If you have more digital assets which you own, you can also consider getting specific hardware designed to protect digital information. A perfect example would be a hard drive using complete encryption — without the proper password, nothing can be retrieved, and your assets are perfectly safe. You just have to be sure that your executor does know where the storage device is, and has all the keys to unlock it. The cons are simple: the locker must be physically accessible, undamaged (when sometimes defects appear over time, rendering your assets inaccessible), and you will have to physically access it to update it.
By Michael E. Locasto
Death is an uncomfortable subject for many people, and digital systems are rarely designed to deal with this event. In particular, the wide array of existing digital authentication infrastructure rarely deals with gracefully retiring credentials in a uniform fashion.
This research paper highlights an emerging paradigm: gracefully dealing with expired digital identities in a secure, privacypreserving fashion. It examines the confluence of modern browser technology, cloud services, and human factors involved in managing a person’s digital footprint while they live and retiring it when they die.
We contemplate a potential approach to dealing with credentials after death by using cloud computing. We consider the reasons that such an approach may actually provide an opportunity for enhancing authentication security by frustrating identity stealing attacks.
We note that this paper is not aimed at trivializing the real grief and loss that people feel, but rather an attempt to understand how security and privacy concerns are shaped by the end of life, with the ultimate goal of easing this transition for friends and family.
This paper considers the security and privacy issues involved in the management of digital identities during and at the end of life, and whether a technological solution exists that can ease management and increase assurance against digital identity theft.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The focus of this paper is on identifying what kind of changes in authentication technology might more easily support security and privacy goals in passing on control of critical online identity aspects. In short, how do we apply thanatosensitive design (see Section 6) to information security?
1.1 Digital Footprints
Death can be an unpleasant subject. Yet, as we get deeper into the digital age, each of us leaves behind an even greater digital identity footprint, and managing the retirement of that collection of digital identities is an important task that falls on family members and friends after someone dies. Both practical and emotional issues abound: how do I close this online bank account? Should I leave up their hobby Web page or Twitter account  as a tribute to their passion? What do I do with 7GB of their email?
We accumulate a startling about of digital debris, and this statement seems particularly true of those born from 1990 onward, as we can see with the surge in social networking and increasingly visible online lives. The digital information age is young enough that most participants are only beginning to deal with the management of digital identity and privacy concerns when loved ones die. Our digital footprints go far beyond embarrassing Facebook images. The transformation extends to the economy, society, and government: social networking, e-commerce, and “digital government” delivery systems are where our banking, retirement accounts, travel, shopping habits, book reading, music preferences, food ordering, etc. all take place online.
At the same time, most of our current identity management infrastructure is rife with problems as old as low-entropy, guessable passwords or password reuse across accounts. The HBGary Federal saga reminds us that both weak passwords and password reuse across accounts is still rampant . Clearly, there is a need for strong management of multiple independent digital identities (in essence, containers: see Section 4).
1.2 Personal Identity Retirement, Revocation, and Cleanup
Personal digital identity and credential systems are typically set up with little thought as to how credentials might gracefully be retired in conjunction with other aspects of your digital identity. Even retiring individual credentials for organizations and machines is a known hard problem: for example, although mechanisms exist for certificate revocation, its use is subject to substantial challenges (e.g., cache coherency, certificate revocation list size and update frequency) in many environments.
For the retirement of personal identity information, the problem becomes somewhat more delicate. We note that our definition of “cleanup” goes beyond just deleting the account and content. Most
individual authentication mechanisms seem to assume a worldview in which they are the only extant mechanism, and “unsubscribing” or deleting an account is as simple an action as logging in, navigating to a settings or profile management page, and asking the site to permanently disable or delete the account.
This paper suggests that the paradigm of holistic digital identity management is more complex than that assumed by any single authentication mechanism or Web site account.
1.3 Our Definition of Identity
When we say “identity”, we mean the collection of information about a user contained in services as varied as banking and social networking. Such information includes both server and usergenerated content and data.
We see identity as including (1) credentials (i.e., usernames, passwords, passphrases, email addresses, public keys, certificates, identifiers, roles, password “hint” questions and answers, SiteKey phrases and pictures) used to authenticate to the service and authorize different uses, (2) user preferences for interacting with that online identity, (3) personal information (i.e., names, account numbers, address, contact information, date of birth, sex) stored by the service, and (4) content (e.g., account balances, comments, links, likes, posts, medical ailments) generated during the interaction of the user with the service.
We stress that this definition is not a complete one (although the “content” component is meant to cover most data not contained by the other three identity components we specified), but rather a reasonable working definition of the major types of data related to an individual’s real identity that they may wish to control.
1.4 Motivation: Containing ID Breaches
Our motivation to examine the possibility of well-managed endof-life digital footprint erasure or retirement stems from recent incidents highlighting the very old problem of poor quality, reused credentials in software systems ranging from desktops to web sites.
We were motivated to explore this topic by thinking about classic problems with password-based authentication that are particularly compounded in an age where the demand for login credentials from multiple Web sites and services increases the pressure on ordinary end users to take shortcuts, including weak passwords and password reuse across multiple sites.
From a systems perspective, these identities are not compartmentalized. Given the expediency of using weak passwords and the existence of security-weakening measures like password recovery questions, guessing, brute-forcing, or deducing login credentials is relatively easy. Furthermore, given the prevalence of password reuse, corrupting even a single low-importance account holds the potential for corrupting a larger slice of someone’s digital identity.
Although identity management systems like OpenID exist for making it easier and more secure (by reducing the proliferation of weak authentication schemes and “roll your own” crypto, or so the claim goes) to log in to multiple web sites, web applications, and software, OpenID faces its own set of challenges and still supplies a single point of identity failure; a compromise of the main OpenID account leaves a large part of your digital identity open to access and manipulation.
What seems needed, then, is a system for creating identity containers that (1) use strong credentials like completely random passwords, (2) are strongly isolated from one another (i.e., a compromise of one set of credentials does not directly lead to a compromise of even a single other digital identity component), and (3) does so in a fashion largely transparent to the end user (in other words, a user has no chance to create a weak password or reuse a password because they are removed from these decisions).
Assuming that such a software system and service could be built (we sketch a design in Section 4) and done so in a way that is us-able and transparent, we next thought of the implications the deployment of such a service would have. For example, centralizing the management of all your online identity “aspects” opens up the possibility of greater control and greater abuse. But perhaps more fundamentally, given that our online digital identities are likely to grow by accretion as larger segments of society in the developed world move online, it is natural to ask: what happens to all this accumulated information when we die? What are the design considerations for our identity authentication mechanisms such a system might interact with in the eventuality of death? In other words: how do we design authentication mechanisms that explicitly provision a mechanism for dealing with the death of the account holder and passing control to a designated beneficiary (or set of beneficiaries)?
This paper attempts to examine the issues involved with the multilifespan management of digital identity. It examines the paradigm of how to contend with authentication and credential management of a single real person after their death. The key challenge is to gracefully deal with expired digital identities in a secure, privacypreserving fashion. We examine the confluence of modern browser technology, cloud services, and human factors involved in managing a person’s digital footprint while they live and retiring it when they die. We pay particular attention to the design of an authentication and identity management infrastructure aimed at containing identity theft to a particular “identity container” stored in the cloud.
Proactive deletion of information carries a cost. Traditional authentication technologies present roadblocks to coherently and cleanly retiring a digital footprint in a single fell swoop. How can we better manage authentication credentials from the point of view of preparing for the event of death?
We make several assumptions that not all might agree with. First, it is a desirable goal to ease the management of the decisions that the bereaved must confront. Second, account holders wish to pass on parts of their digital identity to a variety of survivors. Third, although deaths are significantly less frequent relative to “common” authentication actions like logins, they are of sufficient importance so that the mechanism should deal gracefully with matters of transferability. Finally, we leave open the question of how to encourage people to undertake planning; we note that people delay other related concerns like retirement planning and life insurance. We believe that those concerned enough with their digital legacy would like some kind of unified management of their digital identity, and we suggest that increasing amounts of modern life will transition to the digital arena, making the task of retiring a digital identity more common or needed than traditional physical interactions like visiting a brick-and-mortar bank to close an account – particularly due to scalability issues in terms of the relative amount of physical vs. virtual interactions people are likely to have.
2. DIGITAL IDENTITY FOOTPRINT
How large are our digital footprints?1 As an anecdotal approach to answering the question, one of the authors has over 300 entries in a password database containing credentials for multiple Web sites, devices, and machine accounts. We suspect that many users can own to significant numbers of accounts and credentials, each forming a part of their total online identity.
Furthermore, it is likely that our digital identities will only grow more complex. As new services come online, and early adopters and the general public create accounts, these services may wane in popularity (see, e.g., MySpace). People are therefore likely to accrue accounts (for example, MySpace to Facebook to Google+). There is little incentive to proactively delete old accounts and email addresses; users simply “move on.” Second, as institutions like the Federal Government start to require online interaction (and institutions like banks make it more attractive by charging fees for in-person services), large segments of the population will have no choice but to move to some form of online interaction. Figure 1 shows how data.gov requires a form of authentication in order to access some data. Setting aside privacy concerns, this type of interaction is likely to become more common for otherwise innocuous reasons like tracking the value of the contractor or the popularity of certain content. In some sense, because online authentication has become easy enough to deploy as a service, there is little incentive not to employ it, but such practices only increase the complexity of dealing with retiring multiple digital identities.
These online accounts naturally have varying importance. A community newsletter may have less relative importance than an account with the Bank of Montreal (BMO). And these accounts may have varying levels of importance in the time following our death. The bereaved will certainly have to dispose of virtual (e.g., frequent flyer miles, fantasy baseball rankings), physical, and financial assets, but may also have emotional needs to satisfy by more deeply analyzing the digital aspects of a loved one’s identity. Yet, wading through all these accounts (or even gaining access to the machine where the bulk of credential information is stored) may be a large technological hurdle for most people.
Our kin and executors have an interest in and important responsibility to dispose of our financial assets, but these may be scattered across multiple banks, financial institutions, and credit companies, all of which have an increasing online presence and a diminishing brick-and-mortar presence. They may have to work with our online tax preparer, multiple retirement accounts, multiple banks (possibly in multiple countries), and several credit card companies. Estate management by our family and executors is no easy task, and the amount of digital interaction and access through an inaccessible set of credentials only makes the task more daunting.
Our family and friends may have an interest in our online social circle (and we may have an equally strong interest in preventing them from discovering it); those in it (e.g., Facebook, LinkedIn, Twitter) may wish to learn about our passing.
Our professional circle (professional organizations like ACM or IEEE, our colleagues, research partners, funding agencies, students, scientists) also has an interest in learning about one’s passing and possibly obtaining access to research material, code, reports, articles, and other intellectual property.
It seems, then, that most of our online lives will need to be disposed of in some way, but existing authentication frameworks don’t make this an easy task. Furthermore, we should have the ability to control such dissemination in a fine-grained fashion; one should be able to specify which sites, accounts, and identity aspects are available or accessible to which type of “identity beneficiery.”
2.1 Value of a Unified Approach
A unified approach to digital identity retiring and cleanup offers control to both the bereaved and the deceased. Our family members are likely to only think of financial and work benefits issues in the short term. In time, they will likely want or need access to a larger piece of the decedent’s digital identity. A unified framework for identity management could provide quicker access (vs. going through legal channels), and it could help the bereaved by-pass the types of restrictions that we see in the Yahoo terms of service imposed on accounts of the deceased. Such an automated mechanism would also relieve service providers of the burden of verifying death certificates or retrieving backups of deleted data for persistent kin. It also offers a degree of control to us while we are alive: we can specify which people will have post-mortem access to specific files and data. Such a facility could be particularly helpful in awkward situations (hidden bank accounts, etc.).
2.2 ID Management
Today, we may depend on a privately stored file, a paper folded in our wallet, or our browser to store the URL, username string, and password required for entry into these sites. We may reuse a single contact email across accounts and even use (and reuse) a weak password. Password recovery hints (or links) for many sites are sent to our contact email account. All these factors make it easy for attackers to hijack a significant part of our digital presence by compromising only a single set of credentials.
3. SURVEY OF TERMS OF SERVICE POLICIES
Revoking single, purely digital credentials such as X.509 certificates is a known hard problem. Gracefully retiring personal identity information poses a somewhat more difficult problem. In fact, some Terms of Service contain provisions that make such cleanup difficult, even for those that survive the account holder.
No Right of Survivorship and Non-Transferabiity. You agree that your Yahoo! account is non-transferable and any rights to your Yahoo! ID or contents within your account terminate upon your death. Upon receipt of a copy of a death certificate, your account may be terminated and all contents therein permanently deleted.
Even when thought is given to handling the retirement of an account, its usability seems quite low. For example, email accounts might be set to expire after a year or so of inactivity. The Yahoo YMail Terms of Service state that an account may be suspended for a variety of reasons, including “…(e) extended periods of inactivity,…”, and that the actual enactment of such a suspension may take one of several forms:
(a) removal of access to all or part of the offerings within the Yahoo! Services, (b) deletion of your password and all related information, files and content associated with or inside your account (or any part thereof), and (c) barring of further use of all or part of the Yahoo! Services.
Such terms of service seem to provide little in the way of comfort or usability for those mourning the loss of a loved one.
3.1 Overview of Policies
We examined policies for several types of accounts (Banking, Social, Healthcare, Cloud Services, and Email) across the United States, Canada, and the UK. This study is still ongoing; we present our partial results in Table 1 and anticipate having more by the workshop.
Some reviewers asked us to take a more international view on this topic; we are in the process of gathering data for multiple countries (primarily English-speaking, e.g., US, UK, Canada, Australia). In Table 1, there are a few things to note. USAA does not have a death or transfer clause, but states that certain provisions will remain in force past the Agreement termination. Wells Fargo’s online account terms of service only talks about death in reference to terminating a “Delegates” access (a Delegate is defined as someone with temporary legal control of the account).
We note that most services contain language about the user’s responsibility not to share login credentials or let others use the account. Very few talk explicitely about death, the bereaved, or executors; of the ones that do (such as Yahoo!) they typically forbid such transfer.
4. CLOUD IDENTITY CONTAINERS
In this section, we sketch the design of a system meant to manage multiple independent aspects of our online digital identities. A side effect of our attempt to consider the trustworthiness properties of such a digital identity management “solution” is to consider how this framework might be used in the event of the identity-holder’s death.
Users already trust their web browsers to store a collection of usernames and passwords for a variety of different Web sites; one author has nearly 180 entries representing over 100 Web sites in one of his frequently-used browsers, another has about 85, and the third has 15.
Users should not have to invent or create strong password mate-rial. A trusted agent (such as a browser extension) running locally can do this task. This includes answers to things like “password hint” questions. Some browser extensions (and Apple’s Airport Utility) already provide such a “strong password” creation service. More generally, users should have the burden of of managing and remembering credentials removed from them.
Aspects of a user’s digital identity should be strongly separated from other aspects. For example, a user’s Amazon cloud services account should not share an email address, username, or password with a photo sharing Web site. An attacker that manages to learn the Amazon credentials should not be able to access the photo sharing Web site and vice versa. In essence, an identity management solution should provide “identity containers” that are strongly isolated from each other.
Storing credentials and other account information locally on disk or semi-persistently in the browser’s memory is less trustworthy than storing them in a special purpose, remote access facility.
Remote management of identity credentials offers users the ability to bypass restrictions like deletion of their personal information should they die or be otherwise unable to access the data.
We envision a browser extension that augments current “password management” browser (and extension) functionality. Such a browser extension would:
- intercept the process of creating credentials for each new Web site or Web application
- ignore (but record) passwords supplied by the user
- generate a strong random password
- generate strong random “password hint” questions and answers
- create a new, disposable single-purpose  email address and other digital identity aspects (e.g., Facebook, Twitter, LinkedIn, blog, Amazon account, eBay account, Skype account)
- pass through any CAPTCHA-style queries involved in creating these new digital identity aspects to the user via the browser interface
- store this digital identity information in a cloud storage service
- retrieve this information when the browser attempts to log into a web site due to user action
One criticism here is that we still need to authenticate the fact that a user initiated a log-in to a particular website, and that relying on the user to supply weak credentials essentially protects high-value credentials with low-value credentials. We are open to suggestions about a more secure mechanism.
4.3 Cloud Storage
Rather than storing credentials locally where they may be subject to theft by malware, the extension can forward them to a cloud storage service; this service essentially becomes a trusted identity container provider. This provider can encrypt and distribute these identity containers in ways that make it difficult for an attacker to subvert or steal multiple credentials at once. Furthermore, since the browser extension creates individual profiles and contact information (e.g., email address) for each credential, an attacker that gains control of a single credential or email address (for example, via disclosure by the email provider) will only have access to that particular identity information. This type of service is particularly useful to survivors that do not have local access to the decedent.
One observation we received in early reviews of this paper was the question: “why is cloud computing involved here?” We mention the use of cloud computing not in an effort to jump on some hype-fed bandwagon, but rather as a reasonable, modern platform for delivering an identity management service to end-users. Our focus on cloud is mainly to help focus the shape of an independent identity inheritance / management service along concrete lines. What is important about this service is the business model, and the collection of technologies and techniques behind what might be currently termed “cloud computing” provides a relatively low barrier to entry for those wishing to provide such a service. In some respects, projects like KeePass that can store their password database in Dropbox are early versions of such a service, but lack the management and inheritance components we discuss below. In any event, the specific technology is less of a focus; we suggest browser extensions and cloud storage only a means to show how such a service may practically be deployed with current technology.
4.4 Handling Identity Inheritance
The user should have the ability to arrange with the cloud provider which set of identity containers is revealed to which set of survivors. In other words, the user specifies which aspects of their digital identity are forwarded to which “identity beneficiary” upon their death.
The user can also choose what combination of events might trigger a transfer of identity information; certain containers may be released if the user fails to respond to a keepalive test (e.g., something like deathswitch.com or a semi-annual email reply requiring a human rather than automated answer), and certain other containers may be released only on presentation of a death certificate and other identifying information.
The identity container provider could also offer to save (independent of the functionality of a specific identity container) other critical physical or virtual documents (e.g., SSN card, birth certificate, legal or financial documents) to be delivered with control of the container to the survivors.
4.5 Service Partners
One substantial obstacle to such a system is the required “network effect” of getting multiple Web sites to buy-in to allowing their users to use this service.
While the service could be deployed without the permission of the Web sites that the user interacts with, the user might be violating the Web site terms of service by allowing others to access the account after they have passed.
As a practical matter, getting broad acceptance for such a service will likely be made easier by gaining the cooperation of various service providers; they should be persuaded to include exceptions for such services in their conditions of use and terms of service. Sites would have to “buy in” to the service. One way they may be convinced to do so is that users might be attracted to their services if users know that the services are certified or compatible with transfers of ownership in the event of death. Furthermore, these service providers (e.g., Google, Amazon, Microsoft) face a scalability problem: it may pose significant workflow problems to have to manually respond to everyone with a death certificate seeking access to a loved one’s data. Handing off this service to a trusted third party may provide an attractive solution.
Another obstacle is the economic model for this service. It would be too close to extortion to ask survivors to pay a fee for access to someone’s data; a subscription model, where the cost is borne by the user while they are alive (similar to a life insurance model) seems much more workable. Still, the identity container provider faces significant risks from external attacks because it is a publicly known source of credential information. A serious compromise could lead to multiple identities being disclosed, and the potential for an insider attack might be significant. These pressures might increase the cost of protecting such a service far beyond what people might be willing to pay.
Furthermore, although large organizations like credit rating agencies might have the financial resources to take on such a service, they may have a conflict of interest in administrating this information, and are likely to view it as part of their intellectual property, rather than seeing their role as a trustee of sensitive third-party information.
One of the best ways to avoid information disclosure is not to store data in the first place, but such restraint is not common, and proactive deletion of information carries a real cost (time and energy spent to trace information and securely erase it). Traditional authentication technologies present roadblocks to coherently and cleanly retiring a digital footprint in a single fell swoop. How can we better manage authentication credentials from the point of view of preparing for the event of death?
We wish to facilitate discussion at the workshop on the following questions:
- Is it possible to design even a single authentication mechanism that gracefully handles the event of death? Setting aside the question of how to federate or manage multiple identities, can a single authentication mechanism gracefully expire credentials or automatically delegate them based on “real world” measurements like the existence of a death certificate? Are “heartbeat” services like deathswitch.com really the best solution?
- Do the dead have a right to privacy? It does not appear to be the case, but they may still have property rights; the CNET article “Taking Passwords to the Grave”  quotes Marc Rotenberg, executive director of the Electronic Privacy Information Center: “The so-called ’Tort of Privacy’ expires upon death, but property interests don’t,” he said. “Private e-mails are a new category. It’s not immediately clear how to treat them, but it’s a form of digital property.”
- Given that the most likely legal framework to apply is that of property rights, How does digital identity information compare with other physical “material” property belonging to the departed?
- How large are current digital identity footprints? A welldone user study exploring this data might shed light on the complexity of managing multiple identities.
- Do the dead have the right to specify the enforcement of compartmentalization of their digital footprint? It seems clear that users engaging in any form of estate planning should have firm footing to specify how to dispose of their digital identity.
- Who “owns” a set of digital credentials: the user or the service they are meant to authenticate to? If a third party generated them (e.g., a browser plugin on behalf of a company or developer), does the third party have any rights? We may be wading into legal murkey waters here (we just don’t have the background to know) – but it seems like any comprehensive definition of “identity” (like the one we gave in Section 1.3) would likely include elements that service providers would think of as their property, setting up a conflict over control of these assets.
- What are the usability concerns of an identity protection system meant to ease transition of digital identity information upon the event of the owner’s death?
- Under what conditions should a provider of such an identity container storage solution be compelled to release this private data? What is the legal framework that should be applied?
- How do survivors prove to the ID container provider their identity? Some services offer to provide data to survivors or executors, but only after a significant amount of paperwork.
- What are the reasonable constraints on the cost of this service? Is an insurance model the most ethical? A centralized identity management solution seems distasteful (witness the reaction to the US National Strategy for Trusted Identities in Cyberspace), but for a marketplace of such services, can they ethically make money when they might be seen to be gouging the bereaved? Does an insurance model for the deceased work?
- How liable should the identity container provider be for disclosure? Do special penalties apply? If there is a viable business or public service in running such a provider, do they have a special responsibility to procure “above average” protection, auditing, and mitigation techniques against cyberattack?
- Is adding yet another layer of management to digital identity just compounding the problem? People already struggle
- with identity overload (and compensate in ways like password reuse and weak passwords); although a cloud-based identity provider framework seeks to decrease this cognitive load, adding yet another layer of indirection to a fractured authentication landscape might be a cure worse than the disease.
Our identity is different than existing web services; we offer finegrained control rather than an unlocked vault.
6. RELATED WORK
A significant amount of work exists on the topic of authorization and authentication; this subfield is a staple of the information security discipline. This paper deals with the usability of authentication schemes (more precisely, digital identity management schemes). Recently, the topic of usable security — particularly usable authentication schemes — has received a great deal of attention. Graphical password schemes were suggested as an easier-to-remember alternative to traditional weak passwords, but even these schemes have weaknesses suggest Biddle et al. . The PassThoughts  paper from NSPW 2005 explored the feasibility of a mentallydriven approach to authentication.
6.1 Identity Management Failures
It seems that however much attention we pay to creating usable authentication mechanisms, identity management remains a challenging task. The recent Epsilon episode  shows us a failure mode of outsourcing user identity information to a third party. From Target and Best Buy to Citigroup and Marriott, valid user names and email addresses were disclosed by a single intrusion .
Recent headline-grabbing attacks by movements like Anonymous and LulzSec demonstrate the ease with which PII and account information can be obtained and released, along with reminders of how poor real-world password practices are (see, e.g., Figure 3; this screen capture was taken from the “Police-Led Intelligence” blog ). In other LulzSec-related news, Troy Hunt performed an analysis of Gawker and Sony passwords, finding, among other things, that 50% of passwords were less than 8 characters, only 4% of those passwords contained three or more types of characters (and only 1% included a non-alphanumeric type), and fully “twothirds of people with accounts at both Sony and Gawker reused their passwords.”4. An earlier companion article lists the 25 most popular passwords for Gawker and rootkit.com, and these two lists bear a great deal of similarity to the Sony set5.
6.2 Death and Computing
In recent years, computer scientists and system designers have begun to understand the implications of death as it affects the social, technological, and personal dimensions of computing. Humancomputer interaction (HCI) researchers have recently embarked on a series of studies seeking to unravel the complexities associated with death and computing. A CHI 2010 workshop (“HCI at the End of Life: Understanding Death, Dying, and the Digital”)6 explored this topic and was organized by one of the co-authors of this paper.
Massimi and Charise first drew attention to this area by envisioning a system design process called “thanatosensitive design” which, death is an issue so immense that it often requires the expertise of multiple disciplines, including law, psychology, medicine, social work, and more. Researchers in human-computer interaction have suggested technology design at the end of life be framed in an approach borrowed from development psychology – that of looking at the human lifespan . In so doing, stakeholder groups and important themes are highlighted. This framing also suggests that the individual’s orientation towards death be considered throughout their own, and across multiple, lifespans. The application areas and needs throughout the lifespan shift; for example, writing a will is an activity often seen as impractical during youth, but immensely important as one grows older.
Beyond framing the space, HCI researchers have also sought to understand the social processes and tools that are involved during bereavement. One study investigated how personal technologies such as PCs and mobile phones are handled following a death in the family, and found that inheritance of such technologies is a complicated and difficult process, with passwords and biometrics commonly causing problems in accessing crucial data postmortem . At the same time, these technologies symbolize a relationship which survivors continue to cherish, and they use technologies to continue the relationship in many ways. For example, Odom et al. describe a woman who buried her loved one with his cell phone so that she can continue to send him text messages . The unique needs of the bereaved, and how technologies might be sensitively designed around these needs, has also been investigated through focus groups and interviews with bereaved parents and thanatology professionals . One specific need from this study included the desire to be sheltered from others and the world immediately following a death, with the suggestion that we design technologies to shelter as much as they might connect.
Social networking websites such as MySpace and Facebook similarly permit relationships to endure past death. One study of MySapce found that the bereaved employ these websites to maintain rituals and write to the deceased, with predictable patterns of use during special occasions such as birthdays, death days, holidays, and so on . Textual messages posted to profiles of the deceased comprise the majority of the interaction on such sites. In a recent linguistic analysis of messages posted to the walls of deceased Facebook users, Getty et al. found that several forms of grieving activities (e.g., sharing stories, expressing emotion) traditionally performed at memorial services are now taking place on these sites . They place this finding in terms of Goffman’s “dramaturgical” orientation towards social performance, which describes “front stage” and “back stage” activities that work together to create social situations . In so doing, we see that many back stage activities (e.g., expressions of grief) are becoming visible to larger audiences on these social networking websites, alongside other more culturally acceptable forms of mourning. In the case of Canadian author and blogger Derek K. Miller , his friends and family used his pre-written last blog post as part of the grieving process.
Still other work has focused on what death means at a more cultural, widespread level. Technology plays a role in the recording, storage, curation, presentation, and stewardship of cultural histories. The Spomenik project – a form of “pervasive monument” – for example, allows mobile phone users to retrieve location-specific information about the mass grave sites from Stalinist purges of Slovenia and Yugoslavia in the 1940s . Other researchers have used digital technologies to capture, organize, and disseminate testimonials from the Rwandan Genocide, remarking on the set of methods needed for designing multi-lifespan information systems .
Commercial products have also been designed to accomodate the unique needs that accomopany death in the digital age. For example, companies such as Entrustet permit users to upload sensitive information with the assurance that the information will be delivered to designated people upon the user’s death (http://www. entrustet.com). Deathswitch.comallows users to sign up for prompts to ensure that the user is still living; in the event that the user does not respond to the prompt in a timely fashion, the web service will automatically send out emails to designated parties. Other websites offer users the opportunity to plan out their own funerals (e.g., http://www.memorialhelper.com).
Recent articles consider best practices for keeping track of digital identity assets after death. Lifehacker  recommends making a list of your accounts, reviewing them to determine which you might want to survive or “go dark,” and placing the authentication credentials on a USB token along with detailed instructions about actions to take with each account. A 2006 CNET article  de-scribes advice from estate planners to put this information in an estate planning document (where it will have legal force). The recent Wall Street Journal article “PINs that Needle Families”  prescribes similar advice. We note that although this approach (writing authentication credentials down on paper) seems appealing and intuitive, it only provides a static snapshot of your digital identity.
7. WORKSHOP DISCUSSION
The lively workshop discussion explored different directions and attempted to understand how this topic might present new and unique security and usability challenges.
The discussion began with a brief, informal straw poll of workshop participants as to how large they thought their digital footprint was in terms of number of accounts; answers seemed to fall into two clusters: 19 responses in the 100 to 750 range and 7 responses in the 50 to 80 range, with one guess at around 1000 and one person declining to answer.
Our moderator, Richard Ford, asked what our definition of digital footprint was, and we moved to our slide with the definition from Section 1.3.
The question arose as to how much control you actually have over your digital assests after your death; we highlighted the advice from the CNET  suggesting the theory that property rights may persist, but Steve Greenwald asserted that all rights cease when you die, whether property or privacy.
During the ensuing discussion, we highlighted the point that people will have to deal with this issue more and more in the future; Angelos Keromytis suggested that perhaps we were really advocating a form of “family-based key escrow”, to which we concurred.
One participant asked whether there were similarities to the garbage collection process; we felt this might be a bit of a stretch of the analogy.
Lizzie Coles-Kemp suggested that this paper was closely related to the activity of the digital curation community (in both traditional and “active” forms), but they were not looking directly at authentication techniques. We certainly agreed. She also made the point that some social institutions are set up to deal with power of attorney while others were not. We feel this reinforces one of our key points: that no uniform, cohesive approach exists to this problem.
MEZ pointed out that companies often have explicit rules and business processes to deal with such events and eventualities; we concurred, but suggest that they are out of scope: money is at stake and they have evolved and implemented the necessary structures to take care of their slice of someone’s authentication footprint. The issue in this paper is that families and friends seldom have a workflow process for dealing with someone’s death.
One participant asked about what happens when a company holding some of your digital footprint itself ceases to exist; we admitted that the ownership rules here are murky (this is one of the potential issues we list in Section 5).
Someone made the point that personal security figures into most security scenarios: now, by offloading crendential management, the risk to life and limb might decrease in favor of a break-in at the remote storage facility.
Jeremy Epstein suggested that one way to influence the NIST NSTIC was to select providers that had a specific policy for this issue.
As the discussion came to a close, there was some agreement that there might be some very interesting usable security issues lurking here, especially with the proposal to create an identity mediator and make delegation natural. We also received links to some interesting projects, including an EU project (www.primelife.eu) and (digitaldeathday.com).
Many information security paradigms seem to ignore the human element in security problems and scenarios. Even disciplines that take human interaction into account (e.g., HCISec or usable security) seldom examine long-term phenomena.
A good expression of this paradigm is in the eventual shift of large parts of our society and economy into the online realm (e.g., banks that are completely online): it is likely that we will have to deal with organizations electronically.
The accrual of a heterogeneous, distributed digital identity footprint presents unique and interesting authentication, authorization, and privacy issues — particularly related to how such an identity collection should be retired after a person dies.
We appreciate the reviewers’ comments and the guidance of our shepherd, Michael Franz. We also appreciate the responses and feedback we received during the workshop: we apologize in advance if we mis-remembered or misrepresented anyone’s comments or point of view. Thanks also to the scribes for our session, Matt Bishop and Cormac Herley.
Locasto acknowledges the support of Canada’s NSERC (Natural Sciences and Engineering Research Council) through a Discovery Grant. Massimi acknowledges support from the GRAND NCE (a Canada Network Centre of Excellence).
BIDDLE, R., CHIASSON, S., AND VAN OORSCHOT, P. Graphical Passwords: Learning from the First Twelve Years. ACM Computing Surveys 44, 4 (2012).
BRIGHT, P. Anonymous Speaks: the Inside Story of the HBGary Hack, February 2011. http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars.
BRUBAKER, J. R., AND HAYES, G. R. “we will never forget you [online]”: an empirical investigation of post-mortem myspace comments. In Proceedings of the ACM 2011 conference on Computer supported cooperative work (New York, NY, USA, 2011), CSCW ’11, ACM, pp. 123–132.
CBCNEWS. Air Miles Among Firms Hit By Huge Data Breach, April 2011. http://www.cbc.ca/news/business/story/2011/04/05/businessdata-breach.html.
CENTER, T. H. How to Contact Twitter About a Deceased User. http://support.twitter.com/groups/33-report-aviolation/topics/122-reporting-violations/articles/87894-how-to-contact-twitter-about-a-deceased-user.
FITZPATRICK, J. What Should I Do About My Virtual Life After Death?, August 2010. http://lifehacker.com/5617683/what-should-i-do-about-myvirtual-life-after-death.
FRIEDMAN, B., NATHAN, L. P., LAKE, M., GREY, N. C., NILSEN, T. T., UTTER, R. F., UTTER, E. J., RING, M., AND KAHN, Z. Multi-lifespan information system design in post-conflict societies: an evolving project in rwanda. In Proceedings of the 28th of the international conference extended abstracts on Human factors in computing systems (New York, NY, USA, 2010), CHI EA ’10, ACM,
GETTY, E., COBB, J., GABELER, M., NELSON, C., WENG, E., AND HANCOCK, J. I said your name in an empty room: grieving and continuing bonds on facebook. In Proceedings of the 2011 annual conference on Human factors in computing systems (New York, NY, USA, 2011), CHI ’11, ACM, pp. 997–1000.
GOFFMAN, E. The presentation of self in everyday life. Penguin psychology. Penguin, 1990.
 GREENE, K. PINs That Needle Families, July 2011. http://online.wsj.com/article/SB1000142405270230456760-4576456182693233372.html.
 IOANNIDIS, J. Fighting Spam by Encapsulating Policy in Email Addresses. In Proceedings of the ISOC Symposium on Network and Distributed Systems Security (2003).
 KOSEM, J., AND KIRK, D. Spomenik: Monument. In CHI 2010 Workshop on HCI at the End of Life (New York, NY, USA).
 MASSIMI, M., AND BAECKER, R. M. A Death in the Family: Opportunities for Designing Technologies for the Bereaved. In Proceedings of the 28th International Conference on Human Factors in Computing Systems (New York, NY, USA, 2010), CHI ’10, ACM, pp. 1821–1830.
 MASSIMI, M., AND BAECKER, R. M. Dealing with Death in Design: Developing Systems for the Bereaved. In Proceedings of the 2011 Annual Conference on Human Factors in Computing Systems (New York, NY, USA, 2011), CHI ’11, ACM, pp. 1001–1010.
 MASSIMI, M., AND CHARISE, A. Dying, Death, and Mortality: Towards Thanatosensitivity in HCI. In
Proceedings of the 27th international conference extended
abstracts on Human factors in computing systems (New York, NY, USA, 2009), CHI EA ’09, ACM, pp. 2459–2468.
 MASSIMI, M., ODOM, W., BANKS, R., AND KIRK, D. Matters of life and death: locating the end of life in lifespan-oriented hci research. In Proceedings of the 2011 annual conference on Human factors in computing systems (New York, NY, USA, 2011), CHI ’11, ACM, pp. 987–996.
 MILLS, E. Taking Passwords to the Grave, September 2006. http://news.cnet.com/Taking-passwords-to-the-grave/2100-1025_3-6118314.html.
 ODOM, W., HARPER, R., SELLEN, A., KIRK, D., AND BANKS, R. Passing on & putting to rest: understanding bereavement in the context of interactive technologies. In Proceedings of the 28th international conference on Human factors in computing systems (New York, NY, USA, 2010), CHI ’10, ACM, pp. 1831–1840.
SELBY, N. Analysis: 70 Law Enforcement Sites Attacked, July 2011. http://policeledintelligence.com/2011/08/01/analysis-70-lawenforcement-sites-attacked/.
SILVER, K. Blogger Announces Own Death After Battle With Cancer, May 2011. http://www.cnn.com/2011/WORLD/americas/05/08/-canada.blogger.death/index.html?hpt=T2.
SNYDER, B. Epsilon E-Mail Hack: How You Can Protect Yourself, April 2011. http://www.networkworld.com/news/2011/041111-epsilon-email-hack-how-you.html.
THORPE, J., VAN OORSCHOT, P., AND SOMAYAJI, A. Pass-thoughts: Authenticating With Our Minds. In Proceedings of the New Security Paradigms Workshop (2005).
Planning for and Administering Digital Assets
I. What are digital assets?
Estate planning and administration professionals cannot ignore the ubiquity of digital assets. 2012 saw global sales of digital music amount to $5.6 billion and in some markets, including the US, India, Norway and Sweden, digital music sales exceeded packaged music sales. Meanwhile, e-book sales represented an estimated 16%, and growing, of all book sales in Canada in 2012. Almost 18 million Canadians, more than half of the population, has an active Facebook account. The Bitcoin virtual currency has been featured regularly in the news as its exchange value skyrocketed from approximately USD$100 to USD$1200 late in 2013, before falling off dramatically again.
The term “digital assets” is used in different ways by different people. In a narrow sense, a digital asset has been defined as “any item of text or media that has been formatted into a binary source that includes the right to use it.”
In a broader sense, digital assets include all of the electronic “possessions” an individual may have, including emails, digital photos, videos, tweets, texts, songs and e-books, as well as online account information for websites or programs such as Facebook, LinkedIn, bank accounts, PayPal and others.In this broader sense, digital assets are sometimes referred to as a “digital estate” or “digital legacy”.
Digital assets have three distinct elements:
- A digital file or record. This is the data that constitutes the content of the asset.
- The right to use the file or record. It has been noted that if there is no right to use a file or record, then it should not be characterized as an asset. Rights of use may derive from authorship or other ownership of the content (for example, emails or original documents), or may be granted by a licence from the owner or a third party licensor (as with most digital music or e-books).
- A method of access. Assets may be categorized into (a) physically controllable digital assets (PCDA) which are stored on hardware to which the owner has access, and (b) controlled accessdigital assets (CADA) stored “in the cloud” on servers belonging to third party service providers and accessible on‐line with the use of a username and password.
Because the law applicable to digital assets is still developing, digital present unique challenges to executors, administrators, attorneys and committees. In addition, planning strategies for digital assets are rapidly evolving as the law, the e‐service industry, and user awareness of estate planning issues all mature.
II. Challenges in dealing with digital assets
A. Property rights vs. contractual rights
To understand digital assets and their management in the estates context, it is necessary to consider the different categories of legal rights which may be applicable to the assets:
- Tangible personal property. Tangible personal property is property that can be physically manipulated and moved. Examples of tangible personal property are computers, mobile and tablet devices, and physical storage media including hard drives, memory sticks and flash cards.
- Intangible personal property. This is property in which an owner has rights but that generally does not have a tangible physical manifestation. Intangible personal property includes all manner of digital files and records over which an individual has rights of ownership, including the individual’s electronic documents, emails, and digital photos. It also includes domain names.
- Contractual rights. Whereas property rights relate to a particular thing and can theoretically be enforced against everyone in the world, contractual rights are personal and enforceable only by and against the parties to the contract, and only in accordance with its terms. In the context of digital assets, contracts govern rights of access to CADA, and in some cases, govern rights of use for particular files or data.
On death, all of a person’s property, including tangible and intangible personal property, vests in the personal representative of the deceased. Personal contractual rights of the deceased, however, generally do not pass to the personal representative unless the terms of the contract specifically provide for enurement of benefits to personal representatives, or specific legislation applies.
B. Can access rights be passed on?
The difference between property rights which survive death and contract rights which often do not can result in a personal representative having a legal right to the files and information stored with a particular service, but having no enforceable right to access that information. This appears to have been the case with Justin Ellworth, a U.S. Marine killed in Iraq in 2004. Yahoo refused Justin’s father’s requests for access to his son’s email account. Eventually, the family sued, and a Michigan court ordered that the contents of the account be turned over. A similar battle was waged by Karen Williams, an Oregon mother whose son died in a 2005 motorcycle accident, against Facebook. Williams was successful only in gaining limited access to the account.
A number of U.S. state legislatures have responded to these types of stories by passing digital estate laws. The laws vary in coverage and scope, but generally provide executors or estate lawyers with powers to access digital assets including social media accounts. The laws remain controversial as they may be in conflict with federal criminal laws, and usually conflict with agreed terms of service which require privacy to be strictly maintained. No similar laws have been enacted or proposed in Canada or any province of Canada to date.
Access issues such as those described above highlight the value in taking appropriate planning steps to pass on access to one’s digital assets to one’s executors or heirs.
C. When is an asset not an asset?
It was widely reported in 2012 that Bruce Willis was suing Apple’s iTunes because over the right to bequeath his ‘vast’ iTunes music collection to his daughters. Although it turned out the story was untrue, it highlighted an issue common with digital services such as iTunes which sell commercially produced content (e.g. songs, movies, and e‐books). These services generally provide the user with a limited licence to access the content in particular ways. For example, Apple’s iTunes allows a user to use downloaded content on up to five authorized devices at a time, and allows each device to store content from up to five different accounts. Such licences are personal rights that expire when the user dies.
While access to content may continue due as a result of storage on a physical device or continued account access via password, there is no further legal right to the use of such content. In many cases, the licensor will have the ability to delete the account and content if it learns of the death of the user.
D. “Unauthorized Use of Computer” Offence
Personal representatives dealing with digital assets must also consider the implications of the Criminal Code offence relating to unauthorized and fraudulent computer use. This offence states as follows:
342.1 (1) Every one who, fraudulently and without colour of right,
obtains, directly or indirectly, any computer service,
by means of an electro‐magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system, uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or
uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)
is guilty of an indictable offence and liable to imprisonment fora term not exceeding ten years, or is guilty of an offence punishable on summary conviction.
For the purposes of paragraph (a), “computer service” is defined to include data processing and the storage or retrieval of data.
Since the actions listed in paragraphs (a) through (d) are worded very broadly, the key phrase in this offence provision is “fraudulently and without colour of right” which is the intent that must be proven in order for the computer use to be considered a criminal offence. The same phrase “fraudulently and without colour of right” is also found in section 322 of the Code which is the general theft offence.
The meaning of the phrase “fraudulently and without colour of right” in the context of this provision was discussed at length by the Quebec court in R. y. St‐Martin12. That case involved a police officer who had used police computers to look up personal information about various women he had met. The court considered and rejected arguments that the term “fraudulently” required proof of dishonesty or moral wrongfulness relating to the motive for accessing the computer service. On this issue, the court concluded:
72 As set out in the text of section 342.1(a) of the Criminal Code, the word fraudulently relates to the obtaining of computer service, not the motive underlying such conduct.
73 In conclusion, a person fraudulently obtains computer service when he or she, consciously, intentionally, without error or accident, obtains the service, knowing that he or she does not have the right to do so.
74 Obtaining such services is, obviously, dishonest and morally wrong.
Accordingly, while proving fraudulent intent in other legal contexts involves a high standard, the court’s interpretation in St Martin was that the elements of this offence consist only of obtaining a computer service intentionally while knowing that you are not authorized to do so.
In the author’s view, it is highly unlikely that the Crown would pursue charges against a personal representative for accessing a deceased’s online account for bona fide estate purposes, even if such access was technically in violation of the terms of service. In particular, a personal representative who was left passwords and specific instructions from the deceased, would have a defensible “colour of right” that should exclude the application of this provision. However, this provision has not been tested in this context and a personal representative uncertain about its rights to access a particular service is encouraged to seek specific legal advice before doing so.
E. Privacy Legislation
Personal representatives should also be aware of their rights to personal information of the deceased under privacy legislation. Privacy legislation may be raised by providers of electronic services as a reason they are not able to provide a personal representative with access to the account of a deceased. In addition, a personal representative may have need to access or correct personal information on behalf of the deceased.
The Personal Information Protection Act (British Columbia) (PIPA) governs the collection, use and disclosure of personal information by private organizations in British Columbia. Other provinces are governed either by similar provincial legislation or by similar provisions in the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPA requires that private organizations obtain the informed consent of individuals for the collection, use and disclosure of personal information. Under section 23 of PIPA, an individual may require an organization to provide him or her with the individual’s personal information under the organization’s control, information about how that personal information is and has been used, and the names of persons to whom the information has been disclosed. The requesting individual then has the right under section 24 to correct any information held by the organization that is incorrect.
The Personal Information Protection Regulations made under PIPA specify who may act on behalf of deceased persons and other individuals. Under section 3 of the Regulations, a personal representative14of a deceased person may exercise the rights of the deceased individual under the Act, and give or refuse consent with respect to personal information of the deceased under the Act. If there is no personal representative appointed, then the “nearest relative” of the deceased has the same rights. The Regulations contain a prioritized list to define “nearest relative”.
Under section 2 of the Regulations, a committee, attorney acting under an enduring power of attorney, a litigation guardian, or a representative under the Representation Agreement Act are also given full power to exercise the privacy rights of the individual whom they represent. Because no priority is granted as between these roles, one adult patient may have two or more representatives authorized to exercise their privacy rights under PIPA.
III. Duties of personal representatives with respect to digital assets
Personal representatives (estate executors and administrators) have an overarching fiduciary duty to conduct themselves and the affairs of the estate for the benefit of the beneficiaries. In the context of digital assets, the general duties and obligations of the personal representative include the following:
- Identify. Ascertain and list all digital assets of the deceased.
- Gain access to PCDA. Secure any PCDA and restrict access. Because the physical property and all the rights to it vest in you as personal representative, you are within your rights to circumvent passwords and security measures if necessary in order to gain access.
- Gain access to CADA. Where the deceased has left passwords for CADA, ensure that you can gain access. Where you do not have a username/password for CADA, consider whether there is another way to request the information.
- Back Up. Where possible and appropriate, make local backups of assets (whether PCDA or CADA) that may have financial or sentimental value. For example, some online digital photo services provide the option of downloading a backup of all files as one compressed file.
- Inventory. List all digital assets located, for the purpose of accounting to beneficiaries.
- Digital assets having determinable value. Digital assets having realizable present or future financial value should be secured and their value ascertained for probate and accounting purposes. Determine whether the asset is to be transferred in kind to a beneficiary or if it should be prepared for sale.
- Personal and sentimental items. For personal and sentimental digital assets without determinable value, arrange for their transfer to the beneficiaries in accordance with the will or law. If these assets are of a personal nature, they may fall within the “articles” provisions employed in many wills. Articles are typically defined to include “items of personal, domestic and household use or ornament”.
- Personal information. Subject to instructions or wishes for dealing with personal information, the personal representative should protect the privacy of the deceased to the greatest degree possible.
- Liabilities. Determine any liabilities relating to digital accounts and pay them together with other estate liabilities.
- Close accounts. Attend to the orderly closing of accounts where all useful assets have been retrieved and the account is of no further use.
- More specific suggestions on how to deal with particular classes of digital assets are set out in Part V, “Handling specific digital assets”.
IV. Duties and rights of attorneys and committees with respect to digital assets
Attorneys and committees will generally have greater legal rights for dealing with digital assets of the incapable adult for whom they act than will personal representatives of a deceased person. This is because all contractual rights of the incapable adult continue in full force and may generally be exercised by the attorney or committee on behalf of the incapable adult. However, if the adult has not kept uptodate and accessible records of account information, the attorney or committee may still run into practical challenges in gaining access to assets or information.
While enduring powers of attorney may be limited to specific powers, most enduring powers of attorney grant general powers to the attorney. A general power of attorney authorizes the attorney to do anything that the adult may lawfully do by an agent in relation to the adult’s financial affairs. Inaddition, section 32 of the Power of Attorney Act provides that an attorney may request information and records relating to the adult who granted the power, if the information or records relate to the incapability of the adult, or to any area of authority granted to the attorney. The Act states that where the attorney has the power to request information or records, the attorney has the same right to those information and records as does the adult. These powers overlap with the powers granted to powers of attorney with respect to personal information under the PIPA Regulations, as discussed above in Part II.E “Privacy Legislation”.
A person appointed as committee of the estate of a patient is granted “all the rights, privileges and powers with regard to the estate of the patient as the patient would have if of full age and of sound and disposing mind.”
Based on the foregoing, an attorney exercising authority under a general enduring power of attorney and an estate committee should have the right to access all digital information and services to the same extent the donor or patient had such rights. If the attorney or committee has not been left with passwords for any CADA, they should have the right to require the service provider to provide them with the password.
Generally, the duties of an attorney or committee will be similar to the enumerated duties #1‐5 and #8 of personal representatives listed in Part III of this paper above. Attorneys and committees must manage the affairs of the adult in the manner that is in the adult’s best interests.
V. Handling specific digital assets
The following sections provide specific suggestions on how executors should deal with particular types of digital assets that may commonly be encountered.
Gaining access to email may be one of the top priorities of an executor because the account can be a valuable source of information for identifying the deceased’s contacts, assets, liabilities, and other critical information.
The following are some of the commonly encountered email service providers:
Gmail: Gmail users may use Google’s “Inactive Account Manager” tool to permit authorized persons access to emails after their death.18 If the deceased user has not set up access using this tool, Google has a lengthy process by which a representative may request the contents of the account. Without providing much detail as to the decision‐making process, they warn that they may be unable to provide the content, and “sending a request or filing the required documentation does not guarantee that we will be able to assist you.”
Yahoo: Yahoo takes the position that its accounts and contents are not transferable. It will not provide passwords or access to content, including email. Yahoo will close the account and permanently delete contents of a verified deceased user on request.
Microsoft Hotmail / Outlook.com: Microsoft has a “Next of Kin” process that allows for the release of contents including emails and address book, following an authentication process. Microsoft will not grant direct account access but will close an account upon request. It is important for the executor to act quickly because Microsoft generally deletes accounts after 9 months of inactivity.
Most e-books are provided under non-ransferable personal licences.
For example, terms of service for Amazon’s Kindle explicitly state “Kindle Content is licensed, not sold, to you by the Content Provider”. The terms of service go on to state, among other things, that the user cannot sell, distribute or assign the e-books.
E-books are typically stored on e-readers, which may have no password protection. Accordingly, it may be possible to pass an e-reader on to a beneficiary with licenced content still on it and available. This would be contrary to the terms of the licence agreement. In addition, the e-reader may be set up to authorize purchases on the user’s credit card. For these reasons, it will usually be advisable for an executor to deregister and delete all content from the device prior to disposing of it.
Music and Movies
iTunes and similar music and movie services provide only licences to use downloaded content. Music files may be subject to digital rights management (DRM) restrictions or may be DRM-free. Even if files are not subject to DRM, an executor should not participate in creating copies as copying is contrary to copyright laws.
iTunes and similar accounts should be deactivated so that further purchases (usually linked to a credit card) cannot be made.
Many games or game services allow users to accrue credits, rights, or virtual goods which may have real world value. Examples include magic weapons in Blizzard’s World of Warcraft, virtual real estate assets in MindArk’s Entropia Universe, and in‐game credits on Pokerstars.com. The end user license agreement for the particular game will dictate whether such virtual goods can be converted back to traditional currency, or legitimately transferred or sold to other players.
There are also secondary markets that facilitate the sale of virtual goods where it may not be explicity permitted under the terms of the end user license agreements. For example, PlayerAuctions is an online platform allowing players of massively multiplayer online (MMO) games to buy, sell and trade digital assets such as in‐game currency, items, accounts, and power leveling services.
Pokerstars.comis a popular online poker site that allows users to deposit real money into online accounts. According to the Pokerstars terms of service, the money that is deposited is held on trust by Pokerstars for the user. The terms of service also allow money to be withdrawn and transferred between accounts. The terms of service do not explain what occurs if a user dies, but an executor representative should be entitled to withdraw the funds.
If the deceased has left his or her username and password for a particular game, the executor should be able to access the account and presumably transfer or sell any assets. This may or may not be in violation of the terms of service. If the username and password was not left, or the executor does not wish to proceed in this way, the executor may approach the service provider directly and ask to gain access to the digital assets.
In most cases, photos will not be specifically mentioned in a will. In many cases, digital photos will be covered by the general “articles” clause, as articles are typically defined to include “items of personal, domestic and household use or ornament”. If the executor is instructed to divide the articles among certain beneficiaries, the executor should provide copies of the digital photos to all such beneficiaries.
In most cases, digital photographs stored locally on a computer hard drive or external drive can be easily copied to allow for distribution pursuant to the will.
Online photo sharing and storage services have varying policies regarding access after death. Yahoo’s Flickr service is non‐transferable and all rights to contents terminate on death. The account may be deleted upon providing proof of death. Google’s Picasa service is handled the same as their Gmail service described under the Email section above.
Social media providers tend to have restrictive policies regarding access to their services by executors or other representatives.
Facebook acknowledges that users own their own content; however, Facebook does not permit account transfers or access by personal representatives. Facebook will delete the account or “memorialize” the
page upon request with the appropriate paperwork. In a memorialized account, only confirmed friends can see the profile or locate it in a search. Contact information and status updates are removed from the profile.
It is important to delete or memorialize a deceased’s Facebook page because, if this does not occur, other Facebook users may receive reminders to add the deceased to certain groups or to add the deceased as a friend.
If a personal representative has access to a Facebook account of a deceased via username and password, he or she should download any content that may be worth keeping (for example photos, status updates and contact information) prior to memorializing the account. They may wish to utilize the Facebook feature that allows a user to download an archive of all of their Facebook content in one file.
Twitter and LinkedIn have established process for deactivation of an account upon providing verification of death. Google + is handled in the same way as Google’s Gmail service described under the Email section above.
If the deceased owned an internet domain name, the personal representative will need to identify which domain registrar was used. Most registrars will release the account of a deceased to the personal representative of the deceased’s estate upon receipt of the appropriate paperwork. The personal representative will then have the ability to transfer the domain to a beneficiary or to a purchaser, or to cancel the registration if it has no value.
Digital currencies and loyalty points
Loyalty programs and digital currency providers maintain their own rules regarding transfer of accounts on death.
Bitcoin is an example of a digital currency. Users download a software “wallet” on their computer or mobile device. The wallet generates unique bitcoin addresses which allows the user to receive “coins” from other users. Once received, coins can be transmitted on to other users.
Bitcoin encourages users to secure their wallet using offline means such as printing the wallet on paper or saving it to a USB drive. Personal representatives may have to look carefully to discover a bitcoin wallet. Users are also encouraged to encrypt their wallet by setting a password. If the password is lost, bitcoins are lost permanently. There is no mechanism to retrieve a lost password.
Air Miles allows the deceased’s account to be merged with the account of a “family member or member of your household” free of charge. The account merge is subject to Air Miles’ consent and requires proof of death. Merging an account under this policy avoids a fee of $0.15 / mile that otherwise applies in transferring Air Miles from one account to another.
Aeroplan’s estate transfer policy allows a beneficiary or heir to redeem outstanding balances for a period of 12 months from the declaration of death once they have provided a copy of the death certificate and will, and have paid a $30 processing fee. Otherwise, transferring points to another account will cost $0.01 per mile.
VI. Planning for digital assets
Memorandum of Digital Assets
Clients should be encouraged to catalogue all of their digital assets and services, and provide access information in a centralized Memorandum or file for the executor. The Memorandum should also express wishes with respect to how the assets should be handled after they die, for example whether accounts should be deleted and closed, or contents passed on to others.
Obviously it will be key to maintain tight security over such a list. The Memorandum may be kept in a safety deposit box, or sealed and stored with the Will in the lawyer’s file. Alternatively, the client may store the information in a password‐protected electronic document and keep the password for the file separate from the file itself.
A Memorandum of Digital Assets is sometimes referred to as a “digital will” or “social media will”. However, since such a document would likely change frequently and many assets would not have financial value, in most cases this document will not be constituted as a formal will. Any assets having significant value should be dealt with specifically under the will, or incorporated by reference in a binding memorandum executed as a testamentary document.
Powers of executor (or digital executor)
Section 142 of the Wills, Estates and Succession Act provides that a personal representative is granted all of the authority over the estate that the deceased person had while alive, subject to the Act and any contrary intention in the will of the deceased person. In many cases, this general power should be sufficient to give the executor all the legal powers they need to deal with digital assets.
Setting out more specific or expansive powers to deal with digital assets may be warranted where (i) the digital assets will be held as part of a trust (since section 142 confers general powers only on personal representatives and not on trustees), or (ii) the client has extensive digital assets and wishes to have specific powers enumerated.
Some professionals have recommended that individuals name a “digital executor” in their will, separate from their primary executor, who is given the power to deal with digital assets. In the author’s view, appointing a separate digital executor will rarely, if ever, be advisable. Unless the powers of the primary executor are carefully limited to exclude digital assets, it is likely that the primary executor will also have authority over digital assets, raising the possibility of conflicts between the primary executor and the digital executor. If a client wishes someone other than their executor to manage some of their digital assets, it will usually be preferable to authorize the executor to engage that person to assist in dealing with digital assets. Having the third party engaged by the executor in this manner makes it clear that the executor retains authority over and responsibility for the management of digital assets.
Enduring power of attorney
As discussed in Part IV above, an attorney appointed under a general enduring power of attorney has the power to deal with digital assets of the adult who granted the power.
Where the client has extensive digital assets, it may be helpful to include a clause in the enduring power of attorney setting out specific powers with respect to digital assets, to remove any doubt.
Password aggregating services
There are numerous online services that allow users to store sensitive information including files, passwords, and instructions, to be released to predetermined individuals upon their death.
For example, PasswordBox is an encrypted online service which allows customers to identify all their online assets including usernames and passwords, and to name “verifiers” who are the people who will confirm their death and manage the information on their passing. Customers can specify beneficiaries for each of their online assets, to whom the information will be passed after their death.
In 2013, Google unveiled its Inactive Account Manager, a tool that allows users to manage their Googlerelated digital assets (e-mails, photos, contacts, etc.) after death. A user can instruct Google to delete the digital assets or send them to trusted contacts after a certain period of inactivity (the default is three months). The person receiving the data will not have access to the account but will have access to the data.
If similar tools are implemented by other service providers, they have the potential to solve many of the access problems that have plagued these services in the past. Of course, these tools are useful only to the extent that they are actually enabled by account holders.