Mimsy Were the Borogoves

Mimsy Were the Technocrats: As long as we keep talking about it, it’s technology.

Should Apple enable exes to access their ex-spouse’s iPad?

Jerry Stratton, January 22, 2016

New Orleans man on phone

“Hey, Apple, give me a second. Yup, now she’s dead.” (Saddboy, CC-BY-SA 3.0)

Chris Matyszczyk complains that Apple wouldn’t give a woman the password to her dead husband’s iPad, even though all she wanted to do was play card games on it.

“Even showing the company his death certificate”, reads the summary, did no good in getting his Apple ID password.

But she didn’t show his death certificate. She showed a copy of his death certificate.1 It’s a document that is easily forged, and, for that matter, varies from jurisdiction to jurisdiction. There is no way for a company in Cupertino to know what a valid death certificate in British Columbia is supposed to look like or how to verify that it’s real.

Imagine this scenario:

A man calls Apple and says that his wife recently died. He provides a copy of her death certificate and a copy of her will, and then uses this to access the iPad he stole from his ex-wife—who is not dead after all—and use her contacts list and passwords list to harass her both socially and financially, eventually driving her to poverty and death.

Apple would be excoriated, justifiably so, for having relied on such easily forged documents.2

Matyszczyk writes in the article that:

Those blessed with common sense might wonder that digital assets are no different from any other possessions. If you bequeath your things to someone else, that person should have the automatic rights to those things.

I am not familiar with Canada, but in the United States, we do in fact require courts to be involved with the distribution of physical assets after a death. That’s what an executor is for, to act as a liaison between the probate court system and the inheritors. It isn’t “extreme” for Apple to want a court to be involved in the official transfer of assets after death. It is the normal process. Apple should be wary of anyone asking them to bypass the normal process. That’s a sign that this could be a social engineering attack.

Matyszczyk suggests that creating a “legacy contact” is a solution, but a “legacy contact” is just another email address available to be hacked in order to gain access. Instead of having to research the insecurity questions of the owner, now potential abusers and thieves can also research the insecurity questions of the legacy contact.

If a person wants to transfer access to their password-protected accounts after they’re dead, the best way to do this is to make the passwords themselves available, either in the will or with a trusted third party or with the actual spouse. It should always be a red flag when someone claiming to be a spouse asks for information about their spouse that the spouse could have easily given them. That’s a classic social engineering attack.

Matyszczyk also writes that the spouse was able to transfer the title of the house and the car with just a death certificate and will. I wouldn’t be at all surprised if that’s true. It isn’t just on The Rockford Files that deaths make it easier for cons to succeed. Technically, change of ownership should also be handled through probate, but unfortunately house stealing is a real issue and this includes Canada.

The Canadian case is interesting because it uses one of the worse potential abuses that exists in the United States as well: filing a change of address with the Post Office. Technically, the Post Office sends a notice to the old address as well, but all a potential scammer has to do is keep an eye out for that notice, whose arrival time is easily predicted, and snatch it.

In one case of a house being stolen through forged documents, there is a very telling quote from the Queens official who handles title transfers:

“The old policy was designed to be customer friendly. It’s very hard to be customer friendly and super vigilant at the same time,” Fucito said.

I would argue that making it easy for thieves to steal property and passwords is not customer friendly at all, no matter how much individual customers and ill-informed journalists demand it. This applies just as much to insecurity questions on bank accounts and email accounts, where all an abuser has to do is know basic information about their ex, as it does to trusting easily forged documents.

We shouldn’t ask Apple to reduce their security to the level of banks and governments. We should require banks and governments to improve their security so that houses and accounts cannot be stolen just by social-engineering some bureaucrat into being too embarrassed to require real security.

In response to Allow men to impersonate exes, transgender activists say: Some transgender activists want banks to reduce the security on bank accounts, enabling abusive exes to access their victims’ bank accounts.

  1. Hopefully, Apple can’t hand over his password because hopefully they aren’t storing it. Most likely Matyszczyk is misunderstanding the process for a manual password reset.

  2. Because all the wife wants to do is play games, at one time she could have just erased the iPad and started over. However, Apple took a lot of heat for allowing this as it enabled thieves to use stolen iPads and iPhones. In response to that, Apple has made it difficult to erase an iOS device that is password protected without knowing the password.

  1. Insecurity questions ->