Post-Suicide Account Cracking?

An anonymous reader writes "A good friend of mine had her younger brother apparently commit suicide last week. He was a young, promising CS major who was close to being accepted into a very prestigious school. He was very into Linux as well as PHP/MySQL coding. He left absolutely nothing behind for the family as far as a death note or explanation, and there is some possibility that this was all somehow a tragic accident. The family is in a situation where proof of accidental death would change how this was viewed in terms of paying for parts of the funeral. More importantly, some members of the family are hoping to find something, anything, that might explain why this all went down. Since I'm the most computer-skilled person the family knows, they have asked me if I could help them try to find some information. My possible approaches are: his Linux laptop, his university, Gmail And Hotmail email accounts, and a second MySpace profile that apparently has been tagged as private. How ethical would it be to, say, try to crack his root password in a situation like this? I wouldn't attempt to crack a man's account for his wife because she thinks he is cheating on her, as his life is his own business. In death, would you have the same respect for a person's private thoughts? Secondly, If I contacted places like Google, MSN, the university, and MySpace, what are the odds that they would give me access to any of his accounts? I have links to obituaries and such to prove that he is indeed gone. Would it be a matter of not giving it to me (maybe only to the family), or is this something that they would not do at all? Any opinions on if I should do this and if so, how I should go about it?"

I have said it before

[hansraj]

dead people don't really care, one way or another.

file a petition with a judge

[thrillseeker]

a court order will streamline all this for you

Do it.

[sm62704]

Your friend is gone; he no longer owns anything. His worldly possessions, including his accounts and passwords, belong to those he left behind. They have asked you to open the locked box, open it.

There is no ethical delimma. You are being asked to open something by that something's owner. NOT cracking passwords would be wrong.

No need to crack root...

[Nutria]

Just boot it with a LiveCD, and it's all yours.

If you saw your friend again

[Unlikely_Hero]

If you saw your friend again, would you be able to explain why you did it? Would he agree with your reasoning or would he feel you had violated his sovereignty? You can still respect him in death, what would he say?

Two possibilities

[GlobalEcho]

Well, if it was suicide, and there was anything he didn't want people seeing, then he had his chance to delete it. If it was not suicide then I think you have to tread more carefully, but in the end the dead have no right to privacy (or reason to care).

For FSM's sake, though, take a moment to "accidentally" delete his porn and such while you are going about this. That's just basic courtesy.

If you don't know; don't even try!

[Anonymous Coward]

This is IMO one of the silliest questions I've read on /. in some time now. Seeking help on /. for stuff like this is disturbing.

But here is a well meant sound advice: If you don't know how to pull this off then don't even bother trying. Simply because in the process of "cracking" you might accidently destroy very precious data which another real computer expert would be able to retrieve. And should the family sometimes find out about a situation like that then you've really done some serious damage.

For the record; you don't need to "crack" his root password on that linux box. Just boot using a rescue cd (knoppix, ubuntu, whatever) and you'll have full access. But seriously: leave this to someone who knows what he's doing.

IANAL...

[gbrandt]

...but...

The belongings of the deceased become part of the estate. The estate, with a lack of a will, can go either to the 'state' or to the next of kin (depending where you live). The 'state' usually takes its taxes and give the rest to the next of kin. This means that the laptop and accounts now belong to the family (barring the EULA on myspace and google which, correct me if I'm wrong, state that the ownership resides with them). This means that you are cracking a laptop for an OWNER that no longer has a password (forgotten it, so to speak). There is no ethical issue here.

Gregor

Re:Death certificate

[smooth wombat]

You beat me to the punch. Having worked in the financial sector for a time, a death certificate should do the trick.

The catch will be is if the person signed up for accounts but didn't use his real name, address, etc. Then you may have a problem. Otherwise, submitting the certificate (more than likely official copies) should suffice to prove to the various places that the person is truly dead and you are doing a port mortem of his accounts.

The family should be the ones contacting these places as they are next of kin.

I know it's asking for trouble, but this is why all your accounts including username and password should be written down and stored in a separate location. Regardless if it's suicide or getting run over by a wildebeast, someone, somewhere, will need to be able to get into your accounts to clear things up.

Re:I have said it before

[Bondolon]

Indeed, ethics is generally about social relations between people. One could make a case (maybe) that it's immoral to do this, but the only question of ethics I can see here is that of assisting a grieving family.

Everything in Writing

[necro81]

If you do contact Google, MSN, etc., don't do it through electronic means. Don't even do it over the phone. Do it in writing. Yes, actual letters on paper sent via (registered) snail mail. Include copies of the death certificate, obituaries, etc. Don't use your name and address - you are nobody as far as legal standing is concerned. Channel all the communications through one of the parents - have them sign the letters, use their name and address.

It's not that simple

[mario_grgic]

There is no evidence yet that the person didn't desire to make some things private and their wish should be respected even after death.

You are making a mistake that because someone is dead (and hence obviously can't care) implies that they didn't care when they were alive.

In absence of legal will it is hard to tell what the desire of the person was, but if someone wrote in their will that they want for example their laptop destroyed after their death, it would obviously make it un-ethical to ignore that wish and poke through their laptop.

Re:No need to crack root...

[martijnd]

Then try to get Firefox to start up with the original profile. You might be able to automatically login to his Gmail/Hotmail etc accounts.

Re:Death certificate

[JustinOpinion]

My condolences to the family.

I would say that a death certificate is a necessary, but by no means sufficient, piece of evidence.

There was recently a death in my extended family. I have seen how, even with a death certificate and all official documents (police reports, etc.), it still took literally years to finalize routine things (closing accounts, transferring assets, dealing with insurance, etc.). So it turns out its quite long and complicated to even just do the "normal" things (that must be done when any person dies, and for which no one was really contesting anything... just following the protocol). So I can only imagine how difficult it will be in situations where things are unclear.

For instance, if you show a death certificate to an email provider, what does that prove? It shows that someone died, but doesn't actually prove that it was the owner of the account that died. (Did he sign up with his real name, or fake details?) I can imagine an email provider requesting certain conditions (like waiting a year to make sure there is no activity on the account, and requiring some proof of connection between the person and the account).

All this to say: prepare for a long and drawn-out ordeal. Finalizing a person's affairs is not a quick matter. (On the other hand, you might end up being lucky, and finding a "passwords.txt" file on his computer somewhere.)

Re:Do it.

[mpe]

Your friend is gone; he no longer owns anything. His worldly possessions, including his accounts and passwords, belong to those he left behind. They have asked you to open the locked box, open it.

They probably actually belong to his "estate". If he made a will then it will explicitally list who the executors of his will are. Executors of a will have something similar to "power of attorney" when it comes to distributing a person's estate. Even if someone died "intestate" their estate still exists, where things can get complex is that the act of getting married can perform the equivalent of writing a will, where the terms an conditions depend in exactly where and when the marriage took place.
Even if you are an executor (or working for an executor) AFAIK you can't investigate a death. But if your intent is to locate part of their estate then it's ok if you happen to stumble upon information relating to how someone died, though it might be a good idea to share any such information with the police and/or corronor.

Re:I have said it before

[Applekid]

A subpoena could probably compel them to provide you with access.

From the question it seems like it's related to a life insurance policy that doesn't pay on suicide, which is the norm. So, the family ought to do a cost-benefit analysis about renting lawyer time for said subpoenas versus getting what they stand to gain by proving it wasn't a premeditated suicide.

What if you findout about secrets of live people?

[HaaPoo]

Like he has been sleeping with your girlfriend in the past?

Settling affairs, your friends in probate court

[siriuskase]

The administer/executor of his estate has the legal right to conduct business in his name for the purpose of settling his affairs. I would present the paperwork from the propate court to all those places you mentioned and procede to settle his affairs as you see fit.

You may discover something that he did indeed mean to keep private. And, if there is an afterlife, he may care. If so, be like an ethical telephone engineer and behave as if you have no knowledge you aren't supposed to have.

Re:sanitize his history and records

[10101001 10101001]

Get rid of anything that might make them think less of the dead, they're already broken up about it as is. I'm sure the last thing this kid's family would want to find out about is his furry porn collection.

While I understand the feelings behind this, trying to hide the truth about someone to spare the family's feelings seems like a disservice to the family and to society in general. Should everyone think less of JFK if he was a furry porn freak? Or should people, possibly grugingly, accept that it was a part of this hypothetical JFK, and that as much as they might personally detest it, it's part of what made hypothetical JFK who he was.

The fact that all the "bad" stuff keeps being whitewashed only furthers the belief that such things *are* "bad" regardless of how common it is--consider the open secret of marijuana and cocaine usage. Do realize, I'm not advocating to like furry porn or to use cocaine. I'm advocating the realization that there are a lot of things people do in their personal life that have very little influence over what they do in their public life. You can condemn a person for what they do in their personal or public life. But, perhaps, the realization that what people do in their personal life really doesn't hurt anyone and only affects them should really give more people pause to be so willing to condemn them purely because it has, in the past, been socially condemnable.

Beyond that, whitewashing like that makes me condemn the military. It has the effect of one-on-one propaganda for the military, regardless of its intent.

Re:Death certificate

[Jaqenn]

There were a few previous ask slashdots on this:

http://ask.slashdot.org/article.pl?sid=07/01/10/0014220 [slashdot.org]
http://ask.slashdot.org/article.pl?sid=06/09/23/2334218 [slashdot.org]

If I recall the consensus was that anything you can hack together in software has a good chance of failing. Plus, honestly, do you really want to have tons of personal information waiting to go out any day that you forget to push the 'I'm not dead' button before you fall asleep?

Go get a safe deposit box, fill it with stuff, and leave the key with a lawyer.

Re:I have said it before

[Atraxen]

True, but I'd take it one step further and say that ethics extends after death (in some ways) when someone's wishes are known. For example, consider organ donation; if the family knows that the person expressly wished for a certain type of burial, there's generally some consideration of their wishes in deciding whether to allow organ harvesting (and I'm not going into the ethics of when to override these wishes - too off-topic).

So, I'd say that if the person never specified his accounts were in a metaphorical 'burn-box' when he died, it's up to the family to decide about his privacy (same as for organ donation, or releasing personal works/letters [e.g. Tolkien]). So, if the family is requesting it and you have no contrary knowledge of his wishes, I don't see any ethics problems.

Speak to a lawyer.

[Carik]

Seriously. Speak to a lawyer, and then recommend a professional data recovery company to the family. You do not want to get involved with this. Best case, it turns out there's proof it was accidental. I'm not sure how that could be proved, but let's assume it was.

Worst case, you find evidence of... something. Drug use, criminal activity, involvement with a cult, something like that. Whatever it was, it drove him to suicide. Now you're in the position of telling the family that their son/brother was doing something they wouldn't have approved of. Yes, they may be glad to know what really happened, but you'd better believe that things are going to be awkward with the family from now on.

Or, possibly even worse than that... what if it turns out it was something the family did? Even if it wasn't anything illegal or even dishonest... do you want to be in the position of telling the parents that something they did caused their son to kill himself? I wouldn't. I wouldn't want to do that to my worst enemy, let alone people I liked.

Speak to a lawyer to find out the legal issues and what is needed to get information from various hosting services, then suggest that the family contact a good data recovery firm. Have them hire a lawyer to get the data from the hosting services. No matter how much you want to help, restrict it to helping them find professionals to get the data, don't try to do it yourself.

Re:Death certificate

[evilandi]

A death certificate from the next of kin opens many doors.

Correct answer. ISPs will serve up almost anything when presented with correct, verifiable death certificate and a letter from the correct, verifiable next of kin stating that person X is authorised to take over the deceased's logins.

It is, sadly, a very slow process.

I was in the unfortunate situation of having to re-establish control over a number of friends and family's domains when their registrant, a friend of mine from uni, died quite expectedly (had a massive birth defect, estimated TTL 2 years, actual TTL 35 years).

The sad thing is that I am still very annoyed with my dead friend for not making better arrangements, given his condition. Which is definitely not how I want to remember him.

My own will now gives instructions on how to recover my domain registry username/password.

No victim, no crime

[ClientNine]

Your ethics in this case extend to the living, not the dead. "First, do no harm..." might be a good motto here. You are going to be mucking about in some content that might not be what anyone is expecting, but there is a story there and the living want it told-- at least to them.

So long as you are discreet and have the consent of the family, do what you need to do to bring them closure.

I've lost a child. I can assure you that it is important to the family that the tragedy not be a pointless one. A tragedy happened, and at the very least they want to know that they handled it well, that perhaps they are wiser for it, SOMETHING. It's called closure, and it doesn't ease the loss but it does help with the frustration.

Re:Bad idea

[Miseph]

It's actually a bit gray. If the deceased were not so then you would be entirely correct, as this would be unsolicited system intrusion. However, upon his death his possessions, including his various passwords and access to his accounts, became the responsibility of the executor (one would assume that either the mother or father took on this role, as it would be an exceptionally odd thing for a 21 year old to actually write up a will stating otherwise), who has since requested that the intrusion be done on what is, essentially, their property.

What shocks me is that this was ruled a suicide without an inquest going through all of this already. That is a very radical conclusion to come to, and one with (as stated in the story) some pretty serious legal and financial ramifications; happy successful people don't just off themselves for no reason and without any sort of note or indication that things were not going quite so peachy as believed i am surprised that no investigation has been done if only to rule the possibility that it's an accident.

Re:I have said it before

[moderatorrater]

Just don't forget to factor in the additional peace of mind of knowing that he didn't kill himself, or even knowing for sure either way. That can be worth a lot of money, too.

Re:I have said it before

[msuarezalvarez]

You have probably never been in actual need.

Re:I have said it before

[johndiii]

From what I've read about similar cases in the past, you would need a power of attorney from the individual in question to get access to things like gmail and hotmail accounts. If he had a will, his executor might be able to get in.

A subpoena would probably get you in, but a court is not going to issue one just because a person is dead and you want to make the family feel better. If there is some grounds to suspect some kind of criminal activity, or that his death might be murder, a subpoena might be issued - but it would get the police into those accounts, not his friend. If the friend could think of some grounds to sue his estate, discovery might require access to the accounts, and generate an appropriate court order. But for the case as stated, he's likely out of luck.

I've left passwords and relevant access information so that this is not an issue. I do not have a problem with my family getting into my mail accounts, for instance, and they might need to pay some final bills. Some people, on the other hand, would have a problem with this. The accounts should not just be open to anyone who can prove that they guy is dead.

I'm not a lawyer, of course. :-)

Re:I have said it before

[ProfessionalCookie]

It's all the other people that have email in his inbox, personal messages on his myspace etc. Breaking into someone's account, dead or not, doesn't just involve them- it involves everyone who trusts them.

Unethical.

Re:sanitize his history and records

[mckinnsb]

I would agree with the parent post.

Understand that if your going to crack into his laptop or recover his account information for his online services, you will be acting as an arbiter of knowledge (granted that you have permission) concerning the final moments before this person's death.

A year ago my aunt committed suicide, and my mother asked me to crack into her laptop so that she could feel closer to her sister and understand more of what she was thinking before she died. I thought about it for a long time and then I went ahead and did it, managing also to recover her password. The password *itself* just so happened to be meaningful to the family, as was the desktop background she left up the day she died (it was a picture of her two children when they were young).

On the other hand, when they asked me to recover deleted data, I decided not to return the deleted data (I actually denied that I could even do it), to the family. The reason was that she had written a lot of hastily thought out "hate notes" to some members of her family, and in the end she probably didn't mean what she said, because the text files were deleted.

There weren't any "skin mags", but make sure that you don't hand over anything that will open old wounds - wounds that won't heal very easily, now that the person related to them is deceased. On the other hand, if you find touching things, hand them over.

Also understand what this will do to you personally- it will put you in a position of knowing things that your family will not, if you have to hide things from them. That is its own particular burden, and its up to you to decide if you want to carry it. I did, but not everyone would make the same decision.

Re:I have said it before

[ScuzzMonkey]

Anyone familiar with the American legal system should understand that legal and ethical are not the same thing. The ability to do a thing does not make it the right thing.

Steal his identity

[KevMar]

Lots of options here.

first try to crack the passwords on his machine. If you can get any passwords in plain text write them down. He may have reused them. If you can get into his profile, its possible he set his cookies to auto login to his websites.

Next try to get into his email. Call the provider and ask about your situation and find out what the rules are with out ever telling the operator your name or the account name. If the info they give you will not help you, hang up and call back pretending to be the deceased. They dont know he is dead yet.

Get the birth cert, social security number, phone numbers and addresses (current and past), birthdate, drivers lic, mothers maiden name. Try calling from his home phone, or be near that phone when you make your call. Just pretend to be an average user that cant get into your email. Reset the password.

Once you have the email account under your control you can just request a password reset from most of the other services.

Basicly steal his identity, if they cant prove you are not him its hard for them to not let you in. Just play dumb. Dont say you forgot your password, tell them that your email is broken because your account won't work.

Re:I have said it before

[severoon]

Yes, but in this case, the person-in-question may not have been of sound mind enough to have his wishes respected even in a legal context. In some cases, it is the respect for privacy / individualism / freedom of expression / etc that makes some individuals feel cut off from the world and plays a part in their decision to shoot up a school or take their own life.

I'm not saying that we should do away with privacy or any of the things I mention above. However, sometimes between family members and friends there is a need to invade the personal space of others with caring intent—in fact, nature pretty much compels parents to begin their interactions with offspring in this way and gradually taper off as the child grows up (I feel this is relevant because I'm assuming the kid was still in their house, hadn't yet graduated high school). In many cases, the individual's crying out for a sign that someone actually cares enough to overstep usual boundaries...that's one of the main functions of parents.

In this case, I think that TFA may have put undue attention on funeral costs—I'm sure that's a footnote to the family's real wish to answer their questions about what happened. They may feel a little guilty about invading his personal space posthumously, and I think these feelings are understandable but misplaced. If this was a suicide, it is definitely within reason that this kid's last authentic wish would be for someone to notice and figure out what was going on with him. If it wasn't a suicide, then I know I would certainly want that discovered and my family's pain somewhat tempered.

I would be very interested if anyone who knows can post here: if someone dies, does their next of kin inherit their data? Shouldn't the online services like Myspace and Google open his accounts up for them?

Re:I have said it before

[iamacat]

Dead person does indeed have specific rights. For example copyrights are (unfortunately) preserved after death and assigned to the next of kin or more commonly the employer. The body is protected by law from desecration or medical use which has not been explicitly agreed upon by the deceased.

But more importantly, this young man most probably used his computer and online accounts to communicate with living people. If he was having sex with some girl, she may not want that to be widely known. If he did a PHP project for some company, that project does not become family's property. Gmail is also not dead and it's not permissible to hack their account regardless if you theoretically have legal rights to the content within.

That said, if your friend's brother was below 18, parents may have a legal right to use his accounts and even to have Google and MSN reset passwords to let them examine e-mail. Also, if the computer legally belongs to them, it could be legally permissible to hack local content. Even if not, it would be pretty much impossible to prosecute such activity that takes place entirely on and upon someone's own property. You may well find Gmail and MSN passwords in a swapfile or browser cache. Although it might be still illegal to login, again it would be undetectable.

Re:Cracking root password not necessary

[Anonymous Coward]

The parents both have good suggestions. Unfortunately, they're a bit vague on details.

Here's a link that will show you how to modify the root password on the laptop: http://aplawrence.com/Linux/lostlinuxpassword.html

I recommend the "linux init=/bin/bash" method if you're able.

Once you've gotten root access, log in and change the password on the deceased accounts (if he had any. He might have normally logged in as root. Bad, but some people do it.)

This site has general instructions on changing passwords at the command line (along with other info):

http://lowfatlinux.com/linux-change-password-passwd.html

Once you have his password changed, logout and log back in under his account. Startup X windows if it doesn't do it automatically (startx at the command line), and start up firefox. Using firefox, go to the social networking sites, and see if the browser auto-fills in the login or just lets you in (like gmail).

Also, at this point, you should be able to look through the files, etc. I second the posts that say to remove offending material (unless directly related to his death).

On distributions, like Ubuntu, that use sudo to access root commands you might have some issues with the above commands. I'd check with the forms for the installed distribution to make sure (you can tell them you forgot your admin password, and need to change it without reinstalling).

Good luck. It's unfortunate business, but in my opinion, ethics are not the issue here, just technical knowledge.

Thoughts from a coroner

[Pobjoy]

After reading the post and some of the replies I wanted to try and provide some insight on a few things. First of all I should mention that I'm a coroner in British Columbia, Canada, so not everything that applies here will apply in other jurisdictions. However I hope I can still be of some help. In regard to suicide vs. accident, there is typically a presumption against suicide and the coroner or medical examiner should have some substantial evidence if they are going to rule the death a suicide. Having said that, suicide is a lot more common than most people believe. For example, British Columbia has a population of a little over 4 million and we see approximately 500 suicides per year. Contrary to what some people are suggesting there is usualy no suicide note. Also, the person is not always known to be suicidal or even depressed. Sometimes a suicide comes as a complete surprise to family and friends. I would not say that this is the norm but it definitely happens. Evidence of a suicide can take several forms. Ideally there should be a history of some kind to support that the death was a suicide but I have had cases in which the circumstances of the death were such that it was unreasonable to conclude that the death was anything other than a suicide, even though the person had no history of depression, suicidal ideation or behaviour that suggested they might harm themselves. As far as the information on the computer, I have taken information from people's computers and in one case seized a computer to get further info from it. I do not see an ethical issue with this if it will help to determine the manner of death. My only suggestion is that the coroner or medical examiner should perhaps be contacted to see if they are willing to do this. They may not be willing to get involved if they feel that they already have sufficient evidence to classify the death. Also, I do not know if the coroner/ME in your area has the legal authority to do this. Still, if the family strongly believes that the death is an accident and not a suicide they should talk to the coroner/ME about their concerns. When family members have raised such concerns with me I have found that sometimes they have very useful information or insight that can have a significant impact on my investigation. Other times it is clear that they are just not willing or able to accept the truth. As far as legalities, I can tell you that here in BC (and I suspect in most cases) it is the same as most people have stated - the things that belonged to the decedent now belong to the estate. The executor or legal next of kin will likely have the legal authority to give you permission to do what you are talking about. Having said that, I will give the standard IANAL disclaimer along with a reminder that laws can of course vary from one jurisdiction to another. NOTE: sorry about the wall of text. This is my first Slashdot post and I haven't yet figured out how to make it appear in paragraphs the way I wrote it.

Re:I have said it before

[KillerBob]

And yet... for some reason... I have life insurance.

Funny thing, that. It's a matter of personal preference. I do have a reason to have it. Whether you agree with it or not doesn't matter, does it? It's my money, after all.

Besides which, how do you know that I'm the only signer for my student loan? It's possible to get a co-sign on something like that, if you go through a bank. Which, incidentally, you may have to do if the gov't won't approve you for it for one reason or another, like, say, you have too much wealth accumulated (material assets, specifically artwork, in my case), or you come from a family which is too wealthy (also the case).

If you have a co-sign on your debt, then they can most certainly be held accountable for it, even if you happen to die.