"Let's be bad guys"

[morsla]

I'm working on a "virtual safe" project at work - finding out the legal implications of having electronic versions of your important documents stored online by a third-party service provider. Some documents (watermarked birth certificates, etc) can't readily be digitised; some are easy (account numbers and share certificates), and some are a bit tricky (wills).

Let's say that you have a legal will document, duly witnessed and authorised. You scan it, save it as a PDF, and place it in your online safe, alongside things like identity documents, titles and deeds for property and shares, and whatever else needs to be kept secure. The next summer, a bushfire destroys your town, including your home, your physical documents, your computer, and yourself. Your next of kin want to settle your estate...

Hopefully you told someone that you were making a will, and where you were keeping it.

Then, they need to get access to it. They might know your password, have a login of their own, or persuade the service provider to open up the account. Maybe it takes a court order to do this, or maybe they'll accept a stat dec. In theory, they go into the account, find the document labelled "will," check that it's the most recent version available, and start the process of resolving your estate the way you wanted.


What I'm interested in at the moment: putting on your bad guy hat, how would you break this system? What are the obvious flaws and weaknesses? How do you make sure the right people can access it, while preventing the wrong ones from doing so?

- How does the service provider stop unauthorised access?
- How can people legitimately gain access if you're not able to give permission?
- What about access by legitimate people, but for the wrong purposes? (spying on what's in the will)
- Improper use of documents in the safe (identity theft, fraud)
- How secure is the password and encryption? (technical elements)
- What's the process for gaining/changing access? (human elements)

What questions and ideas sping to mind for you?

Comments

[sharplittlteeth.livejournal.com]

Cory Doctorow did a post on BoingBOing some time ago about something similiar. All his files are encrypted. How does he ensure his estate can access them after his death, but not before then?

http://www.guardian.co.uk/technology/2009/jun/30/data-protection-internet

[morsla.livejournal.com]

That's an interesting post - particularly in the comments, where http://www.datainherit.com/ is mentioned. That's the first service I've seen that is designed specifically with inheritance in mind.

It's based in Switzerland, which gives it some interesting legal protection: insulating it from the rest of the world. It's also designed to be very secure: regardless of court orders, if the designated successors don't have their access details (or backups), then the encrypted data will never be recovered.

So far we've been looking at Australian services (so local courts can assist relatives), from the perspective of wanting to allow legitimate access. Cory's post takes an interesting perspective, trying to remove any possibility of unauthorised access instead.

random thoughts

[aeduna.livejournal.com]

Everything should be encrypted, not just require a password to gain access to unencrypted documents.

When you write a will, you tend to nominate at least one executor. Perhaps that idea could be extended to other documents, so to create the initial safe you need one other person to be given read access only. Of course, how you verify that there are two seperate people is a bit trickier - there may simple _have_ to be an initial physical verification such as ING uses to open an account.

Alternatively, the provider might offer an 'executor-like' service where they have read access under certain circumstances... not sure that works thinking about it

What does it take for a solicitor to release your documentation like a will? Physical death certificate? Might be that the provider needs the same mechanism, perhaps through a legal representative?

I think you're at risk from pretty much the same problems as a bank account - that the security of the account is dependant on the ability of the user to keep the access mechanism secure. So if they use a weak password, or write it down at their house, then its open to a physical breach.

You might want to look at the random key number generators that some banks use for their online banking.

(this really isn't blackhatting, but i am not good at that :))

Re: random thoughts

[morsla.livejournal.com]

I like the idea of requiring a second person if the will already requries executors - I'll have to check whether executors must be nominated, though.

Processes intended to handle absent-minded and forgetful users are definitely the weakest link - password recovery, personal decisions about storing the passwords, etc. This project grew out of the bushfire aftermath, when identity fraud became even easier - so many people lost their identity documents that special procedures were put in place by banks, insurance companies, and government departments. Relaxing the rules meant that people had a slightly easier time of putting their lives back together, but created a window when it was significantly easier to get primary identity documents by deception.

[carlos-v-b.livejournal.com]

Might not be an issue for you, but I know that here in the UK that were at the very least considering, and quite possibly enabling, a law that requires anyone carrying or possessing encrypted data to produce the key for said data within a certain (rather short) time frame (when asked by under some kind of conditions, which I forget).

One of the issues I can see you facing is that the harder you make the system to crack / socially manipulate, the less convenient it will be to use. Which may be part of the attraction; users will feel a bit better if they have to physically sign in documents in person, rather than using a simple user name + password login system.

Verification of data going in is also something you'd want to validate; noone wants allegations that the latest instance of a will was a forgery.

[morsla.livejournal.com]

It would be interesting to see what happens with that law. If the encrypted data potentially has commercial use, instead of private, then there might be all sorts of hurdles to get past. You'd want to have a very solid reason for forcing a company to produce that sort of information.

That would require people to know what the encrypted data was before taking it to court, though :)

I'll ask my supervisor if she's heard of anything similar in Australia, as that's her main area of expertise. One of the recommendations we're likely to make regarding choosing a service provider (for wills and identity documents) is to pick one legally based in Australia, to reduce potential problems if the beneficiaries need to get a court order for access.

[futurelegend.livejournal.com]

My biggest concern would be any person-to-person bypassing of the digital system.. (Call up and charm one's way in.) Processes and procedures would need to be well developed; not just an afterthought.

[morsla.livejournal.com]

Always a risk, and more likely to happen the more secure the digital system is... the human element is often going to be the weak link.

Another human problem would be password storage. The DataInherit company mentioned earlier have everything encrypted, and can't turn over data to a 3rd party. The account owner has a password (and a long access code that can be used to reset the password), and a nominated executor can be given access under a pre-nominated set of conditions. If the account owner loses their password or code, the data is irretrievable... so the way to get past that high-level encryption would be to find where they left their password.

On a completely unrelated note, I bumped into your mum in the city last week :) I had a strange week of running into people I knew.