WSJ Article on Access to Online Accounts After a Business Owner Dies

There is an article by Molly Williams in today’s Wall Street Journal titled “If a Business Owner Dies, Who Can Access the Web?” The article points out that some small businesses have only one person who knows the passwords to the important online accounts for the business, and that could disastrous for the business if that person becomes incapacitated or dies without writing down the passwords so that others can access the accounts. Ensuring access to the business’s important online accounts is an important part of business continuity planning—a business may need to handle online customer orders, online purchases from suppliers, online payroll software, online bill paying, online marketing, e–mails, and more.

In general, I suggest that a business use its own e–mail server or have the business contract with a commercial e–mail service provider—do not rely on a free e–mail service for your business e–mails. Why? Because the Terms of Service contracts at the major free e–mail service providers (Google, Microsoft, and Yahoo!), say that these accounts are not transferable (or transferable only with permission). So, if the business e–mail account is registered in the individual owner’s name at one of the free e–mail services, the account probably cannot be transferred.

Also, the Yahoo! Terms of Service contract says that your account terminates when you die. The Terms of Service contracts at many other service providers are silent about what happens to your account when you die. If a business contracts directly with a commercial e–mail service provider (rather than one of the free e–mail providers), the account could continue after the owner dies.

The Microsoft and Facebook Terms of Service contracts say that only you may use your account, and you must not authorize a third party to access or use your account. This probably does not work well for business purposes, where more than one person may need to access the online account. As I have mentioned before, it could be considered a crime to access another person’s online accounts—even if you are the duly–authorized fiduciary for that person—if you “exceed authorized access” under the online account’s Terms of Service contract. The Wall Street Journal article quotes me as recommending not to access another person’s account using the person’s password—instead, the duly–authorized fiduciary for that person should contact the service provider to request the contents of the account to avoid potential charges of “exceeding authorized access.” I’ve previously mentioned the proper procedures for contacting Google, contacting Microsoft, and contacting Facebook. For a Yahoo! e–mail account, you can contact Yahoo! Customer Care to start the process, but note that, in the past, they have required a court order directing them to turn over the e–mail account contents citing privacy concerns.

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , , , | Comments Off on WSJ Article on Access to Online Accounts After a Business Owner Dies

Update on Whether It’s a Crime for Fiduciaries to Access a Decedent’s Online Accounts

I’ve written previously that using an incapacitated or deceased person’s passwords to access that person’s online accounts may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. On April 10, 2012, the Ninth Circuit Court of Appeals issued an opinion in United States v. Nosal regarding the scope of the phase “exceed authorized access” under § 1030 of the Computer Fraud and Abuse Act.

In this case, David Nosal, a former employee of Korn/Ferry, convinced current Korn/Ferry employees to obtain information from a confidential Korn/Ferry database—information that Mr. Nosal could use to help start a competing business. The current Korn/Ferry employees were authorized to access the database, but disclosing that confidential information violated Korn/Ferry’s company policies. The criminal charge was “exceeding authorized access” under the Computer Fraud and Abuse Act because the company’s policy was violated.

The Ninth Circuit held in this case that “We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” Note that the key phrase in that quote is “use restrictions.” The Ninth Circuit concluded “Therefore, we hold that ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” In this case, the current company employees had permission to access the confidential company database, but the company’s policies restricted the use of the information. So, the criminal charge of “exceeding authorized access” under the Computer Fraud and Abuse Act was dismissed.

As I have discussed before, the U.S. Department of Justice has asserted that § 1030(a)(2) of the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime for violating the Computer Fraud and Abuse Act when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position may have a chilling effect on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. The Terms of Service contracts at some major Web services, including Facebook and Microsoft’s Hotmail, specifically prohibit you from allowing anyone else to access your account.

This case is interesting for fiduciaries and family members because the Ninth Circuit narrowly construes the phrase “exceeds authorized access,” despite the government arguing for a very broad construction of “exceeds authorized access.” Although it is not part of the Ninth Circuit’s holding, the most interesting portion of the order to me is the Discussion section of the Ninth Circuit’s opinion, where the court gives several examples of the consequences of the government’s broad construction, including an example about Facebook’s Terms of Service contract provision regarding letting someone else access your account:

For example, it’s not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007–March 1, 2012, § 2.3, http://www.google.com/intl/en/ policies/terms/archive/20070416 (“You may not use the Services and may not accept the Terms if…you are not of legal age to form a binding contract with Google….”) (last visited Mar. 4, 2012). Adopting the government’s interpretation would turn vast numbers of teens and pre–teens into juvenile delinquents—and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 http://www.facebook.com/legal/terms (“You will not share your password,…let anyone else access your account, or do anything else that might jeopardize the security of your account.”) (last visited Mar. 4, 2012). Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.

…Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice. See, e.g., YouTube Terms of Service § 1.B, http://www.youtube.com/t/terms (“YouTube may, in its sole discretion, modify or revise these Terms of Service and policies at any time, and you agree to be bound by such modifications or revisions.”) (last visited Mar. 4, 2012). Accordingly, behavior that wasn’t criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.

The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor. Cf. United States v. Stevens, 130 S. Ct. 1577, 1591 (2010) (“We would not uphold an unconstitutional statute merely because the Government promised to use it responsibly.”). And it’s not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17–year–old boy and cyber–bullied her daughter’s classmate. The Justice Department prosecuted her under 18 U.S.C. § 1030(a)(2)(C) for violating MySpace’s terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.

So, although the Ninth Circuit’s actual holding in this case does not specifically resolve the question of whether using an incapacitated or deceased person’s passwords to access that person’s online accounts is a crime (if that “exceeds authorized access” when the Web service’s Terms of Service contract prohibits letting others access the online account), the opinion’s discussion about Facebook’s Terms of Service provision gives me some hope for the future. Keep in mind that the Ninth Circuit concluded “Therefore, we hold that ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use,” so the chilling effect on fiduciaries and family members accessing online accounts remains a problem.

For more discussion of United States v. Nosal, read the April 10, 2012, article by Orin Kerr at The Volokhh Conspiracy, including a mention of disagreement among the circuit courts about whether to interpret the Computer Fraud and Abuse Act broadly or narrowly, which could lead to a Supreme Court opinion on this issue in the future.

Posted in E-mail, Financial Accounts, Online Sales Accounts, Social Networking Accounts, Video Games & Virtual Worlds, Web Pages and Blogs | Tagged , , , , , , , , , , , , , | Comments Off on Update on Whether It’s a Crime for Fiduciaries to Access a Decedent’s Online Accounts

Sharing Your Facebook Password With Employers, Schools, or Fiduciaries

Previously, I’ve written about courts ordering spouses to reveal their Facebook passwords in the course of a divorce proceeding. In the past few weeks, there have been several stories about employers asking a job applicant to reveal the applicant’s Facebook username and password and schools asking a student to reveal the student’s Facebook username and password. See articles here, here, here, here, and here for a sampling of articles. The ACLU quickly condemned this practice as an invasion of privacy and has encouraged legislation to protect users’ privacy.

Facebook’s Chief Privacy Officer, Erin Egan, posted on March 23, 2012, that demanding access to a Facebook user’s profile and private information “undermines the privacy expectations and the security of both the user and the user’s friends.” She states, “That’s why we made it a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.” She also states, “Facebook takes your privacy seriously. We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action.”

In a previous post about Planning Ahead for Access to Contents of a Decedent’s Online Accounts, I cautioned against having a family member or fiduciary use the password of an incapacitated or deceased user to gain full access to that user’s online accounts (“the account itself”) because it may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. According to the statement quoted above by Facebook’s Chief Privacy Officer, in addition to state or federal criminal laws, Facebook may initiate legal action (presumably a civil law suit against the person exceeding access to the Facebook account) where appropriate to protect the privacy and security of users.

It’s essential to plan ahead with a list of passwords so that, during a period of incapacity or after your death, your fiduciaries and family members have full access to your smartphones, tablet devices, computers, and encrypted data storage. But, your fiduciaries and family members must think carefully about the potential for criminal penalties or civil lawsuits if they try to use your list of passwords to get full access to any of your online accounts (“the account itself”). As I’ve discussed before, the safer course of action for now it so have the duly–appointed fiduciary for an incapacitated or deceased person request a copy of “the contents” of the online account from the online service provider, and that should not be construed as “unauthorized access.”

Posted in Social Networking Accounts | Tagged , , , , , , , | Comments Off on Sharing Your Facebook Password With Employers, Schools, or Fiduciaries

Jim Lamm Quoted in The Wall Street Journal’s Law Blog

On February13, 2012, I was quoted in The Wall Street Journal’s Law Blog in the article “What Happens to Your ‘Digital Assets’ When You Die?” by Steve Eder. The article also quotes my colleague, Gene Hennig, who co–authored a Project Proposal with me in May 2011 to the Uniform Law Commission for a uniform law to grant fiduciaries specific powers and authority regarding an individual’s online accounts and digital property during incapacity and after death.

Posted in General | Tagged , , , , , | Comments Off on Jim Lamm Quoted in The Wall Street Journal’s Law Blog

Planning Ahead for Access to Contents of a Decedent’s Online Accounts

February 1 was informally designated as “Change Your Password Day,” and a good collection of articles is available at Lifehacker.com about how to test the strength of your passwords, how to update your passwords with “strong” passwords, and a list of software and services to help you keep track of all of your “strong” passwords. This is also a good time to update your list of passwords, online accounts, and digital property for your estate plan.

News services reported this week that the e–mail account of the president of Syria was hacked by the “Anonymous” group, and that the password he used was “12345.” More details are in this article by Stephen Webster at Raw Story. On one hand, that’s not surprising, because five of the top ten most frequently–used passwords are “123456,” “12345,” “123456789,” “1234567,” and “12345678” (link).

Personally, I like a password and account list that is secure, easy to update, convenient to use, and portable so it’s always with me (or it needs to sync automatically with all my devices, including my iPhone and my iPad). You could use a written list, but that isn’t very secure (and if you store it securely, it isn’t very easy to update). I prefer an encrypted electronic list. Some of the most popular software tools are LastPass, 1Password, KeePass, RoboForm, and Keeper. If you use an encrypted electronic list, make sure you write down instructions for your fiduciaries so they can find it and access it if you are incapacitated or deceased (store the written instructions in a safe deposit box, home safe, etc.).

One of my favorite features of LastPass and similar software tools is that they can integrate securely with my Web browser to automatically fill in my username and password (after I’ve typed in my master password when I first start my Web browser), so that I don’t need to manually type any of my “strong” passwords. LastPass and similar software tools also can generate “strong” passwords when you register for a new Web service or when you choose to change your password for a Web service—and they can fill in the new password automatically for you so you don’t make a typo.

In addition to these software tools, there are a number of Web services that are specifically designed to hold an electronic list of your passwords and online accounts while you are alive, then the service will turn over your list to your duly–authorized fiduciary after you die.

It’s essential to plan ahead with a list of passwords so that fiduciaries and family members have full access to your smartphones, tablet devices, computers, and encrypted data storage. For data that is protected by a strong password plus strong encryption, it may be practically impossible to access the data without the password. But what about online accounts?

I want to stop here and draw an important distinction between access to “the account itself” and “the contents” of an online account after a person becomes incapacitated or dies.

First, the Terms of Service contracts on the major Web services—Microsoft, Google, Yahoo!, Facebook, YouTube, Twitter, eBay, PayPal, etc.—say that “the account itself” is not transferrable or only transferrable with permission. Second, most major Web services won’t reveal or reset the password of an incapacitated or deceased person, so the family members and fiduciaries aren’t able to fully access “the account itself” unless they know the incapacitated or deceased person’s password. Third, if you give fiduciaries and family members your password, letting them access “the account itself” may violate the Terms of Service contract on Web services (which might violate criminal laws—see below). Fourth, some Terms of Service contracts, like the one for Yahoo!, say that a user’s account terminates at death.

In my opinion, full access to “the account itself” for a typical online account isn’t all that valuable to family members or fiduciaries. “The contents” of the online account are where the financial or sentimental value is located. Family members generally want access to and copies of the deceased person’s e–mail contents, photos, videos, music, intellectual property, etc. There are exceptions to this. A Twitter account has followers. A Facebook account has friends. An eBay account has a reputation. For these types of accounts, “the account itself” does have value—but these are probably limited to the business world—the commercial value of followers, friends, or a reputation.

For the most part, the goal of estate planning for most online accounts is to plan ahead so that the duly–appointed fiduciary or family members can find and then obtain “the contents” of the online account—the electronic data—from the Web services after the account holder dies or becomes incapacitated, which can be done even if we don’t know the account password. Planning ahead by leaving a list of your online accounts for your family members and fiduciaries is an important step because it helps the duly–appointed fiduciary locate valuable or significant digital property. Armed with that list of accounts, the duly–appointed fiduciary can request copies of the contents of a deceased person’s Facebook account, e–mail account, and many other types of online accounts. However, as I mentioned above, using a deceased person’s passwords to access “the account itself” may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. On the other hand, having the duly–appointed fiduciary request a copy of “the contents” of the account should not be construed as “unauthorized access,” although some Web services have insisted on a court order authorizing disclosure of “the contents” of the online account citing privacy concerns. The bottom line is that I still recommend planning ahead by keeping a list of passwords to your online accounts, but a critical issue for your fiduciary to consider is whether to use the passwords to access your online accounts (“the account itself”) or whether to just request “the contents”—because of the potential application of these criminal laws.

All fifty states and the federal government have enacted criminal laws penalizing unauthorized access to computer systems and types of private or protected personal data. These laws generally provide consumer protection against fraud and identity theft, but these criminal laws may also have a chilling effect on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. The Terms of Service contracts at some major Web services, including Facebook and Microsoft’s Hotmail, specifically prohibit you from allowing anyone else to access your account.

The U.S. Department of Justice asserts that § 1030(a)(2) of the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime for violating the CFAA when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position was stated by Richard Downing, Deputy Chief of the DOJ’s Computer Crime and Intellectual Property Section, Criminal Division, in testimony presented on November 15, 2011, before the U.S. House Committee on Judiciary, Subcommittee on Crime, Terrorism, and National Security. However, Mr. Downing also testified, “Let me be very clear that the DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don’t have time or resources to do that.”

On the other hand, there’s an ongoing Michigan case where Leon Walker has been charged with a felony for allegedly accessing his wife’s e–mails from her Google Gmail account. On December 27, 2011, the Michigan Court of Appeals issued an opinion addressing the issue of whether Mr. Walker’s alleged conduct falls within the scope of Michigan’s criminal law on unauthorized computer access, and they held that “the prosecutor presented sufficient evidence of each element of unauthorized access of a computer, MCL 752.795, to support the district court’s decision to bind defendant over for trial.”

If you plan ahead by specifically authorizing a fiduciary under a Durable Power of Attorney (a “digital power of attorney”) or under a Last Will and Testament or Revocable Trust Agreement to access your online accounts during incapacity or after death, would that solve this potential problem of “unauthorized access” by the fiduciary? While that would clarify your intent, I’m not sure whether that is enough because there’s a potential second layer to this problem. If the Terms of Service contract prohibits you from allowing anyone else to access your account, like the Terms of Service contracts of Facebook and Microsoft’s Hotmail, then it may not matter whether you specifically authorized the fiduciary to access your account—the fiduciary isn’t authorized to access the account under the Terms of Service contract, so a fiduciary’s access to “the account itself” may be construed as “unauthorized access” under these criminal laws.

It will be very interesting whether this Michigan case and the testimony from the Department of Justice will have a chilling effect on fiduciaries who are considering accessing a decedent’s online accounts (“the account itself”) using the decedent’s password. As I mentioned above, the safer course of action for now is to have the duly–appointed fiduciary request a copy of “the contents” of the account, and that should not be construed as “unauthorized access.”

Posted in E-mail, General, Social Networking Accounts | Tagged , , , , , , , , | Comments Off on Planning Ahead for Access to Contents of a Decedent’s Online Accounts

Zappos.com Customer Account Information Compromised

On January 15, 2012, Zappos.com announced that their customer account information may have been compromised, including customer names, e–mail addresses, billing and shipping addresses, and phone numbers. CNN reports that this affects 24 million Zappos.com customers.

Fortunately, Zappos.com announced that customer credit card numbers were not compromised. Although unencrypted customer account passwords were not compromised (the encrypted customer account passwords may have been compromised), Zappos.com took the proactive steps of resetting all customer account passwords and recommending that customers change their passwords at other Web sites.

This is another reminder of how important it is to use separate, strong passwords for each online account that you have. As I mentioned in previous postings, a recent study concluded that 75% of users had the same password for both their e–mail accounts and their social networking accounts. If hackers are able to obtain your username and password from one company, they may try the same username and password combination at other popular Web sites. For a detailed list of other reported data breaches, see the list at Privacy Rights Clearinghouse, a nonprofit consumer organization (at this time of this posting, they listed 2,841 publicly–reported data breaches since 2005!).

I’ve previously written about ways to keep track of and securely store your important passwords and online account information. For online accounts, Microsoft recommends creating strong passwords of 14 characters or more with a combination of uppercase letters, lowercase letters, numbers, and symbols. It’s difficult to remember strong passwords, and it’s easy to make a typo when entering them. As I’ve mentioned before, there are tools that enable you to create and maintain an encrypted electronic list of passwords and online accounts on your smartphone or your computer, and these tools can integrate with your Web browser and automatically look up and enter your passwords for your online accounts. For example, LastPass, KeePass, 1Password, RoboForm, and Keeper, among others.

Remember to let your family members and fiduciaries know where you keep your “master” password to unlock your encrypted electronic list of passwords and online accounts in case you become incapacitated or die, and make sure they know where your encrypted electronic list is kept too.

Posted in Online Sales Accounts | Tagged , , , , , , , , | Comments Off on Zappos.com Customer Account Information Compromised

Unique Virtual Sword Sells for $16,000 in Age of Wulin Video Game

I’ve written before about estate planning and charitable giving with video games and virtual worlds. Here’s another example of how valuable digital property can be—including virtual items in video games.

In December 2011, the developers of the video game Age of Wulin held an auction to sell unique virtual items to use in the video game. One man paid $16,000 for a virtual sword to use in the video game. Other unique virtual items to use in the video game sold for $2,500 and $1,600 in the auction.

These values for virtual items are a bit surprising because this video game has not even been released to the public yet. The developers completed the first phase of closed beta testing in 2011, and they plan to release the game to the public sometime in 2012.

As I’ve mentioned before, it is important for video game and virtual world players to plan ahead and incorporate their digital property into their real–world estate plan. Beyond just writing down the account name and password for the fiduciaries to access the account, the fiduciaries and family members need to know if there are monthly fees to keep the video game or virtual world account open (so the valuable video game character and its virtual property and currency are not deleted!), what the approximate real-world value may be, and either how to transfer it or where to sell it. A little time spent planning ahead can make the administration much more efficient when the video game or virtual world player becomes incapacitated or dies.

Posted in Video Games & Virtual Worlds | Tagged , , , , , , , , , | Comments Off on Unique Virtual Sword Sells for $16,000 in Age of Wulin Video Game

Connecticut Court Requires Spouses to Reveal Online Account Passwords in Divorce Proceeding

On November 7, 2011, Kashmir Hill on Forbes.com reported that a Connecticut court ordered Stephen and Courtney Gallion, spouses in a divorce proceeding, to reveal and exchange their online account passwords, including their passwords to Facebook, eHarmony, and Match.com. According to the article, the judge also ordered Mrs. Gallion not to delete any material from her online accounts.

As the article points out, the judge issued these orders to facilitate the discovery process in the divorce proceeding, including evidence relevant to the custody of their children. However, there’s a big difference between turning over your online account passwords versus simply turning over the contents of your online account (e.g., your Facebook postings, your e–mail messages, etc.) in the discovery process.

Facebook, for example, has a procedure that allows a user to download everything that user has put into Facebook, which a user could do and then turn over that resulting data to the other party in the discovery process. To do this, a Facebook user would go into his or her “Account Settings” and click on “Download a copy of your Facebook data.”

Turning over your online account password to the other party in a lawsuit gives them complete access to and control over all aspects of the account, with the potential for abuse by the other party. Also, turning over your Facebook password or letting anyone else access your Facebook account violates section 4.8 of the Facebook Statement of Rights and Responsibilities (last revised April 26, 2011), and, under section 14, Facebook can stop providing all or part of Facebook services if you violate these rules. However, section VI of the Facebook Data Use Policy (last revised September 23, 2011) also states that Facebook “may share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so.” I am interested to find out how Facebook responds to this situation.

Posted in E-mail, Social Networking Accounts | Tagged , , , , , | Comments Off on Connecticut Court Requires Spouses to Reveal Online Account Passwords in Divorce Proceeding

How to Delete Online Accounts and Digital Footprints

On November 10, 2011, Jeffrey A. Lambert posted a story at Maximum PC called How to Erase Your Digital Footprint. The article describes how much information Facebook, Google, and other companies collect about your Web browsing and other Internet activities, especially for advertising purposes. Using free tools described in the article, you can see how much information these companies are collecting, and you can also take steps to delete your digital footprints.

One valuable resource is a link to an article in Smashing Magazine by Cameron Chapman called How to Permanently Delete Your Account on Popular Websites. This article walks through the step–by–step process of closing your Amazon, eBay, Facebook, Flickr, Google, LinkedIn, Microsoft, MySpace, PayPal, Twitter, WordPress, and YouTube accounts (among others). This is very useful information for fiduciaries and family members handling an estate administration after a person has died. After retrieving any valuable or significant information from the deceased person’s online accounts, the appropriate fiduciary can contact the service providers using these steps to close the online accounts. Family members instead may decide to leave a social networking account, personal Web page, or blog account open as a memorial rather than closing the account. See my previous posting for more information on leaving an online account open as a memorial.

Posted in E-mail, Financial Accounts, Online Sales Accounts, Social Networking Accounts, Video Games & Virtual Worlds, Web Pages and Blogs | Tagged , , , , , , , , , , , , , , , , , , , , , | Comments Off on How to Delete Online Accounts and Digital Footprints