A lack of standardization in the way governments and tech firms handle the digital accounts of the deceased could invite fraud and exploitation, the OpenID Foundation has warned.
The standards body released a report yesterday calling for a new framework to close systemic gaps across platforms, jurisdictions and industries.
The Unfinished Digital Estate, warned that no consistent global standards exist to ensure that devices and email, social media, cryptocurrency and other accounts are both accessible to the right people and protected after the account owner dies.
“This issue affects every internet user eventually, yet platforms treat death as an edge case,” said report co-author Dean Saxe. “We have standards for authentication, authorization, and digital consent. We need the same coordinated approach for what happens when users die, before AI deepfakes make this even more complicated.”
Read more on the challenges of digital estate planning: Relatives lose out as deceased IT users take their passwords with them.
The OpenID Foundation’s calls are made more urgent by the growing menace of deepfakes.
The report warned that, in the absence of protections, deepfakes could be used to simulate deceased account holders for “manipulation, disinformation or profit.” It argued that impersonation tactics could be used to target surviving relatives or friends, using the deceased as “bait” in social engineering attacks or scams.
Nefarious individuals might even weaponize access to shared accounts, photos and data to target individuals with abuse or stalking, the standards body claimed.
Personal data collected by websites – including purchases, chats, and electronically submitted information – loses all protection under the GDPR and CCPA once an individual has passed away. However, failing to protect “identity autonomy” after death could open the door to abuse, the report claimed.
A Call for Coordinated Action
The OpenID Foundation called for action from policymakers, tech platforms and standards bodies. It said:
- Policymakers should formally recognize digital assets in inheritance law, clarify identity rights and privacy protections after death, and create frameworks addressing cross-border digital property
- Technology platforms should create systems that move beyond credential sharing to proper “on-behalf-of” delegation
- Tech firms should implement verifiable processes for death and incapacitation, and provide users with controls over posthumous data use
- Systems should be built with clear consent, revocation and auditability
- Standards bodies should design interoperable delegation protocols, create verifiable triggers for incapacity or death, and develop trust frameworks for estate services
