SecureMac, Inc.

The Checklist 80: Digital Legacies

March 15, 2018

For all our listeners of The Checklist, it is no secret that we are strong advocates for security. Usually, we come on this show to talk about how to secure your digital life and keep unauthorized individuals from snooping through your information. Security is important, and in just about every situation, it’s not just desirable — it’s necessary. There is one unfortunate scenario, though, when it quickly causes problems: when …

The Checklist 80: Digital Legacies

For all our listeners of The Checklist, it is no secret that we are strong advocates for security. Usually, we come on this show to talk about how to secure your digital life and keep unauthorized individuals from snooping through your information. Security is important, and in just about every situation, it’s not just desirable — it’s necessary. There is one unfortunate scenario, though, when it quickly causes problems: when you’re not around anymore to enter your password or walk through the reset process.

On today’s show, we’re thinking about the digital legacies we leave behind after we pass. It might seem like an unusual subject; when was the last time it was something you considered? Yet that’s exactly why we need to think about it; with more of our lives “going online” and treasure troves of valuable and necessary personal information and paperwork now stored behind passwords and encryption, we need to consider how to make it properly accessible when your family needs it most. Today we’re discussing ways that allows your loved ones to reach important information in the event of your death. On our list for today:

  • Make sure family can access your devices
  • Store important information securely
  • Backups can be critical
  • Different service providers, different rules
  • Digital property

Today’s discussion doesn’t just draw on best practices and common sense, but also comes from real experiences. Trying to sort out someone else’s digital legacy can be exhausting and emotionally draining, such as trying to solve a puzzle where you don’t quite know what you’re looking for. We hope that the subjects we cover today will inform you about ways in which you can set up a secure legacy that doesn’t compromise your general safety, so that your loved ones can avoid these same difficulties.

Make sure family can access your devices

Access is the first and perhaps the most important factor to consider. Everything else you do regarding setting things up to leave behind digital systems that your family can access won’t matter if they’re unable to get past the password prompt at the start. That means you should think about how to allow them to get in to places such as the primary or administrator account on your desktop computer or laptop, as well as mobile devices like your iPad or iPhone. The last thing you want, especially with Apple devices, is to put your family in a situation where they must start guessing passwords. There are two reasons for that.

First, have you ever tried to guess someone’s password? Even if you know them very well, it can be incredibly time-consuming. On iOS devices, the system will force a waiting period between attempts after too many incorrect passwords, adding an even bigger time delay. What if you used a password that was just a series of alphanumeric characters with no rhyme or reason to them? No one is ever going to guess it; similarly, even a 4-digit iOS passcode presents thousands of possible combinations to try.

Second, repeated guessing could put the data itself at risk. Do you use the setting on your phone that automatically wipes your data after ten failed unlock attempts? It’s a great option if you’re concerned about theft and want to protect your device, but it could mean your family ends up losing it all if they exceed the limit trying to get into your device. It’s not just valuable information that can disappear — it’s mementos such as the photos on your camera roll, too. From the outside, there’s no way for another user to know you have the setting enabled, so they could easily run through 10 attempts in one sitting and mistakenly wipe your data.

Now, we’ve talked on this show several times about how you shouldn’t write down passwords. Generally, that’s true. You don’t want to write them all down and put them on a Post-It stuck to your monitor, and you don’t want to keep them in a drawer that just anyone could open. That said, it’s important to write down some of your important passwords for storage in a secure location. Keep them updated, too; whenever you change the password to log on to your machine or to get in your phone, make sure to update your records. An old password will put your loved ones back at square one.

The best option is one that is easy to access but also secure. This could mean living a list in a sealed envelope with your lawyer, or inside a small safety deposit box down at your local bank branch. Whichever method you choose for storing some of your passwords in hard copy, make sure you’ve communicated with your family about its location and how to access it in the event of an emergency.

Store important information securely

Now let’s think about what your family might need to do once they’ve gotten access to your computer. At that stage, they might need to dig through your files to get at important financial information or to make other determinations — and that’s before we even consider data that might be of sentimental value to them. How good are you at organizing your digital life? If everything is spread out in a mess across your entire hard disk, now might be a good time to think about instituting a filing system to make it easier to sort through. It’s okay if you want to keep personal documents and information in a loose collection, but try to keep essential data together and accessible.

Some of these digital documents, of course, should always be secure — the sensitive information they contain could be damaging if they fell into the wrong hands. A prime example would be something such as your tax returns, which often show off identifying information like Social Security numbers. Use something that will keep that information locked away, such as a password-protected PDF or in an archive file that you’ve encrypted with a password. As with your computer login information, leave the access codes in a place for your family to use them if necessary.

What about access to the websites that you use? Whether it’s the website for your bank or your social media account, your family may want or need to access these places as well. If you’ve been following the right practices, you won’t be using the same password for every site. In an ideal world, you aren’t even using the same password in more than one place, ever! Doing that, along with creating strong and unique passwords, mean that there can be no way for family members to guess their way in, as could be the case with your computer.

As a rule of thumb, you should look to securely store a wide variety of information in a digital trove for your family. This should include logins and passwords, and can also include information such as account numbers, credit card numbers, and other information. Given the sensitive nature of such information, you’ll want to use as secure an option as possible. Password managers, such as 1Password, are the easiest choice for rapidly storing and automatically updating passwords to all your usual sites.

The Mac Keychain also can store all this information, alongside a feature called “Secure Notes” which allow you to stash data of your choosing in the keychain safely. With either of these software solutions, you can leave behind a digital lockbox that your family can access to reach the information they need. Both the Keychain and apps like 1Password rely on a Master Password to govern their access controls, so again, leave that in a safe place.

If you intend to keep it at home, use something strong and durable like a fire safe that your spouse or children know how to open. If you use a physical device, such as a hardware token, for multi-factor authentication, it should also be accessible. As passwords are increasingly just one part of the puzzle, you need to think about everything it would take to get into your accounts if necessary.

Backups can be critical

Just as with password security, backups are another topic we’ve covered time and again here on The Checklist, and for good reason. They’re helpful for everything from getting important work back after you mistakenly overwrite a file to recovering from a severe malware infection. More than that, though, your backups can be a critically important part of ensuring your family won’t lose their ability to access your information.

Let’s consider the many scenarios in which your family would need to rely on a backup instead of just accessing your device directly. The clearest case where a backup would be the only option is when the device was destroyed, won’t work, is simply gone for good. This could be the case in a natural disaster, or a car accident, or any number of other scenarios. When you don’t leave the actual hardware behind, a backup is the best answer.

In another case, the device might still exist, but your family may not be able to access it for some time — perhaps even a long time. If your death occurs when you’re away from home, such as while traveling out of state or even overseas, it can take a while for the device to make its way back to you. It could even end up being held by the police for a time, if your device must be used as evidence in a criminal investigation. The final case is one we mentioned earlier — where your family has the device, but the data on it is long gone. If someone accidentally wipes your phone by guessing the password too many times, they’re going to really hope you had a backup in place!

Okay, so you need to have copies of your data in the event one of these situations comes to pass. What should you think about to make sure those backups are an accessible part of your digital legacy?

Automatic updates should be the first order of business. An out of date backup, especially one that is months or years old, likely won’t help your family the way you want; this can leave them with information they can’t use. Make sure you run backups regularly. It’s straightforward to set them up on a schedule with utilities such as iCloud Backup or Time Machine, and you can often configure them to run when you’re asleep so that it won’t interrupt your usual daily habits.

Let your family members or your attorney know where you’ve stored your backups. If you aren’t using a cloud backup service but have saved the data on physical drives, they’ll need to know where to look to find them. That’s especially true if you’ve taken the extra step of choosing offsite storage for maximum security. They can’t help anyone if they can’t be found, so be clear about the state of your backups.

The last thing to consider: encryption and passwords. Just as it was with the other passwords we’ve discussed today, you’ll want to ensure that your drive passwords are stored alongside the other valuable data you’ve set aside for family access. If you’ve encrypted hard drives with FileVault, it is essential that you print out the recovery key and store it with your other essential information. Whether that’s in a safety deposit box or a fire safe, it’s vital to preventing your family from being locked out of the backups you worked so hard to create.

Different service providers, different rules

So now that you’ve taken all these steps to set up your digital life in a way that your family can get back in if necessary what about what they can do with the account information you’ve stored? Unfortunately, there are no easy answers here. In fact, the situation is quite complex, and it can vary widely from service to service depending on what you want to accomplish.

It all comes down to what’s in the fine print within the Terms of Service that many of us “Agree” to without actually reading through them. In some cases, a service may stipulate that your loved ones do not have the authority to access your accounts or manage the information found within them. In other cases, the rules could be very unclear to the point of causing confusion. Some websites and service providers will allow you to access their information, while others offer the ability to simply delete the data they have permanently. To do this often requires a death certificate and a substantial amount of back and forth communication.

In the United States, both federal and state law can come into play too; some rules are in place to determine what you can and cannot access, but there is not much consistency from state to state. To help your family know what to do in the event of your passing, take some time to familiarize yourself with the policies held by your account providers. It is also worth consulting your state and local laws to find out if there are any restrictions you should be aware of and plan for; it can make straightening things out after your death much simpler and less stressful.

Some companies, such as Google, have done a lot of thinking about complex issues like these. Think about how far your Google account can stretch across the Web. Everything from payment data to your emails, photos, and documents could be spread out on Google’s servers. To that end, they have a few tools that can be quite useful. One of those is the Inactive Account Manager, a feature that allows you to set some rules about what happens when you do not log in to your account for a specified period.

The way it works is simple. Define the period of inactivity that you think is best suited to this scenario. You don’t want it to be too short — we all have times when we’re away from the Web, and we don’t log in for a day or two. After your set period elapses, Google will notify emergency contacts you defined and let them know you’ve granted them access to your account. This way, your family does not need to engage Google directly in a discussion or provide them with a death certificate to access this important hub for your data, as they would if you did not set it up. If you prefer, you can also set the Inactive Account Manager to simply delete your account altogether.

What about major social networking sites, such as Facebook? After years of uneven policy-making and a lack of clarity, Facebook has taken steps to make it easier for family members to take over the accounts of their deceased loved ones. There is a set procedure they can use to request that Facebook set your account to “memorial” mode, which blocks any further login attempts and puts your page into a special category. Alternatively, your family can choose to request a complete closure of the account if they’d prefer to take it down. Discuss these options with your family ahead of time, so they understand the potential paths to take.

Digital property

There’s one more thing to consider in today’s discussion: your digital possessions — and we’re not talking about the files you downloaded to your computer. As complex as the situation is where account access is concerned, it’s harder to consider the right way to handle digital items such as music files from iTunes, eBooks from Amazon, and movies you may have purchased. With physical items, it’s a no-brainer — you just name beneficiaries in your will, and the law takes care of everything else. With digital goods, these rules often don’t apply at all.

Generally, the law surrounding the DRM (digital rights management, or copy protection) on your media make it clear that only the original account holder is entitled to the licenses they purchased for those items. This is why digital media is often linked to a single device which is necessary to access that data. If your family has the device and your account credentials, it may not be a problem, though it is a legal gray area. Nonetheless, you spent money on those digital goods — it’s reasonable to want to know that your family could continue enjoying them.

With iTunes, some individuals have had success speaking to Apple’s Customer Support team about the passing of their loved one. However, there’s no guarantee they will grant your loved ones access to your files, so it’s important to think about other plans to make. For example, you could set up Family Sharing now, allowing you to share your media without sharing your account. This way, your family can use their own devices instead of relying on yours to use the media you purchased. Other files, such as movies, may not be so easy to share, however.

The good news is that many of us have begun switching away from purchasing downloadable files to using subscription-based services, like Spotify or Apple Music. DRM is, therefore, becoming less of a problem now than it was in the past. If there is anything specific you would like to preserve for your loved ones, though, it is worth considering other forms of physical media instead of relying solely on a digital collection. As you survey your files, think about what you know you’d really want to leave behind.

That wraps up our discussion for today; we hope you’ve learned some essential tips and tricks for setting up and safeguarding your digital legacy. From storing your passwords in a very secure location to sorting out what to do about digital property and more, there’s a lot of food for thought here. Consider what you would leave behind if today were your last day — would your loved ones be able to access the most important data?

If you’d like to revisit some of our earlier episodes for a refresher on some of the other security topics we’ve covered on the show, you can find them all, complete with full show notes, here in our archives. Want to get in touch with the team? Have questions about something we discussed on today’s episode, or want to share your own thoughts with us? We welcome your emails at Checklist@SecureMac.com.

Join our mailing list for the latest security news and deals