Why digital death is about compassionate design but is vital to cybersecurity
A few years ago, I lost a beloved friend. He was a software developer and way too young to die. A few months after he died, I received a Skype message from his account; this ghostly Skype message stopped me in my tracks. Working in cybersecurity, of course, I knew it meant his account had been hacked; nonetheless, it upset me. A few years earlier, my niece had lost her husband; again, far too early. Not long after his death, my niece began receiving emails from her dead husband's account; you can imagine her feelings at that time.
Unfortunately, when people die, their online life persists; they may die, but their data lives on. Unfortunately, digital death is an area of identity management that is being left to rot as it is highly charged and complicated to resolve. However, if the industry does not fix this, the results will devastate friends and relatives, and dormant or 'ghost accounts' will open the door for cyber-attackers.
What’s the problem with dormant or ghost accounts
Ghost accounts may be associated with the dead, but they affect the living too. Any account that is left dormant is at risk. The number of such inactive accounts is surprising. Data for the UK, for example, shows that in 2019, almost 5 million inactive internet users were recorded as not having used online accounts in the previous three months. Digitization of services, such as banking, has created large pools of inactive accounts, with millions of accounts opened to test out new digital banking apps, that are left to stagnate as people forget about them or move back to traditional banks. The fact that online life is intrinsically tied to identifying yourself through creating an account at every juncture is driving a new generation of zombie accounts that stay around to haunt us when cybercriminals hijack them.
As we have seen, account takeover after death leads to emotional upset in loved ones. But these accounts can also provide the entry point into scams, phishing, ransomware attacks, and more. According to a report from fraud prevention vendor, Sift, account takeovers soared by over 131% in 2022; the digital death of ghost accounts must be an integral part of any account management system. But how can accounts owned by someone who no longer exists on this planet be closed? It's more complex than you'd think.
Closing the door on digitally dead accounts
My friend who died had many online accounts, and his widow, as she grieved, had to deal with them. Her experience was mixed. In a short interview, she told me how the lack of a joined-up approach to dealing with the accounts of deceased family members was the most challenging thing to deal with. UK government departments have a coordinated approach to dealing with government-related digital services. In the UK, the "Tell Us Once service" provides an online portal to notify government services of the death of a person so that related accounts can be closed.
However, government accounts aside, other online life, such as social media, email, retailer accounts, etc., are not so easy to deal with; as my friend's widow told me about either closing or taking over her dead husband's accounts, "I didn't realise it would be as hard as it was."
My friend's widow explained that while there were processes to close accounts, it became difficult as she had to supply multiple copies of the hard copy death certificate and various other documentation to prove her relationship. Often these had to be posted out as hard copies. Also, my friend was married, but those not officially wed to another person, or other relatives, will have to ensure we have the suitable types of documentation at hand to process account closure. Finally, if someone dies young, without having made a will or having set up a notary, closing an account post-death will be very difficult.
The problem with closing or the legitimate taking over of the accounts of the deceased are not just a technical consideration. For example, email accounts can be viewed as a modern-day equivalent of the letters our grandparents may have kept in a box; this box of letters was only opened once they had passed on to reveal secrets of their past lives. When a person dies, their email account holds precious insights into a loved one's life. But, of course, it may also reveal information that is best left unread.
Social media may have a similar role in remembrance. Social media posts and photos provide a memory box for the bereaved. Email and other personal information stores are not necessarily best dealt with using an on/off switch. Delegation is an essential aspect of digital death.
One positive advance in digital death is that most social media platforms offer the ability to 'memorialize' an account. This is where the account is locked and held in the form of stasis to allow friends and family to remember their loved ones.
Online subscriptions are another related area that needs a digital death process. Chances are, when you die, your loved ones will have to deal with copious online subscriptions, many of them with associated accounts that hold personal and financial data, which opens the can of worms in terms of the privacy rights of the dead.
Privacy is not typically equated with dead people. After fall, who cares if you have not consented to share your name and address if you aren't alive anymore to complain? Some systems, such as medical data repositories, will be regulated, with data requiring deletion after X years (depending on the legislation). But the lifetime of other data, including search data, is fuzzier. The various EU states use the GDPR's "Right to Erasure" to encompass privacy rights post-death. In France, for example, the French Data Protection Act provides a framework for individuals to set out guidelines on the storage, communication, and erasure of their data after they die.
Leaving an account dormant is not an answer; Gmail accounts must have been inactive for 24 months before Google will consider it idle and delete the content. No doubt, Google will have pondered the best timing for this. Still, two years is a long time to leave an account open with credential stuffing attacks affecting popular accounts such as PayPal: PayPal, interestingly, adds a charge to any inactive account after 12 months; not sure how dead people will pay this charge.
As technology advances, the control of accounts is ever more complicated. For example, it may be a good idea to leave a list of accounts and login credentials with a solicitor in a will; those left behind could use them to log in and deactivate, memorialise, or delete old accounts. However, as MFA and biometric logins become common unless you leave your hand or face behind, post-death login might be tricky, especially if a liveliness check is needed.
The tricky balancing act of security, compassion, and control
Since my friend died in 2016, there have been attempts to create processes to deal with death. However, these processes are painful, lengthy, and have edge cases that will leave accounts open to abuse. The problem with "closing the barn door after the horse has bolted," or in other words, not closing accounts until after someone has died, is that it reflects poor system design.
I mentioned delegation earlier; this is where an account may be associated with another person. Delegation usually happens as part of account registration or shortly after that, not as an afterthought once someone dies. But delegation is a tricky balance of security, verification, and consent. This article is not about the intricacies of developing delegation in an identity management system, but suffice to say, it involves a mix of technical protocols, flexible delegation and management policies, an exceptional UI/UX, and a legal framework to underpin it.
The fact is that digital death is a vital tool for security, privacy, and peace of mind. Therefore, digital death capability must become a function within any system that creates an account containing personal data. Digital death should be legislated for, but legislation alone cannot fix this issue.
It used to be that when someone died, you had to clear out their house and belongings; that was a bad enough task. However, as we increasingly move into an age where everything is digitized, including our identity, our loved ones will have to do a digital clearance alongside a house clear-out. Death is an important life event and a vital aspect of a digital identity system that reflects our life history and uses our data. Any identity-related service, including a digital wallet, must deal with these most complex use cases.
Clever people in the tech industry, such as Kaliya Hamlin in tech and digital death and Edina Harbinja on the legalities of postmortal privacy, have explored this thorny subject for many years. But it will take industry acceptance of the joint responsibility of personal data to take this forward. Legislation is the key to driving digital death capability, but the industry also needs the tools and legal framework to act upon the legislative requirements.
More from Cybernews:
Subscribe to our newsletter