Tips From Security Experts on Choosing and Storing Passwords

One of the most frequently asked questions I hear when I talk about estate planning for digital property is, “How should I choose and store secure passwords for my accounts?” There’s a great July 10, 2013, article by Dan Goodin on Ars Technica asking this question to five computer security experts, including security technologist, cryptographer, and author Bruce Schneier (his blog and his books are excellent). The article has some helpful password tips, and it’s interesting to see the differences in how the security experts store their passwords!

I’ve written about choosing and storing secure passwords before. As I’ve mentioned, Microsoft generally recommends using a different strong password for each account, and choose strong passwords that are at least fourteen characters long, using a mix of uppercase letters, lowercase letters, numbers, and symbols.

When it comes to storing your passwords and keeping them up-to-date, my general recommendation is to choose a system that you’ll actually use. A written list may work well for you because it’s easy to create. A written list is much better than doing nothing, but a written list may be insecure and less convenient to update and to keep with you all the time. An electronic list can be much more secure (encrypted) than a written list, and a wide variety of easy-to-use tools are available to help you create and manage your electronic password list. Look for electronic password list software or an electronic password list Website that is easy-to-update, convenient, and secure (encrypted).

Some of the popular software tools that you can install on your computer or smartphone include Dashlane, LastPass, 1Password, KeePass, RoboForm, and Keeper. Several of these software tools are mentioned and used by the five security experts interviewed in the Ars Technica article above. Make sure that you write down instructions for your fiduciaries so they can find and access your electronic password list if you are incapacitated or deceased (store the written instructions in a secure location like a safe deposit box, home safe, etc.).

Some of the popular Web-based electronic password list services (accessed through a Web browser) offer a mechanism for authorized fiduciaries or family members to access your electronic password list if you are incapacitated or deceased. You tell the company in advance which key people can unlock this information at the appropriate time, and, after being contacted by that fiduciary or family member, the company will grant access after a verification procedure. Some of these services also can store scans of your important legal documents, including financial powers of attorney, health care directives, wills, trusts, deeds, and insurance policies. Some of the popular Web-based electronic password list services include AfterSteps, AssetLock, Assets In Order, Deathswitch, EstateMap, Estate++, E-Z-Safe, LegacyLocker, SecureSafe, and World Without Me. Check out their Web sites for more information on the services and features that they offer.

Posted in General | Tagged , , , , , , , , , | Comments Off on Tips From Security Experts on Choosing and Storing Passwords

Video Clip: What Happens to E-mail, Facebook, and iTunes After You Die?

Minnesota’s KSTP-TV Eyewitness News ran a five-minute video story on May 2, 2013, by Tom Hauser on what happens to your Apple iTunes purchases, e-mail accounts, Facebook account, and other online accounts after you die. I had the pleasure of being interviewed for the story, and Mark Lanterman, CEO and CTO of Computer Forensic Services, was also interviewed. You can read the text story and watch the video story at the following link: http://kstp.com/news/stories/S3020243.shtml

I was also interviewed for an April 30, 2013, story on WNYC public radio by Stan Alcorn. You can read the text of the story and listen to the audio recording at the following link: http://www.wnyc.org/shows/newtechcity/blogs/new-tech-city-blog/2013/apr/30/three-barriers-make-it-hard-pass-digital-accounts-after-death/

Technology is changing the way we interact with people and transact business. We are accumulating valuable and important electronic data in our smartphones, computers, and online accounts. We need to plan ahead for our data and online accounts so that our fiduciaries and family members can receive that data after we become incapacitated and after we die.

First, you should make a list of any valuable or important data, online accounts, and digital property. This could be a written list or an electronic list stored in your smartphone, in your computer, or in an online account. Make sure to include where each account or digital property item is, how you access it, and why it’s valuable or important to you. And, make sure to keep the list up-to-date!

Second, you should contact your estate planning attorney to include your digital property in your estate plan. Make sure your estate plan appoints a fiduciary to act on your behalf with respect to your digital property (as well as for all your other property) during incapacity and after death. This may include preparing a durable power of attorney, a will, and a revocable living trust, if appropriate for your situation—please contact your estate planning attorney for tax and legal advice about your specific facts and circumstances. And, make sure your estate plan authorizes the companies that hold your electronic data to release that data to your fiduciaries during your incapacity and after your death.

Planning ahead for your digital property is essential to arrange for full access to your data, to keep estate administration costs down, to provide for a smooth estate administration, and to ensure that none of your valuable or important digital property is overlooked. If you haven’t planned ahead, a computer forensics expert may be able to recover and access data from your smartphone or your computer. But, it may be practically impossible to retrieve the data from your online accounts if you haven’t planned ahead!

Contact your estate planning attorney today to include your digital property in your estate plan!

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , , , , | Comments Off on Video Clip: What Happens to E-mail, Facebook, and iTunes After You Die?

Google Users Can Now Plan Ahead for Incapacity and Death for their Google Data

If you use Google’s Gmail service or one of its other popular services, Google has new user account settings that are helpful for digital estate planning purposes. With these settings, you can direct Google to send your Gmail messages and your other Google data to a trusted person after your Google account “times out” due to inactivity. You can also set how many months (3, 6, 9, or 12) before your Google account “times out,” and Google will send you a warning before that happens.

In other words, you could set it up so that, if you haven’t logged in to your Google account within the last three months (e.g., due to incapacity or death), then Google should send your Google Gmail (e–mail) messages, your documents stored on Google Drive, and your data from other selected Google services to your spouse, to one or more of your children, or to someone else. You can select up to 10 people to receive a notification that your account is closed and, if you choose you can also send one or more of those people Google account data that you select (e.g., you can send your Google Gmail messages to one person and your Google Drive documents to someone else). You designate these people with an e–mail address and, if you choose to send them your data, with a mobile phone number also. One challenge with this is that the person you designate to receive your data may not be able to receive your data because they changed e–mail accounts, because they changed phone numbers, because they are incapacitated, or because they are deceased. So, consider naming more than one person to receive your Gmail messages and other Google data, and keep those e–mail accounts and phone numbers up–to–date. Also make sure to update your designated recipients if you get divorced or if a designated person dies.

Although these new Google account settings allow you to give your Gmail messages and other Google data to someone else during incapacity or after death, these settings do not transfer “the account itself”—just the data in the account. Google’s current policy is not to transfer one user’s account to another user.

Another option that these new Google account settings allow is to delete your Google account and your Google data after your account “times out.” Unfortunately, it’s an all–or–nothing setting (e.g., you can’t specify to delete your Google Gmail messages but preserve your Google Drive documents).

These new settings are called the “Inactive Account Manager,” which is under the Account Management heading [December 2013 update: Google recently moved the Inactive Account Manager settings under the Data Tools heading] of your Account section of your Google account settings. Note that this is not in your Gmail settings—instead, you need to navigate to your Google account page, which has this Web address: https://www.google.com/settings/account [December 2013 update: you can now use this Web address to go directly to Google’s Data Tools settings: https://www.google.com/settings/datatools]. For more information about these new settings, read Google’s Public Policy Blog posting from April 11, 2013.

Hopefully, other online account providers like Apple, Facebook, Microsoft, Yahoo!, and others will offer similar account settings so that users can plan ahead for what happens to their e–mail accounts and other online account data during incapacity and after death. As I’ve mentioned before, it’s important to integrate digital property into your estate plan. You should plan ahead for incapacity and death with respect to your online accounts and other digital property: (1) to arrange for full access to your electronically stored information; (2) to keep costs down; (3) to provide for a smooth administration; and (4) to ensure no valuable or significant online accounts or other digital property are overlooked by your fiduciaries and family members.

Posted in E-mail | Tagged , , , , , , , , , , | Comments Off on Google Users Can Now Plan Ahead for Incapacity and Death for their Google Data

Convertible Virtual Currency (Like Bitcoin) is Subject to U.S. Money-Laundering Rules

On March 18, 2013, the the U.S. Financial Crimes Enforcement Network released new interpretive guidance regarding “convertible virtual currency” for purposes of the Bank Secrecy Act (BSA). The BSA requires financial institutions in the United States to report cash transactions and suspicious financial activities that might signify money laundering, tax evasion, or other criminal activities. The Financial Crimes Enforcement Network is a bureau of the U.S. Department of the Treasury that combats money laundering, among other things.

Under the new interpretive guidance, “virtual currency” is defined as a medium of exchange that operates like a currency in some environments but does not have all the attributes of real currency (“real currency” is the coin and paper money of the United States that is designated as legal tender). “Convertible virtual currency,” then, is defined as virtual currency that has an equivalent value in real currency or that acts as a substitute for real currency.

Without getting into too much detail, the new interpretive guidance states that “exchangers” and “administrators” are “money transmitters” within the scope of the Bank Secrecy Act and its regulations, unless a limitation or exemption applies, if they either: (1) accept and transmit a convertible virtual currency or (2) buy or sell convertible virtual currency. In other words, these parties may be subject to the registration requirements, record-keeping requirements for certain transactions, and mandatory reporting requirements for certain suspicious activities that might signify money laundering, tax evasion, or other criminal activities. Under the new interpretive guidance, an “exchanger” is a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency, and an “administrator” is a person engaged as a business in issuing (putting into circulation) a virtual currency and who has the authority to redeem (to withdraw from circulation) the virtual currency.

However, a mere “user” of convertible virtual currency is not subject to the Bank Secrecy Act and its regulations. Under the new interpretive guidance, a “user” is a person that obtains virtual currency to purchase goods and services. In other words, merely using convertible virtual currency to purchase real or virtual goods or services does not make the person a “money transmission service” (so the person does not have the registration, reporting, or record-keeping obligations under the Bank Secrecy Act regulations).

One example of a popular convertible virtual currency is Bitcoin. Based on the definition of “convertible virtual currency,” the new interpretive guidance might also apply to the virtual currencies used in online video games and virtual worlds (e.g., if the video game or virtual world virtual currency has an equivalent value in real currency), bringing certain video game transactions within the scope of the Bank Secrecy Act and its regulations unless a limitation or exemption applies. According to a March 21, 2013, article in the Wall Street Journal by Jeffrey Sparshott, the “anti-money-laundering rules would apply depending on the ‘factors and circumstances’ of each business.”

This new interpretive guidance is another example of how much value is being converted into virtual currencies and how much these virtual currencies have become part of our daily lives. On May 18, 2009, John D. Sutter on CNN reported that at least $1 billion per year is transferred into virtual currencies each year, primarily for online video games. That’s amazing, and I can only imagine how much more value is converted into virtual currencies today. These virtual currencies, including Bitcoin and amounts in video games and virtual worlds, can have financial value and should be included as part of a person’s estate planning.

Posted in Financial Accounts, Video Games & Virtual Worlds | Tagged , , , , , , , , , , | Comments Off on Convertible Virtual Currency (Like Bitcoin) is Subject to U.S. Money-Laundering Rules

Jim Lamm Presents at 2013 Miami Law Review Symposium on “Will You Have a Digital Afterlife?”

On Friday, February 15, 2013, I presented a ninety–minute seminar titled “Will You Have a Digital Afterlife?” with Professor Christina L. Kunz, Michael J. McGuire, and Damien A. Riehl at the 2013 Miami Law Review Symposium on Social Media & the Law in Coral Gables, Florida. Our panel discussed how computers, electronically stored information, online accounts, and other digital property have changed the way we interact with people and how we transact business, and this flood of digital property is also changing how fiduciaries and family members administer an estate after a person’s incapacity or death.

Our panel discussed the four main obstacles for fiduciaries and family members trying to access electronically stored information, online accounts (e–mail, social networking accounts like Facebook and Google+, etc.), and other digital property. These four main obstacles are: (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

Our panel reported on current state legislative efforts regarding fiduciary access to digital property and the Uniform Law Commission’s Drafting Committee that is working on this topic. We also discussed intellectual property law issues, including a current case addressing the issue of whether a person can sell a “used” digital music file, book, or movie purchased from Apple’s iTunes store without violating copyright law. And our panel discussed estate planning tips to plan ahead for digital property during incapacity and after death as well as tips to help identify an incapacitated or deceased person’s online accounts and software tools to help gain access to electronically stored information that may be protected by a password on the person’s smartphone, iPad, or computer.

Posted in General | Tagged , , , , , , , , , , , , , | Comments Off on Jim Lamm Presents at 2013 Miami Law Review Symposium on “Will You Have a Digital Afterlife?”

February 2013 List of State Laws and Proposals Regarding Fiduciary Access to Digital Property During Incapacity or After Death

Note: please refer to this August 2013 post for an updated list of state laws.

When a person becomes incapacitated or after a person dies, there are significant challenges that fiduciaries and family members face when dealing with that person’s smartphones, computers, electronically stored information, online accounts, Internet domain names, and other digital property. As I’ve mentioned in previous posts, there are four main obstacles for fiduciaries and family members trying to access this digital property (especially online accounts like e–mail accounts, social networking accounts like Facebook, etc.): (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

in May 2011, my colleague Gene Hennig and I submitted to the Uniform Law Commission a Project Proposal for a uniform law to grant fiduciaries specific powers and authority regarding a person’s online accounts and digital property during incapacity and after death. In January 2012, the Uniform Law Commission appointed a Study Committee, which presented its final report at the July 2012 Uniform Law Commission annual meeting. On July 17, 2012, the Uniform Law Commission appointed a Drafting Committee on Fiduciary Access to Digital Assets to prepare a uniform law on this topic. The first meeting of the Drafting Committee was held November 30 and December 1, 2012, and the second meeting of the Drafting Committee is February 15–17, 2013.

As of the date of this posting, I am aware of five states that currently have enacted specific laws to help fiduciaries deal with e–mail fiduciary access to online accounts, although I believe that several of these laws are too limited in scope:

  1. Connecticut Statutes § 45a–334a (see also Proposed Bill 5227 introduced January 11, 2013, status)
  2. Idaho Statutes §–15–3–715(28)
  3. Oklahoma Statutes § 58–269
  4. Rhode Island General Laws Chapter 33–27
  5. Indiana Code § 29–1–13–1.1

As I mentioned above, the Uniform Law Commission appointed a Drafting Committee on Fiduciary Access to Digital Assets to prepare a uniform law on this topic. As of the date of this posting (including the updates mentioned below), I am aware that the following other states that have already introduced or are considering introducing new legislation to address fiduciary access to digital property, although I believe that several of these proposals are too limited in scope:

  1. California
  2. Colorado
  3. Maine: Legislative Document 850 introduced March 5, 2013, (to study the issue), status (thank you to Justin LeBlanc for notifying me about this bill)
  4. Maryland: Senate Bill 29 introduced January 9, 2013, status
  5. Massachusetts
  6. Michigan: House Bill 5929 introduced September 20, 2012, status (thank you to Brian Cohan for notifying me about this bill)
  7. Missouri
  8. Nebraska: Legislative Bill 783 introduced January 5, 2012, status
  9. Nevada: Senate Bill 131 introduced February 18, 2013, status (thank you to Ashley Watkins for notifying me about this bill)
  10. New Hampshire: House Bill 116 introduced January 3, 2013, status
  11. New Jersey: Assembly Bill 2943 introduced May 14, 2012, status
  12. New York: Bill A823–2013 introduced January 9, 2013, status
  13. North Carolina Senate Bill 279 introduced March 12, 2013, status (thank you to Evan Carroll for notifying me about this bill)
  14. North Dakota: House Bill 1455 introduced January 21, 2013, status
  15. Ohio
  16. Oregon Senate Bill 54 introduced January 14, 2013, status (thank you to Evan Carroll for notifying me about this bill)
  17. Pennsylvania: House Bill 2580 introduced August 23, 2012, status
  18. Virginia: Senate Bill 914 introduced January 7, 2013, status

If you are aware of any other state that is considering this type of legislation, please contact me so that I can add it to the list.

[Updated February 25, 2013, to add links to Michigan bill; on March 18, 2013, to add links to Nevada, North Carolina, and Oregon bills; and on April 1, 2013, to add links to the Maine bill]

Posted in General | Tagged , , , , , , , | Comments Off on February 2013 List of State Laws and Proposals Regarding Fiduciary Access to Digital Property During Incapacity or After Death

Jim Lamm Presents on Digital Death at 2013 Heckerling Institute

On Thursday, January 17, 2013, I presented a ninety–minute seminar titled “Digital Death: What to Do When Your Client Is Six Feet Under But His Data Is in the Cloud” with Professor Christina L. Kunz and Damien A. Riehl at the 47th Annual Heckerling Institute on Estate Planning in Orlando, Florida. Our panel discussed how fiduciaries and family members need to inventory, value, and administer smartphones, computers, electronically stored information, online accounts, domain names, and other digital property as part of their duties for estate and trust administrations, guardianships, and conservatorships. We also talked about estate planning tips to plan ahead for digital property during incapacity and after death.

Specifically, we talked about the four main obstacles for fiduciaries and family members trying to access electronically stored information, online accounts (e–mail, social networking accounts like Facebook and Google+, etc.), and other digital property. These four main obstacles are: (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

Our panel also discussed intellectual property law issues, including a current case addressing the issue of whether a person can sell a “used” digital music file, book, or movie purchased from Apple’s iTunes store without violating copyright law. Finally our panel reported on state legislative efforts regarding fiduciary access to digital property and the Uniform Law Commission’s Drafting Committee that is working on this topic.

You can download the Table of Contents from the seminar materials here: Table of Contents (PDF link).

Posted in E-mail, Intellectual Property Rights, Social Networking Accounts | Tagged , , , , , , , , , , , , , , , | Comments Off on Jim Lamm Presents on Digital Death at 2013 Heckerling Institute

Jim Lamm Quoted in The Wall Street Journal

On January 5, 2013, I was quoted in The Wall Street Journal in the article “Life and Death Online: Who Controls a Digital Legacy?” by Geoffrey A. Fowler.

The article describes a Toronto family’s struggle with a deceased teenager’s digital afterlife, and the obstacles created by criminal laws, privacy laws, and Terms of Service contracts with online account service providers. For more information about the court case mentioned in the article involving Facebook opposing (and successfully blocking) a family’s demand to obtain a decedent’s Facebook account data, read my October 2012 posting about the Facebook case and about the the Stored Communications Act.

Posted in Social Networking Accounts | Tagged , , , , , , , , | Comments Off on Jim Lamm Quoted in The Wall Street Journal

Uniform Law Commission’s Drafting Committee on Fiduciary Access to Digital Assets

The Uniform Law Commission has appointed a Drafting Committee to address the issue of Fiduciary Access to Digital Assets, and its first meeting will be November 30 and December 1, 2012, in Minneapolis, Minnesota. The ULC studies and reviews state laws to determine which laws should be uniform among the states, and, when appropriate, they draft and propose statutory language to promote uniformity.

In May 2011, my colleague Gene Hennig and I submitted to the ULC a Project Proposal for a uniform law to grant fiduciaries specific powers and authority regarding an individual’s online accounts and digital property during incapacity and after death. Although I am not a commissioner, I have been actively involved in this ULC process as an observer.

In January 2012, the ULC appointed a Study Committee to consider the issue of Fiduciary Access to Digital Assets. That Study Committee presented its final report at the July 2012 ULC annual meeting.

On July 17, 2012, the ULC appointed a Drafting Committee to prepare a uniform law on Fiduciary Access to Digital Assets. As I mentioned above, the first meeting of the Drafting Committee will be held on November 30 and December 1, 2012, in Minneapolis, Minnesota. The second meeting of the Drafting Committee is scheduled for February 15–16, 2013, in Washington, D.C.

Posted in General | Tagged , , , , , , , | Comments Off on Uniform Law Commission’s Drafting Committee on Fiduciary Access to Digital Assets

Facebook Blocks Demand for Contents of Deceased User’s Account

On September 20, 2012, Facebook obtained a court order blocking a demand to turn over the contents of a deceased user’s Facebook account. The executor of Sahar Daftary’s estate requested a subpoena to compel Facebook to turn over the decedent’s Facebook account contents as part of a coroner’s inquest to determine her cause of death. According to the court records, the executor disputes that Ms. Daftary committed suicide and “believes that her Facebook account contains critical evidence showing her actual state of mind in the days leading up to her death.” However, the court held that the Stored Communications Act’s privacy rights protect the account contents, and Facebook cannot be compelled to turn over the contents in a civil action.

At first glance, this may appear to be a surprising result. However, I believe this case was decided correctly under the Stored Communications Act. Also, while one key question was not answered by the court in this order, I believe this case is ultimately beneficial to other families and fiduciaries seeking e–mails or other contents of an incapacitated or deceased user’s online accounts. To explain why, let’s first examine the privacy rights under the Stored Communications Act, and then I’ll explain my thoughts about this new Facebook ruling.

Stored Communications Act

The Stored Communications Act (also known as the “Stored Wire and Electronic Communications Act”) is part of the Electronic Communications Privacy Act of 1986. The Stored Communications Act is codified in 18 U.S.C. §§ 2701 through 2712. Among other things, the Stored Communications Act creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain service providers.

Without going too far into the technical details, in general, the protections under the Stored Communications Act depend on:

  1. Whether the request or demand for information is made by a governmental entity (e.g., in a law enforcement investigation) or by some other person or entity (e.g., in a civil lawsuit);
  2. Whether the company provides services to the public (e.g., Facebook, Google, Yahoo!, Microsoft, and Apple provide services to the public) or whether the services are not publicly available (e.g., an employer that provides e–mail accounts only to its employees);
  3. Whether the request or demand is for the contents of the electronic communications and files (e.g., the body and subject line of an e–mail) or whether the request or demand is for noncontent information (e.g., the user’s name, address, connection records, length of service, type of service, network/IP address, and the means and source of payment for the service);
  4. Whether access to the contents of the electronic communications and files are “restricted in some fashion” or are “completely public”; and
  5. Whether the company provides an “electronic communications service” (ECS) or a “remote computing service” (RCS).

For more a more detailed description of the Stored Communications Act, I recommend reading A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It by Orin S. Kerr.

Estate Administration Example

Let’s walk through an example involving the administration a deceased user’s estate to better understand how the Stored Communications Act applies. Let’s assume the decedent had: (1) a free e–mail account (it doesn’t matter if it’s a Google Gmail account, a Microsoft Hotmail account, or a Yahoo! Mail account); (2) a Facebook account; and (3) an employer–provided e–mail account. Also, let’s assume we have a duly–appointed executor with authority to act on behalf the decedent’s estate (an executor also is referred to as a personal representative of the estate or as an estate administrator).

First, if there is a law enforcement investigation involved regarding the decedent (e.g., a murder investigation involving the decedent’s death or a crime for which the decedent is being investigated), then a governmental entity might want to review the e–mail or Facebook account contents. Under § 2703 of the Stored Communications Act, a governmental entity can compel the disclosure of contents of electronic communications and files protected under the Stored Communications Act by following the proper procedures for the type of information requested from each provider (e.g., a search warrant, subpoena, etc.). That’s beyond the scope of our example, so I’m not going to walk through those procedures.

In our example, the executor of the decedent’s estate is not a governmental entity. So, there are three main options for the executor to obtain the contents of the two e–mail accounts and the Facebook account:

  1. Ask each provider for a copy of the deceased user’s account contents;
  2. File a civil lawsuit against the provider to try to compel the provider to turn over the deceased user’s account contents; and
  3. Use the decedent’s username and password (if you have them) to access the decedent’s e–mail and Facebook accounts to directly obtain a copy of the account contents.

The first option is what I generally recommend. The duly–appointed executor of the decedent’s estate (or, for an incapacitated user’s accounts, the duly–appointed guardian, conservator, or attorney–in–fact under a durable power of attorney) asks the provider for a copy of the account contents and furnishes documentation to the provider showing the fiduciary’s authority (e.g., a copy of the durable power of attorney or a certified copy of the court documents appointing the guardian, conservator, or executor to act on behalf of the living user or of the deceased user’s estate). If the user is deceased, I recommend also furnishing a certified copy of the death certificate to the provider. The executor of a decedent’s estate stands in the shoes of the decedent, so, for purposes of our example, the executor should be able to provide “lawful consent” on behalf of the decedent to divulge the contents of the decedent’s accounts. I will say more about “lawful consent” below (and why the September 20, 2012, Facebook order mentioned above is relevant to this). The second option for the executor—file a civil lawsuit against the provider—does not work if the Stored Communications Act applies. A civil action cannot require (see § 2703) a provider to disclose the contents of electronic communications and files protected under the Stored Communications Act, but the provider may voluntarily disclose the contents if one of the exceptions under § 2702(b) is met. Again, I will say more about the “lawful consent” exception below. The third option for the executor—use the decedent’s username and password to access the account directly—might be construed as “unauthorized access” under a state or federal criminal law. I’ve written previously (here and here) about whether it’s a crime for fiduciaries to access a decedent’s online accounts, and the chilling effect those criminal laws have on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. Since option two doesn’t work if the Stored Communications Act applies and option three might be construed as a criminal act, that leaves the duly–appointed executor (or other fiduciary) with option one as the clear choice: ask each provider for a copy of the deceased user’s account contents and provide appropriate documentation to back up the request.

Second, to continue applying the Stored Communications Act to our example, let’s look at whether the company holding the contents is providing services to the public. For the free e–mail account and the Facebook account in our example, we know that Google, Microsoft, Yahoo!, and Facebook provide these services to the public. But, the employer–provided e–mail account in our example is different, because the typical employer only provides the e–mail account to employees (and a school that provides accounts only to its students and staff also does not provide services to the public). That difference is important because § 2702(a) of the Stored Communications Act prohibits a company that provides ECS or RCS to the public from divulging the contents of the electronic communications or files unless an exception is met. That statutory prohibition on divulging contents doesn’t apply to a company that does not provide ECS or RCS to the public (e.g., the employer–provided e–mail in our example), because there is a different expectation of privacy for the user. So, the company could voluntarily divulge the employer–provided e–mail account contents or might be compelled in a civil proceeding to turn over those contents—the company can’t use § 2702(a) of the Stored Communications Act as a shield to prevent disclosure. But, there may be other reasons that the company can’t or won’t turn over the employer–provided e–mail account contents, such as: (1) a trade secret protected by state law; (2) a non–compete agreement, a non–disclosure agreement, or the company’s electronic resources policy; (3) “protected health information” under the Health Insurance Portability and Accountability Act of 1996—HIPAA (but, an incapacitated employee’s designated health care agent or a deceased employee’s personal representative has authority to request this information); (4) medical information protected from disclosure by a state law or the Americans with Disabilities Act of 1990; (5) “nonpublc personal information” under the Gramm–Leach–Bliley Act; or (6) some other privacy law or privilege.

Third, in our example, the executor of the deceased user’s estate is looking for the contents of the electronic communications and files. Different protections apply for voluntary and compelled disclosure of “contents” versus the “noncontent information” about the account, especially if a governmental entity is making the demand. For our example, similar exceptions apply under the voluntary disclosure rules for contents and noncontent information. I will say more about the “lawful consent” exception below.

Fourth, we need to consider whether access to the contents of the electronic communications and files in our example are “restricted in some fashion” or are “completely public.” If the contents are completely public, the privacy protections of the Stored Communications Act do not apply. On the other hand, if access to the contents is restricted in some fashion, then the privacy protections of the Stored Communications Act do apply. It’s interesting to think of a user’s “privacy rights” with respect to social networking services, such as a user’s Facebook Wall (or MySpace Comments or Google+ Stream), which can be seen by hundreds or even thousands of “friends.” Do those contents receive privacy protections under the Stored Communications Act? The court in Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965 (C.D. Cal. 2010), faced this issue and determined that Facebook’s Wall feature and MySpace’s Comments feature are analogous to a restricted–access electronic bulletin board on which friends and family can post messages and news updates. The court in Crispin determined that a user’s Facebook Wall or MySpace Comments postings can have restricted access (receiving privacy protections under the Stored Communications Act) if they are only visible to another person who has been granted access to see the user’s full profile.

Fifth, we look at whether the company provides an “electronic communications service” or a “remote computing service.” Different rules apply for voluntary and compelled disclosure with respect to ECS providers versus RCS providers if a governmental entity is making the demand, but the distinction is less relevant for our example with the executor of a deceased user’s account potentially bringing a civil suit. A single company might be classified as providing just ECS, just RCS, both ECS and RCS, or neither ECS nor RCS. In the Crispin case mentioned above, the court determined that both Facebook and MySpace are ECS providers and RCS providers. With respect to private messaging features of Facebook and MySpace, the court in Crispin determined that these features are analogous to e–mail communications and held that Facebook and MySpace operate as ECS providers with respect to unopened messages and operate as RCS providers with respect to messages that have been opened and retained. The court in Crispin also held that “Facebook and MySpace are ECS providers as respects wall postings and comments and that such communications are in electronic storage. In the alternative, the court holds that the Facebook and MySpace are RCS providers as respects the wall postings and comments.”

Based on the discussion above, for our example, the free e–mail account and the Facebook account have statutory privacy protections under the Stored Communications Act. So, both the company providing the free e–mail account (e.g., Google, Microsoft, Yahoo!, etc.) and Facebook are prohibited by § 2702(a) of the Stored Communications Act from divulging the contents of the electronic communications or files unless an exception is met. If the Stored Communications Act applies and an exception is met under § 2702(b), then the provider may voluntarily divulge the contents but cannot be compelled to divulge the contents in a civil suit. As discussed above, the prohibition against voluntary disclosure under § 2702(a) of the Stored Communications Act does not apply to the employer–provided e–mail contents. With respect to the free e–mail account and the Facebook account, to which the Stored Communications Act does apply, the exception for voluntary disclosure under § 2702(b)(3) is relevant: a provider “may divulge the contents of a communication…with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service.”

With that “lawful consent” exception under § 2702(b)(3) in mind, the key question is whether the duly–appointed executor of a deceased user’s estate (or other fiduciary for a living user) can provide “lawful consent” so that the provider may voluntarily divulge the contents for purposes of § 2702 of the Stored Communications Act.

Conclusions From the September 20, 2012, Facebook Ruling

Finally, this key question brings us back to the September 20, 2012, court order blocking a demand to turn over the contents of a deceased user’s Facebook account. As I mentioned above, the executor of Sahar Daftary’s estate asked the court to compel Facebook to turn over the decedent’s Facebook account contents as part of a coroner’s inquest to determine her cause of death. From the discussion above, the Stored Communications Act applies, § 2702(a) prevents Facebook from divulging the contents unless an exception is met, and Facebook cannot be compelled to divulge the contents in a civil suit. In its Motion to Quash Subpoena in a Civil Case filed on August 6, 2012, and in its Reply In Support of Motion to Quash Subpoena in a Civil Case filed on August 27, 2012, Facebook asserts that it is not clear that the executor’s consent satisfies the Stored Communications Act’s exception for “lawful consent” under § 2702(b)(3). Facebook argues that different jurisdictions may vest different powers in executors, so this would “impose excessive burdens and risks on Facebook and other service providers.” Facebook also argues that “it would be far too burdensome to require service providers to analyze the law of the relevant jurisdiction each time an administrator asserted the right to consent on behalf of a deceased user. It would also be patently unfair. Service providers are subject to serious penalties for wrongful disclosure.” But, I believe a reasonable counterpoint to this argument by Facebook is that banks and brokerage companies need to deal with fiduciaries on a routine basis, and they’ve figured out a way to make that process work effectively.

To its credit, Facebook offered a reasonable middle ground stating “Facebook would not object if the Court (1) holds that Anisa Daftary may provide lawful consent under Section 2702 of the SCA to the disclosure of communications in Sahar’s account, and (2) orders Facebook to disclose the reasonably accessible communications sought by Applicants.” In this case, Anisa Daftary is both the mother of Sahar Daftary (the deceased Facebook user) and the executor of her estate. However, because the Stored Communications Act applies and the provider cannot be compelled to divulge the contents in a civil suit, the September 20, 2012, order states that the court lacks jurisdiction to address whether the executor of the deceased user’s estate may offer consent so that Facebook may disclose the records voluntarily (the court notes that it would be an impermissible advisory opinion).

So, with all that being said, why do I believe that this case is ultimately beneficial to family members and fiduciaries seeking e–mails or other contents of an incapacitated or deceased user’s online accounts? Because I think the court’s order should give comfort to Facebook and other online account providers to voluntarily disclose an incapacitated or deceased user’s account contents. Facebook mentioned in its pleadings the chilling effect of the Stored Communications Act’s prohibitions (and penalties) on voluntary disclosure of contents unless an exception is met. While the court did not answer the question of whether, as a matter of law, the executor of a deceased user’s estate (or a duly–appointed fiduciary acting on behalf of an incapacitated user) may provide “lawful consent” under § 2702, the final sentence of the court’s opinion suggests what the answer should be. The court said “Of course, nothing prevents Facebook from concluding on its own that Applicants have standing to consent on Sahar’s behalf and providing the requested materials voluntarily.” I want to be clear: this sentence is not a determination of the court that others can rely on—it is only obiter dictum. Still, I believe this sentence is ultimately beneficial because it strongly suggests (to me) that this court would not oppose the executor of a deceased user’s estate providing “lawful consent” under § 2702 of the Stored Communications Act. And, this court—the U.S. District Court, Northern District of California—is especially important because the Terms of Service Agreement for Facebook (section 16.1) provides that any disputes must be resolved in a court located in Santa Clara County, California (which is within the boundaries of the U.S. District Court, Northern District of California). In addition, the U.S. District Court, Northern District of California, is the chosen federal court jurisdiction under the Terms of Service Agreement for Apple, Google, LinkedIn (section 8.1), Twitter (section 12.B), WordPress, Yahoo! (section 27), and YouTube (section 14). So, the final sentence from this court’s order, even though it isn’t binding authority, should give comfort to some of the major online account service providers because this court is the key jurisdiction for these providers in the event of a dispute. A notable exception to that list of providers is Microsoft, which selects Washington state for its dispute resolution provision.

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , , , , , , , , | Comments Off on Facebook Blocks Demand for Contents of Deceased User’s Account