Life, death, and online identity: What happens to your online accounts after death?


The rapid technological advances of recent decades have transformed nearly every aspect of our lives. One major shift is that many of us now maintain extensive digital footprints, spanning countless online accounts, from email and social media to banking, investments, cloud storage, utility payments, and more.

In life, we work hard to protect these accounts from others, particularly cybercriminals. Yet when death or incapacity strikes, ensuring that our loved ones have legal access to them becomes critically important.

This emerging area of asset management remains in its early stages, facing a complex technological landscape, fragmented (or nonexistent) legal frameworks, and significant systemic gaps.

To address these challenges, the OpenID Foundation (OIDF) has been developing a new whitepaper and a digital estate planning guide that examine this issue on a global scale.

In this Help Net Security interview, Dean H. Saxe, an OpenID Foundation member and long-time contributor to digital identity standards, discusses this initiative and what the Foundation hopes to accomplish with them.

(Dean H. Saxe’s answers have been edited for length and clarity.)

Why did the OpenID Foundation decide to focus on the problem of what happens to digital assets after death, and why do you think this issue has been neglected for so long?

I became interested in this idea in 2010, when a close friend of mine passed away unexpectedly at a young age, leaving behind his wife and two young children. We both worked in security and his data was difficult for his family to obtain after his passing.

At the time, I considered how we could implement a dead man’s switch that would activate after a specified period of account inactivity. This could be used, for example, to release account credentials to a chosen loved one. However, the penetration of credential managers was very low at the time, so the idea was put on the back burner for years.

In 2022, I was in Berlin for the European Identity & Cloud (EIC) Conference. The FIDO Alliance had just announced synced passkeys, a significant development that highlighted both a challenge and an opportunity. The challenge was that digital credentials, such as passkeys, would not allow an individual to write down their credentials, creating more barriers to accessing the digital estate of an individual after death. The opportunity, however, was the increased use of credential managers that would occur as passkeys became commonplace for most users.

I shared my ideas with a select group of identity standards architects, including Vittorio Bertocci, a friend and mentor. They all agreed.

Unfortunately, Vittorio got sick and passed away on October 7, 2023. In the following weeks I talked to members of the identity community at the Authenticate Conference and the Internet Identity Workshop. Each of these conversations helped move forward the ideas that eventually became the Death and the Digital Estate Community Group (DADE CG). The group was chartered in September 2024 and began to meet regularly in November 2024.

As to why this issue has been neglected for so long, I cannot say for sure. However, many of my friends and colleagues are uncomfortable talking about death and thinking of their own mortality. I, too, am uncomfortable with the topic! I think that’s a natural barrier that has prevented us from making headway until now.

What kind of problems do businesses encounter and what kinds of risks do companies face when employees or customers pass away without a clear digital estate plan?

I first encountered this problem a while back in a previous role when a customer services team member came to me with the questions: “What do we do with the account and digital assets of a customer who has passed away? How do we verify they have died?”

At the time, there weren’t any runbooks for how to handle the death of a customer. Once again, because many people are uncomfortable discussing death, we had not planned for it. In my own experience working with various organizations, it’s clear that we fail to consider what to do when our customers or users pass away or become incapacitated. And until we pave a clear path for organizations to follow, it is unlikely that we’ll see broad adoption of mechanisms for managing death and the disposition of users’ digital assets.

I see two clear problems for companies today: First, how do you prove that a customer has died? Second, how do you ensure that the customer’s digital assets are handled in accordance with their wishes?

In the first case, proving the death of a user will depend on the jurisdiction in which they died, so unique processes will have to be created depending on the jurisdiction. This is incredibly difficult and time consuming to manage on a worldwide basis.

In the second, there is no clear pathway to establish who is responsible for the decedent’s digital assets and how they wish to have them handled. (Though kudos to Apple, Google, Facebook, and other organizations that have established mechanisms that individuals can configure to establish a mechanism for their chosen legacy managers to handle their accounts in accordance with their wishes.)

But we still lack a universal set of mechanisms that operate within the context of law and culture to manage a digital estate.

Should some accounts be inheritable (e.g., accounts where you pay for games, books, etc., or accounts storing digital art and other creative digital works)? That is, should the contents be inheritable?

I’m not a lawyer, so I don’t feel like this is an area I can weigh in upon. However, if these assets are inheritable, there must be a pathway to enable this inheritance which may, or may not, exist today.

How is AI, and especially tools that generate content or simulate people’s voices and likenesses, making this issue more complex? This seems to me a completely novel problem – who has the “rights” to this “material”, and are companies already misusing the access they have to photos, videos and audio recordings?

We’re in the early days of understanding how AI impacts death. There are tools that allow individuals to create AI avatars of themselves for their friends and family to “speak” with after death. This is behavior that the individual will have consented to.

On the other hand, there are AI avatars created without the knowledge or consent of the deceased. In one famous case, a murdered man’s sister created an AI deepfake of her brother which was played in court during the sentencing phase for the person who murdered him. The images were of the deceased man, but the words he “spoke” were those of his sister.

Is this right? Is this wrong? I can only speak for myself to say that this makes me incredibly uncomfortable.

The current draft of the paper says that “digital estate planning will not be viable at scale until the technical stack supports delegation that is verifiable, revocable, interoperable, and usable by the average person with or without legal representation. Service providers, such as social media sites, cloud services, and online crypto wallets, require digital estate services to manage their users’ legacy managers.” Can you see this happening without regulations? What’s the incentive for service providers?

Today, we lack the tools (protocols) and the regulations to enable digital estate management at scale. Law and regulation can force a change in behavior by large providers. However, lacking effective protocols to establish a mechanism to identify the decedent’s chosen individuals who will manage their digital estate, every service will have to design their own path. This creates an exceptional burden on individuals planning their digital estate, and on individuals who manage the digital estates of the deceased.

For example, some services require the use of impersonation – logging in as the user with their credentials – to close their digital accounts. But impersonation can be abused. There have been many instances of deceased individuals “posting” new content on social media accounts after their death.

The incentive for service providers to resolve these gaps is unclear to me. While I hope that they are incentivized by being good citizens of the world, this is unlikely to create the change we need.

If laws don’t catch up quickly, do you think people will start treating their digital assets like “contraband”, e.g., secretly sharing passwords or creating shadow archives to bypass companies?

Sharing of credentials is already happening and, in many cases, is a recommended practice due to a lack of other mechanisms for managing digital assets.

What are the most important aspects that need to be addressed correctly to achieve satisfactory digital estate “handover”?

I encourage you to review the planning guide we released for public comment alongside the white paper.

However, to answer the question, I encourage individuals to document their digital estate: list every online account including social media, financial, insurance, healthcare, email, cloud file storage, etc., along with the username for the account. Ideally, all this information along with the user’s credentials (e.g. passwords, passkeys, and OTPs) is stored in a suitable credential manager, such as 1Password, Bitwarden, or Dashlane. The data should include specific instructions, where relevant, regarding your wishes for handling of the data after you have passed away.

For example, you may wish to have your Facebook account memorialized while your blog should be maintained for five years before being shut down and removed from the internet. The data is yours – take care to be explicit about how you’d like it to be handled after your death.

The individual should store the necessary data to unlock the credential manager in a secure place that can be accessed after their death. Depending on their circumstances, this may mean leaving the data with their lawyer or other estate planning professional. If the data is provided to a loved one, there is a risk of abuse of the trust they have placed in this individual.

Finally, work with a lawyer familiar with estate planning and digital assets to ensure that your digital estate is properly represented in your estate documents, along with your specific wishes for each account and the data contained within the account.

You’ve been involved in this project for a while. Were there any comments that surprised you? And were there aspects you hadn’t considered before starting the project?

Absolutely! Early in the DADE work a member of the community group expressed discomfort with the word death. In their culture, it is considered impolite to use such terms. As an American growing up culturally Jewish, my view of death and related practices were influenced by what I observed in my own life.

My co-author, Mike Kiser, did a masterful job of documenting some of the different belief systems and practices around the world that impact how individuals talk about, think about, and manage death. I’m glad to have a partner like Mike to help expand our understanding of the cultural and religious practices around death and dying to inform our work.

If we are to be successful in developing protocols for managing digital estates, the protocols must be flexible enough to account for the different practices and laws found around the world. I look forward to learning more as we continue this work to ensure that all humans worldwide can manage their digital estates in a way that is culturally and religiously appropriate.

What do you hope this white paper and guide will change, in terms of public awareness and industry standards?

When we set out to write this paper, we wanted to influence the large technology and social media platforms, politicians, regulators, estate planners, and others who can help change the status quo. Further, we hoped to influence standards development organizations, such as the OpenID Foundation and the Internet Engineering Task Force (IETF), and their members.

As standards developers in the realm of identity, we have an obligation to the people we serve to consider identity from birth to death and beyond, to ensure every human receives the respect they deserve in life and in death.

Additionally, we wrote the planning guide to help individuals plan for their own digital estate. By giving people the tools to help describe, document, and manage their digital estates proactively, we can raise more awareness and provide tools to help protect individuals at one of the most vulnerable moments of their lives.


The comment period for the paper and guide ends on Friday, October 24th. Instructions for how to send in comments can be found here.
