How many times have you entered a login and password today? There was that electricity bill you paid online. The digital sign-in to check your bank balance. And let’s not forget all those Facebook and Twitter visits.
As our lives become increasingly dominated by our login information, some scholars have started to question what happens to all those digital accounts when we’re no longer around to manage them. “When we pass away, one of the concerns is to pass along these security credentials to our bereaved,” says Peter DePasquale, an associate professor in the computer science department. “Typically, if you die, there’s no mechanism to pass along your [login information]. If you are a Google user, for example, there’s no policy that someone can take over your account and send out e-mails letting people know you passed away.”
Together with Michael E. Locasto ’02 and Mike Massimi ’05, DePasquale has been thinking of ways to address this issue of “digital death” by “gracefully dealing with expired digital identities in a secure, privacy-preserving fashion.” To start, the three scholars rounded up the terms of service information from variouse-mail, social, e-health, banking, and cloud services. It turned out that very few of them had policies in place for a user’s death, and the minority that did specifically forbid transferring accounts to friends or family members. “There are some very basic mechanisms for account revocation or memorialization, but these are in their infancy,” notes Locasto, an assistant professor in the computer science department at the University of Calgary. “No one that I know of deals with this in a single, coherent way across all services.”
The solution, DePasquale says, could lie in a web browser extension that would store a user’s digital information and retrieve it when he attempts to log on to a web site. The extension would also offer users the option to specify which aspects of their digital identities would be forwarded to each “identity beneficiary” upon their death. “What we envision is one centralized website that you can log onto and essentially list all of the important websites that you want to share with certain friends and family members after you pass,” DePasquale adds. “Our role would be to act as an intermediary to help automatically provide that information to your relatives.”
There’s an additional twist to the whole thing: rather than storing login credentials locally, the browser extension would forward them to a cloud storage service. Offered by third-party players including Apple and Amazon, cloud storage offers networked online storage through which data is stored in virtualized pools. “We’re very excited about that idea,” DePasquale says. “With the cloud infrastructure, we can scale up the computational power we need very quickly and easily if the [digital death] service becomes popular.”
Last fall, Locasto presented the group’s ideas at the New Security Paradigms Workshop in California. “We mostly focused on the technical aspects of designing an authentication and authorization system that allowed for such ‘graceful’ retirement of digital identity,” he says. “A lot of enthusiasm existed for investigating this problem because it is a very good example of a ‘usable security’ problem.”
DePasquale and Locasto are both quick to point out that their idea is still in its infancy. “At this stage, we’re really in the preliminary exploration of just how large and complex the average digital identity is,” Locasto adds. “Never before has our species had this sort of recording capability. In many ways, a very tangible representation of our living selves can exist after death, [which presents] interesting questions about what it means to be human and what kind of interaction we can have with the past. Tom Riddle’s diary [in Harry Potter] is only the beginning of these sorts of questions.”