Skip

What's the most convenient way to send confidential information securely?
September 14, 2012 12:00 PM   Subscribe

How can I electronically send confidential/private information to other people as conveniently but securely as possible?

How can I securely send sensitive information like a credit card number, tax documents, medical records, software code, etc. to other people as simply and conveniently (for both parties) as possible?

Dropbox?

Google Docs?

Encyrpted ZIP file? (How can I get the password to them securely if I can't call, fax, or see them in person)?

I've tried PGP but it's complicated and burdensome.

Thanks.
posted by Dansaman to Computers & Internet (16 answers total) 2 users marked this as a favorite
 
Not DropBox.

A quick Google search reveals Wuala, a free (for 5GBs,) encrypting alternative to Dropbox.
posted by InsanePenguin at 12:05 PM on September 14, 2012


How are you contacting these people in the first place? How do you know who they are? How is it that you could give them access to a shared folder somewhere but can't give them a password?
posted by hattifattener at 12:08 PM on September 14, 2012


Are you doing this in a professional role? If so, you should know that handling things like medical records and credit card details have very strict regulations (HIPPA for medical records, credit card companies have their own regulations) that are not easily handled by an amateur. In particular, the methods you've mentioned would not suffice and could conceivably get you prosecuted.

I'd have to ask what it is you are trying to do here.
posted by saeculorum at 12:11 PM on September 14, 2012 [4 favorites]


I've tried PGP but it's complicated and burdensome.

Can you expound on that? PGP (or GPG) is the way to go for an email based solution. Engimail is a plug-in for the freely available Thunderbird email client.
posted by Nonsteroidal Anti-Inflammatory Drug at 12:18 PM on September 14, 2012


Well GPG. If this is to "complicated and burdensome" a small, encrypted truecrypt container may work.

I would not give anything on an encrypted ZIP file.
posted by yoyo_nyc at 12:19 PM on September 14, 2012


(yeah, ZIP's builtin encryption is bad. If the trouble with PGP/GPG is the public-key setup and trust management stuff, then you could just use its symmetric-encryption mode, which does simple passphrase-based encryption like ZIP's but with a non-broken algorithm.)
posted by hattifattener at 12:22 PM on September 14, 2012


If you're seriously thinking about transmitting medical records and credit card numbers via DropBox or encrypted zip file, you need immediate help from a compliance consultant - you are risking substantial fines, losing the ability to process credit card payments, and possibly even criminal liability if you continue down the road you're on.

This is not a problem that is amenable to a roll-your-own solution with advice from some internet strangers - the regulations around protecting these types of data are complicated and the penalties for non-compliance are severe.
posted by strangely stunted trees at 12:32 PM on September 14, 2012


Both for personal and business things, such as sending tax documents to an accountant, medical records to a family member or doctor, software code or API keys to a developer, etc. Nothing that directly falls under regulations such as HIPPA as far as my own use of the information.
posted by Dansaman at 12:34 PM on September 14, 2012


Again let me emphasize that I'm not talking about situations that are subject to regulatory compliance. And I'd also like to mention for those who don't know that it's very common for customers of businesses to (insecurely) email credit card numbers to those businesses (not because the businesses requested they do it that way but because people generally are not aware of the security risks or think those risks don't justify the extra effort involved in transmitting via a more secure method). It's also very common for software developers and their clients to exchange sensitive information such as code and API keys insecurely.
posted by Dansaman at 12:38 PM on September 14, 2012


PGP/GPG is really the way to go. If you're on a Mac, GPGTools has select-and-encrypt tools for any text anywhere in the system. You just need to exchange public keys with anyone you need to send information to. As long as you trust that the public keys are coming from who you think they're coming from, there are no holes in your setup, like sending or faxing passwords. You use someone's public key to encrypt a message for them, and they use their private key to decrypt it.
posted by supercres at 12:46 PM on September 14, 2012


Nthing PGP/GPG.

I think your only other option (for email anyway) is S/MIME, but with that you either need to obtain certificates from a recognized certificate authority ($$$), or build your own certificate authority (with blackjack....and hookers....and lots of convincing clients that they should ignore error messages about your certificates being untrustworthy).
posted by RonButNotStupid at 1:16 PM on September 14, 2012


It sounds like you're on the consumer side of these relationships. As such, it's not really going to be possible for you to dictate the means of transmission. Asking your accountant to install whatever encryption software you use, or download via a certain website, just isn't typically going to work. I've tried, believe me.

It's a shame that the state of secure electronic communication, for instance via public-key encrypted e-mail, isn't better, but it just isn't. There's nothing you can do about that.

As such, your safest best is to physically send stuff via certified mail, keep good backups, and remain nimble so that you can discard data you know got lost (i.e., package not delivered, API keys get revoked).
posted by odinsdream at 2:01 PM on September 14, 2012 [1 favorite]


Seconding TrueCrypt or EncFS on a dropbox or similar (article from google). Though one of the engineers at work thought this insecure for some reason and google skills fail me, anybody hear of a similar thing?

Vis a vis the (hard to imagine) situation where you can't call them, mail the password with signed for snail mail.
posted by yoHighness at 3:47 PM on September 14, 2012


It's impossible to give a good answer without knowing what you're defending against.

Are you worried about random people sniffing your network traffic? That your email provider will go rogue? GPG will be fine. Are you worried about spyware? Your laptop getting stolen? GPG won't help much at all.
posted by vasi at 12:14 AM on September 15, 2012


Just addressing the issue of whom might be able to see information once it's been emailed. So it's not about spyware or a stolen computer, rather about what happens after clicking "Send" (on the way to the recipient and when received by the recipient).
posted by Dansaman at 4:50 PM on September 15, 2012


In that case, use 7-Zip to make an AES encrypted ZIP archive, e-mail that, and call the recipient with the password. This requires the recipient to be able to install software and follow minimal instructions.

If that's still too hard, get your own web server and set up an HTTPS folder with Basic authentication. E-mail a link to the files then call the recipient with the username and password.
posted by odinsdream at 6:02 PM on September 15, 2012


« Older Help my find my dream motor ve...   |  Help my curling team come up w... Newer »
This thread is closed to new comments.


Post