Apple’s strict data protection policies sparked debate over so-called “digital legacy” issues this week, as the company refused to supply a recently widowed Canadian woman with her late husband’s Apple ID password.
According to a report from CBC News, Apple refused to furnish 72-year-old Peggy Bush with her husband David’s Apple ID password after he died in August, saying that to do so would require a court order.
Bush, who was unaware of Apple’s stringent security policies, knew the hardware passcode for David’s iPad, but not his Apple ID. She first encountered a problem when attempting to reload an unnamed card game from the App Store.
Bush’s daughter, Donna, reportedly spoke to an Apple representative who said it would be possible to retrieve the lost password with her father’s will, death certificate and verbal confirmation from her mother. Donna called back after acquiring the requested documents, but the customer service representative denied knowledge of the matter.
Following two months of back-and-forth correspondence, Apple told the Bush family that recovering David’s password would not be possible without a court order.
“I finally got someone who said, ‘You need a court order,'” she said. “I was just completely flummoxed. What do you mean a court order? I said that was ridiculous, because we’ve been able to transfer the title of the house, we’ve been able to transfer the car, all these things, just using a notarized death certificate and the will.”
Because a user’s Apple ID and password are tied to payment information and other sensitive data, Apple implements strong safeguards to protect the data from falling into the wrong hands, going so far as to offer optional two-factor authentication via SMS or push notification. Apple IDs are also used to protect against hardware theft via activation lock, though it appears the feature was not activated on Bush’s iPad.
“I then wrote a letter to Tim Cook, the head of Apple, saying this is ridiculous. All I want to do is download a card game for my mother on the iPad,” Donna said. “I don’t want to have to go to court to do that, and I finally got a call from customer relations who confirmed, yes, that is their policy.”
After being contacted by CBC News, Apple apologized for what it characterized as a “misunderstanding” and reached out to the Bush family to fix the issue. The company did not comment on current or future contingencies for transferring ownership of digital property after death.
“I thought it was ridiculous. I could get the pensions, I could get benefits, I could get all kinds of things from the federal government and the other government. But from Apple, I couldn’t even get a silly password. It’s nonsense,” 72-year-old Peggy Bush told Go Public.
Experts warn this is a growing problem, as more people die leaving important information and valuable digital property on computers and electronic devices.
Bush lost her husband David to lung cancer in August. The couple owned an iPad and an Apple computer. Bush knew the iPad’s log-in code, but didn’t know the Apple ID password.
The Bushes could get a new Apple ID account and start from scratch, but that would mean repurchasing everything they had already paid for.
After many phone calls and two months of what she describes as the “runaround,” Donna provided Apple with the serial numbers for the items, her father’s will that left everything to his wife, Peggy, and a notarized death certificate — but was told it wasn’t enough.
“I finally got someone who said, ‘You need a court order,'” she said. “I was just completely flummoxed. What do you mean a court order? I said that was ridiculous, because we’ve been able to transfer the title of the house, we’ve been able to transfer the car, all these things, just using a notarized death certificate and the will.
A court order can cost hundreds or thousands of dollars, depending on if a lawyer’s services are required.
Peggy Bush said she couldn’t believe it either. After waiting months to get that password reset, she bought herself a laptop. It’s not an Apple MacBook.
That’s when the family contacted Go Public.
Apple won’t talk policy
“More and more people are transferring their lives online and it’s going to become a greater and greater proportion of one’s estate … [it could be] a gambling account, video game account — all have value — tremendous value in some cases,” he said.
Nelson said the problem is that while users own the material online for the most part, access to it is controlled by providers like Apple. Therefore, those companies have the right to set the rules when it comes to accessing what we put online and the content we buy.
Nelson said Apple’s demand for a court order seems heavy-handed in Bush’s case, especially considering the low monetary value of the Apple account.
He also said providers need clear policies when it comes to dealing with digital property and access, and Canadian laws need to be more clear about who owns or controls what is put online after someone dies.
“When it’s digital property it gets murky. While that photograph on Google cloud or on Facebook belongs to you, the access belongs to the service provider,” Nelson said.
“It would be useful for legislation to clarify that … executors have authority to log into accounts and extract digital assets, including changing passwords.”
His advice is that until laws are updated and service providers change their policies, Canadians should include clauses in their wills that allow the executor to deal with digital assets.
Nelson said wills should include information on where to find passwords, but not the passwords themselves, for security reasons.
In January 2015, security researcher and beloved, prolific geek Michael “Hackerjoe” Hamelin died in a head-on collision that also hospitalized his widow, Beth Hamelin.
Hackerjoe had not done anything to prepare for his unexpected death, and he had an exceptionally complex tangle of IT systems and obligations that no one else was prepared to run — or even rescue.
As the widowed Beth Hamelin recovered from her own injuries, she was faced with the task of untangling Michael Hamelin’s affairs, which ranged from the data needed to pay the household bills to the crypto-keys to access the family photographs and archives, to the authentication tokens and knowledge necessary to gracefully wind down the many hosting/IT businesses he ran without leaving his customers in the lurch.
Andrew Kalat — a close friend of the Hamelins and an IT expert himself — stepped in to help, booting Hamelin’s systems with “crash-carts,” begging companies like Apple, Facebook, Twitter and Goolge to let him recover Hamelin’s data, and trying (unsuccessfully) to recover the keys to unlock the Hamelin family’s personal memories. As of the time of the talk, all of the Hamelins’ photos were considered unrecoverable.
Kalat’s talk is a brilliant example of the premise that “we can’t make back doors than only good guys can get through.” When Hamelin hardened his systems against the attackers who might target him or his customers, he also hardened it against his loved ones.
That incident prompted me to create my own digital death plan, which, now that I think of it, is woefully out of date, and, having seen Kalat’s presentation, I realize is also inadequate.
I like Kalat’s proposal that once a year, couples should switch household roles, each paying the bills and taking care of the paperwork the other deals with, just to “stress test” your family’s preparedness for these terrible, unexpected calamities — to make your family a system that fails well, as well as working well.
Most hackers have a massive digital footprint: social media, servers at co-location sites, servers at home, overly-complicated IT infrastructure, and various other IT gear connected in crazy ways. What happens when one of us suddenly dies? How do our loved ones pick up the pieces, figure out all of our random IT crap that we’ve setup, and move forward? This talk explores the challenges, opportunities, and lessons learned as I aided in figure out the IT gear after the passing of a dear friend to the hacking community, HackerJoe, aka Michael Hamelin. I will share details of the challenges Michael’s widow and I faced, how we overcame them, and advice to better prepare your loved ones if you were to suddenly shake off the mortal coil…
Our readers were more than happy to answer them and to pose a few of their own in our first CBC Forum — a live hosted discussion where readers can talk about stories of national interest and the issues that arise from them. We’ll have a new topic every day — sometimes two.
Below you’ll find 10 of the best comments from readers during our discussion about the ownership of digital property after death, followed by the complete discussion in our live blog.
Many readers were happy to know Apple was being strict about privacy.
(Note that usernames are not necessarily the commenters’ names. Some comments have been altered slightly to correct spelling and to conform to CBC style.)
Tom Aaron: I don’t want anyone requesting my passwords and receiving them. Talk about opening up another level of scams — especially on the elderly.
Michael Tea: There should indeed be a process available to next of kin, but it should absolutely require opting-in from the account holder. It would be concerning if Apple and other technology firms provided access to all of your data after your death. They are private documents. I applaud Apple for being this firm about digital privacy. With that said, there needs to be an improvement in the way digital ownership is explained to older customers; it should have been made clear that the private account holder maintains ownership of their purchase history and data. Perhaps introduce a properly shared account with delegated access similar to financial accounts?
Voice_Of_Reason: I don’t disagree with Apple’s reluctance here. I’d rather have high security than lax controls over access. Online accounts and emails are incredibly sensitive — it isn’t just about games. Your account is often your entire identity. An email gives you access to almost everything you do online.
Others (a smaller group) took Apple to task.
Rational Voice: Why in the world should Apple require a court order when the transfer of real estate, pensions and other much more critical items have rational requirements. My bet is that this is purely a dollar-based move on Apple’s part. If you can’t hand it down then you can sell the same items (or bits/bytes) again. The article says they’re working on it, not that it has been resolved and this “generous” solution only came to be after the issue was brought to light on a national news source. As for the reset-the-device crowd — you’d still have lost access to everything he had stored after resetting.
CCGodin: I was fortunate that my husband left me a coded list of all of his, my and our children’s passwords. I refer to it often. I sometimes felt companies were insensitive. A spouse has a legal right to her husband’s property; Apple could be kinder.
Some readers raised interesting questions about what it means to “own” anything digitally.
Nepgear: When you buy something online, aren’t you basically renting a service? The company still owns everything, the games and services and all, and all you’ve done is buy the right to access them and specifically for yourself. The games and servers aren’t inherited by you since the deceased person didn’t buy them, and the licence never pertained to more than one user in the first place. Now, if it did pertain to multiple users, that’s a different issue. However, one can argue that the account was licensed to one user, but that user can then authorize access to another limited set of users.
Tim Smith: Software and online media have always been sold as you “having access to” but not “owning” the media. Maybe this is part of protecting the copyrights because owning it means you can alter it, etc. etc. but it’s a restriction consumers have never really understood. There will have to be a complete rewrite of copyright laws soon, I think, and we need to start taking into account the 21st century reality, instead of the 19th century when they were written.
Others noted that it matters what exactly is being accessed.
Jdev: There are two parts to this really:
Property rights. Digital assets are no different than any other sort of asset, they have value and must be transferable as part of the estate/will
Accounts and internet history. This is very different and engages privacy. Unless specifically granted access as part of the estate, all accounts should be deleted once any property is transferred out.
Unfortunately, very few, if any, companies have the ability to do this or the desire to make it part of their operating procedure, as it’s a logistical nightmare that requires expert staff who can tell the difference between phishing attempts and legitimate death certificates. It also bumps up their bottom line to have people re-purchase assets they’ve already purchased on a spouse’s account.
deemi: It seems that a lot of comments fixate on “passwords.” The client in question wanted access to apps/tools that were used in the household. This does not apply to the deceased person’s personal correspondence, search history, purchasing history, etc. It’s pretty clear that they were married, and shared a household (including computer apps and tools.) Restrict the personal data, allow access to the apps/tools.
Finally, some offered advice to keep others from facing a similar situation.
D. Rand Rowlands: Perhaps the will is out of date. I did mine three years ago, and they have a form requesting passwords to accounts and what should be done with each account. That said, common IT practice is to change accounts every three months if not more frequently, and you do not want to constantly update the will for that.
One solution is a password-keeper application to store all other passwords. If you don’t want it in the cloud, passwords can be stored offline as a Word file on a USB key which is only used to update the other accounts. The will can then list this password keeper account information.
Big hassle? You bet. It’s like keeping the spare key to your front door in a locked box buried under the gnome on the left as you approach the door and then keeping the key to the box in the cap of the garden light near the rose bush that died last summer. Damn, now I have to move the box.
News that Apple demanded a Victoria widow obtain a court order in order to retrieve her dead husband’s password is a good reminder to consider your digital assets when preparing or reviewing your estate plan, says Toronto trusts and estates lawyer Suzana Popovic-Montag.
According to the CBC, Apple initially demanded that 72-year-old Peggy Bush obtain a court order to retrieve her dead husband’s Apple ID.
Bush told CBC, “I thought it was ridiculous. I could get the pensions, I could get benefits, I could get all kinds of things from the federal government and the other government. But from Apple, I couldn’t even get a silly password. It’s nonsense.”
Bush’s daughter provided Apple with the serial numbers for the couple’s iPad and computer, her father’s will that left everything to his wife, and a notarized death certificate — but was told it wasn’t enough.
Apple has since backed off on requiring a court order, but the requirement to provide a will and death certificate is fairly common when someone is seeking account information such as passwords, says Popovic-Montag, managing partner of Hull & Hull LLP.
Technology has become so ingrained in our lives, that we may overlook our digital assets when preparing or reviewing estate plans.
“Technology plays a greater role in our everyday lives,” she tells AdvocateDaily.com. “We now use password-protected technology to pay our bills, communicate and socialize with others, store our photos and music, and to promote ourselves and our businesses.
“By using technology in these ways, we are constantly creating and amassing digital assets and therefore stand to leave behind a multitude of digital content when we die,” she says. “As a result, digital assets are quickly becoming an increasingly relevant consideration for estate planning purposes.”
There are fairly obvious digital assets, such as your email, online banking and social media accounts like Facebook, LinkedIn, Twitter and Instagram. But there are also point reward programs (Shoppers Optimum Points, Aeroplan/Air Miles), digital libraries such as iTunes, online sales accounts (Amazon, Etsy, eBay, Craigslist, Kijiji) and monthly account withdrawal authorizations (cellphone, utilities, memberships, subscriptions) that should be considered.
“Failing to plan for your digital assets can have consequences — for your loved ones and for your digital legacy,” says Popovic-Montag. “No right of survivorship currently exists for digital assets so your surviving loved ones are often faced with challenges when trying to access or delete online accounts, as was the case with this widow trying to obtain her deceased husband’s Apple ID.”
The problem, says Popovic-Montag, is legislation has not been able to keep up with technological advances. She says very few jurisdictions have rules with respect to the release of information required to access accounts to family members or friends, absent a court order.
“Different providers have developed different policies regarding what they allow and what they require in order to facilitate access to, or removal of, digital information stored,” she says. “Unless someone is aware of automatic bill payments/preauthorized debits, these may continue for months following death thereby depleting assets of the estate.”
By creating a digital estate plan, you can ensure your estate trustee knows your digital assets exist and how you would like them managed. Popovic-Montag says an easy way to do this is to create a password-protected spreadsheet that provides relevant information, such as:
a description of the assets;
the web addresses;
user IDs, passwords;
account numbers; and
any other relevant information or instructions.
Popovic-Montag says there are also online services that are designed to assist with storing passwords and relevant information, including, Assetlock, PasswordBox, SecureSafe and Deathswitch.
She says it’s best to appoint a digital estate trustee who is technologically savvy, can handle the responsibility, and is also a person you trust to handle your affairs. Let this person know what you would like done with your digital assets. For example, do you want your Facebook account memorialized or destroyed?
Many providers now have a means for their users to plan for their assets, grant access to a nominated individual for limited purposes and/or leave instructions regarding end-of-life wishes, she says, but there is no standard procedure or service offered by all.
Facebook, for example, introduced a feature called Legacy Contact, which lets users of the social network authorize another person to access or modify their account after they die. Google has Interactive Account Manager, which allows account holders to control how information will be dealt with after a prolonged period of inactivity. Meanwhile, Twitter will work with a person authorized to act on behalf of the estate or with a verified immediate family member of the deceased to have an account deactivated but will not provide access to the deceased’s account regardless of relationship.
Popovic-Montag says it’s important to keep in mind that not all jurisdictions will have the same services available.
“Some services offered in relation to digital-estate planning might be intended for, and only available, to users in the United States or another country,” she says.