Will credentials


I’m going to be dealing with the final taboo, I hope that doesn’t make you uncomfortable.

The question at hand is what happens to our digital assets when we die, and how do we deal with the identity management issues intertwined with this?

So far it seems that this hasn’t been a problem large enough to deserve legislative and policy attention, but I suspect that’s a result of demographics. Old people don’t use as many online services as younger digital natives; but that’s changing as online services become more ubiquitous and grannies sign up for social networking utilities so that they can see photos of their family. It’s also a problem that will get worse over time; none of us is getting any younger, and the variety and usage of online services grows each day.

For services anchored in the real world like banking and utilities it would seem that the normal rules apply; accounts get closed down, or transferred, as appropriate. But even here there are issues, as online statements and billing remove the paper trail. If I have an online only deposit account then who even knows apart from me, the holding institution and the taxman?

Pure virtual services are clearly more problematic. If my contact book is in the cloud then who gets invited to the wake (and do digital Dunbar numbers mean a much bigger catering order)? If my photos are online how do they get passed on to my kids? Can my MMORPG artefact weapon be handed down from virtual father to virtual son (or at least can my crew keep my inventory)? This should be taken care of by the EULA or service agreement. I checked a few and found nothing. In most cases we have precious few rights even when we’re alive and kicking, so it’s no surprise that there’s no provision for when we’re dead. Maybe Richard Stallman is right to caution that we should all keep local copies of our data.

So what should be happening? Here are a few ideas:

  • Service registries – a place where the online services used by an individual can be gathered together.
  • Escrow credentials – so that next of kin (or executors) can access services on behalf of the deceased.
  • ‘Last post’ provisions – for that final (micro)blog post, email or whatever to say goodbye.
  • EULAs and service agreements with transferable rights.

Perhaps all of these things could be brought together into one service, a sort of digital undertaker. The link to identity is however key. As our needs for stronger proofing and tokens become more widespread the problem of identity inheritance (or in some cases identity delegation) become less abstract and less tractable. These things could also become features of emerging federated identity services, but in that case what would be the regulatory framework, and how do we deal with crossing jurisdictional boundaries?

8 Responses to “Will credentials”

  1. 1 Nick

    This is a highly interesting point, Chris. It’s one I’ve recently dealt with (after the death of a loved one) and one I’ve not heard raised by anyone who was not experiencing it himself.

    In my case, I had a full power of attorney for the decedent during his life, and also was an executor of the will. I am SO not a lawyer. Interestingly, while a PoA expires at death, I was able to do things like transfer funds, commingle assets and sell shares, justifying my actions under the same theory that allows an executor to go and lock the doors or change the locks of a decedent’s house to prevent break-in, thus maintaining the value of the assets belonging to the estate. I’d bet that several institutions should not have accepted the PoA but they did. I used it to deal with issues such as online brokerages, online banks etc that tidied up the estate before and just after the death.

    I also had the challenge of dealing with some digital assets (due to the age of the decedent these were relatively meager, but digital assets they were). Here I am positive that I should not have had the PoA accepted, and I realized that in essentially social-engineering control of the digital effects (to paraphrase George Carlin, ever notice that all your shit is stuff until you die, at which point they instantly become your, ‘effects’?) I was both protecting the assets and breaking at a minimum the terms of use under which they were accepted by the online entity. After some time, I did end up showing proof that I was an executor of the estate, and that was sufficient to gain access to remaining online effects and carry out things like ‘last post’ etc.

    Your calls for service registries, EULA provisions and last post provisions are spot on (for a number of reasons I can’t go into here); I wonder about the escrow credentials – I think surely this is covered by the executor function? Are you suggesting that the credentials be escrowed for someone who is not an executor but who nonetheless was declared as ‘trusted’ by the decedent during his life to handle digital assets? Isn’t this simply another function of the executor?

    • 2 Chris Swan

      Nick, I’m sorry to hear about your loss.

      Let me clarify the point about escrow credentials. I don’t think there’s any need to change the executor function; but there probably is a need for executors to have break glass access to credentials. A quick and dirty fix that might work right now would be existing username/password pairs, but perhaps in time this could become special delegate keys (with perhaps limited actions associated with the delegated role).

      Your comment also raises for me questions around how things like PoA and proof of being an executor get transferred into the digital realm. I’m guessing that you spent a lot of time on help lines and sending faxes/copies of paper documents to get through what you did. This was almost certainly frustrating and time consuming for you, but I expect it was also a costly exercise for the service providers. How things might be different if you could present digital tokens instead (within the context of a well understood legal framework like we already have for PoA and executors).

      • 3 Nick

        You’ve hit it exactly right: costly to them, infuriating for me and traumatic for both of us after I got through yelling (I can imagine the NICE system logs for my calls: ‘Customer is angry. Customer is yelling. Customer has invoked your competitor name. Customer is unsnapping his holster…’) Digital executor credentials would solve quite a bit, and raise some opportunities as well. Again, great post and well worth considering further.

  2. Chris,
    Here are a few services that are related:
    More can be done. But it’s a start.
    – Ashish

  3. 5 Chris Swan

    Cory just asked much the same question over at http://www.boingboing.net/2009/05/27/what-will-happen-to.html, and I guess the conversation will be much more lively there.

  4. 7 Chris Swan

    I didn’t realise that Thursday was ‘Digital Death Day’. The BBC has an article about it – http://news.bbc.co.uk/1/hi/technology/8691238.stm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: