What happens to your email when you die?
For most people this hopefully isn’t an urgent question, but a few high profile cases have made it an issue for lawmakers and judges around the world. You might think that your family could show up with a death certificate and/or a court order and get access to your digital content, but it’s not that straightforward. The federal Electronic Communications Privacy Act (ECPA) governs what types of information cloud service providers like Google and Yahoo! can disclose and under what circumstances — and it doesn’t account for death. Companies are inclined to point to their terms of service to decide when and how to provide access to accounts, but this is often decided on a case-by-case basis. This has left a confusing and delicate gap in the law that competing entities are rushing to fill.
It’s easy to forget the amount of administrative work we conduct in online accounts —many of us only receive electronic statements and bills— and one of the tasks facing grieving families and friends is to close and settle accounts for their deceased love ones. This is challenging without access to email or other digital accounts where statements and other notifications are commonly sent. Additionally, years of family memories can be stored in a password-protected account, often through cloud services. The combination of sentimental and practical reasons to give access, and the serious privacy concerns implicated in doing so, has made this a hot button issue. Several states have already introduced legislation, and we expect to see more this legislative session.
What are the options?
Currently, anyone can write their will to include instructions for the dispensation of online accounts in whatever way they wish. ECPA does not prevent account holders from granting access to their own accounts by sharing passwords or other security details. (Pro-tip: Don’t put your passwords in your will because that document will become part of the public record. Instead, leave instructions for where to find a list of passwords to chosen accounts.) This is a good solution — it allows individuals to express their wishes, gives clarity to tech companies, and doesn’t require anyone to look at the U.S Code. However, only 45 percent of Americans have a valid will at death, and far fewer specifically address access to digital accounts, leaving many personal representatives with uncertain fiduciary duties.
Several states are taking up legislation this year to determine the default for how digital assets are handled through estate law. Lawmakers will be able to choose among different model bills as a jumping off point, and these proposals demonstrate different ways we conceptualize the essence of digital content.
One proposal, written and promoted by the Uniform Law Commission, broadly supports allowing access to digital accounts by fiduciaries such as estate executors. The philosophy guiding the approach of the Uniform Fiduciary Access To Digital Assets Act (UFADAA) is that digital assets are not different from physical assets, and it relies on the principles of fiduciary duty to ensure that no harm results from granting access to accounts. The model bill is long and in-depth and includes specific rules for four categories of fiduciaries including: personal representatives (named executors or court-appointed administrators), conservators (court-appointed guardian for a person with mental or physical disabilities), those granted power of attorney, and trustees (who manage assets held in trusts). Each category has different restrictions on what types of information can be accessed, but all are subject to the restrictions ECPA poses on release of the content of electronic communications. Under this bill, personal representatives—the people given power by the court to manage estates in the event that there is no executor listed in a will or when an individual dies intestate—are granted the broadest access.
Recently, the Center for Democracy & Technology joined several other advocacy organizations in expressing our opposition to this model. As we stated in our letter to lawmakers, the access granted under this bill is too broad and raises serious privacy concerns. Any model that grants full access to all of a decedent’s digital accounts and information by default fails to address the variety of digitally stored content and raises concerns for third parties who might have communicated with the deceased. Many of the individuals who communicated with the user will still be alive, and they may have sent vulnerable or sensitive information to the deceased. This is a particularly concerning when you consider communications between individuals in Alcoholics Anonymous or other confidential programs.
The authors of UFADAA argue that this vulnerability also exists when executors gain access to physical letters and records — an obviously true point. However, digital assets differ significantly from physical estates in three important ways: digital accounts often store content by default rather than as an active choice by the individual; in many cases there are no storage costs associated with saving digital content for the user, eliminating the burden of storing tremendous volumes of personal data; and consumer expectations are as variable as the huge array of digital accounts and cannot be governed by an unconditional rule. The combination of these features sets digital content apart with respect to the potential harm caused by granting access to the next-of-kin.
NetChoice, a trade association that represents many technology companies including Facebook and Google, has laid out an alternative proposal titled the Privacy Expectation Afterlife and Choices Act (PEAC). This model requires companies to disclose contents only when a court finds that the user is deceased, and that the account in question has been clearly linked to the deceased. Additionally, the request for disclosure must be “narrowly tailored to effect the purpose of the administration of the estate,” and the executor demonstrates that the information is necessary to resolve the fiscal administration of the estate. And even then, the amount of information is further restricted to the year preceding the date of death. This is stringent guidance meant to protect the privacy of those who communicated with the user while also ensuring that their loved ones can access important financial statements that may be delivered to the account. CDT supports the principles laid out in the PEAC bill, and we urge policymakers considering this issue to adopt this approach.
Regardless of which proposal states adopt, the best-case scenario is for users to set their own preferences for accounts so that their friends and family have clarity on their personal wishes. In order to achieve this, lawmakers should consider which of these models (or another alternative) would create an incentive structure that encourages companies to develop and nudge users to express their wishes proactively. And for those who don’t leave clear guidance, the rules should default to privacy protecting measures and not to an agreement established in the Terms of Service. Some companies have already created tools for users to express what they would like to happen to their account. For example, Google’s Inactive Account Manager allows users to decide what should happen to their account with a good amount of granularity, including whether or not the content is deleted from Google’s servers. This not only helps families, it creates a level of assurance that technology companies will honor the expressed wishes of the user.
It may seem like this question is attracting an outsized amount of attention, but as people with longer and more nuanced digital histories (stored across huge numbers of online accounts) reach the end of their lives we will have to decide how to define our digital legacy. And these rules will set the defaults and boundaries of what is possible.
Many people want to preserve their experience of the world for future generations to explore and enjoy, and future family members and historians will treasure digital documents. It is possible to envision a world where a person’s entire digital presence could be combined in order to give a thoughtful timeline of their interests and experiences throughout their life — you could map the growth and withering of friendships, the deepening of curiosity into a hobby, and the arc of falling in love using this data. It is this amazing and potentially beautiful power that should guide us to make a deliberate and careful decision about what happens to our digital content. Ultimately, the fact that digital data is different is what makes accessing and preserving it so valuable. But it also means we can’t simply look at the status quo for the best way to manage this content—we must consider it in new and innovative ways.