Data Thieves Are Targeting Dead People’s Social Media Accounts

Identity theft is a problem in the afterlife

In 2012, the family of a deceased soldier in the United States was blindsided when they started seeing his face on ads for dating websites. His photo was being used to entice more people to visit the site.

In another case, a woman received new Facebook messages sent from the account of a dead friend, says Faheem Hussain, a clinical assistant professor at Arizona State University who studies the digital afterlife. Someone was impersonating her friend and using his account to harass her. While she knew she could block the account, she hesitated because it was also her last remaining connection to her friend.

Unsettling experiences like these are no longer unusual. Most social networking platforms do not make it easy for users to implement sufficient plans or safeguards to protect their data after death, leaving it vulnerable to privacy breaches and misuse.

Only a few companies give users options to manage their accounts after death. Google, for example, lets you designate an “inactive account manager” who will get a notification and, if you choose, access to your private data when your account is inactive for a specified amount of time. The idea is that this trusted person, who Google verifies using a phone number, will delete or safeguard your account after you have died.

Many other companies, like TikTok and Skype, don’t have a policy for dealing with accounts of the deceased. Others, like Twitter, Instagram, and Snapchat, will memorialize an account — flagging it as belonging to a deceased person and removing it from features like friend suggestions — if family members or trusted friends confirm that a user has died with a death certificate or obituary.

“It’s understandable when you’re a small startup,” Jed Brubaker of the University of Colorado Boulder tells OneZero. Brubaker studies digital afterlife on social media and helped develop Facebook’s policies for user data after death. “[But] if your company’s been around for decades, or years,” he says, “it’s probably time for you to figure out what your longer-term plan is.”

Policies that let you designate another person to handle an account after you die are only as reliable as the person you choose. Like Google, Facebook offers this option: This person, the “legacy contact,” can memorialize your profile after your death or delete it permanently. A memorialized account shows “Remembering” in front of the person’s name, and any shared content remains visible, but the account won’t appear in public spaces, like suggested friends and birthday reminders. Facebook will also memorialize accounts if it receives a valid request from a verified family member or close friend.

This policy, however, doesn’t specify what happens if your legacy contact quits Facebook or becomes unavailable for other reasons. An account that isn’t deleted or memorialized is in limbo and is easier to hack. Abandoned or seldom-used accounts are more vulnerable because no one checks in on them, making them easy targets. Besides providing the opportunity for identity theft and fraud, abandoned accounts could be co-opted to harass others, as Hussain’s example illustrates.

But even people who do have legitimate access to a dead person’s account could misuse it. For example, an ex-partner could take advantage of a deceased person’s account by using it in ways that person would not have approved of, data ethics researcher Jessica Vitak of the University of Maryland tells OneZero.

Designing policies for digital data after death is difficult because the legal implications are fuzzy. You can’t exactly transfer ownership of your digital accounts like you would leave your succulents to your roommate because they aren’t treated by the law in the same way. Ownership of physical objects is clear: You have something in your possession or you don’t. It’s much more ambiguous with digital objects.

“[A will] might be great for expressing your intent,” but there are a lot of ways in which that metaphor doesn’t work, particularly in social media, says Brubaker. For example, if you post a selfie and tag a friend in it, it’s not clear if it still belongs to you or also in part belongs to your friend. Things that happen on social media often involve multiple parties, Brubaker says, making it difficult to determine what belongs to whom.

These complications make it emotionally painful and legally messy for families to regain control of a person’s accounts or digital content after they die. If you make no plans to manage your account after death, or aren’t given the option to do so, you remain the only individual with a legal right to access the content, even after death. Anyone wanting to get access would need to have a strong case, like being the parents of a minor who owned it.

Often, the people who are left in charge of an account also risk losing access to the deceased person’s content, since their only options are to delete or memorialize the account, not access it. Hussain cites a 2014 example in which a student and social activist in Bangladesh fundraised for his cancer treatment on Facebook, then passed away. When his account was memorialized, his family lost access to his Facebook statuses, which they had wanted to collect and publish.

Designing afterlife policies is complicated by the fact that cultural norms regarding data can differ across the world. For instance, it’s common to share passwords among friends and family in some countries in South Asia, says Hussain, adding that in some cases, families will continue using a relative’s account after their death.

Ultimately, afterlife options are only useful if users can implement them, which is often not the case. Hussain points out these policies are not available in all languages; often, they are not explained well and may be hidden among pages of security settings, adds Vitak. Companies may argue that users have control over their data, she says, “but that doesn’t mean that the entire user base is educated and has the technical skills to be able to effectively change the setting to what they want.” She argues that it’s the responsibility of the company to educate users about their privacy options and educate them about how their data will be used.

What will happen to your data in the far future, long after you are gone or when companies fold, is even more murky. Data policies can change and often do — like when companies gave users more control over their data to comply with the EU’s General Data Protection Regulation. If new policies don’t allow anyone but the user to make changes to their data, we’ll have a problem, says Brubaker. “This is a new territory.”

Until afterlife policies can address all of these issues, our posthumous accounts remain vulnerable. A troubling trend in Japan illustrates the potential consequences: Ashir Ahmed at Kyushu University, an associate professor of information technology, says that a few Japanese families have been blackmailed into paying ransom by people claiming to have content from a deceased relative’s online accounts that would be damaging for their family’s reputation.

For now, whether you include digital accounts in your will or not, Brubaker says that you should designate a trusted person to be a steward who cares for your accounts, even if they don’t necessarily take ownership of them.

“Death is an emotionally powerful event,” Vitak says. “We need to find ways in which we can honor and respect the person’s wishes after they pass.”

Science journalist based in New York with a PhD in infectious disease ecology. @chiayi_hou on Twitter.
