Safer Computing By David Frier: Death and Taxes
Death and Taxes. With enough lawyers you can avoid most of the taxes, but as sure as I am typing these words, and you are reading them, every one of us is going to die.
While we each have a will to cover our possessions and assets, how many of us include in that document what to do about digital assets? More to the point – if someone dies and leaves no will, the law is reasonably straightforward about what to with their possessions and finances. But our legal system has not yet really begun to address consistently what to do with the dear departed’s Facebook or Twitter accounts, their email, websites, and so on. These are digital assets but there’s not necessarily a physical item that corresponds to any of them. To make sure these are handled according to my wishes after I die, I have made a “data will.” Note: I am not a lawyer and this is not legal advice. If you want your “data will” to be enforceable as part of your actual last will and testament, you must consult a lawyer.
What’s in a data will? This will differ in the details for everyone but I think these major sections are a good starting point. First and foremost, passwords.
If you are using some kind of password management tool as I suggested in last month’s column, this will be easy. You will only need to tell your survivors where the password data resides, and what is the master password to gain access to it. If there’s no password manager wrangling all your individual passwords, you’ll have to list them all in this document, or an attachment. The password list or manager also provides a map of where you had an online presence and business or personal relationships, which will help in other ways.
If some of your online accounts have two-factor authentication such as an app on your phone that generates a 6-digit code when logging in from a new device, etc., make sure the document details where to find that, and how to use it. Also, include information on how to unlock your phone!
Email is still a fundamental service in the online world, and especially so when it’s the focal point for most sites’ password-reset processes. So make sure your document includes an abundance of information as to where your email is delivered, how to log into it, and pointers to the password manager entries for the email password (or the email password itself).
You may wish some of your online accounts and services to continue running. For example, you may host a family website, or use a backup service that includes your spouse’s or other family members’ data. Instructions as to what should be kept going vs. what can safely be shut down will be useful here. Also consider that any auto-pay arrangements, such as monthly or annual billing to a certain credit card or via PayPal, might not be obvious to your loved ones. Make these arrangements explicit in this document.
Finally, how to notify online friends and colleagues of your death. Many of us are members of virtual communities that might not have visibility to other more traditional ways our death would be communicated, such as local obituaries or even Facebook pages. If you are a member of professional mailing lists or other such niches of cyberspace, make sure your survivors will know how to send a notification to those communities. You may have been working on a joint project at the time of your death: it’s only polite to let the team know you won’t be at the next meeting.
Once you have completed this awesome document, you have two main things to worry about: How to make sure it has the desired effect once it’s needed, and how to keep it safe, meanwhile. I mentioned above that if you want it to be legally enforceable, then you need to consult with a lawyer as to how to make it part of, or an attachment to, your will. Be sure to confirm whether or not it will become part of the public record — if so, you will want to work with your lawyer to conceal the passwords and other sensitive information in your document.
As for the security of the document while you’re still alive, I refer back to the three most basic concepts of information security: Confidentiality, Integrity and Availability. All three of those apply here, with very high stakes. You need to be sure the document is not disclosed to anyone unauthorized, that it is not altered without your knowledge, and that your survivors can get to it after your death without serious obstacles. There are a lot of ways to accomplish each of these three things, but what I will delve into in next month’s column is document storage “in the Cloud”, and how that can address all three of these concerns.
Reader Letter of the Month:
Rob H writes,
I have heard that email cannot be considered confidential, yet I have to log in and provide a password to read or send it, and so do my correspondents. So aside from that time I made the mistake of cc’ing the whole softball team on a… private… note to my boyfriend, is this really a problem? And if so, what can I do about it?
Oh, Rob – who among us has not realized, mere seconds after sending, that we hit Reply-All when we really should have hit Reply. Hopefully if your suggestions were more explicit, at least the softball team were all adults. And adult about it. But you do illustrate with this example a basic problem we all struggle with when it comes to email. The original design of the “email” messaging standard simply did not have much about security among its starting requirements. Its mission was to get a block of text from point A to point B or report back some possibly-helpful error condition if it could not. Maybe you don’t think of 1982 as a kinder, simpler time but that’s what it was.
All of the security aspects of email that we see now were added on, and it all doesn’t necessarily work seamlessly. If I want to send my friend Don an email and I want the content encrypted as it travels between my PC and Don’s, I have to do that differently depending on whether we’re using a corporate email system such as Exchange or Lotus Notes, straight Internet email protocols like SMTP, POP3 or IMAP, or webmail such RoadRunner, Yahoo or GMail. For some combinations of my mailbox and Don’s, it might not even be possible to encrypt the message end-to-end because at some point in the string of hand-offs, one encryption scheme simply doesn’t talk to the next one.
Accordingly, the safest course is to consider email to be like mailing paper postcards: anyone who wants to can probably read yours, without trying too hard.
Please continue send your awesome questions to firstname.lastname@example.org and I will try to answer at least one every month. No question is silly!
One final note: on Sept. 20, I will be teaching an InQueery session on Safer Email. Come out and learn how not to be taken in by the great variety of email scams and spams. 6:30 p.m. at the LGBTQ Resource Center, 100 College Ave.