Planning for my kidnapping
Imagine tomorrow you go shopping and, for whatever reason, you never come back. Maybe someone killed you, maybe someone kidnapped you, maybe you had an accident... Now imagine you are travelling alone in Thailand and you die. How are the people who know you going to find out what happened? If you are kidnapped, how will the police find you? If you get lost, how will people find you? If you die, how is your family going to find your papers?
I wanted to find a way to answer all those questions. Basically, we can sum up the issues in 3 points:
- In case of being kidnapped or getting lost, send as much information as possible (your last location and following locations, your last activity, all your digital information) to someone who is going to help free you
- In case of dying, send all your documents (passwords, friends list, legal documents, ...) to your family
- Do not send those documents by mistake if you are not in one of the situations above
First step : collect your position, your activity, your documents, ...
The first step is to be sure that you have the data that you want to send. For my part, the data are:
- My current position and recent history
- My last known activity and a recent history
- The list of my credentials
- The list of my legal documents (id, passport, health insurance, work papers, ...)
I've written an article explaining how I'm doing the first two (position in real time, and last activity), so this is solved.
For my credentials, I use KeePassXC with a keyfile + a master password; the keyfile and the password db are synced using Syncthing with a server that I rent.
My legal documents are all kept in one folder on my laptop, which is also synced to the same server.
So basically we have all the needed documents synced in real time on the same server.
Second step : Choose how to trigger the sharing of documents
The biggest problem is that you want the alert to react quickly, but not to fire because you have been sleeping for 8 hours. So I chose to rely on the time since I last changed activity. Currently, after 24h without a change of activity, a first notification is sent to my own email, so that if this is a mistake I can stop the system before it is too late. And if 6 hours later I still haven't changed activity, then a mail is sent to my parents.
So basically, if something happens to me, my parents will be notified at most 30h after the event. This is not so great, but it is a good beginning. In the future I should try to have an adaptive delay depending on the last activity: for example, if my last activity is eating, then I won't be eating for 24 hours, so I can trigger the alert after, for example, 4 hours.
Last step : What to put inside the notification
So my parents will receive an email after 30 hours of inactivity. In this email there is a link to a page which will allow them to retrieve all the documents.
The link is a randomly generated link available for only 6 hours. This is important to be safe, as you don't want anyone to be able to access all your passwords...
On the page, there are explanations of what that page is about, like "maybe I was kidnapped, maybe I'm lost, check my last time active on WhatsApp, contact xxxx to see if he knows anything". You can also view the current position of my phone and a small location history; that way you can see if I'm still moving, or if the last point is 30 hours old. You can also see my last activity and when it started.
And finally you can get the list of all my passwords. For that purpose I created a form with 6 facts about my life, such that only my parents can know all of them, like what the color of my first car was... There you can submit your answers; there is a rate limit on the number of requests you can make, to prevent brute force. If the 6 answers are correct, the backend will decode the KeePassXC archive and return a JSON of the archive, containing all of my credentials, including the SSH password to connect to the server to get all the paper documents.
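One way to implement the 6-hour random link and the rate-limited answer check described above, as an added example that is not the code running on my server. The in-memory record, the function names, the limit of 5 attempts and the use of PBKDF2 to hash the answers are all assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from datetime import timedelta

LINK_TTL = timedelta(hours=6)  # link lifetime stated in the post
MAX_ATTEMPTS = 5               # assumed limit; the post gives no number


def normalize(answers):
    # Ignore case and extra whitespace so "Red " and "red" match.
    return "\x1f".join(" ".join(a.lower().split()) for a in answers).encode()


def hash_answers(answers, salt):
    # Slow, salted hash (assumed choice) so a leaked record is costly to guess.
    return hashlib.pbkdf2_hmac("sha256", normalize(answers), salt, 200_000)


def issue_link(answers, now):
    """Return (token for the email, record to store server-side)."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)
    # A real deployment would hash the answers once at setup, not per link.
    record = {
        "token_hash": hashlib.sha256(token.encode()).digest(),  # never the token
        "expires_at": now + LINK_TTL,
        "salt": salt,
        "answer_hash": hash_answers(answers, salt),
        "attempts": 0,
    }
    return token, record


def submit(record, token, answers, now):
    """Check link, expiry and attempt budget before comparing the answers."""
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return "invalid-or-expired"
    if now >= record["expires_at"]:
        return "invalid-or-expired"
    if record["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    record["attempts"] += 1  # count the attempt before checking it
    if hmac.compare_digest(hash_answers(answers, record["salt"]), record["answer_hash"]):
        return "unlock"  # caller may now decrypt and return the archive
    return "wrong-answers"
```

Counting attempts per link rather than per IP address means the budget cannot be reset by switching addresses, and a wrong or expired link never reaches the answer check at all.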
Conclusion
I know that all of that is far from being perfect. I check every few months that the alerting is working, by decreasing the delay to trigger the alert, but the server can go down, and tons of things can happen to stop the system from working. That's why I tried to keep everything as simple as possible: PostgreSQL + Django + cron. Someone should create a service to manage that at a bigger scale, or maybe that's something that 1Password or others could include in their offer.