morsla ([personal profile] morsla) wrote 2010-07-23 12:37 pm

"Let's be bad guys"

I'm working on a "virtual safe" project at work - finding out the legal implications of having electronic versions of your important documents stored online by a third-party service provider. Some documents (watermarked birth certificates, etc.) can't readily be digitised; some are easy (account numbers and share certificates), and some are a bit tricky (wills).

Let's say that you have a legal will document, duly witnessed and authorised. You scan it, save it as a PDF, and place it in your online safe, alongside things like identity documents, titles and deeds for property and shares, and whatever else needs to be kept secure. The next summer, a bushfire destroys your town, including your home, your physical documents, your computer, and yourself. Your next of kin want to settle your estate...

Hopefully you told someone that you were making a will, and where you were keeping it.

Then they need to get access to it. They might know your password, have a login of their own, or persuade the service provider to open up the account. Maybe it takes a court order to do this, or maybe the provider will accept a statutory declaration (stat dec). In theory, they go into the account, find the document labelled "will," check that it's the most recent version available, and start the process of resolving your estate the way you wanted.


What I'm interested in at the moment: putting on your bad guy hat, how would you break this system? What are the obvious flaws and weaknesses? How do you make sure the right people can access it, while preventing the wrong ones from doing so?

- How does the service provider stop unauthorised access?
- How can people legitimately gain access if you're not able to give permission?
- What about access by legitimate people, but for the wrong purposes? (spying on what's in the will)
- Improper use of documents in the safe (identity theft, fraud)
- How secure are the password and the encryption? (technical elements)
- What's the process for gaining/changing access? (human elements)
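One design answer to the second question (legitimate access when the owner can't give permission) is to split the key that encrypts the safe's contents k-of-n between several parties, so that the heirs can reconstruct it after a death but no single party, the service provider included, can open the safe alone. The following is an added example, not code from the original post or from any real provider: Shamir secret sharing over a prime field, with a public fingerprint of the key stored beside the shares so the heirs can tell a correct reconstruction from a wrong one. The 3-of-4 policy, the holder names, the field modulus and the sample key are all assumptions for the demo.

```python
# Added example, not code from the original post: a k-of-n threshold split of
# the key that encrypts the safe's contents, so the owner's heirs can get in
# after the owner's death but no single party (executor, solicitor, service
# provider) can open the safe alone.  Shamir secret sharing over GF(p).
# Names, the 3-of-4 policy, the modulus and the sample key are assumptions.

import hashlib
import secrets

# Field modulus (assumed): 2**256 - 189 is prime and large enough for a 256-bit key.
P = 2**256 - 189


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, num_shares):
    """Split an integer secret into num_shares points; any `threshold` of them
    reconstruct it, fewer reveal nothing about it."""
    if not 1 <= threshold <= num_shares:
        raise ValueError("need 1 <= threshold <= num_shares")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0.  With fewer than `threshold` shares this
    still returns a value, just the wrong one, so callers must check it."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def fingerprint(secret):
    """Public commitment to the key, stored next to the shares so the heirs can
    tell a correct reconstruction from a wrong one (e.g. too few shares)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).hexdigest()


def recover_checked(shares, expected_fingerprint):
    """Return the key if the reconstruction matches the commitment, else None."""
    candidate = recover_secret(shares)
    if fingerprint(candidate) != expected_fingerprint:
        return None
    return candidate


def demo():
    """Constructed scenario: the document key is split 3-of-4 among the
    executor, the solicitor, the service provider and a sealed spare lodged
    with the paper will."""
    document_key = int.from_bytes(b"constructed demo key, not real!!", "big")
    holders = ["executor", "solicitor", "provider", "sealed spare"]
    shares = dict(zip(holders, split_secret(document_key, 3, len(holders))))
    commit = fingerprint(document_key)
    return {
        # Three holders cooperating recover the key.
        "three_parties": recover_checked(
            [shares["executor"], shares["solicitor"], shares["provider"]], commit)
        == document_key,
        # The provider plus one other holder cannot.
        "provider_plus_one": recover_checked(
            [shares["provider"], shares["sealed spare"]], commit) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the fingerprint is the failure mode in the docstring of recover_secret: interpolation through too few points returns a plausible-looking but wrong key, so without a commitment the heirs could not distinguish "we don't have enough shares" from "we have the key". The scheme also answers the provider-insider question above, since the provider's share alone is useless, but it does not by itself address a legitimate holder using the key for the wrong purpose; that remains a human-process problem.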

What questions and ideas spring to mind for you?

[identity profile] morsla.livejournal.com 2010-08-01 01:16 pm (UTC)
It would be interesting to see what happens with that law. If the encrypted data potentially has commercial use, instead of private, then there might be all sorts of hurdles to get past. You'd want to have a very solid reason for forcing a company to produce that sort of information.

That would require people to know what the encrypted data was before taking it to court, though :)

I'll ask my supervisor if she's heard of anything similar in Australia, as that's her main area of expertise. One of the recommendations we're likely to make regarding choosing a service provider (for wills and identity documents) is to pick one legally based in Australia, to reduce potential problems if the beneficiaries need to get a court order for access.