The OpenID Foundation has issued a warning about the potential for fraud and exploitation stemming from a lack of standardization in how governments and tech companies manage the digital accounts of deceased individuals. In a report released yesterday, the organization emphasized the need for a cohesive framework to address systemic gaps across various platforms, jurisdictions, and industries.
Titled The Unfinished Digital Estate, the report highlights the absence of consistent global standards that ensure devices, emails, social media, cryptocurrency, and other accounts are both accessible to authorized individuals and adequately protected after the account owner’s death. Dean Saxe, a co-author of the report, stated, “This issue affects every internet user eventually, yet platforms treat death as an edge case. We have standards for authentication, authorization, and digital consent. We need the same coordinated approach for what happens when users die, before AI deepfakes make this even more complicated.”
The urgency of the OpenID Foundation's recommendations is amplified by the rising threat of deepfakes. Without proper protections, these technologies could be used to impersonate deceased account holders for manipulation, disinformation, or financial gain. The report suggests that such impersonation tactics might be used to exploit surviving relatives or friends, using the deceased as "bait" in social engineering attacks or scams.
Moreover, malicious actors could exploit access to shared accounts, photos, and data to engage in harassment or stalking, according to the standards body. It also noted that personal data collected by websites, including purchases, chats, and electronically submitted information, loses all protection under regulations once an individual passes away. The report warns that neglecting to safeguard “identity autonomy” after death could invite abuse.
A Call for Coordinated Action
The OpenID Foundation is urging policymakers, technology platforms, and standards bodies to take action. Its recommendations include:
- Policymakers should formally recognize digital assets in inheritance law, clarify identity rights and privacy protections after death, and create frameworks to address cross-border digital property.
- Technology platforms should develop systems that go beyond credential sharing to establish proper “on-behalf-of” delegation.
- Tech firms need to implement verifiable processes for death and incapacitation, and provide users with controls over how their data is used posthumously.
- Systems should be designed with clear consent, revocation, and auditability provisions.
- Standards bodies should create interoperable delegation protocols, establish verifiable triggers for incapacity or death, and develop trust frameworks for estate services.