve a user's hashed password from their database to log into that user's account?

If they could, will the company comply and provide them with the user's details or just say no?

And even if law enforcement didn't use section 49 of RIPA but still asked for the user's password, what would the company say?

5
  • 2
    I'd honestly be concerned if they (even the owners of the data) could take a hashed password and turn it back into something they could log in with. It would be a lot easier for them to ask for a data-dump of all the user data, getting the hashed password then cracking it would take a lot longer. BTW, a lot of border security (US and AUS at least) can compel you to provide passwords or deny you entry.
    – Ron Beyer
    Commented Mar 16, 2021 at 19:23
  • Well now I’m confused, thank you all for the answers by the way. I thought this question was just going to die and no one would see it. However, I have one answer telling me YES it is possible but another answer telling me NO. Could I ask which is correct?
    – user37223
    Commented Mar 16, 2021 at 22:09
  • Re the now hidden and locked comments, below, you asked Do you think the company will provide it? I replied, within my comment explaining the process, The recipient company is legally obliged to comply just like everyone else who gets served with a lawful court order so I think they would - if the ILOR actually asked for the key, but it might not be required if the request is for a portion of, or the entirety of, the available stored data
    – user35069
    Commented Mar 17, 2021 at 0:09
  • You have also asked: Has there really been any instances where a US company or any company for that matter has given law enforcement a user's password that is stored in their databases? Neither I nor anyone else can answer this fully as this detail is either operationally sensitive or has not been widely published. What I can say is that foreign companies have provided information requested by E&W ILORs which has included information relating to the user so the specific concerns about the key may be a red herring.
    – user35069
    Commented Mar 17, 2021 at 0:32
  • 1
    Note that unless the company is insanely, criminally, mindbogglingly incompetent, it is impossible to provide the password anyway.
    Commented Mar 18, 2021 at 20:17
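The comments above turn on one technical point: a service that stores passwords properly keeps only a salted, slow hash, so the record it could hand over (under a court order, an ILOR, or a full data dump) does not contain anything that logs into the account. The following is an added example, not code from the question, the answers, or any of the companies named; the parameters, the user name and the password are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed tuning value for the example; real deployments pick the
# iteration count for their own hardware and revisit it over time.
ITERATIONS = 600_000


def make_record(password: str) -> dict:
    """Build the stored credential record for one user.

    Only a random per-user salt and the PBKDF2-HMAC-SHA256 output are kept;
    the plaintext password is never written to the record.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Login check: recompute the hash from the candidate and compare in constant time.

    This is the only path from a record to a successful login; it needs the
    original password as input and cannot be run 'backwards' from the hash.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_contains_plaintext(record: dict, password: str) -> bool:
    """What a data dump would reveal: is the password itself anywhere in the record?"""
    return any(password in str(value) for value in record.values())


def dump_fields(record: dict) -> list:
    """Field names a service could produce in response to a request for stored data."""
    return sorted(record.keys())


if __name__ == "__main__":
    # Constructed sample user; nothing here comes from any real service.
    stored = make_record("correct-horse-battery")
    print("stored record:", stored)
    print("login with right password:", verify(stored, "correct-horse-battery"))
    print("login with wrong password:", verify(stored, "wrong"))
    print("plaintext present in record:", record_contains_plaintext(stored, "correct-horse-battery"))
```

Running it shows a record made of `salt`, `hash` and `iterations` only; `verify` succeeds for the original password and fails for anything else, and the plaintext never appears in the stored data. A party holding only that record is in the same position as the service itself: it can check a guess, but it cannot produce the password from the record.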

2 Answers

2

Q: Could UK law enforcement enforce RIPA section 49 on a company outside the UK?

NO, for two reasons:

  1. RIPA 2000 is not extraterritorial so only applies in England, Wales and Northern Ireland - there is no power to compel a foreign company to comply.

  2. The procedure to obtain material in an evidential format from, say, a foreign service provider is not RIPA but usually via an International Letter of Request which may negate the need for the key if it can't be cracked by digital forensics investigators. The ILOR will specify what the UK authorities are seeking which may be just the key but will probably be a portion of, if not the entirety of, the available stored data relating to the username, IP or any other identifier therefore making the need for the key redundant. It's then up to the receiving jurisdiction to decide on the format with which to proceed (terminology varies around the world so it could be called a warrant, production order, writ etc). The recipient company is legally obliged to comply just like everyone else who gets served with a lawful court order.

(Also, for general interest, some countries have mandatory reporting for certain types of online offending, such as the American Cyber Tip Line operated by NCMEC which can legally share information (but not necessarily in an evidential format) with national law enforcement agencies - although it's highly unlikely, if not impossible, that this would include the key.)

Q: If law enforcement didn't use section 49 of RIPA but still asked for the user's password, what would the company say?

In my experience they don't usually say anything to requests that just ask for information, but if they do reply it's words to the effect NO, get a warrant (see point 2, above).

4
  • I doubt that Facebook Snapchat or Google is a foreign company in the UK. Sure, their headquarters are elsewhere, but they have domestic subsidiaries.
    – phoog
    Commented Mar 17, 2021 at 13:45
  • It usually depends on where the servers etc are located
    – user35069
    Commented Mar 17, 2021 at 14:08
  • The location of a server is only one factor that could cause a company to fall within a jurisdiction. The existence of a subsidiary registered in a jurisdiction exposes the company to that jurisdiction's judicial authority, as does the presence of any assets, not limited to computer infrastructure or data storage (for example, if the company has a bank account in a jurisdiction, the funds in the account could be seized to satisfy a judgment).
    – phoog
    Commented Mar 17, 2021 at 18:36
  • Hence "usually". A subsidiary company is a separate legal entity from its parent/holding company, so it may not be the (principal) owner of the material sought. This means it may not be in a position to lawfully produce it in an evidential format and comply with the rules of evidence. One of my most recent cases was exactly this scenario - an ILOR was required for material held overseas by an international company despite it having a substantial footprint in the UK and using the same trading name around the world.
    – user35069
    Commented Mar 17, 2021 at 19:24
0

Yes

The law gives the nominated agencies the power to demand keys from anyone, anywhere. Refusal to hand them over is a crime punishable by imprisonment of up to 2 years (5 years for child abuse or national security reasons). People have been tried, convicted and gaoled for non-compliance.

As a practical matter, enforcing this on people outside the jurisdiction of the UK would require the cooperation of the country the person was located in. Many countries have similar laws so extradition is a possibility.

3
  • 1
    Though only in cases where the company was able to provide the key in the first place. If they don't know the un-hashed password, they can't be compelled.
    – Trish
    Commented Mar 16, 2021 at 21:10
  • @Dale Re: People have been tried, convicted and gaoled for non-compliance. But only within E,W&NI and none as far as I can find have related to companies (or more properly company officials) withholding a key used by someone else.
    – user35069
    Commented Mar 16, 2021 at 22:25
  • I am downvoting. While you do address the extraterritorial issue in the 2nd paragraph, you muddy the waters too much in the 1st paragraph. The question is specifically about extraterritorial enforcement. The law either applies or doesn't apply to the extraterritorial entities. RockApe's answer claims that it does not. If your answer reaches the opposite conclusion, please provide the relevant passage to show why you think it does.
    – grovkin
    Commented Mar 18, 2021 at 20:06