Welcome to the SecAware blog


24 May 2019

NBlog May 24 - leaving a digital legacy

Yesterday morning, I checked the ISO27k Forum messages as usual. Among the ping-pong of ongoing conversations was a sad request to stop emailing a Forum member who died just last week. His widow sent a few polite messages through his email account to the whole list, replying to an assortment of recent Forum emails. Presumably she didn't read or comprehend the 'unsubscribe' instructions from Google at the bottom of every message, and given the circumstances, it's entirely understandable - not least because I think she is Spanish, while the Forum and its instructions are in English.

Unsubscribing someone from an email list is a simple example – something that’s easy for those of us who frequently use managed mailing lists (or groups or reflectors or Special Interest Groups or whatever they are called) but is not necessarily obvious to those who don’t, especially when they are in turmoil, grieving and overloaded with a million difficult tasks all at once. It’s an extraordinarily stressful time. Thinking logically is an effort.

The same thing applies to other forms of social media, both professional and casual, plus various work systems, plus online banking, tax systems and so forth – online systems that our loved ones may need to access when we’re unable. And the same again for local accounts including boot passwords. These are our ‘digital footprints’.

Both pre- and post-mortem information security issues cover the whole CIA gamut:
  • Confidential passwords, passphrases, account numbers, IDs etc. may be (and jolly well should be!) hard or impossible for someone to retrieve on our behalf – password vaults being a classic example. Don’t forget that super-strong passwords/passphrases and biometrics are useless without the key person;
  • Integrity concerns mean we can’t simply demand access to someone else’s affairs: there are procedures to be followed, things to prove, legal and administrative hoops to jump through, which takes time and effort, plus there are trust aspects to this (to what extent should we trust those tasked with dealing with our affairs? What if they turn out to be unable, or unsuitable?);
  • Availability of information assets is certainly an issue: recall the recent story about the death of the Canadian CEO of a cryptocurrency exchange who had sole access to the vault holding $millions of customer as well as corporate assets? Without the essential key, the crypto did exactly what it was meant to do. Being unable to get into someone’s smartphone, tablet or safe deposit box without their PIN is an everyday example, and can be a distinct challenge even for the spooks.
It is generally possible for our survivors (or rather, ‘executors’ with the legal right to manage our affairs) to gain access to and control of, say, our bank and investment accounts, pensions and insurance etc. through official mechanisms, but for obvious reasons the authorization and control-transfer process is formal, tedious and can be slow … which can be a massive problem if there is a desperate need for cash to pay for household and funeral expenses etc.

A pragmatic approach is to think ahead. Make sure we don’t take all our super-duper passwords with us to the grave, for starters … which may mean referencing them in our wills (bearing in mind that a will can become a public document once probate is granted, so point to where the secrets are kept rather than writing them into the will itself), sharing them with our nearest-and-dearest or lawyers or trusted colleagues, or at least leaving behind sufficiently strong clues for someone who knows us very well (and isn’t totally consumed with grief) to figure out the secret phrase that opens our password vault. Simply letting someone know that we use a particular password vault is a good start, ideally showing them how it works. 

Making escrow arrangements for our source code is another example – a delicate subject that I need to broach, again, with a talented programmer friend. 

By the way, our simply forgetting a password or whatever can cause real problems. It’s not just about death. Forgetfulness, stress, overload, mental illness and old age can put us in the same spot. The sheer number of passwords and their complexity is the main reason that password vaults rock.

Giving someone we trust ready access to our email accounts is another tip, especially as so much revolves around email – including ‘lost password’ retrieval mechanisms for instance. 

That’s why hackers and social engineers are so keen to gain access to a victim’s email account/s. Aside from simply impersonating them and exploiting their social networks, the ability to reset passwords on other systems extends the identity fraud to every account that trusts that mailbox. Federated identity management can make this issue even worse: imagine all the mischief someone can do with control of your Google, Facebook, government or work ID!

There are other practical things we can do to prepare for our incapacity and ultimate demise, such as writing a will (in a proper, legally valid manner – not as easy as it may appear), maintaining/updating it (e.g. whenever we change our vault passwords), nominating and informing suitable executors (including ‘digital executors’ if that means anything to you and your jurisdiction), arranging insurance, clearing our debts and so on. Those of us lucky enough to have investments ranging from savings accounts, houses and businesses to golf clubs, vintage motorbikes and priceless collections of antique Star Wars figures (still sealed in their original boxes, naturally) can help by preparing written lists and descriptions of our assets with approximate “fire-sale” values and either instructions for their disposal or who to contact for help …

… And that leads to my final Hinson tip for those of you still reading and thinking about this dark and depressing topic: we can help each other. Aside from ourselves, what about our relatives, friends, colleagues and acquaintances. Are they on top of this? Do they need a hand to understand the issues and make preparations while they are still able? Would they welcome our assistance post-mortem? What about organ donation: is that something they'd consider?

This is a tough topic to raise and address, taboo for some, but the alternative is even tougher. 

If I’ve set you thinking, there are loads of resources on the web. If you find anything particularly helpful and interesting Out There, or have anything you’d like to add or modify in what I’ve said here, please comment below. This is NOT a taboo topic. It deserves a good airing.

PS  Further suggestions from friends and colleagues:
  • "I have a file in my desk labeled Death. It leaves instructions for those that will survive me, and includes the password to my password safe." [Not so useful if you die in a house fire though ...]
  • "I have a password vault with a password that uses an algorithm that needs to be derived using some obscure documented rules that only people very close to me would know." [A little puzzle, what fun!]
  • "Someone I know has a two part password to a password vault where his wife has one half and a close friend who lives abroad has the other half." [That's fine if they both survive your friend, and can both be contacted!]
  • "My password vault also has instructions on what to do with each account e.g. 'Log onto this hotel booking site and cancel any bookings'" [... or opt for a late check-in maybe] 
  • "As with all business continuity plans you need to tell people about it and test it from time to time. Every so often I get one of my children to “test” my BCP to make sure they can get at my passwords. This is one of those kinds of BCP that you are 100% certain will need to be invoked at some point and where the key objective is to minimise the impact on your loved ones. Don’t underestimate the importance of doing something like this." [True. It's so sad to hear about grieving family and friends facing additional nightmares due to the departed's lack of foresight and prep. Denial is a fifth form of risk treatment after avoidance, mitigation, sharing and acceptance.]
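The ‘two halves’ arrangement in the list above is a 2-of-2 split, and the catch in my bracketed comment (both holders must outlive you and both must be reachable) is exactly what threshold secret sharing removes. The following is an added example, not code from the original post or from any of the friends quoted: Shamir’s secret sharing in Python over a prime field, splitting a vault passphrase into three shares of which any two recover it, so one lost, estranged or unreachable holder is tolerated. It generalises the two-holder idea to any k-of-n; the function names and the sample passphrase are my own.

```python
import secrets
from typing import List, Tuple

# Mersenne prime 2^521 - 1: all arithmetic happens in the field GF(P).
# Secrets are prefixed with a 0x01 marker byte and encoded as one integer,
# so a passphrase may be up to 64 bytes long (65 bytes < 521 bits).
P = (1 << 521) - 1
MAX_SECRET_LEN = 64

Share = Tuple[int, int]  # (x, y): one point on the hidden polynomial


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (constant term first) at x, mod P, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Split `secret` into `shares` points; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree
    threshold-1; share i is the polynomial evaluated at x = i (1..shares).
    Fewer than `threshold` shares give no information about the constant term.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if len(secret) > MAX_SECRET_LEN:
        raise ValueError("secret too long for this field (max 64 bytes)")
    s = int.from_bytes(b"\x01" + secret, "big")  # marker keeps leading zeros
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Share]) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 and decode the secret.

    Pass exactly `threshold` distinct shares. With fewer, interpolation still
    yields a number, just the wrong one; the marker byte catches almost all
    such cases (a wrong value starts with 0x01 only ~1 time in 256), so the
    threshold itself should be recorded alongside the shares.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P          # prod (0 - xj)
                den = (den * (xi - xj)) % P      # prod (xi - xj)
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    if raw[:1] != b"\x01":
        raise ValueError("wrong or insufficient shares")
    return raw[1:]


if __name__ == "__main__":
    # Constructed sample passphrase, not a real vault secret.
    passphrase = b"correct horse battery staple"
    holders = ["spouse", "friend abroad", "lawyer"]
    pieces = split_secret(passphrase, threshold=2, shares=3)
    for who, (x, y) in zip(holders, pieces):
        print(f"{who}: share #{x} = {y:x}"[:60] + "...")
    # Any two holders suffice; the lawyer and the spouse here.
    print(recover_secret([pieces[2], pieces[0]]))
```

Each holder gets one (x, y) pair plus the threshold; storing the pairs in three different places (and formats: paper, a lawyer’s file, a USB stick) is what makes this better than the single "Death" file that goes up in a house fire.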
