An unfortunately common question for Mac 911 since the start of the pandemic has been how to deal with a person’s online accounts and the data stored on their computers and mobile devices after they have passed away. In most cases, preparations need to be made in advance to grant this kind of posthumous access. Apple added an option in late 2021, called Digital Legacy, that lets you set up your iCloud account to make it easy for designated people to retrieve specific data, such as photos and contacts.
But a reader recently asked the inverted question: how can data be kept locked away forever in the event of death? Some people have secrets; others are intensely private; others want to be forgotten. The author Franz Kafka burned an estimated 90 percent of his work while he was alive. He died of tuberculosis at the age of 41, leaving instructions to his dear friend and literary executor Max Brod: “Everything I leave behind … in the form of diaries, manuscripts, letters (my own and others’), sketches and so on, to be burned unread.” (Brod ignored this instruction, which has caused a century of doubt.)
Modern strong encryption of the entire device makes it possible to prevent anyone from obtaining your locally stored data once you are gone. For data stored in the cloud, there may be no technical way to ensure that an account that contains files or details that are only encrypted by the cloud provider can be made unrecoverable. You may have to leave some instructions and hope for a more loyal Max to carry them out.
Here’s how to set things up to avoid losing access in your lifetime and make sure your data mostly disappears with you if you want it to. (Keep in mind that this is a computer publication column. I’m not a lawyer and none of the following constitutes legal advice. Consult experts when making precise plans.)
What do you want to leave behind
Assuming you want some photos, documents, or other details to be available to family, heirs, descendants, friends, or the public, identify them first. I recommend storing that information and updating it regularly on a site that allows inexpensive storage and where you can give someone a password for post-mortem access.
For example, set up a Google Account separate from the one you use for other purposes, and pay the company’s annual data storage fees for amounts greater than the included space if necessary.
Then keep everything else safely under lock and key.
Passwords and Second Factors
It’s never a bad time to improve your password strength, confirm that the passwords you use are good enough, and enable stronger account security:
Password manager: Use 1Password, Dashlane, LastPass or iCloud Keychain to generate and manage all your passwords. Some of these apps also let you store other information securely. This centralizes your password storage, creating a single locked vault. But also…
Password manager password: Except for iCloud Keychain, set a strong password that you will remember and that is otherwise unavailable to other parties. You may want to create and keep a recovery kit, which password managers produce, in case you forget the password. But if you store that kit somewhere other people can find it, they can just as easily use it to unlock the passwords for all your email and online accounts. (iCloud Keychain relies on device passwords and biometrics; see below.)
Strong passwords: To prevent people from guessing your passwords, make sure that every service where you store private information, or that records what you do, has what is currently considered a strong password. That is at least 12 randomly generated characters from a password manager, or randomly selected words that make up a password of 20 characters or longer. (Use passkeys when they become available later in 2022 from Apple, Google and Microsoft for even more protection.)
Two-factor authentication (2FA): While 2FA discourages easy access to your account by those without your credentials, it can also be another lock that keeps accounts safe.
One weakness of leaving accounts behind is that a family member or other party who gains access to your phone number (not even your phone) can initiate a series of account recovery steps, even on sites that support 2FA. See ‘Leave Instructions’ below for thoughts.
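The strong-password guidance above, worked through as an added example (it is not from the original column). It generates both kinds of password and estimates how long an offline guesser would need to exhaust each one; the guess rate, the 74-symbol alphabet and the tiny word list are assumptions constructed for illustration.

```python
import math
import secrets
import string

# Assumption: an offline attacker who can test 10**12 candidates per second.
OFFLINE_GUESSES_PER_SECOND = 10**12
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"  # 74 symbols

# Constructed 16-word list, far too small for real use; it is here to show
# that length alone does not make a passphrase strong.
TINY_WORDLIST = ["acid", "bolt", "cave", "dune", "echo", "fern", "glow", "hawk",
                 "iris", "jade", "kelp", "lime", "moss", "nova", "opal", "pier"]


def random_password(length=12):
    """Return (password, bits) for `length` uniformly random characters."""
    if length < 12:
        raise ValueError("use at least 12 random characters")
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return password, length * math.log2(len(ALPHABET))


def random_passphrase(wordlist, min_chars=20, sep="-"):
    """Return (phrase, bits): random words joined until min_chars is reached.

    Each word contributes log2(len(wordlist)) bits, however many letters it has.
    """
    words = sorted(set(wordlist))
    if len(words) < 2:
        raise ValueError("word list needs at least two distinct words")
    chosen = []
    while len(sep.join(chosen)) < min_chars:
        chosen.append(secrets.choice(words))
    return sep.join(chosen), len(chosen) * math.log2(len(words))


def years_to_exhaust(bits, guesses_per_second=OFFLINE_GUESSES_PER_SECOND):
    """Years needed to try every candidate in a space of 2**bits."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for label, (secret, bits) in [
        ("12 random characters", random_password(12)),
        ("20+ chars from a 16-word list", random_passphrase(TINY_WORDLIST)),
    ]:
        print(f"{label}: {secret}  ~{bits:.1f} bits, "
              f"{years_to_exhaust(bits):.2e} years to exhaust offline")
```

The 24-character phrase drawn from the 16-word list carries only 20 bits, so a word-based password needs a large word list as well as the 20-character length.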
Get ready within the Apple ecosystem
If you’re fully part of the Apple ecosystem, here’s how to prevent anyone else from getting your data. (Many of these tips are enough for the living and the dead.)
macOS: Enable FileVault. With a strong password set for every account that can log in via FileVault, the Mac’s data is essentially unrecoverable. (Intel Macs with a T2 security chip and all M-series Macs automatically encrypt all data on the internal boot volume, but without FileVault enabled on those machines, the Macs can boot and decrypt the startup disk before you enter your password, which makes them easier to break into.)
iOS/iPadOS: Since the iPhone 5s for iPhones and the iPad Air (2013) for iPads, Apple has built full device encryption into its mobile devices. A device must be booted and unlocked to access the data stored on it. Set a strong passcode: at least six digits, but preferably a longer alphanumeric one. Because of the way Apple restricts and controls password entry to discourage cracking, the password doesn’t have to be nearly as long as passwords stored elsewhere, where a cracker can obtain the encrypted form of the password and perform trillions of offline brute-force tests.
iCloud: If you use iCloud at all, your data may remain available after you’re gone. Most iCloud sync services are only encrypted by Apple, meaning anyone with account access can access and download that data. (iCloud Keychain is end-to-end encrypted, avoiding that problem.) However, if you don’t enable Digital Legacy as described above, it’s unlikely that Apple would let anyone sign into your account. Apple also has a process to delete a deceased person’s account.
On devices that offer Touch ID or Face ID unlocking, these biometric methods are seemingly impossible to get around. After you are no longer with us, your biometrics go with you. (There are some horrifying suggestions online that it might be possible to unlock the devices of someone who has just died; I think that’s unlikely for the vast majority of us.)
Apple automatically disables biometric access once a device has gone 48 hours without being unlocked in any way, and reverts to password-only unlocking.
Leave instructions about credit cards, bank accounts, phone numbers and online accounts
Even if you do not have significant assets that you believe you will leave behind, it is best to make a will and find a friend, relative, or attorney you can trust to act in your best interest as executor of your will. That person can manage the financial aspects of discontinuing services. For example, an executor can notify all financial institutions and credit card companies of your death and send a copy of the death certificate to freeze spending on your accounts.
However, as the legal information site Nolo points out, “In most states, your executor does not have legal authority to access your digital assets.” Instead, you should instruct someone you trust about what you want done. You can leave money to that person on the condition that they carry out your wishes, but whether an executor can arrange for compliance is difficult to say. (Again, I’m not a lawyer: this is an area where you should seek local legal advice.)
Data in the cloud or with online accounts remains vulnerable unless it is encrypted with keys held only by you or generated and stored on your devices. An example of the former is Backblaze for online backups, where you and only you own the encryption key of your backups. For the latter, many iCloud services rely on end-to-end encryption secured with keys stored only on your iPhone, iPad, or Mac, such as iCloud Keychain (mentioned earlier), health data, Wi-Fi passwords, and your Safari browsing history and bookmarks.
You could rely on benign neglect: without regular interaction with many accounts, they just go defunct. Lack of an active credit card or failure to respond to security alerts can cause a site to close an account. With the password preparations made above, seemingly no one will be able to access the account even if it remains active indefinitely.
But you can’t fully count on that: sites get hacked. You probably want someone to take more aggressive steps.
While you are able, you can list all the sites, banks, telephone companies and other services related to phone numbers, text messages, data storage and other services so that a party you trust can systematically shut down the things that an executor cannot:
Secure your phone number or numbers: Some sites provide access or recovery of accounts by texting links or codes to a phone number. You must have an executor keep your number for a period of time, with the proviso that they cannot use it for account access, or have the number frozen or locked to prevent another party from accessing it.
Close online accounts: Many services let an appropriate party notify them to close an account. A copy of the death certificate is usually required. Every service is different, so your appointee may need to do quite a bit of research. It can take 30 to 60 minutes per account to find the instructions current at the time of your death, then generate and follow through on the paperwork.
Wipe devices: Depending on the state or country and local rules, you may be able to ask someone to wipe your devices. With proper device security, that can be impossible. Furthermore, Apple devices that support Activation Lock will generally be unusable if you died with Find My Mac/iPhone/iPad enabled – the device will at the very least be erased, but it will be unusable by the next person.
This Mac 911 article answers a question from an anonymous Macworld reader.