What happens to your online accounts when you die?
The digital entropy of death
BSides Manchester: What happens to the numerous user logins you've accumulated after you die or become too infirm to manipulate a keyboard?
Some people have a plan, the digital equivalent of a living will, or have chosen the "family" option in a password management package such as LastPass, or have entrusted a book of passwords to a family member.
But the consequences of doing nothing are not as neutral as some might expect and were spelled out during an informative presentation by Chris Boyd of Malwarebytes at BSides in Manchester on Thursday. The presentation, cheerily titled "The digital entropy of death", covered what could happen to your carefully curated online presence after you log off.
The dormant accounts of the deceased can be abused, warns Malwarebytes' Chris Boyd. Pic: John Leyden
Miscreants are already targeting obviously abandoned profiles. Boyd explained that in some cases it's easier for fraudsters to gain hold of these accounts than it is for the account-holders' relatives, because crooks know the systems better and controls, although present, are often deeply embedded on sites such as Facebook, Twitter et al.
"Facebook users have reported receiving friend requests from accounts associated with dead friends and family members," The Independent reports. "Such requests appear to be the result of cloning or hacking scams that see criminals try [to] add people on the site, and then use that friendship as a way of stealing money from them or running other cons."
Social media accounts are, of course, just the tip of the iceberg. Most people these days run 100+ accounts, as figures from password management software apps show. These figures are only increasing over time. Some sites are managing the inevitability of their users shuffling off this mortal coil with features designed to deactivate accounts after months of inactivity or other features, Boyd explained in a recent blog post:
Many sites now offer a way for relatives and executors to memorialise, or just delete, an account. In other circumstances, services would rather you 'self-manage' and plan ahead for your own demise (cheerful!) by setting a ticking timer. If the account is inactive for the specified length of time, then into the great digital ether it goes.
While a lot of services don’t openly advertise what to do in the event of a death on their website, they will give advice should you contact them, whether social network, email service, or web host. When there’s no option available, though, people will forge their own path and take care of their so-called 'digital estate planning' themselves.
Users would be ill-advised to leave everything to their next of kin. "Do some pre-handover diligence, and take some time to ensure everything is locked down tight," Boyd explained. "If there’s anything hugely important you need them to know, tell them in advance."
People may have made digital purchases tied to certain platforms, such as games on Steam, or music on iTunes or Spotify.
"Legally, when you go, so do your files (in as much as anything you can’t download and keep locally is gone forever)," Boyd explained. "That’s because you’re buying into a licence to use a thing, as opposed to buying the thing itself."
There’s nothing stopping someone from passing on a login to a family member so they can continue to make use of all the purchased content, at least for now. Boyd predicted that at some point, all of our digital accounts tied to financial purchases will have some sort of average human lifespan timer attached to them.
Millennials mark the first generation not to know life before an always-on, everywhere internet, which will become the norm from now on. "Younger generations absolutely will demand reforms to the way we think about digital content, ownership, and inheritance," Boyd concluded. ®
As well as the inevitable rise and fall of social media sites (e.g. MySpace) and web 2.0 services, there is also the issue of link rot, the phenomenon of more and more URLs not working over time. This issue is covered by Boyd in another recent blog post.