Because I'm all about the "good enough."

Saturday, February 20, 2016

How Google turned me into my mother.

We are facing a big problem, one that's hidden behind the more prominent issues of cybercrime, encryption wars, and vulnerability disclosure. It's endemic to our digital infrastructure, and it's going to get worse over time. And it's so complex that I'm not sure I can do it justice in a blog post. I've been talking about it here:

https://www.youtube.com/watch?v=lU8_S0V_zOQ (B-Sides London)

https://www.youtube.com/watch?v=mKnKQv-0cwE (HouSecCon)

In a nutshell, it has to do with digital delegation.

What do I mean by that? I mean any situation where an online user needs to be able to delegate all or part of their access or capabilities to someone else -- whether temporarily, intermittently, or permanently. Most identity and access management models only deal with delegation in an enterprise context: Alice needs to go on PTO, and Bob needs to cover for her during that time, without anyone confusing the two people for the purpose of accountability.

But real life is more complicated than that, and it involves legal protections as well. Take the reasonably simple example of a minor child. A parent or legal guardian has the authority to administer many things for a child, but the design of online accounts is often muddled. Which signups does the parent have to do, and which ones does the parent simply approve at some part of the workflow? If a registration is asking for a date of birth, whose date of birth are we talking about? And what happens when the child reaches the age of legal majority? Does the parent suddenly have to turn over access to a login, or does the parent drop out of the approval workflow?

At the other end of the spectrum, we have the problem of what happens to online accounts after the owner dies. We still haven't worked that out too well yet -- there are good talks out there by people who have had to deal with it personally -- but death is a pretty permanent condition, as well as a binary one. What about temporary or intermittent delegation?

If you were incapacitated today for a month -- let's say, due to the proverbial bus accident -- who would be able to pay your online bills? A friend can't just go to your bank and say, "Yeah, I just need to be set up as a secondary on this account so I can get into billpay." No, if you were conscious, you would probably just give your friend your password. And if you're using 2FA with that account on your phone (as everyone should do, right?), you'd have to hand over your phone -- oh yes, and the passcode for the phone too. Or would you let your friend change over the 2FA registration to their phone for a while, to make it easier?

That's just one scenario. The harder one, which I've had to live through twice now, is the declining parent who has good days and bad days, and doesn't want to give up control of their accounts. They may be so impaired that they make mistakes with them, or forget how to use the sites, but they won't simply sign everything over to their child (and in some cases, they may already be so disabled that they can't take the legal steps to sign things over anyway).

Dealing with an incapacitated loved one is heartrending. You want to allow them as much autonomy as possible, while protecting them from themselves. Above all, you don't want to have to get them declared legally incapacitated; that will ruin your relationship forever. You simply want to be able to help them out. "Hey Dad, do you just want me to log in and take care of this for you? I know you're tired today, but this bill is due." And in the future, they may have good days where they can go back to doing it themselves; you don't want to have taken over their logins, changed passwords, set up your own phone as the recovery number, and so on. There has to be a better middle ground, between impersonation (which can trigger fraud alerts) and the permanent, legal takeover.

So here's the story behind the title of my talks, and this post. I had to take over my father's Gmail account when he had a stroke, so that I could get into his accounts and reset the passwords, so that I could pay my parents' bills (as well as watch those accounts for fraud). Later, I had to take over my mother's Gmail account, and I set up my personal (non-Gmail) email address as a secondary on her Gmail.

What I found out was that Google helpfully associates the two addresses when you do that, so whenever someone using Gmail tried to mail me at my personal email, Google would say brightly, "Oh, you mean [my mother]!" So whenever anyone mailed me using Gmail -- business associates, friends, merchants, etc. -- the messages would be sent to me, but under my mother's name. That's pretty creepy when it happens.

I went in and removed my email address as the secondary, but it didn't fix the problem. I am now permanently associated with my (now deceased) mother as far as Google is concerned. I reported this to them, but they did not consider this to be a security or privacy issue, so there you are. (I don't want to delete my parents' Gmail accounts, because I don't want an impostor popping up in the future, and there may still be alerts coming in from other accounts I don't know about.)

The bottom line here is that we need a massive overhaul in the design of consumer-facing systems that can take into account different delegation cases. They need to handle authentication, re-certification, and legal proxies, and they need to understand non-binary conditions, while at the same time continuing to protect against account takeovers and fraud.

Right now, this is not a crisis, since the majority of people who are becoming incapacitated did not set up much in the way of online accounts. But as the tech-savvier baby boomers age, it is going to get much worse; I have hundreds of accounts out there dating back decades, some of which I'm sure I've forgotten about and never entered into a password manager. If my children had to take over my business affairs, there would be no other way for them to do it other than online (they don't know how to write a check, and all my statements arrive electronically anyway).

Luckily, a few companies out there are starting to become aware of the issue and offer emergency access functionality. It's a start. But we need global, consistent mechanisms for doing this, and they need to be set up at the point of initial registration, not months after someone has managed to get a legal power of attorney signed and notarized, and has had to fax it to fifteen different entities.

I don't have a ready answer for this, except that a bunch of us need to get to work on it. Our digital future as a society depends on supporting our real-world life cycles.