The digital entropy of death: what happens to your online accounts when you die

The digital entropy of death: what happens to your online accounts when you die

Click here to view original web page at securityboulevard.com

Unless you’re planning on having your mind jammed inside some sort of computer chip, eventually mortality will catch up and you’re going to have to work out what you’ll do with all of your online accounts. When it’s time to shuffle off this mortal coil, you might, theoretically, be slightly annoyed if someone is using your dormant accounts to spam viagra or fake Twitter apps. The sad reality is, when we go, we leave behind a potentially terrifying amount of accounts lying around in the digital ether, and not all of them may be as secure as one would like.

Even if they’re locked down with multiple security steps, someone could break into a database and pilfer insecure information from the back end. We have the very odd situation of there being a digital zombie sleeper army, ready and willing to come back and cause all sorts of security/spam issues worldwide.

Is there anything we can do about it? Can relatives ensure we don’t come back as some sort of bizarre cyber-horror? Do websites and services have any process in place for this strange new world of accounts that are, to coin a phrase, just taking a nap?

Surprisingly, help is at hand more often than not. First, though, we need to have a think about some sort of tally.

There’s (not) security in numbers

Passwords are a great way to gauge how many accounts we have personally. Check out any number of “How many accounts do we have” articles going back several years. Very handy! An unintended side effect of said articles and their number crunching is that we can also use that data to try and map out the kind of problem we may be facing with orphaned accounts. The average UK consumer alone has something like 188 online accounts, and that figure is from 2015—no doubt the number continues to rise as every aspect of our lives winds its way online.

Speaking of number crunching: 151,000 people die every day. Something like 55 million people die every year. Even if just 10 percent of the 500,000 people who die in the UK annually had 188 accounts each, that’d still be 94 million accounts suddenly abandoned—more than enough to cause a spot of bother. Then throw in the accounts of the recently deceased from around the world, and the numbers are suddenly a bit panic-inducing.

I’d be surprised if scammers don’t set aside a little time for targeting obviously abandoned profiles. Aside from regular postings asking for help on Facebook due to compromise of dead people’s logins [1], [2], there’s also the problem of “cloning.” Once you start poking around this subject, problems are everywhere.

Setting the tripwires

Of course, there are a fair few security-centric things we can do now to ensure we make it as hard as possible for those going on a spot of dormant hunting. Multi-factor authentication, password managers, good browsing practices, blockers, security tools…in short, everything you’re hopefully doing by default anyway. It’ll all help to keep your accounts in lockdown when the time comes that you no longer require them.

Additionally, not all services will be around forever—the endless churn of the web will see to that. Today’s social network is tomorrow’s “bought out and turned into something for delivering pizzas by taxi.” One can assume a large portion of all but the biggest accounts you have will, eventually, crash and burn. Not good for them, not good for people using the service, but definitely good for anyone no longer fussed about the paradigm shift in pizzas and taxis.

As time has passed, digital providers have realised they need to start offering some options for relatives of the recently deceased—one can’t assume everyone knows their security stuff, and many relatives would be hugely distressed to see accounts of a dead relative tweeting about healthcare plans or posting movie promos to Instagram.

Many sites now offer a way for relatives and executors to memorialise, or just delete, an account. In other circumstances, services would rather you ” self-manage” and plan ahead for your own demise (cheerful!) by setting a ticking timer. If the account is inactive for the specified length of time, then into the great digital ether it goes. These are useful options to have available.

While a lot of services don’t openly advertise what to do in the event of a death on their website, they will give advice should you contact them, whether social network, email service, or web host. When there’s no option available, though, people will forge their own path and take care of their so-called “digital estate planning” themselves.

The D.I.Y. approach

What do you do if the visible services your loved ones used don’t do the whole “death resolution” thing? Worse, how do you even know about the potentially hundreds of logins they have sitting around elsewhere? Sure, you might know about the really obvious ones but people don’t typically draw up a list of the weird, wonderful (and possibly not wonderful) services they used and hand it to their next of kin.

What we are seeing is people making use of password managers in ways other than having a convenient and secure login to services; they’re also creating back up accounts for their digital departure. In these situations, a fully fleshed out password manager, containing all of a person’s logins, has its access stored in a secure place and given to a close relative. Of course, the relative receiving this digital treasure trove is going to be extremely trusted—they probably don’t want to hand it to that crazy uncle who shouts at family gatherings.

The manner in which they hand over the password manager account is incredibly important, too. Is it a physical thing? A login written on paper? Something digital? Is it secure? Maybe it’s a hard drive. Is it encrypted? How will it be updated with new logins/ changes to passwords? Does the relative live nearby if it’s physical? If they live far away, would something purely online make more sense?

These are all important questions that need to be thrashed out long before handing account information over, and it’s probably a bit much to put the onus on the recipient to start bolting security gates you may have left wide open. Do some pre-handover diligence, and make some time to ensure everything is locked down tight. If there’s anything hugely important you need them to know, tell them in advance—don’t hand over a hard drive and ask them why they didn’t make a backup two months after the thing has fallen into the bathtub.

Digital family heirlooms

That’s the grim stuff out of the way. What happens to accounts you’ve invested a ton of money in? You may have bought a lot of digital purchases tied to certain platforms. Games on Steam, or music on iTunes or Spotify—they’re all tied to specific logins in your name. When you die, what happens to the purchases? In the real world, you end up with a ton of dusty boxes. Online? Those “boxes” will be taken away from you.

In an ideal scenario, you could nominate someone to take over a digital account and they’d inherit the purchases. But legally, when you go, so do your files (in as much as anything you can’t download and keep locally is gone forever.) That’s because you’re buying into a license to use a thing, as opposed to buying the thing itself. I did have a whole pile of text for this bit, but as it turns out, the ground has already been thoroughly covered.

Logan’s (video game) Run

Logan’s Run, the sci-fi movie from 1976 where everyone has a timer ticking down till they hit the age of 30, is weirdly relevant to this discussion because ticking timers are most definitely going to be a thing. See, there’s nothing stopping someone from passing on a login to a family member so they can continue to make use of all the purchased content. The platform owners are never going to know about it. However, as those wheels of time continue to crank, at some point somebody is going to wonder why Steve McHuman is still playing games at the ripe old age of 123.

This is why I predict that at some point, all of our digital accounts tied to financial purchases will have some sort of average human lifespan timer attached to them. The moment it wanders past 100 or so years? Poof, gone. I mean, this is better than being chased down by a Sandman once you hit 30, but it does mean your digital purchases will almost certainly expire at a later date—and that’s assuming the services of today are even around in 100 years time.

Many are the grim ways that lead to his cybercave: all dismal

Well, not quite so dismal. Sorry, Milton. We’re in a bit of an odd situation at the moment, as we’re now well into the point in history where we have the last generation to know life before 24/7 Internet. For many, being online is an absolutely crucial resource of existence. Meanwhile, Internet of Things technology ensures it continues to leap from behind a screen to the real world. We can’t escape it, no more than we can somehow skip around Milton’s cave, and the younger generations absolutely will demand reforms to the way we think about digital content, ownership, and inheritance.

I just hope I’m around to see it. And if I’m not? Please, don’t touch my stuff.

This is a Security Bloggers Network syndicated blog post authored by Christopher Boyd. Read the original post at: Malwarebytes Labs


Unless you’re planning on having your mind jammed inside some sort of computer chip, eventually mortality will catch up and you’re going to have to work out what you’ll do with all of your online accounts. When it’s time to shuffle off this mortal coil, you might, theoretically, be slightly annoyed if someone is using your dormant accounts to spam viagra or fake apps. The sad reality is, when we go, we leave behind a potentially terrifying amount of accounts lying around in the digital ether, and not all of them may be as secure as one would like.

Even if they’re locked down with multiple security steps, someone could break into a database and pilfer insecure information from the back end. We have the very odd situation of there being a digital zombie sleeper army, ready and willing to come back and cause all sorts of security/spam issues worldwide.

Is there anything we can do about it? Can relatives ensure we don’t come back as some sort of bizarre cyber-horror? Do websites and services have any process in place for this strange new world of accounts that are, to coin a phrase, just taking a nap?

Surprisingly, help is at hand more often than not. First, though, we need to have a think about some sort of tally.

There’s (not) security in numbers

Passwords are a great way to gauge how many accounts we have personally. Check out any number of “How many accounts do we have” articles going back several years. Very handy! An unintended side effect of said articles and their number crunching is that we can also use that data to try and map out the kind of problem we may be facing with orphaned accounts. The average UK consumer alone has something like 188 online accounts, and that figure is from 2015—no doubt the number continues to rise as every aspect of our lives winds its way online.

Speaking of number crunching: 151,000 people die every day. Something like 55 million people die every year. Even if just 10 percent of the 500,000 people who die in the UK annually had 188 accounts each, that’d still be 94 million accounts suddenly abandoned—more than enough to cause a spot of bother. Then throw in the accounts of the recently deceased from around the world, and the numbers are suddenly a bit panic-inducing.

I’d be surprised if scammers don’t set aside a little time for targeting obviously abandoned profiles. Aside from regular postings asking for help on due to compromise of dead people’s logins [1], [2], there’s also the problem of “cloning.” Once you start poking around this subject, problems are everywhere.

Setting the tripwires

Of course, there are a fair few security-centric things we can do now to ensure we make it as hard as possible for those going on a spot of dormant hunting. Multi-factor authentication, password managers, good browsing practices, blockers, security tools…in short, everything you’re hopefully doing by default anyway. It’ll all help to keep your accounts in lockdown when the time comes that you no longer require them.

Additionally, not all services will be around forever—the endless churn of the web will see to that. Today’s is tomorrow’s “bought out and turned into something for delivering pizzas by taxi.” One can assume a large portion of all but the biggest accounts you have will, eventually, crash and burn. Not good for them, not good for people using the service, but definitely good for anyone no longer fussed about the paradigm shift in pizzas and taxis.

As time has passed, digital providers have realised they need to start offering some options for relatives of the recently deceased—one can’t assume everyone knows their security stuff, and many relatives would be hugely distressed to see accounts of a dead relative tweeting about healthcare plans or posting movie promos to Instagram.

Many sites now offer a way for relatives and executors to memorialise, or just delete, an account. In other circumstances, services would rather you ” self-manage” and plan ahead for your own demise (cheerful!) by setting a ticking timer. If the account is inactive for the specified length of time, then into the great digital ether it goes. These are useful options to have available.

While a lot of services don’t openly advertise what to do in the event of a death on their website, they will give advice should you contact them, whether social network, email service, or web host. When there’s no option available, though, people will forge their own path and take care of their so-called “ planning” themselves.

The D.I.Y. approach

What do you do if the visible services your loved ones used don’t do the whole “death resolution” thing? Worse, how do you even know about the potentially hundreds of logins they have sitting around elsewhere? Sure, you might know about the really obvious ones but people don’t typically draw up a list of the weird, wonderful (and possibly not wonderful) services they used and hand it to their next of kin.

What we are seeing is people making use of password managers in ways other than having a convenient and secure login to services; they’re also creating back up accounts for their digital departure. In these situations, a fully fleshed out password manager, containing all of a person’s logins, has its access stored in a secure place and given to a close relative. Of course, the relative receiving this digital treasure trove is going to be extremely trusted—they probably don’t want to hand it to that crazy uncle who shouts at family gatherings.

The manner in which they hand over the password manager account is incredibly important, too. Is it a physical thing? A login written on paper? Something digital? Is it secure? Maybe it’s a hard drive. Is it encrypted? How will it be updated with new logins/ changes to passwords? Does the relative live nearby if it’s physical? If they live far away, would something purely online make more sense?

These are all important questions that need to be thrashed out long before handing account information over, and it’s probably a bit much to put the onus on the recipient to start bolting security gates you may have left wide open. Do some pre-handover diligence, and make some time to ensure everything is locked down tight. If there’s anything hugely important you need them to know, tell them in advance—don’t hand over a hard drive and ask them why they didn’t make a backup two months after the thing has fallen into the bathtub.

Digital family heirlooms

That’s the grim stuff out of the way. What happens to accounts you’ve invested a ton of money in? You may have bought a lot of digital purchases tied to certain platforms. Games on Steam, or music on iTunes or Spotify—they’re all tied to specific logins in your name. When you die, what happens to the purchases? In the real world, you end up with a ton of dusty boxes. Online? Those “boxes” will be taken away from you.

In an ideal scenario, you could nominate someone to take over a digital account and they’d inherit the purchases. But legally, when you go, so do your files (in as much as anything you can’t download and keep locally is gone forever.) That’s because you’re buying into a license to use a thing, as opposed to buying the thing itself. I did have a whole pile of text for this bit, but as it turns out, the ground has already been thoroughly covered.

Logan’s (video game) Run

Logan’s Run, the sci-fi movie from 1976 where everyone has a timer ticking down till they hit the age of 30, is weirdly relevant to this discussion because ticking timers are most definitely going to be a thing. See, there’s nothing stopping someone from passing on a login to a so they can continue to make use of all the purchased content. The platform owners are never going to know about it. However, as those wheels of time continue to crank, at some point somebody is going to wonder why Steve McHuman is still playing games at the ripe old age of 123.

This is why I predict that at some point, all of our digital accounts tied to financial purchases will have some sort of average human lifespan timer attached to them. The moment it wanders past 100 or so years? Poof, gone. I mean, this is better than being chased down by a Sandman once you hit 30, but it does mean your digital purchases will almost certainly expire at a later date—and that’s assuming the services of today are even around in 100 years time.

Many are the grim ways that lead to his cybercave: all dismal

Well, not quite so dismal. Sorry, Milton. We’re in a bit of an odd situation at the moment, as we’re now well into the point in history where we have the last generation to know life before 24/7 Internet. For many, being online is an absolutely crucial resource of existence. Meanwhile, Internet of Things technology ensures it continues to leap from behind a screen to the real world. We can’t escape it, no more than we can somehow skip around Milton’s cave, and the younger generations absolutely will demand reforms to the way we think about digital content, ownership, and inheritance.

I just hope I’m around to see it. And if I’m not? Please, don’t touch my stuff.

This is a Security Bloggers Network syndicated blog post authored by Christopher Boyd. Read the original post at: Malwarebytes Labs

Eleanore

Main curator on Digitaldeathguide. Supported by a bot. Some articles may need to be weeded, don't hesitate to tell me !