Protecting Digital Privacy After Death
Katherine: Hi everyone and welcome to the inaugural episode of Planning for Inheritance, a Sunnybranch Wealth podcast covering, as the name suggests, all things inheritance. Today we're going to be talking about what happens to digital assets when someone dies, and what inheritors need to know to prepare themselves. I'm your host, Katherine Fox, founder and advisor at Sunnybranch Wealth. I'm an inheritor, and I built Sunny Branch to serve current and future inheritors who need help talking to their parents about their estate plan, navigating the estate settlement process, or figuring out what to do after they inherit wealth. Before I introduce our guest today, I'd just like to make a quick note that, the Sunny Branch Guides for Inheritors are available for free to anyone who is struggling through any part of the inheritance process. You can find that guide on my website. www.Sunnybranchwealth.com or get a copy via Instagram @sunnybranchwealth.
With that housekeeping out of the way. I am so excited to announce our first ever guest on the podcast, Gennie Gebhart, managing director of technology at the Electronic Frontier Foundation. The Electronic Frontier Foundation, or EFF, is a nonprofit dedicated to defending digital rights. At EFF, Gennie currently oversees the organization's technology focused teams and has extensive experience advocating for consumer privacy, researching third party tracking and secure messaging, and teaching people how they can take steps toward better privacy and security online. Gennie, welcome. I'm glad you can join us today.
Gennie: Thank you so much for having me, Katherine. I'm happy to be here.
Katherine: All right, let's dive right in with the basics. Can you explain to listeners what can be thought of as part of someone's digital estate? I know we all interact with the internet every day, so I'm thinking email and social media, but I know that the scope of our lives online are much broader than just those two platforms, right?
Gennie: Absolutely. And it's so hard to define someone's digital estate because at the end of the day, our digital lives are our real lives and vice versa. Offline and offline, they're all the same. So email and social media are a great and clear place to start. And from there, I just think about what else requires an online account to access and manage, that includes a lot of things that inheritors are going to want to keep track of. Banking accounts, credit card, investment accounts, as well as any other accounts or identities online that information is tied to. A lot of people save their card information to websites like Amazon and Target, Lyft, Uber, a million other Random places online that will differ from person to person. I think about utilities, electricity, internet, cell phone plans are often managed online and have a lot of sensitive information tied to them. And just the long tail of random accounts that you opened and used once and then forgot about. We all have a fitness app that we downloaded but then ditched.
Maybe you signed up for an account to order tickets to a play from a theater's website. Those are all still hanging out there in the ether. So that's the account side that I like to think about, also just think about records , that could be files that are downloaded to someone's computer. It could be something stored on Google drive or Outlook that might require a login to access. This is just as wide ranging as the accounts. This is somebody's file cabinet, you could be finding family photos and treasured recipes right next to insurance documentation and property deeds. So all those records are going to sometimes be accessed differently than an online account you have to sign into.
And going back to email and social media really briefly, online correspondence is also a really valuable and important record, email and social media. Those are our modern address books that could be really important to access and look for that type of information specifically, and just the final thing I like to think about when I say that online and offline are all the same, I think physical devices are very much a part of your digital estate.
Your computer and your phone might have files on them that aren't saved elsewhere. You may be logged into services on those devices already, and even just having access to a physical phone. and the phone number associated with it. That can be a really strong identifier that's tied to all the online accounts we just talked about as well.
Katherine: Okay, so it sounds like it should be a pretty easy thing for people to get their heads around, right?
Gennie: Very easy, very simple, very streamlined.
Katherine: So you just went over a huge amount of online data. We have our physical devices, we have our email, social media. We have all the apps we've ever logged into once. I'm sure anyone listening can open up their phone and go through that app list and look at the ones that you signed into, opened once and haven't opened in the year, years since.
Can you talk us through what happens to all this digital property when someone dies? Does it, is there any sort of system for it to expire or is this all just going to sit out on the internet forever?
Gennie: My answer is slightly frustrating and it's like doctors and lawyers and security people all like to say it depends. But it really does depend what kind of data or what kind of account we're talking about, some things will truly sit out there forever and we all know about that already.
Posts you made on social media. They're just sitting there and they will continue to do so after you die. Most social media platforms offer an option for your loved ones or representatives to memorialize your page, but they're not going to scrub it of old posts for you. And they're also not going to scrub it of all the personal information that your social media account might contain.
Other things will get shut down after a period of inactivity, but That period of inactivity differs depending on the provider. Email is one thing like this. Most providers will shut down an account after a year or two of inactivity, but a lot of things, they will truly just sit there. I think if I had to choose a default that I'd expect for most things, most of the time, if it's on the internet, I would expect it to just sit there forever.
Katherine: Yikes. For those things that do shut down after a period of inactivity, what does shut down mean in the context of an email account?
Gennie: That is a great question.
Katherine: gone forever?
Gennie: I would, I think it's safe to assume that it is gone forever, at least for what you can access. It's a totally different question for Any of these accounts, whether you're deleting them manually or wondering what will happen to them, what does it mean for something to be deleted?
What does it mean for something to be shut down? Maybe it means you can't access it. Is it still hanging around on the company servers? What does that mean for different people's situations? But I think in the case of email, you'd want to check with a particular provider you're thinking about. Gmail or Yahoo or otherwise, they all have different policies, which is very frustrating and confusing.
But I think it's safe to assume that if your account is shut down after a period of inactivity, it means it's no longer accessible. First of all, that's the most immediate important thing, it means you can't log into it. It might mean that the namespace, quote unquote whomever at gmail.com, it might mean that namespace is now free for someone else to use. It might not. But I think the main thing is that It is no, the information in there, the content in there is no longer accessible to you or anyone else. That is the main thing to remember.
Katherine: Got it. So with everything that you just went over, we have a lot of information to dive into. But before we do that, I know your work at EFF focuses specifically on consumer privacy and security. Are there specific digital security issues that estate executors, administrators or inheritors need to look out for after someone dies?
Gennie: Absolutely. And they're very similar to the security and privacy issues that everyone needs to look out for in different ways. I always say that the most dangerous thing on the internet is a link. Or a person pretending to be something that they are not. At the most basic level, that's phishing, and we've all encountered that.
Someone sends you an email or text. They're pretending to be the lottery. They're pretending to be the IRS. They're pretending to be Amazon. They're trying to get you to click on a link and give them something. Often account credentials to log into an account or bank information or something like that.
Everyone should always be on the lookout for this. And we're all somewhat familiar with it. One more level sophisticated is spearfishing. That's combining a link or a person pretending to be something they're not with publicly available information about you. So this would look like someone sends you a message pretending to be your alma mater.
That is visible on your LinkedIn page, and they're claiming to be from your university alumni association. They want you to click on something and give them some information. Or, there's a picture of your grandkids on your Facebook page, and you get a phishing email claiming to be from one of them.
Stuck in a pinch. Those are the classic examples. This could look a lot of different ways. But the important thing about this type of phishing, quote unquote spear phishing, is that it's more rare. Because it means that someone is targeting you individually, targeting your company, something you're affiliated with.
So the thing I'd be really worried about for inheritors with this type of scam is if the news of their inheritance has been shared or publicized, or if they have reason to believe that someone Maybe targeting them specifically, even with these types of phishing, people are somewhat familiar with this.
I'm guessing this is something your listeners might've heard of or even encountered before. There's also a more recent, newer trend along these lines. That's called pig butchering, a very weird name, but it's a type of tech scam that tries to extract money from someone over a long term period. It has this really weird name, right?
Cause it's trying to Take everything that somebody has through this scam and you may have run into it and not really know what it was, it looks like a weird text, something like, “Hey Ron, did you get pizza for the party this Friday?” You are not Ron. You're not going to a pizza party.
Or, “Hey, I'm so sorry. I can't make it tonight. Tell the group I say hi.” And it seems like a wrong number. And this weird. Text is trying to pique your curiosity and get you to respond because over time, “Hey, you won 5 million on lottery.” Like people have started to not fall for that. So this is a slightly more sophisticated version of fishing.
And typically these quote unquote, pig butchering schemes, they end with the promise of a Bitcoin or other type of investment that's backed up by a very elaborate and convincing, but fake website and trying to extract money from victims through those, for any of these types of scams, I would also be especially worried about inheritors being vulnerable to someone saying they're someone they're not online, because these schemes prey on people who are rushed, who are lonely, and who are emotionally stressed.
All sorts of smart and intelligent, tech savvy people fall for these scams. I consider myself all these scams, and I can tell you. I fell for a Bank of America scam once. Anyone can fall. I remember the moment when I clicked on the button, giving all of my bank account information, not my credit card information, my bank account information, to God knows who.
Then I cancelled my card, but, why did I fall for it? I was really rushed that day. I was alone, I was at work in an office. There was no one around me. I didn't have anyone I could call really quick and say, Hey, can you, private bank of America be emailing me? Can you check this out? And I was desperate to just get through tasks.
I wanted to do whatever this email told me to do and just move on to the next one. And. If you're in a situation where you're an inheritor, you're managing a state, you might also be in a lot of those situations in that emotional state. That is what these scams are counting on. You have to remember that the most effective and the scariest digital threats, they are not technically sophisticated.
They're emotionally sophisticated. And the good news there is that you don't have to be some kind of like tech wizard to effectively defend yourself. from these kinds of threats.
Katherine: Wow. I think , it's such a great reminder, just that message that these aren't technically sophisticated threats, these are emotionally sophisticated. And also probably reassuring to our listeners that even experts aren't immune, , from having a bad day, being busy, trying to get to inbox zero and just clicking through something and then realizing after the fact, oops, guess that, wasn't what I was supposed to do.
Gennie: That is absolutely right. Yep. Everybody can have a bad day. None of us are immune. But there's easy things we can do to make ourselves less vulnerable.
Katherine: And I imagine in addition to being stressed, being emotionally vulnerable, working through a really difficult situation, if you're an inheritor, an estate executor, administrator, you're also dealing with a public loss. So there could be, fraudsters, Fishers, if you can call them fishers, who are reading the obituaries, right?
Generally, when someone dies, there's going to be a reasonably detailed obituary that's been published and saying, oh, this person died. This is what they did. This was where they lived. And these are the people that are still alive that are related to them. So can you talk a little bit given all the increased risk that inheritors are facing, can you talk about how they can protect themselves from these threats?
Gennie: Definitely. The first thing to start with when we're thinking about those phishing and pig butchering scams we just talked about, just watch out for messages that are too good to be true that are out of character, or that are urgent. And just when in doubt, Take a beat. Ask somebody else to take a look.
You can confirm the message through another medium. Amazon texts you, you want a thousand dollars. If you log into your Amazon account, surely your thousand dollars will be there, right? If you get a weird email from your bank, just log into your bank account, right? It's all about just slowing down.
And if you can, having a second pair of eyes like that is all it takes to beat the most dangerous thing on the internet. From there. Think about what these scams are often trying to do. They're trying to get you to click on something that will harm or compromise your device or some way, or they're trying to get a password out of you or some information so we can take steps to minimize the effect of either of things.
Ha, either of these things happening. And I have three main things that I tell people in order of importance. They are, one, keeping your software up to date. Two, using unique passwords, and three, using two factor authentication. I often tell people these three things, and they're like, What? I'm not supposed to go download antivirus?
I don't need to buy a VPN? No, you probably don't have to do those things. You might, but if you're in that kind of situation, you should not be getting your digital security advice from a podcast. You should be talking to someone individually. But for 99 percent of people, 99 percent of the time, Doing these three things is going to protect you from 99 percent of threats.
So briefly, I'll just tell you a bit about why to do each of these things. Keep your software up to date. There are new viruses. There's new exploits and scary ways to compromise your device coming up every single day. And the very hardworking people at Apple and Microsoft and wherever, they are keeping track of these and they're releasing updates to address these issues.
It's often called a security patch. Once that update is out of the world, once you get the pop up on your screen, your computer is broken. The whole world knows about the security problem on MacBooks or on Windows or whatever, because everyone can see the security patch and there are a lot of people trying to reverse engineer it so that they can send you a phishing email.
And have you click on the link and mess up your computer and all you need to do is click update and you can benefit from the hard work of all the folks at Apple and Microsoft. This is often the thing people are resistant to do. It's right. Oh, like it can mess up my software. It can move things around.
I often hear people say Oh, when I update my computer, it breaks my software. But like I said, Your software is already broken. That's why it has an update. Brush your teeth, wash your hands, update your software. This is if you don't do anything else, this is the number one thing that will help protect you from all manner of scary things online.
Second use unique passwords. A lot of us just use the same password across different websites. It's easy to remember. You might add a one or like an exclamation mark to the end. You might go extra fancy and have a scheme where you have your password and you add facebook or Gmail.
And I'm telling you, if it's easy for you to remember, it is easy for someone else to guess. A lot of passwords use birthdays wedding anniversaries, pet's names. These are maiden names. These are all very easy to figure out for a dedicated Facebook or LinkedIn sleuth or public records sleuth.
So use unique, random passwords. That means, if one account is compromised, somehow the passwords leaked, you accidentally get phished, you had a bad day, all the other accounts are safe. This can get really hard because you can't remember all these. It's hard to keep track of. So I recommend people use some way to manage your passwords.
This could be a notebook. This could be a spreadsheet. This could be a dedicated password manager, a type of software that just manages your passwords. It's very good at that job. Whatever way works for you to keep track of your unique passwords. That is fantastic. And then finally, this is like expert level, but again, like a little bit of effort for a lot of benefit to your digital security use two factor authentication.
That means that when you log in to an account, it asks for your password. And then it also asks for a second thing, a second factor. And everyone already uses two factor authentication without even knowing it, when you go to the ATM, it asks for your pin, that's a password. And it also asks for your card.
That's your second factor. So there's a lot of forms of two factor authentication and We can talk about maybe in the show notes, putting in some links to EFF's guides to two factor authentication. It can look like a text code that's sent to you when you log in. It can be a code generated by your device.
It takes a little bit of getting used to, but then it's just in your regular routine. And if someone were to get your password, it means they can't get into your account. They don't have your phone or your text or your second factor. Of course, I'm giving Advice for you, the inheritor, but the person who's a state you inherited probably didn't do any of these things.
Let's be honest. Most people do not use unique passwords for each account. And I'm betting that this person who's a state you've inherited also did not do that. And as accounts hang around longer and longer, we talked about all those accounts that are part of the digital estate. That can be a huge problem because in my professional opinion one of those accounts will eventually get breached.
There will be a weird password leak, like something will happen. If they're just hanging around out there, they're a liability. And if your person used the same password on their throwaway fitness subscription as they did on Gmail, as they did on bank accounts, then all of a sudden when that throwaway fitness subscription gets breached, then Gmail and your, and those bank accounts are in trouble as well.
That's something to think about as you prioritize what parts of the digital estate do you want to take care of first, you have an endless to do list and somewhere on there, not necessarily near the very, very top, but it's something to think about. Okay. How do we minimize the number of accounts hanging around or at the very least?
How do we make really unique random passwords for the ones that are important?
Katherine: So that, that's a lot for people to remember and a lot for people to do, but I appreciate the rundown and especially the [00:19:00] simple steps that people can take, right? Update your software. Use unique passwords, use two factor authentication. These are things that everyone can do and they won't take too much time to integrate into your life or if you're managing an estate to secure that digital estate while you focus on other things.
Gennie: You've got to.
Katherine: We will also, for anyone listening, put the links to the guides that Jenny mentioned in the show notes. So if you're interested in learning more, you can do that there. So Gennie, now we're going to get to the big money question. Suppose a loved one of mine dies. I have a list from you of all of the areas of their digital life that I need to consider and manage.
I know that there are specific privacy concerns I'm looking out for, but I don't have anything. I can't even update passwords or put into two factor authentication because I have nothing. I have no passwords, no access. What am I supposed to do now?
Gennie: My first reaction is that I am so sorry because you are in for a very wild and very frustrating ride. One that I watched a family member go through recently when another family member passed away. But there are some places to start. And if I were in this situation, here's where I would start. Is there a laptop or a phone or another device?
Open it up. Am I able to access it? Maybe this person was logged in somewhere already, and you can start there. What you really want, if you wanna prioritize what you need to get access to email access and text message access, because once you have those, you can probably use them to reset everything else.
Are you able to access text messages on this person's phone where they already logged into their email on their computer? These are a couple places to start. Of course, Those devices might be locked with their own password, right? A lot of people have a swipe to open their phone. They have a password for the laptop and then we're back at square one.
Maybe all of a sudden this digital security liability could be your friend. Did this person use really predictable passwords with like their pet's name and and their wedding anniversary? You can try that did they write down their passwords anywhere? Sticky notes. All for some reason, as humans, we just feel a compulsion to write passwords on sticky notes.
Try to be a little bit of a detective, right? Try to find these things. The guesses are free, right? To try to maybe get into a device. But a word of caution with guesses, again, a place where a lot of us start, a place where I would certainly start many devices and accounts will start to lock you out.
After too many incorrect password attempts, and that can just be frustrated and slow you down, right? I know that apple devices, after a certain number of wrong password attempts, they lock you out for a minute. You keep trying, they lock you out for five minutes, an hour. It's not the end of the world.
It's just so frustrating and a slap in the face. And so maybe something you'd want to avoid. So if nothing works and you're still locked out, you will have to go to the companies behind the platforms. That you want to access and go through their process, which are all maddeningly different [00:22:00] and promise different things.
So it's the, and I think a question of prioritizing what is the most important thing for you to access and then, okay, what are the steps we need to take to talk to this company or talk to this bank? What's the documentation they need and start there.
Katherine: Can you talk a little bit more about that? Say I'm totally in the dark and I just need to get access to a deceased family members, email their, say their Gmail account. What kind of response am I going to get from these companies? I don't, is there a phone number for Google? I don't think so.
Gennie: There is no phone number for Google. Yeah, but I would say just unfortunately as a blanket expectation, do not expect much. Google does have, not a phone number, but they do have existing processes to work with family representatives to close an account, for example. But to my knowledge, there's no promise that they'll give you content.
And they definitely will not give you passwords or login credentials. If I recall correctly, and again I'd have to look this up, I think Yahoo won't help you at all. That's just their policy. And what's extra frustrating is that these policies change all the time. With no announcement or warning, why would they announce that?
But it seems very it's very frustrating. It's very closed, right? Like, why won't they give me access to my family members information and account? But honestly, from where I sit as a kind of consumer privacy and security advocate, it makes sense. At the end of the day, for better or for worse, these companies have an obligation to their users, privacy and security, and they don't really have an interest in granting access to a user's private information.
So You I think I've heard of specific high profile cases where it's become a legal battle. But I've also heard of specific high profile cases where Apple wouldn't grant access to a deceased family member's family photos to the family because that's private information on iCloud. That's the policy.
So I think just brace yourself for a frustrating response that might not get you the information or access you're looking for. from the company. Another thing people often wonder about is social media companies. They can help you close an account or memorialize an account and make it a memorial page.
They have pretty well documented processes for that, but they also most likely won't give you access or login credentials. I wish I had more specifics and like more. Tips here, but really just my heart goes out to anyone navigating these processes because they are so frustrating and they can't be avoided with a little bit of planning.
Katherine: Yeah, absolutely. And I just want to for anyone listening who is planning ahead and starting conversations with their parents about their end of life wishes about their estate documents talking to your estate planning attorney about how to protect and give people access to your digital property after you die is a huge piece of this.
So we're really talking today about, What happened, what the security risks are after someone dies. And also for people whose loved ones didn't plan ahead, what you can do, but there are ways to head this off at the past with proper planning and including your digital assets as part of your estate. That is all the time we have for today. Gennie, I want to thank you so much for joining us, sharing your knowledge and expertise and insights with our podcast audience.
Gennie: Absolutely. Katherine. Thank you for having me on. This is an important topic and I really enjoyed discussing it with you.
Katherine: For anyone who is interested in getting in touch with Gennie or learning more about the Electronic Frontier Foundation, you can find her at Gennie, that's G E N N I E, at E F F dot org. You can also check out the Electronic Frontier Foundation at E F F dot org. Thanks everyone again for spending this 30 minutes with us.
You can tune in next month for the next episode of Planning for Inheritance with Sunnybranch Wealth.