I Needed to Save My Mother’s Memories. I Hacked Her Phone.

I Needed to Save My Mother’s Memories. I Hacked Her Phone.

I Needed to Save My Mother’s Memories. I Hacked Her Phone.

Click here to view original web page at I Needed to Save My Mother’s Memories. I Hacked Her Phone.

Claire Merchlinsky

Several days after my mother died in a car accident, my two sisters and I sat together in her apartment, stunned and overwhelmed. High on our horrible to-do list — along with retrieving her smashed vehicle from the tow lot, making burial plans and meeting with the rabbi — was this: getting into her cellphone.

Everything we needed to get her affairs in order was on her phone. Her contacts would tell us who to reach out to about the memorial service. Her email would tell us whether she had made plans we needed to cancel. Her finance apps would tell us whether she had been paying bills electronically. And there would be personal information, too. Her texts to family and friends. Her notepad. Her photos. The e-book she had been reading on the flight home in the hours before the accident as she left the Tulsa International Airport.

Luckily, Mom had given me the passcode to her phone only a month before. When we felt ready, I turned on her iPhone in its pink plastic case and typed in the code.

Nothing.

I typed in the code a second time. Again, nothing. My sisters and I looked at one another. A tightness gripped my stomach as I realized that the code Mom had given me couldn’t possibly work: That code had contained four digits, and her phone was asking for six.

Six digits means one million possible combinations, and her phone would give us only 10 tries before Apple would erase all of her data. Her old passcode had been the last four digits of the phone number at our childhood home, which ended in a zero. We decided to add two zeros to the end and were so confident that we knew how Mom’s brain worked that I paused dramatically before I tapped in the final zero, certain it would work. It did not.

[As technology advances, will it continue to blur the lines between public and private? Sign up for Charlie Warzel’s limited-run newsletter to explore what’s at stake and what you can do about it.]

After that failure, my sisters and I treated every one of the remaining tries like some sort of nuclear access code. We made a few more attempts, none successful. With each failure, the phone made us wait longer between tries. Eventually we decided it was best to stop and find a different way in — the risk of permanently erasing everything was too great.

As a historian and biographer, I’ve made a career of reconstructing lives. To do that, you need information. The people I study and write about are entrepreneurs, innovators, famous and wealthy individuals. Their lives have been well documented in countless ways, including television interviews, newspaper and magazine articles, congressional testimony, patent records and the corporate archives of companies they founded. It’s relatively easy to reconstruct those lives, particularly if there are still friends and colleagues to help fill in the blanks.

Mom left no public record aside from a letter to the editor published in The Tulsa World. Instead, she had a dusty purple plastic bin she labeled “Memorabilia” with a Magic Marker. Inside were a prom program, a love letter from a boyfriend we had never heard of and hundreds of drawings, photos and notes from her grandchildren or us sisters as children. She had the photo albums she had made when we were little. A safe deposit box held her citizenship papers and other legal documents.

Nearly anything from the past 20 years existed only online, locked away behind passwords and firewalls. Notwithstanding the cards she made by gluing New Yorker cartoons onto cardstock, her written communications essentially stopped in the early 2000s, when she got an email account. She was a great texter, pouncing to be the first to respond in any group and embracing emojis with the passion of a preteenager. Her social media posts were politically passionate and at times head-scratchingly random.

I valued these public things, of course, but I also wanted more. We document our lives in two ways, one intended and one not. There are the emails we send, the photos we post and the comments we debate and wordsmith before hitting Return. And then there is the inadvertent record: the enraged first drafts, the unflattering selfies, the record of purchases at Amazon or Netflix, the digital sticky notes we had not meant to keep.

We work hard to curate the public self and rarely think about the shadow self. I knew from my own work, however, that off-the-cuff notes, old receipts, call logs and calendar entries can serve as proxies for feelings. A run of doctor’s appointments, a glut of calls to the same phone number that never picks up, the purchase of five types of acne cream or a self-help book — these are clues. When we are alive and artificial intelligence assembles these clues to hazard an eerily accurate prediction about our interests and future desires, we are horrified. But for a historian looking at the life of someone who has died, the same clues can lead to understanding.

As a daughter, my heart broke at the realization that digital records, along with the stories from those of us who loved Mom, were going to be the best way to be with her again, to learn from her again or to laugh again at her stupid jokes. But as a historian, my mind raced. If the only way to preserve her memories was to put together the pieces of her digital life, then we had to hack into her online accounts.

After a frantic hunt, my middle sister found a small pocket calendar in Mom’s desk. The back pages were filled with handwritten login IDs and passwords. I patted myself on the back for having insisted Mom record her passwords, and we sisters rejoiced … for about five minutes. At site after site, login page after login page, every attempt failed.

The only login and password combination that worked was for her Apple iCloud account, but she had protected it with two-factor authentication. We could see that her phone was receiving texts — texts from Apple containing the codes needed to get into her account — but we couldn’t unlock the phone, so we couldn’t see the code. I called a few high-powered techies I know from working at Stanford and living in Silicon Valley, but none of them could help. It seemed we would be locked out of everything.

Eventually I found a savior — a young employee at an Apple Store. I explained to him that I had Mom’s login ID (an email address) and the password for her Apple account, but I couldn’t override the two-factor authentication. He asked me to enter the login and password, and he grimaced when her locked phone lit up with the authentication code we could not see. Then his expression changed. “Let’s try her SIM card,” he said.

A phone’s SIM card is no bigger than the fingernail on your pinkie finger, but it is of vital importance. It gives your phone its unique identity, making it possible to associate the physical device with a specific mobile carrier and phone number. You can pop the card out of your phone by inserting a paper clip in the tiny hole you might have noticed on the side of your phone. Moving a SIM card from one phone to another is how most people move their phone number when they upgrade their devices.

The employee ejected the SIM card from Mom’s phone and put it in his own. His phone now had her phone number. We logged into Mom’s iCloud account again. This time we clicked the link that said we had not received the original two-factor passcode sent to the phone as a trusted device. We requested another be sent to her phone number. An instant later, his phone buzzed with the code. “O.K. to input this?” he asked. My heart pounded at the thought of this young stranger being with me when I peeked into Mom’s hidden digital life for the first time, but I nodded approval. He typed the code on the site.

Boom: We could see her Apple mail, her memos, her bookmarks and her photos. We had recovered a key to unlock her digital world.

At home, I put Mom’s SIM card into my husband’s phone so that it could receive texts sent to her number. Now, with her login ID and control over her phone number, I could impersonate her. At every website, I said that I forgot her password. The website tried to confirm her identity by texting a code to Mom’s registered phone number — and the code would go straight to my husband’s phone. Once I was logged in, I could then change both the password and the trusted phone number that would thereafter be associated with the account. Every time a page opened up with her name at the top, I felt a mix of elation and nausea.

It took hours, but I gained control of her email accounts, her Amazon account, her cable provider and the sites for her credit cards. We never did figure out the passcode to her phone, which means I will most likely never see the iMessages or other encrypted information. Otherwise, I now have access to almost all of her digital history.

After all that work to crack Mom’s accounts, I haven’t looked at them. It has been six months, but it’s still too soon. Looking through her digital life will mean remembering her before she was gone, back when I was a daughter with the luxury of being annoyed by her calls or texts, back before she or I understood in the visceral, never-going-back way I do now that it was all going to end. I haven’t even listened to the voice mail messages from her that I still have on my phone. I do know they almost all begin in the same way: with a pause and then her voice saying, “It’s just me.”

Leslie Berlin, a historian at Stanford, is the author, most recently, of “Troublemakers: Silicon Valley’s Coming of Age.”

The Times is committed to publishing a diversity of letters to the editor. We’d like to hear what you think about this or any of our articles. Here are some tips. And here’s our email: letters@nytimes.com.

Follow @privacyproject on Twitter and The New York Times Opinion Section on Facebook and Instagram.

Images

What Happens to My Digital Assets on Death or Incapacity?

What Happens to My Digital Assets on Death or Incapacity?

What Happens to My Digital Assets on Death or Incapacity?

Click here to view original web page at What Happens to My Digital Assets on Death or Incapacity?

A recent New York case, Estate of Swezey (NYLJ, 1/17/19 at pp. 23, col. 3) highlights the confusion in the laws of many states regarding the administration and distribution of digital assets at a decedent’s death. In this case, decedent’s executor asked Apple to turn over decedent’s photographs stored in his iTunes and iCloud account. No provision in decedent’s Will specifically authorized the executor to access decedent’s digital account. The Court relied on the relatively new section 13-A in the New York Estates, Powers and Trusts Law (“EPTL”), Administration of Digital Assets which provides for different procedures for the disclosure of electronic communications, in contrast to the digital assets. To disclose electronic communication specific user consent is required or a specific court order for an identifiable reason. Other digital assets, such as the photographs requested by decedent’s Executor, are treated like other assets which belonged to decedent at death and are within the purview of the Executor’s general responsibility. The Swezey Executor was trying to access decedent’s photographs. The Court concluded that Apple was required to disclose those photographs.

The Uniform Law Commission promulgated the Uniform Fiduciary Access to Digital Assets Act (the “Original Act”) in 2014. In 2015 the Uniform Law Commission further refined their attempt and came up with a Revised Uniform Fiduciary Access to Digital Assets Act (the “Revised Act”).

The Original Act treated digital assets like traditional assets. The owners could decide what would happen to them and the fiduciaries could have control of them when the owner died or became incapacitated. After a person died, his or her executor would have the same right to access the deceased person’s accounts as the deceased person had during life. And if the executor did not have needed login or password information, he or she could ask the company for access and the company would have to comply. This approach would have given executors the access they need to wrap up the estate – including passing on photos, archiving emails, deleting or modifying social media accounts, paying final bills through bill pay, and canceling subscriptions.

This Original Act met with strong opposition from technology companies as well as from privacy advocacy groups such as the ACLU. They argued that providing executors the authority to access all of a deceased person’s digital assets would invade the deceased person’s personal privacy in ways that they would not have imagined or wanted. Additionally, technology companies argued that elements of the Original Act were contrary to federal privacy laws and state and federal computer fraud laws, forcing companies to violate one law while complying with another.

The Revised Act addressed many of these concerns and greatly reduced the authority of an executor to access digital assets. It also prioritized the document that would control some of these issues.Here are some of the key changes:

  • An executor does not has authority over the content of electronic communications (private email, tweets, chats), unless the deceased person explicitly consented to disclosure.
  • An executor can get access to other types of digital assets, such as photographs or an eBay or PayPal account.
  • The first place to look for authority to disclose digital assets is an “online tool,” separate from terms of service, through which users during their lifetimes can determine the extent to which their digital assets are revealed to third parties, including fiduciaries. (On Facebook, for example, the online tool is known as Facebook Legacy Contact.) If a user has provided direction through the online tool, it will supersede conflicting directives, including those in a Will.
  • Next look to the decedent’s or incapacitated person’s Will, trust or power of attorney to see what explicit instructions and authority, if any, are given.
  • If a fiduciary does not have explicit permission through a Will, trust, or power of attorney, look to the terms-of–service agreements to see the rules regarding access to a deceased or incapacitated person’s account.
  • If the terms of service do not cover the issue, the Revised Act’s default rules apply. Those default rules recognize multiple types of digital assets. For certain digital assets, like virtual currency, the Revised Act gives fiduciaries unrestricted access. For electronic communications, however, the statute does not provide fiduciaries access; instead, it allows them to access a “catalog” of communications consisting of metadata such as the addresses of the sender and recipient, as well as the date and the time the message was received.
  • Fiduciaries may request court orders if necessary. In general, access is only granted to assets that are “reasonably necessary” for wrapping up the estate.
  • Custodians may not provide access to deleted or joint accounts.

The Revised Act has been adopted by a majority of states in one form or another, including New York as evidenced by the enactment of Article 13-A in the EPTL, Administration of Digital Assets. However, as an individual, to be most certain you achieve the results you want, it is best you decide what you want to happen to your digital assets and on line presence if you are incapacitated or dead and have your power of attorney, Will or Revocable Trust reflect these wishes. It is a good idea to catalog your on line presence. Leave specific instructions about how to access your accounts. Include websites or devices needed, as well as usernames and passwords. Tell your executor or attorney in fact what to do with each account. Do you want your stored photos to be shared with family, your twitter account deleted, your blog to be archived and saved? Be as clear and thorough as possible. Why allow someone else to decide? Do it yourself with the help of your estate planning professional.

Judge orders Apple to give widow access to late husband’s iPhone photos

Judge orders Apple to give widow access to late husband’s iPhone photos

ake hundreds of photos,” Rachel Thompson said on a London morning television talk show. “He was very artistic and he recorded our life as a family.”

Life Matters Media, a Chicago-based resource helping families and healthcare professionals talk about death, offers a Guide to Digital Death.

Some of the organization’s recommendations include:

  • Take an inventory of all the online services used for banking, paying bills, shopping, social media accounts, and cloud storage.
  • Choose a password management system, whether its an Excel spreadsheet or a service like Dashlane, PassWordBox or Keeper, to hold accounts and passwords.
  • Select a fiduciary to manage the accounts after your death. A will should include the way to access the chosen password management system.
Court orders Apple to give widow access to late husband’s iPhone photos

Court orders Apple to give widow access to late husband’s iPhone photos

Court orders Apple to give widow access to late husband’s iPhone photos

Click here to view original web page at Court orders Apple to give widow access to late husband’s iPhone photos

court order iCloud access
Plan ahead so that family can access your iPhone photos if you die.

A U.K. court ordered Apple to provide a widow access to her late husband’s iPhone photos, after a lengthy legal battle that ended Sunday when the woman and her daughter could finally look at the pictures.

Matt Thompson did not leave a will when he took his own life in 2015, and Apple makes clear that user accounts are non-transferable after death.

The case attracted a lot of media attention. Rachel Thompson and her attorney are using the moment to engage the public in a conversation about making arrangements for digital content in the event of death.

Lengthy court fight for iPhone photos

The case pitted grieving heirs against Apple’s strict policies on data privacy. Thompson, now a single mother of a 10-year-old daughter, said her husband recorded every family moment. He left behind more than 4,000 still photos and 900 videos.

“Photos used to be kept in physical photo albums but now they’re kept online,” Thompson’s attorney Matt Himsworth told the Daily Mail. “Now, instead of looking through a photo album, our loved ones need a username and password to access this material. But what happens when they don’t have this information?

“There should be a universal process in order for heirs of estates to access the data held in these accounts.”

Thompson was estranged but not divorced from her husband when he died. She could not remember her husband’s password, so she went to an Apple Store. Staffers said they could not access the photos on her husband’s phone.

Apple told her she would need a court order to gain access to her late husband’s iCloud account. It took nearly three years, and several thousand pounds, to get the photos and videos.

Central London County Court Judge Jan Luba issued the order last week. The judge also called for changes in privacy law that would make these types of cases easier to settle.

Apple did not contest the order. The company granted Thompson access over the weekend.

“He would take his phone everywhere and take hundreds of photos,” Rachel Thompson said on a London morning television talk show. “He was very artistic and he recorded our life as a family.”

Plan for your digital afterlife

Life Matters Media, a Chicago-based resource helping families and health care professionals talk about death, offers a Guide to Digital Death (.pdf).

Some of the organization’s recommendations include:

  • Take an inventory of all the online services used for banking, paying bills, shopping, social media accounts and cloud storage.
  • Choose a password management system, whether it’s an Excel spreadsheet or a service like Dashlane, PassWordBox or Keeper, to hold accounts and passwords.
  • Select a fiduciary to manage the accounts after your death. A will should include the way to access the chosen password management system.