How to incorporate escrow of your keys and passwords into your estate plan
I don't want to simply hand the passphrase over to my wife, or my lawyer. Partly that's because the secrecy of a passphrase known only to one person and never written down is vastly superior to the secrecy of a passphrase that has been written down and stored in more than one place. Further, many countries' laws make it difficult or impossible for a court to order you to turn over your keys; once the passphrase is known by a third party, its security from legal attack is greatly undermined, as the law generally protects your knowledge of someone else's keys to a lesser extent than it protects your own.
When I'm dead, how will my loved ones break my password?
I discarded any solution based on putting my keys in trust with a service that sends out an email unless you tell it not to every week - these "dead man's switch" services are far less deserving of my trust than, say, my wife or my solicitor.
I rejected a safe-deposit box because of all the horror stories I've heard of banks that refuse to allow access to boxes until the will is probated, and the data necessary to probate the will is in the box.
I pondered using something called Shamir's Secret Sharing Scheme (SSSS), a fiendishly clever crypto scheme that allows you to split a key into several pieces, in such a way that only a few of those pieces are needed to unlock the data. For example, you might split the key into 10 pieces and give them to 10 people such that any five of them can pool their pieces and gain access to your crypto-protected data. But I rejected this, too - too complicated to explain to civilians, and what's more, if the key could be recovered by five people getting together, I now had to trust that no five out of 10 people would act in concert against me. And I'd have to keep track of those 10 people for the rest of my life, ensuring that the key is always in a position to be recovered. Too many moving parts - literally.
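As an added illustration of the scheme described above (this is example code written for this page, not code from the post or from any particular secret-sharing tool), here is a byte-wise Shamir split over GF(2^8): each byte of the secret becomes the constant term of a random polynomial of degree k-1, and share number x is that polynomial evaluated at x. Any k shares pin the polynomial down and recover the constant term; k-1 shares are consistent with every possible secret, which `forge_missing_share` demonstrates directly. The field, the function names and the sample passphrase are assumptions made for the example.

```python
"""Shamir's secret sharing, byte-wise over GF(2^8). Example code, not from the post."""
import secrets

# Arithmetic in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1.
# In this field addition and subtraction are both XOR; the code relies on that.
def gf_mul(a: int, b: int) -> int:
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        high = a & 0x80
        a = (a << 1) & 0xFF
        if high:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    # The multiplicative group has order 255, so a^254 == a^-1.
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def _interpolate(points, x: int) -> int:
    """Lagrange interpolation: value at x of the unique polynomial through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)
                den = gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total

def split_secret(secret: bytes, k: int, n: int):
    """Split `secret` into n shares (x, bytes); any k of them reconstruct it."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for byte in secret:
        # Fresh random polynomial of degree k-1 whose constant term is the secret byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, buf in shares:
            y = 0
            for c in reversed(coeffs):   # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]

def combine_shares(shares):
    """Reconstruct the secret from (x, bytes) shares by interpolating at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share x-coordinates must be distinct and non-zero")
    length = len(shares[0][1])
    if any(len(ys) != length for _, ys in shares):
        raise ValueError("shares have different lengths")
    return bytes(_interpolate([(x, ys[i]) for x, ys in shares], 0)
                 for i in range(length))

def forge_missing_share(partial_shares, claimed_secret: bytes, x: int):
    """Given fewer shares than the threshold, build the one extra share at x that
    makes the pool reconstruct `claimed_secret`.  Because this works for every
    claimed secret, a sub-threshold coalition learns nothing about the real one."""
    if x == 0 or x in {xi for xi, _ in partial_shares}:
        raise ValueError("x must be non-zero and not already used")
    if any(len(ys) != len(claimed_secret) for _, ys in partial_shares):
        raise ValueError("claimed secret must match the share length")
    out = bytearray()
    for i in range(len(claimed_secret)):
        points = [(0, claimed_secret[i])] + [(xi, ys[i]) for xi, ys in partial_shares]
        out.append(_interpolate(points, x))
    return (x, bytes(out))

if __name__ == "__main__":
    secret = b"correct horse battery staple"      # constructed sample secret
    shares = split_secret(secret, k=5, n=10)      # the 5-of-10 split from the post
    print("shares 3..7 recover:", combine_shares(shares[2:7]))
```

Two caveats a practitioner would add before using anything like this for real: a share carries no integrity, so one wrong or deliberately altered share silently produces a wrong secret (store a hash of the secret, or of each share, alongside them); and the x label and the threshold k must survive with the shares, otherwise the holders cannot tell what they have or how many of them are needed.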
Well durrr - my family will work out my password by deciphering the clues I've drawn in blood around my own body (which I will position in the form of a Vitruvian man).
Be careful Blitz, it does leave one sorely tempted just for curiosity's sake.
You could have some sort of Dead-Man's switch... eg: so long as you make a posting to twitter every day it assumes you're alive. If you skip a day (or a week or whatever) it assumes you're dead, and automatically sends your entire porn collection to everyone in your address book.
Slight aside:
It's quite amazing how quickly a bunch of people known to the deceased can guess passwords.
This was demo'd very clearly after 9/11 attacks on World Trade Centre.
Password protected systems and records were quickly recovered through brainstorming sessions convened with groups of people known to the deceased.
In a relationship with two technically skilled people, you could export all your passwords to a non-encrypted format and use the other person's Public Key for encryption.
Store this on each other's encrypted drives, in a hidden partition if you're so inclined. This assumes 100% trust between partners, of course.
As for my own, seriously non-techie wife, I have still to find a good solution to this issue.
@3: The problem with that is someone could compel your spouse to decrypt the key, either by legal means or some other coercive means. Splitting the key into two and giving half each to two lawyers in two countries reduces the opportunity for coercion and conspiracy.
I have a non-techie wife who, even with all my passwords and phrases, would be challenged to get all the info she'd need. Luckily, I have two tech enabled brothers I think I can trust. I guess in the end, you just have to trust someone if you have info that important protected by passwords/phrases.
Deathswitch http://www.deathswitch.com/
Legacy Locker http://legacylocker.com/
The whole thing strikes me as a tad paranoid. What would you have on your hard drive that people would be so desperate to get at?
#3's suggestion is reasonable enough, beyond that I quite agree with xkcd on this one.
I'm thinking about doing the same thing, actually, using two lawyers in two different countries. And I don't think one can be too paranoid. It's not that I have anything to hide from the person that I am with, but I might have bits and pieces that I don't want the rest of the world to see.
"these "dead man's switch" services are far less deserving of my trust"
I can think of a few reasons. In fact I thought of quite a few reasons when I was considering starting up such a service. I am interested in hearing your reasons Cory...
"I don't want to simply hand the passphrase over to my wife,"
Hmmm... so what do you need to hide from your wife? It seems a tad paranoid and OTT to me...
A way to deal with this problem is to set up your digital life so that in the event of your sudden death, things that are encrypted can be lost forever and it will still be ok. Any data you have encrypted now that you want to share with the world or certain individuals you could already be sharing in some way.
I have a personal website just for this sort of data, as do many. It is my hope that some service steps up that will offer perpetual free personal web hosting. Then I can put my writings and pictures and movies somewhere and know they'll always be there.
Just use "rosebud" as password (as, by the way, found in several Might & Magic-games) for all your stuff and mutter it prior to your last gasping breath.
Here's my suggestion:
1. give your spouse or close relative a password (PW1)
2. sign up with a (not yet existing) online service with these features:
- allows you to store a file
- emails that file to a specified email address if and only if you fail to log onto the service at least once every 60 days.
3. create an account, save your passwords to a file, encrypt the file with PW1, upload it to the online service, specify your spouse's email.
4. make a strict habit of logging into the service every month until you die.
Vulnerabilities: Your ISP would have logs of you accessing the online service monthly. The service would know the email address of your spouse. Your spouse would know PW1. If they band together (voluntarily or not) they could have your passwords.
decreasing the vulnerabilities: If the online service was gmail (or something similarly large) then you could probably hide in the crowd to a fair degree.
You could buy a traceless second hand smartphone and use it to log onto the gmail account monthly (from random locations).
You could (at the cost of complication) add proxies at some of the joints. E.g. the service emails an email address created only to forward mail to your spouse.
I'd trust some such setup more than one or two lawyers.
@HotPepperMan: In the unlikely event that his wife is forced to reveal the passphrase etc etc.
#8 The Future
Cory, I tend to agree with The Future ... what kind of dastardly plans do you have laid out in gory detail that you're afraid Big Brother is going to compel you to give up?
And you don't have 5 friends who you don't trust to not "act in concert against" you? Is boingboing a secret subsidiary of The Guardian, and we're all puppets in the first internet based "Wonderful things and English news" ponzi scheme?
I understand wanting privacy, but it does seem a bit paranoid.
I'm not sure what it is you have to protect - are you the current head of the Knights Templar and know where the Arc is? And you are sworn to protect that knowledge forever?
Amazingly, it seems that in the UK, the law really does prevent banks from allowing access to boxes until the will is probated -- from http://www.hmcourts-service.gov.uk/infoabout/civil/probate/why_will.htm -- 'WARNING: do not store your will in your safety deposit box. The box can’t be opened until Probate is granted and Probate can’t be granted without the original will.'
But why would you ever need to encrypt the 'data necessary to probate the will'? Why not put your key in the safe deposit box, and leave your will and all the necessary documentation with your solicitor?
Shamir's Secret Sharing Scheme (SSSS) sounds like Harry Potter's horcruxes!
This sounds like a great plan--for the tiny minority of people who have access to attorneys in two countries. Are there no workable plans for those of us who have neither the international connections nor the financial resources for multi-nation legal resources?
Cory, set your will up as a 'pour over' that kick starts a trust. Spouse gets all and trustees to watch out for minor children. I don't live a life with anything worth encryption. No financial data leaves the house on electronic media and it is all duplicated by the money managers. The lawyer holds our wills and we've shared access to bank safe deposit boxes.
In a different context, this kind of thing happened to my family decades ago. My grandfather was a court reporter with his own version of shorthand. When he died in 1920, no one could decipher his notes for a recent trial for which the final transcript had yet to be written. My grandmother even hired experts in the field to look at them. The case had to be re-tried - and my grandmother lost the income the transcript would have generated.
My wife and I both use KeePass. Each has the other's password and a copy of the key file. Of course, if we both croak the kids are SOL.
So you keep secrets from your wife, you believe that your child is going to grow up to be a crackpot, and you think your friends are going to act in concert against you to access your computer files? I think estate planning may not be your biggest problem right now.
here's another i'm thinking of doing: all the data dies with me. problem solved.
I wouldn't consider giving a secret to a lawyer in a different country as anything more than a procedural inconvenience. It might even be easier to compel a foreign lawyer to release information than a domestic lawyer, due to treaties: and Canada is a Commonwealth country. (A British court rules against a foreign party, and the foreign court by treaty upholds the judgement: happens in civil suits all of the time.)
Not too grandiose! My crummy little secrets pale. Imagine the conversation with 10 'friends' as you divvy up the codes to the Hard Drive of Knowledge. I'm resigning myself to the idea nothing I've done or accumulated is worth much to any but a small circle of friends and family. I'm selfish enough to hope that circle is very small by the time I finally join the choir invisible! Seems simpler, and frees me up to worry about immediate problems, like why is my hair so whacked out with each passing year? Lawyers in two different countries, that's a hoot. Cory and Ernst Blofeld and Howard Hughes will need a fourth for bridge in the hereafter. Maybe Shamir?
I had the same dilemma and came to a good solution, to spend everything on booze, drugs, and women.
Some people might think this to be inconsiderate, and irresponsible but tough $hit.
I did although, make funeral arrangements, to have my carcass dumped on my Ex-wife's lawn at night
Create a file with your passwords, encrypt it using your wife's public key and your lawyers public key. You could also have an alternate version that was signed with your lawyer + one other person (sibling maybe?).
Then you can be sure it won't be unlocked until your will is executed.
What's that? Your lawyer doesn't have a public key? oh...I see.
Why not tell your wife a password, but tell her never to tell anyone you've told her the password?
To all external observers this is the same as if you'd not set up an IP probate. If you're worried about unpleasant forms of coercion, this could happen even if you didn't set up IP probate, so you're offering no extra safety.
I don't know about the UK, but in the US spouses have legal privilege and cannot be forced to give evidence against each other.
This all sounds quite over-the-top paranoid. What is in the computer that is more secret than, say, your legal paper documents that you keep in a locked drawer or something? Just give your wife your passwords and have done with.
Print the keys using Optar: http://ronja.twibright.com/optar/.
Since it's now not readable by humans, but in paper form, you have over two million years of solutions for safe storage of this kind of information. It's security by obfuscation, but at least decoding requires physical access to the document.
You can also add a one-time pad to the deal, making two parts (pad and encrypted document) fully essential to retrieve the key.
Very interesting Cory...I've been trying to come up with a solution for myself in the last little while and unfortunately still haven't struck upon the one that works for me.
I completely love that we've hit a point in our digital lives that this is not only worth entertaining, but necessary for many! The nerd in me finds this all so very exciting.
Happy Canada Day, eh.
I'm curious what the difference is between the law in Britain and in the U.S., particularly California, regarding marital privilege. As far as I can tell with only a law school education (which believe me, does not qualify me as anything close to an expert), California Marital Privilege protects all marital communications from discovery. How could a court compel a spouse to disgorge a password, particularly if it was merely verbally communicated and could in no way be considered tangible data?
Likewise, the attorney-client privilege is only waivable by the client, even extending past death. The only exception would be for cases in which the attorney-client communication was for the purposes of fraud or crime, in which case I can understand that there could be a slippery slope as far as admission of the key to get to the evidence of the crime or fraud encrypted in the database.
So what are the differences, and how do these privileges apply to the post-death trusts & wills data encryption concerns enunciated by Mr. Doctorow?
@Cory (comment #6)
it seems like this is only a problem if your wife wouldn't perjure herself to protect you. and no one but you and her would ever need to know she had done so.
that, i suppose, or supervillains with torture devices and truth serums. but by the time the supervillains are working over your wife do you REALLY care about your encrypted data?
splitting the phrase in two, and giving each half to a different party /is/ essentially Shamir secret sharing, without the math and parity bits.
I keep all of my passwords in a Rolodex that sits on my desk under my monitor. Alphabetized and accessible!
This xkcd comic comes to mind. Tough problem to crack. Thanks for one possible option Cory.
My wife knows my passwords and won't tell anyone else. Probably not complicated enough...
I'm making a treasure map in several pieces and burying a thumbdrive. Bonus inheritance will go to the maker of the most madcap movie about the race to the thumbdrive.
A safe deposit box is the best and simplest answer.
The copy of the will that is to be used for probate should be put somewhere easily accessible and well-known... like your home. Nobody is going to break into your home to steal your will and the government isn't going to subpoena you for access to it. On the off chance that your will might be lost or destroyed, you should place a notarized copy of it in the safe deposit box as a backup (backing up important documents... I'm so crazy) along with your passwords, but that's only there as a backup, not to make it difficult to get through probate.
Once probate is finished, the contents of the safe deposit box, including passwords, is then accessible to whomever you've specified.
Instead of Shamir secret sharing with two relatives or ten friends, why not secret share with thousands of Boing Boing readers?
Why exactly shouldn't my encrypted data die with me? All the stuff that I meant to be made public is, well, public. I don't see why other people need to read my mail after I'm dead. If I wanted them reading my mail, I wouldn't have encrypted it.
My solution is just to keep the keys to my kingdom in a hidden lockbox that only I have access to, and which nobody except a few heirs know about. If I die they should break into the box by whatever means they can (locksmith, crowbar, etc).
This won't foil a determined attacker, but it will make it hard for them, obvious if such attack is taking place, and easy for me and other concerned parties to foil such attacks. Don't rule out security by obscurity.
I also appreciate the point that another poster made: All your financial records are in the end discoverable anyway by state actors with subpoena powers who can get them directly from the financial institution, and ne'er do wells who can get them by hacking or social engineering. So there's not really any point in making your copies impenetrable. The only intellectual property that you can really secure are things that nobody else has copies of, and unless you're Michael Jackson with unreleased Beatles recordings in the vault, there's not much motivation for outsiders to bother with expensive attacks.
@Cory: what will happen if you forget your password? (car crash, injury or something else)
G-d forbid other people crack my passwords after I'm dead. Doesn't everyone have legal, but... "personal" interests and records tucked away? That would be, shall we say, disheartening for spouses, children, and friends to find out as a lovely new post-mortem lens to view your life through?
There's no need to tell anyone the password. Find some place that will sell cluster computing time. Encrypt a document with all of the info you want people to have using encryption strong enough that it would take this cluster a reasonable amount of time to brute force it. Then just leave a thumb drive with the encrypted document and the code to run on the cluster.
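As an added example of the "leave it brute-forceable" idea in the comment above (example code written for this page, not the commenter's code): the secret is sealed under a deliberately short random key, the envelope carries a hash of the key so a search knows when it has hit, and `crack` recovers the plaintext by exhausting the key space. The hash-based keystream, the `check|` label and the key sizes are assumptions made for the example; the point is the cost curve, not the cipher.

```python
"""A brute-forceable envelope: nobody is told the key, the key is simply short
enough to be found by exhaustive search.  Example code, not from the page."""
import hashlib
import secrets

def _key_bytes(key: int, key_bits: int) -> bytes:
    return key.to_bytes((key_bits + 7) // 8, "big")

def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256; an illustration, not a vetted cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def seal(plaintext: bytes, key_bits: int) -> dict:
    """Encrypt under a fresh random key of key_bits bits and publish a
    commitment to the key so a search can recognise the right candidate."""
    kb = _key_bytes(secrets.randbits(key_bits), key_bits)
    ks = _keystream(kb, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, ks))
    check = hashlib.sha256(b"check|" + kb).digest()   # "check|" label is an assumption
    return {"key_bits": key_bits, "ciphertext": ciphertext, "check": check}

def crack(envelope: dict) -> bytes:
    """Try every key in order; worst case 2**key_bits hashes, average half that."""
    bits = envelope["key_bits"]
    for candidate in range(1 << bits):
        kb = _key_bytes(candidate, bits)
        if hashlib.sha256(b"check|" + kb).digest() == envelope["check"]:
            ks = _keystream(kb, len(envelope["ciphertext"]))
            return bytes(c ^ s for c, s in zip(envelope["ciphertext"], ks))
    raise ValueError("no key matched: envelope is corrupt")

def expected_search_seconds(key_bits: int, hashes_per_second: float) -> float:
    """Average time to find the key (half the space) at a given hash rate."""
    return (1 << key_bits) / 2 / hashes_per_second

if __name__ == "__main__":
    env = seal(b"the vault combination is 31-41-59", key_bits=16)  # constructed sample
    print("recovered:", crack(env))
    for bits in (32, 40, 48):
        print(f"{bits}-bit key at 1e9 H/s: ~{expected_search_seconds(bits, 1e9):.0f} s")
```

The failure mode is built in: whoever holds the envelope can run the same search, including the parties the original post wanted to keep out, and the "reasonable amount of time" you size the key for shrinks every year as hardware gets faster, so the key that costs your heirs a week of cluster time today may cost an adversary an afternoon a few years on.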
Good idea to include a spare lawyer (I wouldn't recommend a spare wife, though a spare family member might be useful).
Your best friends can fall victim to social engineering or (think China, Iran...) be rounded up and tortured until they provide the information that gives access to your passwords.
If your communications are monitored, most of your close friends may be known.
Even this leaves a problem: what if they can't find the key when they need it? I've given backups to people for safekeeping and when I wanted them back they didn't remember ever having received them from me...
People get Alzheimer's...
The ideal system doesn't rely on the survival/sanity/memory of one person, on the possession of an object or on current support for a particular technology.
Whatever you do, the system should probably be re-evaluated yearly and updated if necessary. (annual task in your electronic calendar)
Good idea to include a spare lawyer. I wouldn't recommend a spare wife, though a spare family member might be useful.
But even this leaves a problem: what if they can't find the key when they need it? I've given backups to people for safekeeping and when I wanted them back they didn't remember ever having received them from me... People get Alzheimer's... If all these people are your age or older, your system may not be functional anymore when you die.
The ideal system doesn't rely on the survival/sanity/memory of one person, on the possession of an object or on support for a particular technology.
Whatever you do, the system should probably be re-evaluated yearly and updated if necessary. Maybe put a recurring annual task in your electronic calendar.
@46
Obviously data not meant to be public after death would be separately encrypted.
As for after-death scenarios, what about an implant? You can get small RFID chips under the skin, so why not a small-scale, non-wireless implant that must be physically removed to be read?
The only problem I can see with that is if your body is unrecoverable (mid-ocean plane crash, VERY violent death, etc.)
Quick question about lawyers:
Why are lawyers such a bad idea? Anything given to a lawyer is protected by LAW. You can murder somebody, tell your lawyer and they are not allowed to report it (even under oath) unless they feel not providing the information will put a human being into jeopardy.
This is an interesting mental exercise, but pragmatically there are probably only two types of data: that which is "secret" and that which is "private".
Private things are those things that you don't want the whole world to know, but expect that some people close to you need to know. As some rough examples, think about your sex life, medical history, and how much money you earn.
Secret things are those things that you don't want anybody to ever know. Maybe you cheated on your wife once, or that time in college when you got really stoned and experimented with homosexuality. Whatever the case, these are things you wouldn't even trust to your immediate family.
The private things you eventually want your family to find out. If they became public, they might be awkward, but it wouldn't destroy your life. Thus, you want to make it difficult for others to learn these things, but you don't need to invest a lot of time, money, or effort in doing so.
The secret things should never get out. No amount of effort (within reason) should be spared.
Given this dichotomy, the solutions are simple.
Private matters can be trusted to multiple individuals whom you trust: your wife, kids, siblings -- anyone you trust enough to know the information. Give them your keys, your passwords, or whatever details they need, and trust them not to use them until the time is right. Sure, they may go ahead and sell your private details to the tabloids, but if you really trust them, then the chances (risk) should be quite low, and since these things were only private, the damage if they are exposed (threat) isn't terrible.
The secret things should stay secret. Don't tell your wife, your children, not even your priest in a confessional. If something is truly that sensitive that it can never become public, then don't share it with anybody. As George Orwell so eloquently put it, "Nothing was your own except the few cubic centimeters inside your skull."
And that's all there is to it. It's a classification system similar to what various governments use: confidential, secret, and top secret. It's not fine-grained, it doesn't require layers of confusing technology, and it protects you only as much as you require.
If something is so sensitive that it can't be discovered, then tell no one. If nobody needs to know, then don't tell them. If some people do need to know, but you'd prefer if others didn't know, then you'll have to trust those who need to know and hope that they don't say anything. There isn't much more that can be done -- once it's been told, the cat is out of the bag. We have to trust those that know. Besides, if it's so important that they know, then you must be trusting them with something else already.
In case I didn't make it clear in my last post, the trick with any security matter is what is an acceptable and reasonable level of security. You don't need to keep your salary secret in the same way that you keep the keys to a nuclear missile secret. Few things in our lives are all that terribly sensitive, though we have good reason to want to keep them secret. Do what you can to mitigate the risk and accept the fact that you're never 100% secure.
More often than not, we risk integrity and authenticity over confidentiality. Sure, you may not want your heirs to know who is getting the best deal out of the will, but is that worse than the will being lost forever or falsified? If you want confidentiality, make a single copy and hide it with multiple layers of security, but don't be surprised if it's never found. On the other hand, if you want to make sure it can always be found, make multiple copies and pass them around to as many people as you can. Then you can be assured that at least one copy exists and that, if somebody did try to make a fake, there would be several other real ones to prove the one-off as a fake.