Bequeathing Online assets
By Pulkit Sharma

Cyber law expert Na.Vijayashankar, also known as Naavi in Cyberspace, is one of the most respected names in the Indian tech world.  As Chairman of the Digital Society Foundation and as a Director of Cyber Law College, one of Naavi’s life mottos is “Let’s build a responsible Cyber society”. Naavi’s views are highly regarded and he is regularly quoted by the leading Indian newspapers and magazines.

Naavi has just blogged about the ‘Inheritance of Virtual Assets’ and it seems that the Indian laws are hazy about who inherits your Orkut, Facebook, Yahoo accounts when you pass on from this earthly world.

“
With the increasing penetration of ICT and the changing culture of the society, users of ICT are accumulating virtual assets of various kinds. For example, people buy domain names through registrars with substantial costs. They may buy web hosting and ASP services. They also hold e-mail accounts and online memberships for many paid service. Many professionals build assets such as "Content", "Photographs" etc with IPR and place them in the "Cloud". There are social networking sites such as secondlife.com, facebook.com etc where the users might have built some virtual assets which have the possibility of being converted into cash of the physical world. There could also be accounts such as e-gold, e-commodities etc and which are physical world assets converted into e-assets.

All these assets are today kept at the disposal of an ICT user with the use of an online account maintained normally with a "User Password".

In other words, whoever holds the password, holds the assets. They hold the virtual key to the virtual asset.

Let's now imagine the unfortunate event of the death of the virtual asset holder. Now as per the usual expectations, the asset holder is not supposed to have shared his passwords with any person including his own kith and kin. He is also not supposed to have written down his passwords anywhere. In such an event the assets get frozen for no fault of the legal heirs.

The assets include e-mail accounts which may contain valuable correspondence about many of the physical world contracts and assets that the deceased person could have built during his lifetime. If the e-mail account is not accessible by the legal heirs, their rights guaranteed by law could be adversely affected.

Having granted recognition of a "Digital Contract" entered into by a person with the use of electronic documents, there is a need for the regulators to also pass necessary supplementary laws to enable the owner of the digital contractual rights to transfer his rights through the inheritance laws.

Looking at the Indian Cyber Laws as envisaged in the Information Technology Act 2000 (ITA 2000) set to be substantially amended through the Information technology amendment act 2008 (ITA 2008), the current position in India is that there is no clarity on the legal aspects of "Virtual Assets". Further, ITA 2000 and ITA 2008 has not given recognition to "Will" in electronic form.

In such a situation, if a person approaches a Court of law in India and asks for a succession certificate on the websites owned, passwords possessed etc by a deceased, it is difficult to envisage how the Court would view the request. Similarly, if a person leaves a will in written form but includes in the will his virtual assets some described fully and some not so fully, (say the passwords which are subject to change from time to time", will a Court grant a "Letter of Probate"?

Alternatively, if a claimant approaches yahoo.com or gmail.com and requests that he be provided the password of the deceased because he is the legal heir, how will such organization handle the "claim"?

The undersigned calls the society to therefore start thinking on how we go about to protect the virtual assets of persons.

Though the "inheritance laws" are different statutes than the IT laws such as ITA 2000, there is a possibility of providing a relief for such cases under the ITA 2008 through the rules being framed.

For example, the ITA 2008 is going to prescribe "Reasonable Security Practices" to protect "Sensitive Personal Information".

"Information Security" includes not only prevention of  access by unauthorized persons, but also ensuring that the information is "Available" to the authrorised person. Under the OECD principles, as well as the Data Protection Act of EU countries, it is one of the "Rights" of a data subject to access his information which has to be guaranteed by the data controller. In some cases, the liabilities of data protection applies only to data of a "Living person" and hence is not applicable to the data of the deceased persons. This does not however mean that the data of a deceased person can be placed in public domain. In fact "Copyright" on the web content created by a person may vest with his legal heirs for the next 60 plus years ! and therefore has to be accessible to the legal heirs.

Hence "Reasonable Security" includes making the data available to the "Legal heirs". Hence the rules to be drafted under ITA 2008 can incorporate how the data of a deceased person can be made available to the legal heirs. This would be an obligation cast on the "Intermediaries" who will hold the data.

Naavi.org therefore suggests incorporation of the following provisions in the ITA 2008 rules:

1.Every intermediary shall  demand and obtain the name/s of persons to whom the assets in the name of the service users is nominated. The nominees will be required to provide proof of death of the account holder and submit a claim on the account.

2. Every intermediary should create a "Claims-Ombudsman" to handle the claims.

3. Disputes arising due to inheritance not resolved by the ombudsman should be met through an "Arbitration" for which provision has to be made by the service provider.

4.Virtual assets of persons reported deceased need to be archived securely to enable the claimants to complete the legal formalities that may be necessary for the claims to be settled and should not be removed automatically after expiry of some time in which the account has been inactive.

5.Before removing any data on account of an account being inactive, the service provider should make efforts to reach out to the account holder's last known physical address.

6. Just as the Banking system turns over the money in unclaimed accounts to the Government, the unclaimed virtual assets of a person should be archived with either a Government agency or a trusted private  agency designated by the service provider and accepted by the account user as a part of the terms and conditions of the account creation.

Naavi who presently provides the Cyber Evidence Archival Center is developing a "Virtual Inheritance Assistance Center" at www.ceac.in which will provide necessary guidance to Intermediaries (e-commerce sites, web hosting or domain name registration companies) on setting up of necessary procedures for inheritance management for their clients. It will also provide support and assistance to the public to claim and retrieve virtual assets of deceased persons.
“

Techgoss note: We thank Naavi for allowing us to publish his article