The hard task of collecting a late loved one’s photographs or business assets can become outright impossible when the objects in question are digital, and lie on the other side of a password-protected Google or Facebook account. The deceased’s assets and memories are there, but just out of reach.
Now, a change is coming thanks to the arrival of the “Digital Assets and Digital Accounts Act,” which became law in Delaware this month, and will soon take effect in other places too. It means that tech companies — which tried to halt the laws — will be less able to treat email and social media accounts like digital dust that vanishes when a user dies, but will instead have to let authorized individuals access the way they did when a person was alive.
“Our state enacted this law … I need you to reassign the password”
Big email and social media companies rely on their internal terms of service to dictate what users can and cannot do. When it comes to transferring passwords, for example, Facebook’s terms flatly forbid the practice while Google says it may give a third party access to an account in rare cases and only with a court order.
For heirs, these policies are a mounting problem as people leave more and more assets in the cloud when they die, rather than in the vaults and filing cabinets of yore. This creates a challenge in dealing with the ordinary paperwork of an estate, but also makes it hard to find — or liquidate — digital assets such as game characters, Twitter accounts, blogs or bitcoins.
This problem is what led a team of estate planning lawyers to create the “Uniform Fiduciary Access to Digital Assets Act,” an off-the-shelf piece of legislation that states can use as a template to update their own laws. As Ars Technica reported, Delaware was the first to implement the law this month. But how will it work in practice?
“If you need access, the idea is that you would have a means to contact the company and say ‘Our state enacted this law, I’m the fiduciary and I need you to reassign the password,'” said Suzanne Walsh, a lawyer with Cummings and Lockwood and the chair of the nonprofit group that drafted the model “Digital Assets Act.”
Walsh explained that the model law does not try to list every digital asset that might apply, nor dictate the exact process by which tech companies — “custodians” in legal parlance — will have to comply with password requests. Instead, the law creates a simplified process for an authorized agent to ask for information in the first place.
“You step into their shoes only to the extent necessary to do your job. You get in there and do what’s necessary, like look for contracts and pay bills.”
She added that access to an account is supposed to be temporary, and to provide a “peek and copy” process, rather than let someone take over a dead person’s digital life.
As a result, the new laws may one day lead the likes of Google and Facebook to create a “read-only” version of accounts that will let authorized people harvest content, but not create new emails or status updates. But so far, the companies have indicated they want nothing to do with the new legal regime.
A hostile reaction
Google, Facebook and Twitter declined to comment for this story, and Apple did not reply, which is consistent with the tech industry’s responses to Ars and other media outlets. The companies instead appear to have settled on a strategy of speaking through the “State Privacy and Security Coalition,” an obscure umbrella group that represents “20 leading communications, technology and media companies,” and that participated in the drafting process for the model law.
Jim Halpert of DLA Piper, a law firm that represents the coalition, told the Wall Street Journal that the group opposes the laws because accounts may contain information the deceased do not want to disclose, and because they may “conflict with a 1986 federal law forbidding consumer electronic-communications companies from disclosing digital content without its owner’s consent.”
Neither of these explanations are particularly convincing, however. Despite the companies’ profession of privacy concerns for their late users, the reality is that people have been dying — and leaving behind artifacts for relatives and others to find — for a very long time. The digital dimensions of our personal lives don’t change this.
As for the “conflict” with federal law, DLA Piper’s Michelle Anderson said that the potential conflict relates to a data protection law known as the Electronic Communications Privacy Act (ECPA), which she says may only allow companies to disclose content if there is a court order. But it’s hard to see how this is the case since the drafting notes of the model “Digital Assets” law specifically say that ECPA doesn’t pose a problem.
Instead, the real reason that the tech companies want to sandbag the law is likely due to the considerable compliance costs and touchy emotional issues they could create. Although the model law requires a verification process for agents, for instance, there is still the potential for mischief by trolls or for a company to get caught in the middle of ugly family fights between grieving relatives.
Meanwhile, retailers like Apple and Amazon may fear that the new laws will draw additional attention to the fact that customers don’t actually own media assets like iTunes songs and Kindle books, but are instead just buying licenses that vanish when they die.
The companies, to be fair, have already taken a series of steps to address these issues, but most of these are fairly hands-off. Google, for instance, offers an “Inactive Account Manager” tool that sends passwords to trusted contacts in the event a user’s Gmail goes dark for a long period of time. Facebook, meanwhile, offers ways for family members to delete or memorialize accounts and, in a moving incident earlier this year,
supplied a grieving father with his late son’s Timeline video.
Such measures will be comforting or helpful on some occasions, but they are a far cry from providing a broad practical solution to digital data in the afterlife.
Delaware, but soon everywhere
Many tech companies, including Facebook, are incorporated in Delaware, but that doesn’t mean the state’s new Digital Assets Act applies to all of the companies’ users. Instead, Delaware’s new law will not be much of a headache for the industry since it applies only to the fewer than one million people who live in that state and plan to probate their will there.
Soon, however, many more places will have the law. According to Walsh, around ten states are expected to pass a version of the law in the coming year, including Oregon, Virginia and Florida. When this occurs, big companies like Google and Facebook — and smaller ones like Snapchat or bitcoin-provider Coinbase — will have to put systems in place to accommodate the requests. It’s also unlikely that hey will be able to rely on terms-of-service that prohibit transferring passwords since, under the laws of fiduciaries, the agent is akin to the alter-ego of the user for legal purposes.
What if they simply refuse? In Delaware, the law does not provide serious penalties, but only requires a “custodian” like Facebook to pay legal fees if an agent has to go court to get them to comply. The penalties may be stricter, however, in states like California that have a history of pro-consumer laws and, in any case, ignoring the law is hardly a practical strategy for big companies.
It may take five or ten years, but it’s a good bet that soon our relatives will be able to go through our digital effects when we die in much the same way that they can go through our physical stuff.