What happens to your Facebook and other social media accounts after your death? State lawmakers are pondering that question as they consider new laws about a deceased person’s “digital estate.”
Most recently, a New Hampshire lawmaker proposed a bill that would allow the executor of an estate to access and shut down Facebook accounts. According to Facebook’s terms of service, the company will not divulge login information, even to a deceased user’s relatives, ABC News reports.
If passed, New Hampshire would join five other states that have already passed laws addressing one’s online accounts after death (not all of them address social media sites like Facebook, however). Those states are:
Connecticut. An executor or administrator of an estate can access the email accounts of the deceased. The law does not provide for any other online accounts such as Facebook or Twitter, however.
Rhode Island. Similar to Connecticut, Rhode Island’s law only grants to the executor or administrator of an estate access to the deceased person’s email accounts. So it is questionable whether the deceased’s representative can access other social media accounts like Facebook.
Indiana. This law gives greater access to the representative of a deceased person. Presumably, the representative would be able to access any information stored digitally by another.
Idaho. A state law allows a representative of the deceased to take control of, conduct, continue, or terminate any accounts of the decedent on any social networking website, any microblogging or short message service website, or any email service website. It’s interesting that this state would allow someone to continue the account of another, even posthumously.
The New Hampshire law is still far from approval. The lawmaker who proposed the bill is still researching the issue. However, given the number of Facebook users and the importance of Facebook in many people’s lives, you can expect more states to consider new laws.
Who gets access to your Facebook, Google and Twitter accounts after you die? The WSJ’s Eva Tam finds out.
People draft estate plans that carefully detail how their money and property should pass to their heirs after they become incapacitated or die.
But what about our so-called digital assets, such as an iTunes account containing thousands of songs, or a Twitter account with hundreds of followers? Can people pass those on as well? And how do they ensure that heirs get access to password-protected bank and trading accounts that exist only online?
Questions like these are popping up with more frequency—and for good reason. A popular blog or Web domain, for example, can have great, or potential, value as a business. But if the owner doesn’t take the proper legal steps ahead of time, their heirs may lose the rights to those assets. Photos, videos, email and contents of social-media accounts also may be lost.
Make a List
Justin T. Miller, national wealth strategist in the San Francisco office of BNY Mellon Wealth Management, a division of Bank of New York Mellon Corp. , says that clients often react with surprise when advisers ask about their plans for passing on things like online financial and social-media accounts. Even the technology executives he counsels, Mr. Miller says, have given little thought to how to provide their heirs with access to some of their online assets.
Katherine Dean, managing director of wealth planning for Wells Fargo Private Bank, San Francisco, says one couple worth around $20 million seemed abashed when she asked them to detail their digital assets in making a comprehensive financial and estate plan. She gave them a one-page checklist seeking information about such assets as photo and social-media accounts, Web-based games, and online-only banking and brokerage accounts.
“They said, ‘Oh my gosh, we’ve got to go online to get this,’ ” says Ms. Dean. “Whenever we hear that, we take the time to have the conversation that this is very important.”
The most important thing, estate attorneys say, is to establish procedures for protecting and granting access to passwords and for transferring assets and account ownership. The rules can vary widely depending on the vendor. While there is nothing in Twitter’s company rules and conditions that says one of its accounts must close if the owner dies, Apple Inc. ‘s iTunes says it doesn’t have a policy that allows anyone to will or inherit an iTunes account.
But even where limits exist, by placing the license and necessary passwords in a trust, access to such accounts can be preserved, says Naomi R. Cahn, a professor at George Washington University Law School.
Ms. Cahn explains: Many digital assets are owned through a license that is limited to the account-holder and nontransferable. The license may cease to exist when the account-holder dies, so it can’t be transferred in a will. But by placing the license in a trust, it is possible that the license will survive the death of its creator.
Wills play an important role, too, Ms. Cahn says, mainly in stating who should receive any digital property that is capable of being inherited. A will can also designate who will have access to digital accounts, although this may not be legally binding.
Estate advisers caution against listing digital assets and passwords in a will because the will can become public. Such information instead should go into a separate letter, says Lesley Moss, an attorney at law firm Oram & Moss in Chevy Chase, Md.
Looking for Legislation
A group of states is interested in drafting a law that would make it easier for consumers to bequeath online property by giving fiduciaries the right to manage and distribute their clients’ digital assets.
Lawyers, judges, legislators and law professors from the Uniform Law Commission, a group appointed by state governments to draft and promote new state laws, met this summer to discuss such a proposal.
Currently only Connecticut, Idaho, Indiana, Oklahoma and Rhode Island give fiduciaries this right.
While some states, including Idaho and Nevada, have some existing provisions pertaining to limited digital assets for heirs, they are not as broad as the new Delaware law. For now, the state’s version of UFADAA only applies to residents of Delaware, one of the smallest states by population and land area. If other states don’t follow suit soon, people creating family trusts could conceivably use this Delaware law to their advantage, even without residing in Delaware. However, even though many tech companies (including Twitter, Facebook, and Google) are incorporated there, they will not be affected by the new law.
“If a California resident dies and his will is governed by California law, the representative of his estate would not have access to his Twitter account under HB 345,” Kelly Bachman, a spokeswoman for the Delaware governor’s office, said by e-mail.
“But if a person dies and his will is governed by Delaware law, the representative of that person’s estate would have access to the decedent’s Twitter account under HB 345. So the main question in determining whether HB 345 applies is not where the company having the digital account (i.e., Twitter) is incorporated or even where the person holding the digital account resides.”
While an important first step, Suzanne Walsh, an attorney with Cummings and Lockwood in Connecticut and chair of the UFADAA committee, told Ars that she is waiting for the most populous state to adopt its own version, which could also have an important influence on other states.
“I think California is the most important,” she told Ars. “It’s even more important that we have uniformity and uniform enactment.”
“You will not share your password”
Specifically, the new Delaware law states:
A fiduciary with authority over digital assets or digital accounts of an account holder under this chapter shall have the same access as the account holder, and is deemed to (i) have the lawful consent of the account holder and (ii) be an authorized user under all applicable state and federal law and regulations and any end user license agreement.
Typically, when a person dies, access to a digital service officially dies with them. Even giving your password to your spouse or a trusted loved one is forbidden under Facebook’s terms of service.
You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.
You will not transfer your account (including any Page or application you administer) to anyone without first getting our written permission.
In 2004, Yahoo famously denied access to a US marine’s e-mail account to his family after the marine was killed in action in Iraq.
Neither Twitter, Facebook, nor Google immediately responded to Ars’ request for comment.
“This problem is an example of something we see all the time in our high-tech age—our laws simply haven’t kept up with advancements in technology,” said Daryl Scott, in a statement last week. Scott is a member of the Delaware House of Representatives and the lead author of the bill. “By signing this bill into law, we’re helping to protect the rights and interests of the average person in the face of a rapidly evolving digital world.”
UPDATE Tuesday 2:04pm CT: Jim Halpert, an attorney with DLA Piper, and the director of the State Privacy and Security Coalition, an umbrella group that represents Google, Yahoo, Facebook and other firms, said that he opposes the new Delaware law.
“This law takes no account of minimizing intrusions into the privacy of third parties who communicated with the deceased,” he said. “This would include highly confidential communications to decedents from third parties who are still alive—patients of deceased doctors, psychiatrists, and clergy, for example—who would be very surprised that an executor is reviewing the communications. The law may well create a lot of confusion and false expectations because, as the law itself acknowledges, federal law may prohibit disclosing contents of communications.”
When asked why an inherited paper letter should be treated differently under the law, he said that e-mail and other digital messaging has replaced paper correspondence.
“The volume of email is far larger and people usually consider much more carefully what they write in a letter,” he said.
hree days after the Toronto teen lost a long battle with a colon disease, her sister Jaclyn Atkins had a technician crack Alison’s password-protected MacBook Pro. Her family wanted access to Alison’s digital remains: Facebook, Twitter, Tumblr, Yahoo and Hotmail accounts that were her lifeline when illness isolated her at home.
Alison Atkins Linda Bell
“Alison had pictures, messages and poems written that we wanted to keep to remember her,” says Ms. Atkins, 20, an undergraduate at the University of Toronto.
But using Alison’s passwords violated some of those websites’ terms of service, and possibly the law. None of the services allow the Atkins family—or any others—to retrieve the passwords of the deceased. Their argument is that it would violate Alison’s privacy.
Since then, Ms. Atkins’s attempts to recover Alison’s online life have begun falling apart. The websites that previously logged in automatically on Alison’s laptop began locking out Ms. Atkins as part of their standard security procedures. Her attempts to guess or reset her sister’s passwords backfired. Some of the accounts have been shutting themselves down.
On Nov. 21, Alison disappeared from Facebook, where her family used her account to communicate and share memories with more than 500 friends. “We have already lost Alison,” says Ms. Atkins. Now the family says it fears losing another part of her.
The digital era adds a new complexity to the human test of dealing with death. Loved ones once may have memorialized the departed with private rituals and a notice in the newspaper. Today, as family and friends gather publicly to write and share photos online, the obituary may never be complete.
The Atkinses—Jaclyn, Alison, Gary and Lyn—on a 2010 trip to Las Vegas. Linda Bell
But families like the Atkinses can lose control of a process they feel is their right and obligation when the memories are stored online—encrypted, locked behind passwords, just beyond reach. One major cause is privacy law. Current laws, intended to protect the living, fail to address a separate question: Who should see or supervise our online legacy?
In Toronto, taking hold of Alison Atkins’s digital afterlife forced her family to tread a line between celebrating her, and invading her privacy. In the process, her family discovered some dark journals Alison clearly meant to conceal. “She had passwords for a reason,” Ms. Atkins says.
U.S. and Canadian laws, which are similar for the most part, don’t treat digital assets like physical ones that can be distributed according to wills. In 1986, Congress passed a law forbidding consumer electronic-communications companies from disclosing content without its owner’s consent or a government order like a police investigation. Although that law predates the rise of the commercial Internet, courts and companies have largely interpreted it to mean that the families can’t force companies to let them access the deceased’s data or their accounts.
Yahoo Inc. lays it out plainly in its terms of service. “Upon receipt of a copy of a death certificate, your account may be terminated and all contents therein permanently deleted.”
A Yahoo spokeswoman said that users of the company’s mail and photo services “agree that their account content won’t be transferred without their explicit permission.” To ensure an account gets transferred at death, “users need to provide consent and their account information in their estate plans.”
Microsoft Corp. , which owns Hotmail, won’t provide families with passwords or control of accounts, a spokeswoman said. But with “appropriate documentation” it will give next of kin the deceased’s email on discs.
Customers’ privacy is “something the company respects both in life and in death,” says Dharmesh Mehta, Microsoft’s senior director of product management.
Facebook Inc., which by one estimate saw 580,000 American members die this year, has gone to court to oppose the notion that families can compel it to hand over data. In September, Facebook successfully blocked the estate of British model Sahar Daftary from getting account details in U.S. District Court of Northern California, San Jose Division. The executor was hoping Ms. Daftary’s posts and messages might help prove to a coroner that she didn’t commit suicide by showing her state of mind.
A Facebook spokesman said, when it receives requests for user data, “We will respond in a way that is sensitive to [a family’s] loss and is consistent with applicable law, which limits a provider’s ability to disclose data to third parties.”
Five states have passed legislation giving executors power over digital assets. Connecticut and Rhode Island laws cover only email, while Indiana, Idaho, and Oklahoma laws include social-networking and blogging accounts. The laws remain largely untested in court.
National action isn’t expected for at least two years. The Uniform Law Commission, a group that drafts state laws for nationwide consideration, met for the first time in November to tackle a digital-asset law. Under one proposal, the law could broadly redefine the “authorized user” of an account to include an agent or a representative of his estate, says Suzanne Walsh, a Connecticut estate lawyer leading the committee.
But Google Inc. and Facebook representatives raised concerns about how such a law might upend users’ privacy expectations and how it might be implemented, attendees say.
There are also the business costs. Companies fear a patchwork of laws or having to adjudicate who should get a dead person’s files. Handing over data too readily could undermine their users’ trust. And fundamentally, leaving dead people’s accounts active runs counter to a core business proposition of sites like Facebook, which is to sell advertising targeted at real living people.
Internet companies face a “conflict between federal law, which strictly limits” disclosure, and state laws “seeking to expand the authority of the deceased,” a Facebook spokesman said. He also said that keeping dead people’s accounts active “would undermine the fundamental concept of authenticity on Facebook.”
A Google spokesman said, “It’s crucial to strike a balance” between the grieving family and the user’s privacy. He said Google is also concerned that an account could be used to impersonate the dead.
Some people may have good reason to keep their files private. Minneapolis computer expert Mark Lanterman recalls a computer hard drive he recovered for a family after a 2009 fire revealed that its owner was researching arson-investigation techniques, had a female companion not his wife, and was an embezzler.
Facing a lack of legal clarity, families are charting their own course. In one the first lawsuits over the issue, the parents of Justin Ellsworth, a Marine who died in Afghanistan in 2004, sued Yahoo to access his email. Yahoo at first refused, but ultimately complied with a court order to hand over his data.
Since then, a Yahoo spokeswoman said, the company has revised its terms of service to make it clear that the accounts aren’t the property of the estate. (However it will respect a person’s wishes if consent and account details including the password is given in an estate plan.)
Today, some people share passwords so others can access their accounts after death, or write clauses into their wills, though the legality of either is unclear. The Justice Department has said in testimony to Congress that it believes fraud laws would permit criminal charges if a person “exceeds authorized access” by violating a website’s terms of service, which often say nobody else can access an account.
In the Atkins situation, no law-enforcement agency or company is suggesting it would press charges. Still “there hasn’t been a lot of case law on this,” says Jim Lamm, a Minnesota estate lawyer who focuses on digital issues. “It’s up to a prosecuting attorney whether to charge” a family member with a crime for accessing the accounts of the dead, he says, “and that’s not a risk that I would advise them to take.”
In 2009, Facebook began allowing family members to either delete or “memorialize” the accounts of the deceased. In a memorialized account, a person’s existing friends network can still leave comments and photos with the account of a dead person. But nobody has permission to log in or edit the account.
For Teddy Campagna of Salt Lake City, his dead brother’s online presence is making the private process of grieving excruciatingly public. After his brother B.J. committed suicide at age 40 in April, Mr. Campagna planned a fitting funeral for the former photographer of rock concerts, car shows and other events. He dressed his brother in a pair of “really cool Levi’s” and two of his favorite shirts, as well as a beanie, and blasted Pink Floyd music.
Mr. Campagna has struggled to maintain that kind of control online. “His Facebook page is one of only a few things we have left of him,” he says.
So he has kept the account active, which he is able to do because his brother had given him the password. But he’s sensitive about his brother’s suicide and doesn’t want B.J.’s profile tarnished by off-color comments or gruesome details about his cause of death.
Around B.J.’s birthday this summer, an ex-girlfriend of his posted something negative, he says. “I am protecting my little brother, who can’t fight back,” he says.
He says he contacted Facebook to ask what would happen if he “memorialized” his brother’s page and then someone posted an unwelcome message on it. He didn’t like the answer: “That message is also memorialized—forever,” he says, unless its author deletes it.
The Facebook official said the company’s “hearts go out to those who have lost loved ones.” Memorialization, he said, is designed to respect the privacy of the dead. “Allowing ongoing access to accounts,” he said, “could potentially run afoul of federal wiretapping law as well as state computer trespass and online impersonation laws.”
“I think that is a cop-out,” says Mr. Campagna.
In Toronto, Alison Atkins was diagnosed with ulcerative colitis, a painful colon disease, when she was 12. A petite brunette with a broad smile, Alison tried to live a normal teen life. She played the violin and kept pet hermit crabs.
As part of her disease, she had her colon removed—one of at least eight surgeries. “She was wise beyond her years,” says her mother, Lyn Atkins. “We talked about lots of things, including organ donation or being kept alive on machines.”
Alison worked to raise money and awareness for people like her who live with ostomies, which require people to attach a pouch to their bodies to collect waste. At age 13, she posed for modeling portraits wearing her ostomy bag.
In her better moments, she counseled suicidal kids online, her father says. But as her health declined, she could no longer attend school regularly and became suicidal herself, says her sister Ms. Atkins.
Some mystery shrouded Alison’s death. She was found unconscious in her bed on July 26, and suffered heart attacks that left her brain-dead. Her family wasn’t initially certain if she accidentally choked, or intentionally overdosed on pain killers.
Three days after Alison died, Ms. Atkins says her parents asked her to try to access her sister’s Internet accounts to find photos and to better understand what she was thinking in her final days. She took her sister’s MacBook, a hand-me-down that was missing the return key, to a friend who is a computer repairman. Within 10 minutes, she says, he circumvented the computer’s password.
Once on the computer, Ms. Atkins found that it automatically logged her into her sister’s Twitter, Tumblr and Facebook accounts. She spent hours scouring their pages. “I felt a longing, like I was going to find a secret code that is going to change everything and make everything better,” Ms. Atkins says.
Logged in as Alison, her mother posted to Facebook: “We unlocked Alison’s MacBook Pro so don’t be alarmed if you see her online on Facebook.…It’s just her family getting information and all the messages!”
Alison’s sister discovered some of Alison’s most intimate thoughts and feelings. On her Tumblr account, Ms. Atkins found a password-protected second blog under the heading “you wouldn’t want to know.” Inside, she found posts about suicide and what she describes as “dark” comments.
Ms. Atkins and her cousins debated whether to tell Alison’s parents about the private account. Eventually, they did.
As difficult as that was, Alison’s mother, Lyn, says she has no regrets. “I read it with sadness. There were no surprises,” she says.
Ultimately, Alison’s online activities helped the family feel more certain that she likely hadn’t attempted suicide. In some of her final writings, she expressed excitement about plans to meet a boyfriend in coming days.
Asked if she felt Alison had a right to privacy, her mother says she doesn’t believe so. “She was my child. I felt I had a right to know.”
A Tumblr Inc. spokeswoman says the company doesn’t provide passwords to families of the dead, but will shut down accounts upon a family’s request.
Ms. Atkins used her access to Alison’s accounts to change Alison’s privacy settings, she says. She gave herself access to her sister’s private Twitter posts, and unblocked herself and her parents on Alison’s Facebook profile.
A Twitter Inc. spokesman declined to comment on an individual account.
As Alison’s friend network learned of her death, they began posting photos, videos and other memorials to her Facebook page. More than 20 people sent Alison’s Facebook account new friend requests, which her family approved.
Alison’s death notice in the Toronto Star, written by her father and aunt, was short and said little about her struggle or accomplishments. But across hundreds of posts on Facebook, friends wrote their own testimonials about how much they missed Alison and had been inspired by her bravery in confronting disease.
Amid the mourning, Ms. Atkins hadn’t dealt with an issue she knew was coming: Sooner or later, the Twitter, Facebook and other accounts on Alison’s MacBook would automatically log out and require her to type in passwords. She didn’t possess the passwords.
It started happening in early November. She could no longer get into Facebook on Alison’s computer. “I thought I could fix this or figure it out, but I was afraid of telling my parents,” she says.
Her attempts to reset Alison’s passwords made things worse. She couldn’t reset Facebook without access to Alison’s Yahoo mail account. But when she tried to log in to Yahoo, it asked her a series of “challenge” questions, put in place by Alison, which she kept getting wrong.
She suspects her sister intentionally put in the wrong answers to the questions. “Very sneaky on Alison’s part,” she says. The same happened with Microsoft Hotmail.
On Nov. 21, Ms. Atkins noticed that her sister’s Facebook account was gone entirely. Clicking on Alison from her own account brought up an error message. Alison’s profile photo, which once showed the family together at Disney World, had been replaced by a generic outline of a head.
She sent Facebook a message, pleading that the company return her sister’s account to its former state. “We just want her account back the way it was!” she wrote.
On Nov. 26, Ms. Atkins received a response from a Facebook staffer named Chester. “We are very sorry to hear about your loss,” he wrote. “Per our policy for deceased users, we reactivated and memorialized this account.”
Ms. Atkins is happy to have Alison’s Facebook content back, but sad that Alison no longer appears in search results, and that she can’t add any more friends to Alison’s account.
If she herself were to die, Ms. Atkins says, she would want her boyfriend or parents to have access to her accounts. But there is no system to make that happen. The Internet seems like “a scrapbook and a memory book that is going to be there forever—but it isn’t,” she says. “It could all be gone in an instant.”
When you die, your social media presence lives on. But should it? Lawmakers and lawyers are tackling the question of what should happen to your digital life after death.
The Uniform Law Commission recently approved a study committee on fiduciary power and authority to access digital property and online accounts during incapacity and after death. Uniform laws are created when there is little current legislation for states to follow.
Gene Hennig, one of Minnesota’s commissioners on uniform state laws, offered the proposal. “Fiduciaries need clear powers to act on behalf of the individuals in the digital world” after death, he said.
He estimates the uniform law process will take three years or more and will let estates gain access to the dead person’s online property with ease — while also allowing you to have a say in how you want your digital assets to be handled after death.
“There is a crying need for a uniform law that would grant a unified way of addressing the issue throughout the country,” Hennig said.
Lawmakers have been slow to enact legislation related to digital property after death, and social media companies have relied on terms of service to guide them.
Former Oklahoma Rep. Ryan Kiesel was one of the first to realize the need for legislation. The dead are leaving behind valuable virtual property that needs tending to in the same way physical property is passed on, Kiesel said.
“People are living differently in 2012 in that a large part of their lives are shifting digital,” said Kiesel, the backer of Oklahoma’s digital property management after death law, which passed in November 2010.
“We have shifted away from letters in a shoe boxes to email messages and Facebook. There is a lot more traceable communication floating around.”
Laying Down the Law
Only five states — Oklahoma, Idaho, Rhode Island, Indiana and Connecticut — have created laws governing digital asset management after death.
In 2005, Connecticut was the first to establish a digital assets law. The statute is a little dusty — it references an “electronic mail account” and makes no reference to blogs, online bank accounts, payment accounts, photo sharing accounts or Facebook and other social accounts.
“I’m not sure if the existing state laws governing digital assets have been comprehensive enough,” Hennig said. “But I do think existing legislation is a good starting point for a more thorough look into fiduciary access to digital assets after death.”
Other states are crafting legislation now, and don’t want to wait three years or more for a uniform law. Michael Walker, an estate planning attorney, is on the Oregon State Bar virtual assets committee looking into developing a state law on the issue. And just last week, Nebraska Sen. John Wightman announced his sponsorship of a digital assets bill.
Nebraska’s law scrapes the surface of Internet account management and is similar to Oklahoma and Idaho’s laws. The bill proposes a dead person’s personal representative — appointed by the court or the heir to the estate — be granted access and control of digital accounts belonging to the dead person.
Service Providers Cling to Terms of Service
Facebook’s terms of service say it will not issue login and password information to family members of a person who has died. A family member can contact Facebook and request the dead person’s profile be taken down or turned into a memorial page.
If the family chooses a memorial page, the account can never again be logged into. But new laws change the way sites like Facebook are addressing digital life after death.
“Our existing policy works to ensure that privacy settings are preserved and respected. These policies extend to memorialized accounts,” said Tucker Bounds, a spokesman for Facebook. “We will provide the estate of the deceased with a download of the account’s data if prior consent is obtained from or decreed by the deceased, or mandated by law.”
Yahoo’s terms of service have been more strict than others. In 2005, a family asked Yahoo for login and password information for their son, Justin Ellsworth, a Marine who died in Iraq.
Yahoo refused to give login and password information, citing the company’s privacy standards. In the end, the court ordered Yahoo to release the email account login and password.
Gmail and Hotmail will mail the estate holder a CD with the decedent’s account information, after the beneficiary of the estate sends the required information.
The Future of Digital Dead
It’s hard to tell the impact of the five state laws on online property post-death since the laws have hardly been utilized. Kiesel said Oklahoma lawyers now ask a person desiring a will to include how he or she wants digital accounts to be taken care of after death.
The law has created a lot of chatter, but Kiesel hasn’t heard of anyone using the law to gain access to dead loved one’s digital accounts.
Walker said he and other estate planners in Oregon prepare a virtual asset instruction letter (VAIL) for a person to leave in his or her safety deposit box. The letter lists a person’s online account information to make the account more accessible after death. A person can also instruct the executor to delete all accounts without reading emails or other communication, Walker said.
Online services like Entrustet, Legacy Locker and My Webwill offer other options for passing on online account access after death.
But some lawmakers advise against using these services. Kiesel points out that a will including digital accounts is more secure than these sites, which may not exist when a person dies.
Check out the gallery for more services that provide tools for managing your digital life after death. And tell us in the comments: Do you have a plan? Do you think lawmakers should establish uniform methods for dealing with social accounts? If so, how?