Will credentials
I’m going to be dealing with the final taboo, I hope that doesn’t make you uncomfortable.
The question at hand is what happens to our digital assets when we die, and how do we deal with the identity management issues intertwined with this?
So far it seems that this hasn’t been a problem large enough to deserve legislative and policy attention, but I suspect that’s a result of demographics. Old people don’t use as many online services as younger digital natives; but that’s changing as online services become more ubiquitous and grannies sign up for social networking utilities so that they can see photos of their family. It’s also a problem that will get worse over time; none of us is getting any younger, and the variety and usage of online services grows each day.
For services anchored in the real world like banking and utilities it would seem that the normal rules apply; accounts get closed down, or transferred, as appropriate. But even here there are issues, as online statements and billing remove the paper trail. If I have an online only deposit account then who even knows apart from me, the holding institution and the taxman?
Pure virtual services are clearly more problematic. If my contact book is in the cloud then who gets invited to the wake (and do digital Dunbar numbers mean a much bigger catering order)? If my photos are online how do they get passed on to my kids? Can my MMORPG artefact weapon be handed down from virtual father to virtual son (or at least can my crew keep my inventory)? This should be taken care of by the EULA or service agreement. I checked a few and found nothing. In most cases we have precious few rights even when we’re alive and kicking, so it’s no surprise that there’s no provision for when we’re dead. Maybe Richard Stallman is right to caution that we should all keep local copies of our data.
So what should be happening? Here are a few ideas:
- Service registries – a place where the online services used by an individual can be gathered together.
- Escrow credentials – so that next of kin (or executors) can access services on behalf of the deceased.
- ‘Last post’ provisions – for that final (micro)blog post, email or whatever to say goodbye.
- EULAs and service agreements with transferable rights.
Perhaps all of these things could be brought together into one service, a sort of digital undertaker. The link to identity is however key. As our needs for stronger proofing and tokens become more widespread the problem of identity inheritance (or in some cases identity delegation) become less abstract and less tractable. These things could also become features of emerging federated identity services, but in that case what would be the regulatory framework, and how do we deal with crossing jurisdictional boundaries?
Filed under: identity | 8 Comments
Subscribe
Recent Comments
Tim Coote on Ross Anderson RIP iain on Skiing in Espace Killy (Val… Chris Swan on Getting more from a British Ga… Murray Cowell on Getting more from a British Ga… JL on AI MacGuffin 
Pinboard.in bookmarks- Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
- AI isn't useless. But is it worth it?
- Pluralistic: The true post-cyberpunk hero is a noir forensic accountant
- Subaru battery drain due to missing 3G network
- Paying maintainers: the HOWTO
- SARS-CoV-2 airborne infection probability estimated by using indoor carbon dioxide | Environmental Science and Pollution Research
- An unbiased evaluation of environment management and packaging tools
- Computer says no: British judge refuses to cancel divorce resulting from computer mistake
- Philosophy Museum
- Royal Navy offer must improve to attract and retain staff – you can't motivate an empty chair
Chris Swan's Weblog 
This is a highly interesting point, Chris. It’s one I’ve recently dealt with (after the death of a loved one) and one I’ve not heard raised by anyone who was not experiencing it himself.
In my case, I had a full power of attorney for the decedent during his life, and also was an executor of the will. I am SO not a lawyer. Interestingly, while a PoA expires at death, I was able to do things like transfer funds, commingle assets and sell shares, justifying my actions under the same theory that allows an executor to go and lock the doors or change the locks of a decedent’s house to prevent break-in, thus maintaining the value of the assets belonging to the estate. I’d bet that several institutions should not have accepted the PoA but they did. I used it to deal with issues such as online brokerages, online banks etc that tidied up the estate before and just after the death.
I also had the challenge of dealing with some digital assets (due to the age of the decedent these were relatively meager, but digital assets they were). Here I am positive that I should not have had the PoA accepted, and I realized that in essentially social-engineering control of the digital effects (to paraphrase George Carlin, ever notice that all your shit is stuff until you die, at which point they instantly become your, ‘effects’?) I was both protecting the assets and breaking at a minimum the terms of use under which they were accepted by the online entity. After some time, I did end up showing proof that I was an executor of the estate, and that was sufficient to gain access to remaining online effects and carry out things like ‘last post’ etc.
Your calls for service registries, EULA provisions and last post provisions are spot on (for a number of reasons I can’t go into here); I wonder about the escrow credentials – I think surely this is covered by the executor function? Are you suggesting that the credentials be escrowed for someone who is not an executor but who nonetheless was declared as ‘trusted’ by the decedent during his life to handle digital assets? Isn’t this simply another function of the executor?
Nick, I’m sorry to hear about your loss.
Let me clarify the point about escrow credentials. I don’t think there’s any need to change the executor function; but there probably is a need for executors to have break glass access to credentials. A quick and dirty fix that might work right now would be existing username/password pairs, but perhaps in time this could become special delegate keys (with perhaps limited actions associated with the delegated role).
Your comment also raises for me questions around how things like PoA and proof of being an executor get transferred into the digital realm. I’m guessing that you spent a lot of time on help lines and sending faxes/copies of paper documents to get through what you did. This was almost certainly frustrating and time consuming for you, but I expect it was also a costly exercise for the service providers. How things might be different if you could present digital tokens instead (within the context of a well understood legal framework like we already have for PoA and executors).
You’ve hit it exactly right: costly to them, infuriating for me and traumatic for both of us after I got through yelling (I can imagine the NICE system logs for my calls: ‘Customer is angry. Customer is yelling. Customer has invoked your competitor name. Customer is unsnapping his holster…’) Digital executor credentials would solve quite a bit, and raise some opportunities as well. Again, great post and well worth considering further.
Chris,
Here are a few services that are related:
– https://www.legacylocker.com/
– http://www.deathswitch.com/
More can be done. But it’s a start.
– Ashish
itickr.com
Cory just asked much the same question over at http://www.boingboing.net/2009/05/27/what-will-happen-to.html, and I guess the conversation will be much more lively there.
More from Cory here http://www.guardian.co.uk/technology/2009/jun/30/data-protection-internet, and some analysis and links to other material from Robin Wilton at http://futureidentity.blogspot.com/2009/06/doctorows-diy-digital-deed-box.html
I didn’t realise that Thursday was ‘Digital Death Day’. The BBC has an article about it – http://news.bbc.co.uk/1/hi/technology/8691238.stm
PassMyWill