BSides Manchester What happens to the numerous user logins you’ve accumulated after you die or become too infirm to manipulate a keyboard?
Some people have a plan, the digital equivalent of living will, or have chosen “family” option in a password management package such as LastPass or have entrusted a book of passwords to a family member.
But the consequences of doing nothing are not as neutral as some might expect and were spelled out during an informative presentation by Chris Boyd of Malwarebyes at BSides in Manchester on Thursday. The presentation, cheerily titled “The digital entropy of death”, covered what could happen to your carefully curated online presence after you log off.
Miscreants are already targeting obviously abandoned profiles. Boyd explained that in some cases it’s easier for fraudsters to gain hold of these accounts than the account-holders’ relatives, because crooks know the systems better and controls – although present – are often deeply embedded on the sites such as Facebook, Twitter et al.
Alongside regular postings asking for help on Facebook due to compromise of dead people’s logins (examples here and here) there’s also the problem of “cloning”.
“Facebook users have reported receiving friend requests from accounts associated with dead friends and family members,” The Independentreports. “Such requests appear to be the result of cloning or hacking scams that see criminals try [to] add people on the site, and then use that friendship as a way of stealing money from them or running other cons.”
Social media accounts are, of course, just the tip of the iceberg. Most people these days run 100+ accounts, as figures from password management software apps show. These figures are only increasing over time. Some sites are managing the inevitability of their users shuffling off this mortal coil with features designed to deactivate accounts after months of inactivity or other features, Boyd explained in a recent blog post:
Many sites now offer a way for relatives and executors to memorialise, or just delete, an account. In other circumstances, services would rather you ‘self-manage’ and plan ahead for your own demise (cheerful!) by setting a ticking timer. If the account is inactive for the specified length of time, then into the great digital ether it goes.
While a lot of services don’t openly advertise what to do in the event of a death on their website, they will give advice should you contact them, whether social network, email service, or web host. When there’s no option available, though, people will forge their own path and take care of their so-called ‘digital estate planning’ themselves.
Users would be ill-advised to leave everything to their next of kin. “Do some pre-handover diligence, and take some time to ensure everything is locked down tight,” Boyd explained. “If there’s anything hugely important you need them to know, tell them in advance.”
People may have bought digital purchases tied to certain platforms. Games on Steam, or music on iTunes or Spotify.
“Legally, when you go, so do your files (in as much as anything you can’t download and keep locally is gone forever),” Boyd explained. “That’s because you’re buying into a licence to use a thing, as opposed to buying the thing itself.”
Here’s a video of his presentation, if you want to see more…
There’s nothing stopping someone from passing on a login to a family member so they can continue to make use of all the purchased content, at least for now. Boyd predicted that at some point, all of our digital accounts tied to financial purchases will have some sort of average human lifespan timer attached to them.
Millennials mark the first generation not to know life before an always-on, everywhere internet, which will become the norm from now on. “Younger generations absolutely will demand reforms to the way we think about digital content, ownership, and inheritance,” Boyd concluded. ®
As well as the inevitable rise and fall of social media site (e.g. MySpace), and web 2.0 services there is also the issue of link rot, the phenomenon of more and more URLs not working over time. This issue is covered by Boyd in another recent blog post here.
Unless you’re planning on having your mind jammed inside some sort of computer chip, eventually mortality will catch up and you’re going to have to work out what you’ll do with all of your online accounts. When it’s time to shuffle off this mortal coil, you might, theoretically, be slightly annoyed if someone is using your dormant accounts to spam viagra or fake Twitter apps. The sad reality is, when we go, we leave behind a potentially terrifying amount of accounts lying around in the digital ether, and not all of them may be as secure as one would like.
Even if they’re locked down with multiple security steps, someone could break into a database and pilfer insecure information from the back end. We have the very odd situation of there being a digital zombie sleeper army, ready and willing to come back and cause all sorts of security/spam issues worldwide.
Is there anything we can do about it? Can relatives ensure we don’t come back as some sort of bizarre cyber-horror? Do websites and services have any process in place for this strange new world of accounts that are, to coin a phrase, just taking a nap?
Surprisingly, help is at hand more often than not. First, though, we need to have a think about some sort of tally.
There’s (not) security in numbers
Passwords are a great way to gauge how many accounts we have personally. Check out any number of “How many accounts do we have” articles going back several years. Very handy! An unintended side effect of said articles and their number crunching is that we can also use that data to try and map out the kind of problem we may be facing with orphaned accounts. The average UK consumer alone has something like 188 online accounts, and that figure is from 2015—no doubt the number continues to rise as every aspect of our lives winds its way online.
Speaking of number crunching: 151,000 people die every day. Something like 55 million people die every year. Even if just 10 percent of the 500,000 people who die in the UK annually had 188 accounts each, that’d still be 94 million accounts suddenly abandoned—more than enough to cause a spot of bother. Then throw in the accounts of the recently deceased from around the world, and the numbers are suddenly a bit panic-inducing.
I’d be surprised if scammers don’t set aside a little time for targeting obviously abandoned profiles. Aside from regular postings asking for help on Facebook due to compromise of dead people’s logins , , there’s also the problem of “cloning.” Once you start poking around this subject, problems are everywhere.
Setting the tripwires
Of course, there are a fair few security-centric things we can do now to ensure we make it as hard as possible for those going on a spot of dormant hunting. Multi-factor authentication, password managers, good browsing practices, blockers, security tools…in short, everything you’re hopefully doing by default anyway. It’ll all help to keep your accounts in lockdown when the time comes that you no longer require them.
Additionally, not all services will be around forever—the endless churn of the web will see to that. Today’s social network is tomorrow’s “bought out and turned into something for delivering pizzas by taxi.” One can assume a large portion of all but the biggest accounts you have will, eventually, crash and burn. Not good for them, not good for people using the service, but definitely good for anyone no longer fussed about the paradigm shift in pizzas and taxis.
As time has passed, digital providers have realised they need to start offering some options for relatives of the recently deceased—one can’t assume everyone knows their security stuff, and many relatives would be hugely distressed to see accounts of a dead relative tweeting about healthcare plans or posting movie promos to Instagram.
Many sites now offer a way for relatives and executors to memorialise, or just delete, an account. In other circumstances, services would rather you ” self-manage” and plan ahead for your own demise (cheerful!) by setting a ticking timer. If the account is inactive for the specified length of time, then into the great digital ether it goes. These are useful options to have available.
While a lot of services don’t openly advertise what to do in the event of a death on their website, they will give advice should you contact them, whether social network, email service, or web host. When there’s no option available, though, people will forge their own path and take care of their so-called “digital estate planning” themselves.
The D.I.Y. approach
What do you do if the visible services your loved ones used don’t do the whole “death resolution” thing? Worse, how do you even know about the potentially hundreds of logins they have sitting around elsewhere? Sure, you might know about the really obvious ones but people don’t typically draw up a list of the weird, wonderful (and possibly not wonderful) services they used and hand it to their next of kin.
What we are seeing is people making use of password managers in ways other than having a convenient and secure login to services; they’re also creating back up accounts for their digital departure. In these situations, a fully fleshed out password manager, containing all of a person’s logins, has its access stored in a secure place and given to a close relative. Of course, the relative receiving this digital treasure trove is going to be extremely trusted—they probably don’t want to hand it to that crazy uncle who shouts at family gatherings.
The manner in which they hand over the password manager account is incredibly important, too. Is it a physical thing? A login written on paper? Something digital? Is it secure? Maybe it’s a hard drive. Is it encrypted? How will it be updated with new logins/ changes to passwords? Does the relative live nearby if it’s physical? If they live far away, would something purely online make more sense?
These are all important questions that need to be thrashed out long before handing account information over, and it’s probably a bit much to put the onus on the recipient to start bolting security gates you may have left wide open. Do some pre-handover diligence, and make some time to ensure everything is locked down tight. If there’s anything hugely important you need them to know, tell them in advance—don’t hand over a hard drive and ask them why they didn’t make a backup two months after the thing has fallen into the bathtub.
Digital family heirlooms
That’s the grim stuff out of the way. What happens to accounts you’ve invested a ton of money in? You may have bought a lot of digital purchases tied to certain platforms. Games on Steam, or music on iTunes or Spotify—they’re all tied to specific logins in your name. When you die, what happens to the purchases? In the real world, you end up with a ton of dusty boxes. Online? Those “boxes” will be taken away from you.
In an ideal scenario, you could nominate someone to take over a digital account and they’d inherit the purchases. But legally, when you go, so do your files (in as much as anything you can’t download and keep locally is gone forever.) That’s because you’re buying into a license to use a thing, as opposed to buying the thing itself. I did have a whole pile of text for this bit, but as it turns out, the ground has already been thoroughly covered.
Logan’s (video game) Run
Logan’s Run, the sci-fi movie from 1976 where everyone has a timer ticking down till they hit the age of 30, is weirdly relevant to this discussion because ticking timers are most definitely going to be a thing. See, there’s nothing stopping someone from passing on a login to a family member so they can continue to make use of all the purchased content. The platform owners are never going to know about it. However, as those wheels of time continue to crank, at some point somebody is going to wonder why Steve McHuman is still playing games at the ripe old age of 123.
This is why I predict that at some point, all of our digital accounts tied to financial purchases will have some sort of average human lifespan timer attached to them. The moment it wanders past 100 or so years? Poof, gone. I mean, this is better than being chased down by a Sandman once you hit 30, but it does mean your digital purchases will almost certainly expire at a later date—and that’s assuming the services of today are even around in 100 years time.
Many are the grim ways that lead to his cybercave: all dismal
Well, not quite so dismal. Sorry, Milton. We’re in a bit of an odd situation at the moment, as we’re now well into the point in history where we have the last generation to know life before 24/7 Internet. For many, being online is an absolutely crucial resource of existence. Meanwhile, Internet of Things technology ensures it continues to leap from behind a screen to the real world. We can’t escape it, no more than we can somehow skip around Milton’s cave, and the younger generations absolutely will demand reforms to the way we think about digital content, ownership, and inheritance.
I just hope I’m around to see it. And if I’m not? Please, don’t touch my stuff.
This is a Security Bloggers Network syndicated blog post authored by Christopher Boyd. Read the original post at: Malwarebytes Labs
At the time of writing this I am 37. I got my first mobile phone when I was 17, 20 years ago! My first computer was a Sinclair Spectrum and I played games on it. In fact, computers were for playing games on as far as I was concerned until at least 1997. I had IT (Information Technology) lessons in school but didn’t pay much attention. It was mostly graphs, flowcharts and spreadsheets, boring.
The point I am making is that up until the age of 16 or so I never considered using a computer for anything other than games. These days, obviously you can still do that BUT … you can also do so much more! My job wouldn’t exist without one, or much of my leisure time. Films, TV Series, Books and yes … still games are all things that I experience online. They are purchased to “own” and are all stored in formats that can’t be held.
There lies what is about to be a massive issue when it comes to Estate Planning and it is a problem that few have thought about.
Digital Assets: A new addition to the Last Will and Testament
When you mention estate planning to someone and ask them to define it, apart from a small groan they may audibly mention Wills, money, houses and inheritance tax. Stocks, bonds and guardians may get a mention too. Although important … nothing new or out of the ordinary. The concern is when it comes to the items we have spent money on that you can’t hold. You can’t pass it over in person and you certainly can’t leave it to someone by mentioning the item and location.
We spend money on things these days that are in the cloud, on a hard drive or within an account with security measures. We have services taking money from our bank accounts monthly or yearly, that in the event of our death, would be really difficult to close without being able to log into the account. It may not sound like too much of a problem and not worth worrying about.
You should however as it is yet another, albeit newer part of the probate process that can and will give your loved ones a stressful time once you are gone.
Games, Films, apps, subscriptions and more have all been paid for and belong to you. The thing is … how are they easily cancelled and are you able to transfer any of them onto your loved ones when you die?
Online Purchases of the young and old
Today’s older generation are becoming more and more tech savvy and as such are embracing computers, tablets, smart phones and more.
In doing so they may have set up accounts with the likes of Google, iTunes, Facebook, Twitter and Spotify to name but a few. Young or old, you may have purchased games from the Xbox Marketplace or films from Apple TV service or Sky. Do these disappear from your accounts on death or are they an asset that you own and can pass to someone else? It is definitely something that you should look into.
Another big question is, what happens to social media accounts when we die?
Do bear in mind though .. it is not just the older generation that need to take heed. We do not know the date of our death and just because someone is 60 doesn’t mean they will die before someone who is 40.
For this reason I am taking the time to explain the importance of embracing your digital footprint and purchases and to make the process of closing things down easier for your loved ones. Also, where you are able, to allow the digital items to be passed onwards after you are gone.
Aside from online purchases and services we also need to take responsibility for our social media accounts. Mainly to ensure that they don’t upset our family members in future.
Many services take a monthly fee from you in order to continue your access. Setting them up is as easy as putting in your email address and Paypal information. Closing can be just as easy, click the cancel button under profile.
What if the person doing it isn’t you and doesn’t have your profile information though?
In this circumstance the ease of online accounts goes out of the window. Some services will require proof of death and others will suggest it is easy when it may be far from the case. Take Netflix as an example, it works as I have described. Want to cancel? Head to the account section from a computer and click on “Cancel Membership”.
The same issues arise with social media accounts. Which ones do you have?
Would you want them closed after you die? What harm could come from it?
Let’s use Facebook as an example. Just for now let’s say we are friends and that you have shuffled off this mortal coil. You are gone, I return from your funeral, open my phone and see a post from you. I drop phone, screen cracks … it’s all your fault.
I realise I am making light of the situation and that is intentional. It would seriously freak me out!
Facebook business pages allow for you to schedule posts days or months into the future. If you use a third party solution such as Hootsuite … you can do the same thing with your personal posts. You could be long gone and yet seemingly from beyond the grave you are trying to talk to your facebook followers.
It has happened and it will continue to happen unless we take the appropriate steps to ensure that social media account login credentials are available to executors.
In the case of Facebook, I could have informed them that you had died. It would have taken immediate family to report your passing before Facebook would do anything about it though. There are two options, memorialising your account or asking for account cancellation. Facebook states that they would never openly give the login details to anyone whether you are alive or dead and it is their policy to memorialise the account. This allows for the account to stay open and for people to be able to use it to gather and share memories.
Is that what you would have wanted though? Account removal may be considered a preferred option. After you have gone, this all takes time and potential upset for friends and family that they most likely could do without.
Even if you haven’t scheduled posts you would still appear in searches and available for tagging in photos. Personally, I would find that creepy and would want to protect the people I care about from the upset.
Providing your social media log in details on death would ensure that your accounts could be closed quickly if that were your choice as per your last wishes. If you made no such specification, at least it would be easier for your loved ones to make the decision.
The problem is only multiplied when we look at the fact that we may have Twitter, Google+, Instagram, Snapchat, YouTube, LinkedIn, Pinterest, Tumblr, Flickr, Vine, Digg …. I could go on.
Your rights of purchase after you die
Entertainment services like Sky, Apple TV and other satellite TV services allow for you to buy films and series to download to your hard drive. Do you own these films indefinitely though?
Searching online turns up few results for the main reason that I believe the average person hasn’t really thought about it yet. In fact the companies are making it difficult to find this information out too. Looking into the help and support portals provided by the likes of Netflix and Sky, show me that they don’t believe it is a big deal as yet. It has certainly got me thinking about what I spend my money on.
How much money might we have pumped into our film or music collection over a lifetime though?
If it were DVDs or CDs I would leave them to my partner, sister or friend. When it’s all online though and associated with an account that I have sole ownership of … what happens then?
In order to find this out, it would mean direct contact or potentially looking into the terms and conditions of service or purchase.
I emailed Sky and asked … what happens in the event of my death?
The response I received back was short and to the point …
“I wish to inform you that your account will be changed to deceased status and you will not be able to gift it to your friends or your family.”
Although pretty vague and not really specific to the films and series that were bought to keep, maybe I am to actually take it at face value. If I die, my purchases cease to be.
I emailed back and mentioned that this is concerning news. That we are all spending money on items that are only good for the period of our lifetime whereas previously they were for the length of the CD/DVDs lifetime.
The response I received then was from a manager who stated:
“With any Buy & Keep purchases these will be available no matter what, if for instance your Sky TV account was to close, you will still be able to view all your Buy & Keep purchase via www.skystore.com . These can also be accessed by friends and family as long as they know your username/email and password in order to access www.skystore.com , if they do know these details then by all means they will be able to view the purchases you have made.”
This would suggest that your account is never closed and that they allow other people to access a deceased persons account. It doesn’t seem ideal and could potentially be upsetting.
iTunes, Amazon, your satellite or cable service all offer the opportunity to buy music, film and TV online as a digital entity. In order to properly understand your rights of purchase for digital items you would need to delve into their Terms and Conditions or flat out ask and potentially get the kind of response I have received.
Although I looked into a couple of examples for you, that isn’t really the purpose of this blog. Now that we have some scale and idea of consequence the big question is … how do we make sure that we look after our family, pass down what we are able to and generally allow for a smoother transition. We would be gone, who cares right? I think I would.
Make a list of digital assets
Simple, although potentially time consuming.
I don’t just mean online accounts here but also any and all technological assets that you have. Hard drives, computers, phones, tablets … even that old Psion Organiser you have (could be worth a bit of money these days!).
Unless you have an obscure collection, the hardware side of things may not take that long, It’s the online accounts and their access details. Accounts including Social Media, Shopping, email, photo and video sharing, cloud storage, banking, gambling, websites and blogs should all be listed.
Now you have a choice in my opinion. I have seen a fair few articles suggesting that you write down usernames and passwords for all accounts. As I type this I am well aware that the advice may well go against the terms and conditions of the services in question. As always it is totally your decision to take heed but there is no doubt that doing as suggested would make things a lot easier for your family.
* Keep a complete list of all accounts including passwords to allow access after you are gone. This may not be the best course of action as passwords change all the time with most services suggesting you do it multiple times a year. Keeping a file updated so often would become annoying.
* Give one person access to everything during your lifetime, although this isn’t ideal and may feel like an invasion of privacy.
* There are online resources that offer multiple options to pass your differing accounts to differing people. Entrustet or Legacy Locker, allow you to designate access to differing people. You may not want all of your emails read by your mother but you may trust a friend to delete the emails and account without reading it. You may have a Picasa account that you would like your family to have access to and a dropbox account that needs to be made available to your work colleagues. All of this can be organised though the multiple online services available. A potential problem here would be the companies in question not surviving. You may have paid them to allow for the service only to have them go bust making the process void.
* My suggestion and perhaps a better option all round, would be to make sure that all accounts are set up to the same email account. You would still write the list but without the passwords. Then just provide the username and password for that email address either in your Will or beforehand. Having an email address just for services could be prudent as then your personal emails wouldn’t be accessible to someone else. When you die, your Executor can go and reset your passwords for the accounts from that email address. If you change your password to this account you only have to update one. You may also want to add the executors email address as a recovery address so if they are locked out … they can still get in.
The only extra accounts that this may not work with would be banking accounts but as the information isn’t going to be released until they have seen your Will anyway, you may deem the log in information for these to be safe written in or attached to your Will.
Who gets what? Assigning digital assets
Depending on what you have through hardware to software and online accounts, you may wish for different people to have access as mentioned above.
You may want some things saved, passed along or deleted. While your wishes may conflict with the service providers terms and conditions, your Executor will find it useful information to know what you would have wanted.
Some digital assets may have monetary value or have funds associated with them like PayPal or Bitcoin. If you are anything like me, you could have accounts with stock image galleries or web asset portals that have outstanding credits available. Rather than let them expire or go unused you may want to give someone else the opportunity to use them.
One of your revenue streams could be an online store. Does that stop and shut up shop because you are gone or would you want to pass the helm to a trusted friend or co-worker?
Name a Digital Executor
The person who deals with your physical estate may not be the person you want to deal with your digital assets. A good example of this would be that I personally trust my father to deal with the physical estate but asking him to do anything with a computer would be asking more than his abilities allow.
A wish to have differing Executors for your physical and digital affairs is currently unlikely to be legal as the law states that an Executor has the duty/ability to wrap up all of your estate. A digital Executor is not an enforceable request and as such not legally binding but you may decide to name two people as Executor. They would be jointly responsible but of the understanding that they deal with their assigned and requested duties.
Store the information somewhere accessible but secure
This would be similar advice to what we would suggest for your Will and it would make sense to keep them both in the same place.
* Tell one or two trusted individuals of your plans. These could be your agreed executors or additional to them.
* Store somewhere accessible to one or two other people. This could be a safe, offsite secure storage, a bank vault or in the case of your digital affairs … an online service.
* Provide all information to get the ball rolling. A pin number, lock code or password that opens up the rest of the information (whether this be access to your email account or other service) needs to be stated in your Will or passed to your Digital Executor before you pass away.
Add it to your Will
It will be added as a request rather than a legal instruction but including the information as part of your Last Will and Testament is definitely a good idea. Just by stating who your Digital Executor is and the location of your list/wishes, you would be aiding them to wrap up your affairs in an orderly fashion.
When someone dies their Will becomes a public document. Through www.gov.uk you are able to search for the probate records of anyone you wish. For this reason, I would suggest you don’t include the log in details as part of your Will but as more of an accompaniment. Giving away your log in details may be overly private … particularly as passwords could be rather revealing depending on what they are!
Refer to the information as an outside document that is necessary to complete your wishes. This way you can continue to add to it or edit it up until the time that it is needed.
Estate Planning for the Future
Ask anyone who works with technology and they will happily explain that computers are still relatively new and that iPhone X smartphone will be as obsolete as the iPhone 8 was in almost as quick a time (nerdy joke there).
As the world moves forward, there will be assets that we would have never previously thought of that need to be given thought and inclusion into your Estate Planning requirements.
Folium Consulting LLP keep our operating practices up to date and relevant to ensure that you are receiving a product that will be relevant and most importantly legal long into the future.
Should you want to talk to us about your situation and Estate Planning concerns, we offer FREE consultations in a place of your choosing. We will endeavour to work to your availability and you can have anyone you wish join us for the consultation.
Contact us via phone on 0800 240 1714 or via the form, chat facility or Facebook messenger. We will be on hand to organise and help you with any questions you may have.
Andy looks after the graphical/digital services and content for Folium Consulting. With previous experience offering not only creative solutions and content writing but also estate planning and Will provision Andy is able to provide informed and engaging articles for you to read. All articles are also vetted by Folium Consulting management to ensure that the information you are receiving is current, up to date and useful.
Who will have authority to access or manage your digital assets after you die? Arizona, like many other states, recently passed the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA) , which may help your executor (called a “personal representative” in Arizona) gain legal and practical access to […]
A Last Will and Testament, commonly referred to as a Will, allows one to specify how their assets will be distributed and who will be in charge of distributing those assets as the Executor of their estate upon their passing. This is different from your Agent / digital executor […]