February 1 was informally designated as “Change Your Password Day,” and a good collection of articles is available at Lifehacker.com about how to test the strength of your passwords, how to update your passwords with “strong” passwords, and a list of software and services to help you keep track of all of your “strong” passwords. This is also a good time to update your list of passwords, online accounts, and digital property for your estate plan.
News services reported this week that the e–mail account of the president of Syria was hacked by the “Anonymous” group, and that the password he used was “12345.” More details are in this article by Stephen Webster at Raw Story. On one hand, that’s not surprising, because five of the top ten most frequently–used passwords are “123456,” “12345,” “123456789,” “1234567,” and “12345678” (link).
Personally, I like a password and account list that is secure, easy to update, convenient to use, and portable so it’s always with me (or it needs to sync automatically with all my devices, including my iPhone and my iPad). You could use a written list, but that isn’t very secure (and if you store it securely, it isn’t very easy to update). I prefer an encrypted electronic list. Some of the most popular software tools are LastPass, 1Password, KeePass, RoboForm, and Keeper. If you use an encrypted electronic list, make sure you write down instructions for your fiduciaries so they can find it and access it if you are incapacitated or deceased (store the written instructions in a safe deposit box, home safe, etc.).
One of my favorite features of LastPass and similar software tools is that they can integrate securely with my Web browser to automatically fill in my username and password (after I’ve typed in my master password when I first start my Web browser), so that I don’t need to manually type any of my “strong” passwords. LastPass and similar software tools also can generate “strong” passwords when you register for a new Web service or when you choose to change your password for a Web service—and they can fill in the new password automatically for you so you don’t make a typo.
In addition to these software tools, there are a number of Web services that are specifically designed to hold an electronic list of your passwords and online accounts while you are alive, then the service will turn over your list to your duly–authorized fiduciary after you die.
It’s essential to plan ahead with a list of passwords so that fiduciaries and family members have full access to your smartphones, tablet devices, computers, and encrypted data storage. For data that is protected by a strong password plus strong encryption, it may be practically impossible to access the data without the password. But what about online accounts?
I want to stop here and draw an important distinction between access to “the account itself” and “the contents” of an online account after a person becomes incapacitated or dies.
First, the Terms of Service contracts on the major Web services—Microsoft, Google, Yahoo!, Facebook, YouTube, Twitter, eBay, PayPal, etc.—say that “the account itself” is not transferrable or only transferrable with permission. Second, most major Web services won’t reveal or reset the password of an incapacitated or deceased person, so the family members and fiduciaries aren’t able to fully access “the account itself” unless they know the incapacitated or deceased person’s password. Third, if you give fiduciaries and family members your password, letting them access “the account itself” may violate the Terms of Service contract on Web services (which might violate criminal laws—see below). Fourth, some Terms of Service contracts, like the one for Yahoo!, say that a user’s account terminates at death.
In my opinion, full access to “the account itself” for a typical online account isn’t all that valuable to family members or fiduciaries. “The contents” of the online account are where the financial or sentimental value is located. Family members generally want access to and copies of the deceased person’s e–mail contents, photos, videos, music, intellectual property, etc. There are exceptions to this. A Twitter account has followers. A Facebook account has friends. An eBay account has a reputation. For these types of accounts, “the account itself” does have value—but these are probably limited to the business world—the commercial value of followers, friends, or a reputation.
For the most part, the goal of estate planning for most online accounts is to plan ahead so that the duly–appointed fiduciary or family members can find and then obtain “the contents” of the online account—the electronic data—from the Web services after the account holder dies or becomes incapacitated, which can be done even if we don’t know the account password. Planning ahead by leaving a list of your online accounts for your family members and fiduciaries is an important step because it helps the duly–appointed fiduciary locate valuable or significant digital property. Armed with that list of accounts, the duly–appointed fiduciary can request copies of the contents of a deceased person’s Facebook account, e–mail account, and many other types of online accounts. However, as I mentioned above, using a deceased person’s passwords to access “the account itself” may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. On the other hand, having the duly–appointed fiduciary request a copy of “the contents” of the account should not be construed as “unauthorized access,” although some Web services have insisted on a court order authorizing disclosure of “the contents” of the online account citing privacy concerns. The bottom line is that I still recommend planning ahead by keeping a list of passwords to your online accounts, but a critical issue for your fiduciary to consider is whether to use the passwords to access your online accounts (“the account itself”) or whether to just request “the contents”—because of the potential application of these criminal laws.
All fifty states and the federal government have enacted criminal laws penalizing unauthorized access to computer systems and types of private or protected personal data. These laws generally provide consumer protection against fraud and identity theft, but these criminal laws may also have a chilling effect on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. The Terms of Service contracts at some major Web services, including Facebook and Microsoft’s Hotmail, specifically prohibit you from allowing anyone else to access your account.
The U.S. Department of Justice asserts that § 1030(a)(2) of the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime for violating the CFAA when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position was stated by Richard Downing, Deputy Chief of the DOJ’s Computer Crime and Intellectual Property Section, Criminal Division, in testimony presented on November 15, 2011, before the U.S. House Committee on Judiciary, Subcommittee on Crime, Terrorism, and National Security. However, Mr. Downing also testified, “Let me be very clear that the DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don’t have time or resources to do that.”
On the other hand, there’s an ongoing Michigan case where Leon Walker has been charged with a felony for allegedly accessing his wife’s e–mails from her Google Gmail account. On December 27, 2011, the Michigan Court of Appeals issued an opinion addressing the issue of whether Mr. Walker’s alleged conduct falls within the scope of Michigan’s criminal law on unauthorized computer access, and they held that “the prosecutor presented sufficient evidence of each element of unauthorized access of a computer, MCL 752.795, to support the district court’s decision to bind defendant over for trial.”
If you plan ahead by specifically authorizing a fiduciary under a Durable Power of Attorney (a “digital power of attorney”) or under a Last Will and Testament or Revocable Trust Agreement to access your online accounts during incapacity or after death, would that solve this potential problem of “unauthorized access” by the fiduciary? While that would clarify your intent, I’m not sure whether that is enough because there’s a potential second layer to this problem. If the Terms of Service contract prohibits you from allowing anyone else to access your account, like the Terms of Service contracts of Facebook and Microsoft’s Hotmail, then it may not matter whether you specifically authorized the fiduciary to access your account—the fiduciary isn’t authorized to access the account under the Terms of Service contract, so a fiduciary’s access to “the account itself” may be construed as “unauthorized access” under these criminal laws.
It will be very interesting whether this Michigan case and the testimony from the Department of Justice will have a chilling effect on fiduciaries who are considering accessing a decedent’s online accounts (“the account itself”) using the decedent’s password. As I mentioned above, the safer course of action for now is to have the duly–appointed fiduciary request a copy of “the contents” of the account, and that should not be construed as “unauthorized access.”