Access denied: How are the big tech players protecting our digital rights?

The world’s major tech companies have similar policies in handling our online accounts, even under threat of law or after our death

Newly implemented privacy policies and data-harvesting scandals have seen firms double down on their efforts to protect users’ data.

Take Twitter, for example, which won’t give up private user information without a subpoena or court order.

It also won’t allow access to tweets, direct messages, or photos without a search warrant.

Google and Apple have largely the same rules and regulations on the matter.

And Facebook, too, requires a subpoena to hand over a users’ password to a law enforcement agency – a move which was recently challenged in the UK.

In the year 2000, the Regulation of Investigatory Powers Act made it legal for the UK courts to jail someone for refusing to hand over their passwords or access to their accounts.

This has been exercised against suspected terrorists and those held on suspicion of possession child sexual abuse images, as well as against artists and hackers.

This week, a suspected child murderer was sentenced to prison for refusing to provide his Facebook password to police.

Stephen-Alan Nicholson is accused of killing 13-year-old Lucy McHugh and dumping her body in woodland last month, a day after the teen disappeared.

Nicholson, who was described as a family friend, was sentenced to 14 months in jail as Lucy’s mother criticized Facebook for not stepping in.

She argues that the social media giant should hand over his details, as messages on his account could provide further evidence about what happened to Lucy.

But what, if any, responsibility does Facebook bear? Zero, according to Zuckerberg’s team, unless they see a valid warrant.

Apple vs. FBI

Tech giant Apple has been embroiled in a dispute with US law enforcement over access to its products since 2015, arguing that it won’t decrypt customers’ passcodes just because the FBI wants it to.

Possibly the most notable case was when the bureau demanded the key for a phone used by terrorist Syed Rizwan Farook, who together with his wife shot and killed 14 people before they were killed in a shootout.

Following the tragedy, in February 2016 the FBI requested the passcode for Farook’s iPhone 5C, which Apple declined.

It finally gained using a third-party cracking system, though Apple later revealed it will bolster its security in an iOS update to protect against such tools.

Digital life after death

Protecting one’s account after death is much the same as in life: without a court order or search warrant, many companies won’t easily hand your details over.

But some go further to protect a person’s online presence – even after they’ve passed away.

“In terms of a company dealing with death, a lot of the major players have actually stepped up,” Malwarebytes’ Chris Boyd told an audience at BSides Manchester last month.

“There’s a surprising amount of services from some of the big players in the absence of the law being able to fully integrate properly.”

These services include Facebook’s ‘Memorialize’ option, which gives families the opportunity to turn their loved one’s profile into a digital shrine after their passing.

A nominated contact won’t be given full access to the account or to private messages, but will be able to change profile pictures and accept friend requests.

This can also be leveraged when someone becomes incapacitated through illness.

But this feature, too, was criticized in 2015 when the family of a British woman called Hollie Gazzard, who was murdered by her boyfriend, asked Facebook to delete pictures of the couple on her profile page.

Facebook refused as it wasn’t a main profile image, and only later took the images down after more than 11,000 people signed a petition.

Others have praised the function, which enables them with a way to remember their family member or friend.

What’s the solution?

The average person has hundreds of online logins, from bank accounts to social media to online shopping profiles.

There isn’t one sole solution on how to ensure families have easy access to our accounts when we die, but Boyd suggests that decent security hygiene is one of the main barriers.

He said: “One of the biggest problems is these things become so secure you’ve got no chance of getting into them.

“If everything’s protected with two-factor authentication on our phone but then the phone is locked out because there’s a biometric pass or they’ve forgot the pin code or the process for unlocking the phone doesn’t work, that generally tends to be the biggest headache.

“It’s the additional authentication which causes the problem.”

Disabling two-factor authentication, giving access to password managers, or simply just sharing password information is a huge red flag when it comes to security.

Many people wouldn’t – and shouldn’t – sacrifice basic security hygiene simply to allow their YouTube login details to be shared in the result of their passing.

Therefore, a law which considers the increasingly digitized international space needs to be adopted, both in the UK – where Boyd is from – and worldwide.

Boyd said: “There are some very specific laws around this area in the States, and I’m not an expert in US legal stuff… but there are some things that deal with this sort of problem, and make it easier to transfer certain specific online accounts into the official last will and testament, rather than try and guess passwords and hack into this phone, or find out if they wrote it down on a piece of paper somewhere.

“But as far as the UK goes, I think it will be a long time before the law catches up.”

He added: “So I’d urge anyone to have the conversation [with their families] about which things they use to login, and how best to get into these devices should it be required.”