The digital afterlife: who owns our data when we die?

The Paypers talks about what happens with our data when we die with Dean H. Saxe, one of the OpenID Foundation members, who led the development of the paper The Unfinished Digital Estate: Culture, Law, and Technology After Death.

When employees or customers die, what happens to their email accounts, files, and digital assets? The OpenID Foundation is developing a major new whitepaper exploring exactly this on a global scale, with input from lawyers and affected families. It reveals that most companies lack clear policies, and this is creating significant problems for businesses and families around the world. The foundation is also developing a ‘planning guide’ offering practical tools for anyone who uses digital services to actively manage their digital estate.

Before the whitepaper and the planning guide are formally launched later this year, the OpenID Foundation is inviting public feedback on both (full details here).

With billions of people now having significant digital lives, how should legal systems and tech platforms handle what happens when owners pass away?

Honestly, it’s a travesty. My colleague and co-author Mike Kiser says, ‘death is not an edge case’. Yet many businesses fail to provide easy-to-find, easy-to-use mechanisms for individuals to proactively manage their data on these platforms. 

This results in multiple harms: lost access to financial instruments such as cryptocurrencies, lost digital memories such as photographs and videos, social media accounts that are posthumously un-managed, etc. 

In some of the worst cases I’ve become aware of, social media accounts of politicians and other public figures have posted new content after the owner has passed away, resulting in social media posts that appear to be coming from the afterlife! The owners of these accounts are impersonated by individuals with access to the social media credentials, allowing them to post on behalf of the account owner even after death!

How can financial institutions - banks - be impacted by this situation?

I’m not an expert on banking. However, there are non-traditional financial services, such as cryptocurrencies, that are often managed outside of the traditional banking systems. If users manage their own offline wallets, these assets may be lost and unrecoverable if data is not shared with the owner’s heirs. 

Similarly, custodial wallets at online services could be lost if the assets are unknown to the estate or if the credentials to the custodial wallet were not shared with the owner’s estate. 

My friend Jen Zegel has been writing and speaking about this for a few years now. Her podcast offers some great insights: Digital Planning Podcast. 

Why are families increasingly locked out of deceased relatives’ digital lives, and how can this be solved?

In my own personal life, this is my biggest concern. I have an archive of 25+ years of digital photos and videos, including audio and video of my paternal grandfather talking about his life. These treasured assets could be lost forever if I didn’t have a defined mechanism to transition these files to my wife and children. 

Many of these assets will be available to my family through Apple’s Legacy Contact feature. However, if I solely depended on this feature and also stored my passwords and passkeys in Apple’s Passwords application, my family would find that they cannot access these credentials, potentially be locked out of other services that hold my data. This is highlighted in Apple’s support articles: Data that a Legacy Contact cannot access.

For this reason, I recommend storing all of your digital credentials in a password manager/credential manager that supports legacy contacts. In our planning guide, which has been released for comment alongside our whitepaper, we make a similar recommendation.

How is AI creating new challenges by generating content and simulating dead people?

I see a few different issues here. First, some individuals are choosing to create AI avatars of themselves to be shared with their friends and family after death as a way to remember them. 

While the intentions of the individual are good, this can create new harms for the survivors who are presented with this AI version of the deceased, complicating their grief. Depending on the nature of how the avatar was created and managed, these avatars may say or do things that the person may not have said or done of their own accord. 

Second, individuals are using AI to resurrect others! In Arizona, USA, a man was killed in a road rage incident. When his killer was convicted, the victim’s sister created an AI avatar of her brother that was played in court during the sentencing phase of the trial. The avatar used the victim’s likeness and voice, but the words were those of his sister. Personally, I find this use of AI to be deeply problematic and unethical. 

Third, AI is being used to resurrect individuals without their consent. Ozzy Osbourne has been turned into an AI avatar by Rod Stewart, with the video played at his concerts. https://faroutmagazine.co.uk/rod-stewart-celebrates-ozzy-osbourne-with-strange-ai-video/. 

Similarly, AI was used to create a George Carlin comedy routine more than 10 years after his death. https://www.nbcnews.com/news/us-news/george-carlins-estate-sues-ai-generated-stand-special-titled-glad-dead-rcna135808. 

As a society, I don’t think we yet have a handle on the ethical use of AI when it comes to resurrecting the deceased.

How do companies navigate legal uncertainty when digital account holders pass away?

Since I am not a lawyer, I can’t really address this question from a legal perspective. However, in a previous role, a member of the customer service department asked, ‘How do we deal with the account of someone who has passed away?’ 

This led to interesting discussions about how the company could confirm a user had died, the rights of the survivors to their digital data (e.g., books, videos, other licensed content), and access to their account. 

Imagine this scene repeated across every consumer-facing digital company, and you can see what a significant problem this is.

How can companies manage deceased account holders when legal responsibilities differ across countries?

Again, from a lay-person’s perspective, what I can say is that platforms that host users' digital content need to consider how to manage the death and disability of their users in all of the jurisdictions in which they operate. 

Beyond legal concerns, there are also cultural and religious considerations that must be taken into account. My co-author, Mike Kiser, did a wonderful job exploring some of the different cultural and religious beliefs about death and how these should be accounted for when designing digital systems. How each digital service handles the death of its users must be culturally informed in order to design systems that work for their users and survivors. This is no easy task.

About author

 

 

Dean H. Saxe is a Principal Security Engineer at Remitly and co-chairs the OpenID Foundation's Death and the Digital Estate Community Group (DADE CG) and Interoperability Profiling for Secure Identity in the Enterprise Working Group (IPSIE WG). He is also a founding IDPro member. As an identity standards architect with 20+ years in information security, Dean is dedicated to shaping identity standards across IETF, OIDF, and other leading organisations.

 

About the OpenOD Foundation

The OpenID Foundation (OIDF) is a global standards body helping people assert their identity wherever they choose. Since 2007, OIDF has created secure, interoperable, privacy-preserving identity standards. OIDF’s OpenID Connect standard serves billions across millions of applications, while FAPI powers Open Banking worldwide. OIDF standards enable identity assertion and data access at an internet scale, connecting global networks. Individuals, companies, governments, and non-profits are welcome to participate at openid.net.