Thursday, January 31, 2008

4 Ds of Information loss – Death

Death comes to us all. And from a legal perspective, death doesn't stop data. Data is property. Digital photographs are the same as physical photographs from an ownership perspective.

However, the law and reality split.

Getting your hands on your data

Lets assume that Aunt Bessie has died. What now... well as her only heir you get everything.
All her encrypted files. All her data accounts. All her data is yours, but you can't get to it.

Unless Bessie provided something for you...

As Ellybabes pointed out in her Death and Divorce in the Digital World presentation, unless you leave someone the password, they are going to stay locked out.

There is a method... as was pointed out in the ‘Security Now!’ podcast (episode 72):

Today, while alive, I don’t want to give my sensitive stuff or passwords to anyone, including my wife. But when I eventually die or become very ill, I need to make sure that my family has access.
But I know my wife wouldn’t be able to figure it out to save her life. If I have TrueCrypted all of my data, have complex unguessable password schemes and so forth, how do I unwind all of that for the benefit of other people I care about in my life?

So what you could do would be give to your attorney who has your will, or in a safety deposit box, something where access will be granted in the event of something bad happening to you without your taking any action.
Here’s what I’m thinking is that you separate the information out. So one of the things TrueCrypt lets you do is have an image file and a password. You need both; right? Maybe give the attorney the password, maybe even put it in your will, and store the image file in a safety deposit box. Separate the two, to be opened on your death or whatever.

But if you change your password regularly... then the copy with the attorney is probably out of date.
You could always try to break in to the machine, or maybe you don't need to, after all, if the hard drive is not encrypted, you just need to put it in another machine. Right?

What if the machine isn't local. What if the data is on a remote server. Do you need to go get a wig and break in somewhere.

Well, if you want to keep the data, the answer might be yet.

No right of survivorship

Under the terms of service of Yahoo, which includes the photograph sharing service Flickr,
(section 27 Paragraph 4)No Right of Survivorship and Non-Transferability. You agree that your Yahoo! account is non-transferable and any rights to your Yahoo! ID or contents within your account terminate upon your death. Upon receipt of a copy of a death certificate, your account may be terminated and all contents therein permanently deleted.

Or if you prove that she's dead, you loose access to all her stuff permanently.

For the record, a spokesperson detailed how their system works...
Flickr works with the Yahoo! Legal Compliance team to resolve these types of situations. You'll need to send them a copy of the death certificate in order to have the Flickr
account closed. Please include their Yahoo! ID as well as their Flickr screen name for removal of the Flickr account. Compliance can be reached [via telephone and fax].

After a death certificate is received we are not able to
give access to the account but we can close it.

Memorial State

Sites like Facebook are a little more accommodating. According to a Facebook spokesperson
When it comes to our attention that a user has passed away, put the profile in a Memorial State. In the Memorial State, certain profile sections and features are hidden from view to protect the privacy of the departed. We encourage users to utilize groups and group discussions to mourn and remember the deceased.

I don't know what "Memorial State" means, but it does mean that the data is retained.

Not everywhere has such a formal response... I contacted the Irish based life data and the photo and social network

When I posed the question to Marcus MacInnes of he replied...
We do not have a specific policy dealing with the death of one of our users. Our policy on account access however is as follows:
We provide access to a user’s account only under one of the following conditions:
1.via our automated password recovery method;
2. if instructed to do so by a user’s legal personal representative (which may be the user themselves);
3. if we are required to do so by law.

In the event that the owner of an account dies, upon request, we would be obliged to surrender that account to the user’s legal personal representative (usually the executor of their will). The legal representative would then act in accordance with the wishes of the deceased and may for instance request deletion of the account.

And Joe Drumgoole of explained that
we haven't put the legal framework in place yet. Our intention is that all content gets assigned to the probate or estate and the executor gets to do his stuff. In situations where no estate exists or legal structures don't support it we will allow appropriate next of kin (spouse, children, siblings, parents etc.) with supporting documentation to take over the account. We will support an alternate contact to allow somebody else to recover the account but we depend on the user to keep this up to date.

Its definitely a tricky area and something we will be coming across more and more in the future.

Messages from beyond

Another complicating factor is that with more and more of s spending our lives on line. Frequently out virtual network of friends and "friends" are the only ones that the next of kin cannot contact, because all this data exists on remote servers. Do you have a local or hard copy of all your friends contact e-mail addresses or IM names? (Actually do you have a list of all your accounts?)

If you got access to Aunt Bessie's social network account, should "she" be the one sending the funeral notice. Is parking the account in a "Memorial State" the answer? Marcus MacInnes of explained
[the] moral issue which until your question, we had not fully considered. How would friends react to receiving an on-line message from someone whom they knew had recently died. We cannot assume that the custodian of the account would act in any given manner and it is not clear whether or not we have a moral responsibility to provide reasonable protection to our users from receiving messages via our platform which are likely to cause distress. An example of this may be when a custodian acts irresponsibly, either intentionally or unintentionally.

Because of my questions, their policies are being reviewed.

I would have loved to include details of the policies of other vendors, but only the above companies contacted my in time. If I get any more details I'll include them in the comments.

Take care,
William Knott

With kind thanks to John Looney of Google (for the tech and social angles) and Simon McGarr of (for the legal questions and answers) and for all the people quoted above for providing their perspectives.

tags : , , , legal, , , , , , , , , , , , , , , ,

Labels: , , , , , , , , , , , , , , ,


Post a Comment

Links to this post:

Create a Link

<< Home