Sharing Your Facebook Password With Employers, Schools, or Fiduciaries

Previously, I’ve written about courts ordering spouses to reveal their Facebook passwords in the course of a divorce proceeding. In the past few weeks, there have been several stories about employers asking a job applicant to reveal the applicant’s Facebook username and password and schools asking a student to reveal the student’s Facebook username and password. See articles here, here, here, here, and here for a sampling of articles. The ACLU quickly condemned this practice as an invasion of privacy and has encouraged legislation to protect users’ privacy.

Facebook’s Chief Privacy Officer, Erin Egan, posted on March 23, 2012, that demanding access to a Facebook user’s profile and private information “undermines the privacy expectations and the security of both the user and the user’s friends.” She states, “That’s why we made it a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.” She also states, “Facebook takes your privacy seriously. We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action.”

In a previous post about Planning Ahead for Access to Contents of a Decedent’s Online Accounts, I cautioned against having a family member or fiduciary use the password of an incapacitated or deceased user to gain full access to that user’s online accounts (“the account itself”) because it may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. According to the statement quoted above by Facebook’s Chief Privacy Officer, in addition to state or federal criminal laws, Facebook may initiate legal action (presumably a civil lawsuit against the person exceeding access to the Facebook account) where appropriate to protect the privacy and security of users.

It’s essential to plan ahead with a list of passwords so that, during a period of incapacity or after your death, your fiduciaries and family members have full access to your smartphones, tablet devices, computers, and encrypted data storage. But, your fiduciaries and family members must think carefully about the potential for criminal penalties or civil lawsuits if they try to use your list of passwords to get full access to any of your online accounts (“the account itself”). As I’ve discussed before, the safer course of action for now is to have the duly–appointed fiduciary for an incapacitated or deceased person request a copy of “the contents” of the online account from the online service provider, and that should not be construed as “unauthorized access.”

Posted in Social Networking Accounts

Jim Lamm Quoted in The Wall Street Journal’s Law Blog

On February 13, 2012, I was quoted in The Wall Street Journal’s Law Blog in the article “What Happens to Your ‘Digital Assets’ When You Die?” by Steve Eder. The article also quotes my colleague, Gene Hennig, who co–authored a Project Proposal with me in May 2011 to the Uniform Law Commission for a uniform law to grant fiduciaries specific powers and authority regarding an individual’s online accounts and digital property during incapacity and after death.

Posted in General

Planning Ahead for Access to Contents of a Decedent’s Online Accounts

February 1 was informally designated as “Change Your Password Day,” and a good collection of articles is available at Lifehacker.com about how to test the strength of your passwords, how to update your passwords with “strong” passwords, and a list of software and services to help you keep track of all of your “strong” passwords. This is also a good time to update your list of passwords, online accounts, and digital property for your estate plan.

News services reported this week that the e–mail account of the president of Syria was hacked by the “Anonymous” group, and that the password he used was “12345.” More details are in this article by Stephen Webster at Raw Story. On one hand, that’s not surprising, because five of the top ten most frequently–used passwords are “123456,” “12345,” “123456789,” “1234567,” and “12345678.”

Personally, I like a password and account list that is secure, easy to update, convenient to use, and portable so it’s always with me (or it needs to sync automatically with all my devices, including my iPhone and my iPad). You could use a written list, but that isn’t very secure (and if you store it securely, it isn’t very easy to update). I prefer an encrypted electronic list. Some of the most popular software tools are LastPass, 1Password, KeePass, RoboForm, and Keeper. If you use an encrypted electronic list, make sure you write down instructions for your fiduciaries so they can find it and access it if you are incapacitated or deceased (store the written instructions in a safe deposit box, home safe, etc.).

One of my favorite features of LastPass and similar software tools is that they can integrate securely with my Web browser to automatically fill in my username and password (after I’ve typed in my master password when I first start my Web browser), so that I don’t need to manually type any of my “strong” passwords. LastPass and similar software tools also can generate “strong” passwords when you register for a new Web service or when you choose to change your password for a Web service—and they can fill in the new password automatically for you so you don’t make a typo.

In addition to these software tools, there are a number of Web services that are specifically designed to hold an electronic list of your passwords and online accounts while you are alive, then the service will turn over your list to your duly–authorized fiduciary after you die.

It’s essential to plan ahead with a list of passwords so that fiduciaries and family members have full access to your smartphones, tablet devices, computers, and encrypted data storage. For data that is protected by a strong password plus strong encryption, it may be practically impossible to access the data without the password. But what about online accounts?

I want to stop here and draw an important distinction between access to “the account itself” and “the contents” of an online account after a person becomes incapacitated or dies.

First, the Terms of Service contracts on the major Web services—Microsoft, Google, Yahoo!, Facebook, YouTube, Twitter, eBay, PayPal, etc.—say that “the account itself” is not transferrable or only transferrable with permission. Second, most major Web services won’t reveal or reset the password of an incapacitated or deceased person, so the family members and fiduciaries aren’t able to fully access “the account itself” unless they know the incapacitated or deceased person’s password. Third, if you give fiduciaries and family members your password, letting them access “the account itself” may violate the Terms of Service contract on Web services (which might violate criminal laws—see below). Fourth, some Terms of Service contracts, like the one for Yahoo!, say that a user’s account terminates at death.

In my opinion, full access to “the account itself” for a typical online account isn’t all that valuable to family members or fiduciaries. “The contents” of the online account are where the financial or sentimental value is located. Family members generally want access to and copies of the deceased person’s e–mail contents, photos, videos, music, intellectual property, etc. There are exceptions to this. A Twitter account has followers. A Facebook account has friends. An eBay account has a reputation. For these types of accounts, “the account itself” does have value—but these are probably limited to the business world—the commercial value of followers, friends, or a reputation.

For the most part, the goal of estate planning for most online accounts is to plan ahead so that the duly–appointed fiduciary or family members can find and then obtain “the contents” of the online account—the electronic data—from the Web services after the account holder dies or becomes incapacitated, which can be done even if we don’t know the account password. Planning ahead by leaving a list of your online accounts for your family members and fiduciaries is an important step because it helps the duly–appointed fiduciary locate valuable or significant digital property. Armed with that list of accounts, the duly–appointed fiduciary can request copies of the contents of a deceased person’s Facebook account, e–mail account, and many other types of online accounts. However, as I mentioned above, using a deceased person’s passwords to access “the account itself” may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. On the other hand, having the duly–appointed fiduciary request a copy of “the contents” of the account should not be construed as “unauthorized access,” although some Web services have insisted on a court order authorizing disclosure of “the contents” of the online account citing privacy concerns. The bottom line is that I still recommend planning ahead by keeping a list of passwords to your online accounts, but a critical issue for your fiduciary to consider is whether to use the passwords to access your online accounts (“the account itself”) or whether to just request “the contents”—because of the potential application of these criminal laws.

All fifty states and the federal government have enacted criminal laws penalizing unauthorized access to computer systems and types of private or protected personal data. These laws generally provide consumer protection against fraud and identity theft, but these criminal laws may also have a chilling effect on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. The Terms of Service contracts at some major Web services, including Facebook and Microsoft’s Hotmail, specifically prohibit you from allowing anyone else to access your account.

The U.S. Department of Justice asserts that § 1030(a)(2) of the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime for violating the CFAA when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position was stated by Richard Downing, Deputy Chief of the DOJ’s Computer Crime and Intellectual Property Section, Criminal Division, in testimony presented on November 15, 2011, before the U.S. House Committee on Judiciary, Subcommittee on Crime, Terrorism, and National Security. However, Mr. Downing also testified, “Let me be very clear that the DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don’t have time or resources to do that.”

On the other hand, there’s an ongoing Michigan case where Leon Walker has been charged with a felony for allegedly accessing his wife’s e–mails from her Google Gmail account. On December 27, 2011, the Michigan Court of Appeals issued an opinion addressing the issue of whether Mr. Walker’s alleged conduct falls within the scope of Michigan’s criminal law on unauthorized computer access, and they held that “the prosecutor presented sufficient evidence of each element of unauthorized access of a computer, MCL 752.795, to support the district court’s decision to bind defendant over for trial.”

If you plan ahead by specifically authorizing a fiduciary under a Durable Power of Attorney (a “digital power of attorney”) or under a Last Will and Testament or Revocable Trust Agreement to access your online accounts during incapacity or after death, would that solve this potential problem of “unauthorized access” by the fiduciary? While that would clarify your intent, I’m not sure whether that is enough because there’s a potential second layer to this problem. If the Terms of Service contract prohibits you from allowing anyone else to access your account, like the Terms of Service contracts of Facebook and Microsoft’s Hotmail, then it may not matter whether you specifically authorized the fiduciary to access your account—the fiduciary isn’t authorized to access the account under the Terms of Service contract, so a fiduciary’s access to “the account itself” may be construed as “unauthorized access” under these criminal laws.

It will be very interesting to see whether this Michigan case and the testimony from the Department of Justice will have a chilling effect on fiduciaries who are considering accessing a decedent’s online accounts (“the account itself”) using the decedent’s password. As I mentioned above, the safer course of action for now is to have the duly–appointed fiduciary request a copy of “the contents” of the account, and that should not be construed as “unauthorized access.”

Posted in E-mail, General, Social Networking Accounts

Zappos.com Customer Account Information Compromised

On January 15, 2012, Zappos.com announced that their customer account information may have been compromised, including customer names, e–mail addresses, billing and shipping addresses, and phone numbers. CNN reports that this affects 24 million Zappos.com customers.

Fortunately, Zappos.com announced that customer credit card numbers were not compromised. Although unencrypted customer account passwords were not compromised (the encrypted customer account passwords may have been compromised), Zappos.com took the proactive steps of resetting all customer account passwords and recommending that customers change their passwords at other Web sites.

This is another reminder of how important it is to use separate, strong passwords for each online account that you have. As I mentioned in previous postings, a recent study concluded that 75% of users had the same password for both their e–mail accounts and their social networking accounts. If hackers are able to obtain your username and password from one company, they may try the same username and password combination at other popular Web sites. For a detailed list of other reported data breaches, see the list at Privacy Rights Clearinghouse, a nonprofit consumer organization (at the time of this posting, they listed 2,841 publicly–reported data breaches since 2005!).

I’ve previously written about ways to keep track of and securely store your important passwords and online account information. For online accounts, Microsoft recommends creating strong passwords of 14 characters or more with a combination of uppercase letters, lowercase letters, numbers, and symbols. It’s difficult to remember strong passwords, and it’s easy to make a typo when entering them. As I’ve mentioned before, there are tools that enable you to create and maintain an encrypted electronic list of passwords and online accounts on your smartphone or your computer, and these tools can integrate with your Web browser and automatically look up and enter your passwords for your online accounts. Examples include LastPass, KeePass, 1Password, RoboForm, and Keeper, among others.

Remember to let your family members and fiduciaries know where you keep your “master” password to unlock your encrypted electronic list of passwords and online accounts in case you become incapacitated or die, and make sure they know where your encrypted electronic list is kept too.

Posted in Online Sales Accounts

Unique Virtual Sword Sells for $16,000 in Age of Wulin Video Game

I’ve written before about estate planning and charitable giving with video games and virtual worlds. Here’s another example of how valuable digital property can be—including virtual items in video games.

In December 2011, the developers of the video game Age of Wulin held an auction to sell unique virtual items to use in the video game. One man paid $16,000 for a virtual sword to use in the video game. Other unique virtual items to use in the video game sold for $2,500 and $1,600 in the auction.

These values for virtual items are a bit surprising because this video game has not even been released to the public yet. The developers completed the first phase of closed beta testing in 2011, and they plan to release the game to the public sometime in 2012.

As I’ve mentioned before, it is important for video game and virtual world players to plan ahead and incorporate their digital property into their real–world estate plan. Beyond just writing down the account name and password for the fiduciaries to access the account, the fiduciaries and family members need to know if there are monthly fees to keep the video game or virtual world account open (so the valuable video game character and its virtual property and currency are not deleted!), what the approximate real-world value may be, and either how to transfer it or where to sell it. A little time spent planning ahead can make the administration much more efficient when the video game or virtual world player becomes incapacitated or dies.

Posted in Video Games & Virtual Worlds

Connecticut Court Requires Spouses to Reveal Online Account Passwords in Divorce Proceeding

On November 7, 2011, Kashmir Hill on Forbes.com reported that a Connecticut court ordered Stephen and Courtney Gallion, spouses in a divorce proceeding, to reveal and exchange their online account passwords, including their passwords to Facebook, eHarmony, and Match.com. According to the article, the judge also ordered Mrs. Gallion not to delete any material from her online accounts.

As the article points out, the judge issued these orders to facilitate the discovery process in the divorce proceeding, including evidence relevant to the custody of their children. However, there’s a big difference between turning over your online account passwords versus simply turning over the contents of your online account (e.g., your Facebook postings, your e–mail messages, etc.) in the discovery process.

Facebook, for example, has a procedure that allows a user to download everything that user has put into Facebook, which a user could do and then turn over that resulting data to the other party in the discovery process. To do this, a Facebook user would go into his or her “Account Settings” and click on “Download a copy of your Facebook data.”

Turning over your online account password to the other party in a lawsuit gives them complete access to and control over all aspects of the account, with the potential for abuse by the other party. Also, turning over your Facebook password or letting anyone else access your Facebook account violates section 4.8 of the Facebook Statement of Rights and Responsibilities (last revised April 26, 2011), and, under section 14, Facebook can stop providing all or part of Facebook services if you violate these rules. However, section VI of the Facebook Data Use Policy (last revised September 23, 2011) also states that Facebook “may share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so.” I am interested to find out how Facebook responds to this situation.

Posted in E-mail, Social Networking Accounts

How to Delete Online Accounts and Digital Footprints

On November 10, 2011, Jeffrey A. Lambert posted a story at Maximum PC called How to Erase Your Digital Footprint. The article describes how much information Facebook, Google, and other companies collect about your Web browsing and other Internet activities, especially for advertising purposes. Using free tools described in the article, you can see how much information these companies are collecting, and you can also take steps to delete your digital footprints.

One valuable resource is a link to an article in Smashing Magazine by Cameron Chapman called How to Permanently Delete Your Account on Popular Websites. This article walks through the step–by–step process of closing your Amazon, eBay, Facebook, Flickr, Google, LinkedIn, Microsoft, MySpace, PayPal, Twitter, WordPress, and YouTube accounts (among others). This is very useful information for fiduciaries and family members handling an estate administration after a person has died. After retrieving any valuable or significant information from the deceased person’s online accounts, the appropriate fiduciary can contact the service providers using these steps to close the online accounts. Family members instead may decide to leave a social networking account, personal Web page, or blog account open as a memorial rather than closing the account. See my previous posting for more information on leaving an online account open as a memorial.

Posted in E-mail, Financial Accounts, Online Sales Accounts, Social Networking Accounts, Video Games & Virtual Worlds, Web Pages and Blogs

IRS Chief Counsel Advises IRS Agent Not to Request Taxpayer E-Mail Contents From ISP

In IRS Chief Counsel Advice 201141017, an IRS agent tried to obtain a taxpayer’s e–mail contents from the taxpayer’s Internet Service Provider (ISP) without a warrant. The taxpayer’s ISP refused the IRS agent’s request, citing provisions of the Stored Communications Act (18 U.S.C. §§ 2701–2711) and United States v. Warshak, 631 F.3d 266 (6th Cir. 2010). The agent asked the IRS Chief Counsel how to proceed, and the Chief Counsel advised the agent not to request the taxpayer’s e–mail contents from the taxpayer’s ISP.

In this situation, the IRS agent believed that a shell company improperly received over $250,000 of tax refunds, so the IRS agent was trying to trace where the money went. The IRS agent used an IRS administrative summons under § 7602 of the tax code to request the contents of the taxpayer’s e–mails, including e–mails received within 180 days of the summons.

First, the IRS Chief Counsel advised that this IRS administrative summons should be withdrawn because it violates § 2703(a) of the Stored Communications Act, which requires that a governmental entity obtain a warrant to compel disclosure of the contents of an electronic communication that is in electronic storage for 180 days or less. Here, the IRS agent had not obtained a warrant and “would not be eligible to seek a warrant for the civil (as opposed to criminal) tax law provisions he is engaged in seeking to enforce in this case.”

Second, the IRS agent asked whether the agent could request from the taxpayer’s ISP only the contents of the taxpayer’s e–mails that were in electronic storage for more than 180 days, without a warrant. But the IRS Chief Counsel advised the IRS agent against doing this, citing the Warshak case. The Warshak case concluded that the Stored Communications Act provisions that allow a governmental entity to compel disclosure of the contents of an electronic communication that is in electronic storage for more than 180 days without a warrant are unconstitutional because they are an unreasonable search and seizure in violation of the Fourth Amendment. Although the IRS Chief Counsel points out that the Warshak case was a Sixth Circuit decision while the taxpayer’s ISP is located in the Ninth Circuit, the IRS Chief Counsel advises: “In short, we do not believe there is any reasonable possibility that the Service will be able to obtain the contents of this customer’s e–mails that are more than 180 days old through a modified summons upon this ISP without protracted litigation, if at all.”

Third, the IRS agent asked whether the agent could request from the taxpayer’s ISP only “non–content information for electronic communications services specified in 18 U.S.C. § 2703(c)(2) for the customer (e.g., name, address, length and type of service, and means of payment).” For this question, the IRS Chief Counsel advised that the IRS agent may obtain this “non–content information” from the taxpayer’s ISP without a warrant, and this has been upheld by the courts. This can be accomplished using an IRS administrative summons under § 7602 of the tax code, without notice to the ISP’s customer, and it can even be used to obtain the credit card number or bank account number used to pay for the e–mail service (see 18 U.S.C. § 2703(c)(2)(F)).

Although this IRS Chief Counsel Advice 201141017 cannot be used or cited as precedent, it is still helpful for taxpayers to know the current IRS position on requesting e–mail contents from a taxpayer’s ISP or requesting “non–content information for electronic communications” (including name, address, length and type of service, and means of payment including credit card number or bank account number) from a taxpayer’s ISP. It’s also important to note that the taxpayer’s ISP plays an important role in the process—in this situation, the taxpayer’s ISP protected the rights of its customer by denying the initial IRS administrative summons sent by the IRS agent because the summons was too broad.

Posted in E-mail

October is National Cyber Security Awareness Month

October is National Cyber Security Awareness Month! For tips about creating strong passwords, backing up your data, Internet safety and security, social networking privacy and security settings, and more, visit: StaySafeOnline.org. Tip sheets and other resources are available on their Resource Library site and on their Stop. Think. Connect. site.

Posted in General