Comments on: What's the most convenient way to send confidential information securely?

Question: What's the most convenient way to send confidential information securely?

Dansaman — Fri, 14 Sep 2012 12:00:03 -0800

How can I electronically send confidential/private information to other people as conveniently but securely as possible?

How can I securely send sensitive information like a credit card number, tax documents, medical records, software code, etc. to other people as simply and conveniently (for both parties) as possible?

Dropbox?

Google Docs?

Encyrpted ZIP file? (How can I get the password to them securely if I can't call, fax, or see them in person)?

I've tried PGP but it's complicated and burdensome.

Thanks.

By: InsanePenguin

InsanePenguin — Fri, 14 Sep 2012 12:05:03 -0800

Not DropBox.

A quick Google search reveals Wuala, a free (for 5GBs,) encrypting alternative to Dropbox.

By: hattifattener

hattifattener — Fri, 14 Sep 2012 12:08:51 -0800

How are you contacting these people in the first place? How do you know who they are? How is it that you could give them access to a shared folder somewhere but can't give them a password?

By: saeculorum

saeculorum — Fri, 14 Sep 2012 12:11:09 -0800

Are you doing this in a professional role? If so, you should know that handling things like medical records and credit card details have very strict regulations (HIPPA for medical records, credit card companies have their own regulations) that are not easily handled by an amateur. In particular, the methods you've mentioned would not suffice and could conceivably get you prosecuted.

I'd have to ask what it is you are trying to do here.

By: Nonsteroidal Anti-Inflammatory Drug

Nonsteroidal Anti-Inflammatory Drug — Fri, 14 Sep 2012 12:18:39 -0800

I've tried PGP but it's complicated and burdensome.

Can you expound on that? PGP (or GPG) is the way to go for an email based solution. Engimail is a plug-in for the freely available Thunderbird email client.

By: yoyo_nyc

yoyo_nyc — Fri, 14 Sep 2012 12:19:26 -0800

Well GPG. If this is to "complicated and burdensome" a small, encrypted truecrypt container may work.

I would not give anything on an encrypted ZIP file.

By: hattifattener

hattifattener — Fri, 14 Sep 2012 12:22:40 -0800

(yeah, ZIP's builtin encryption is bad. If the trouble with PGP/GPG is the public-key setup and trust management stuff, then you could just use its symmetric-encryption mode, which does simple passphrase-based encryption like ZIP's but with a non-broken algorithm.)

By: strangely stunted trees

strangely stunted trees — Fri, 14 Sep 2012 12:32:02 -0800

If you're seriously thinking about transmitting medical records and credit card numbers via DropBox or encrypted zip file, you need immediate help from a compliance consultant - you are risking substantial fines, losing the ability to process credit card payments, and possibly even criminal liability if you continue down the road you're on.

This is not a problem that is amenable to a roll-your-own solution with advice from some internet strangers - the regulations around protecting these types of data are complicated and the penalties for non-compliance are severe.

By: Dansaman

Dansaman — Fri, 14 Sep 2012 12:34:47 -0800

Both for personal and business things, such as sending tax documents to an accountant, medical records to a family member or doctor, software code or API keys to a developer, etc. Nothing that directly falls under regulations such as HIPPA as far as my own use of the information.

By: Dansaman

Dansaman — Fri, 14 Sep 2012 12:38:30 -0800

Again let me emphasize that I'm not talking about situations that are subject to regulatory compliance. And I'd also like to mention for those who don't know that it's very common for customers of businesses to (insecurely) email credit card numbers to those businesses (not because the businesses requested they do it that way but because people generally are not aware of the security risks or think those risks don't justify the extra effort involved in transmitting via a more secure method). It's also very common for software developers and their clients to exchange sensitive information such as code and API keys insecurely.

By: supercres

supercres — Fri, 14 Sep 2012 12:46:38 -0800

PGP/GPG is really the way to go. If you're on a Mac, GPGTools has select-and-encrypt tools for any text anywhere in the system. You just need to exchange public keys with anyone you need to send information to. As long as you trust that the public keys are coming from who you think they're coming from, there are no holes in your setup, like sending or faxing passwords. You use someone's public key to encrypt a message for them, and they use their private key to decrypt it.

By: RonButNotStupid

RonButNotStupid — Fri, 14 Sep 2012 13:16:59 -0800

Nthing PGP/GPG.

I think your only other option (for email anyway) is S/MIME, but with that you either need to obtain certificates from a recognized certificate authority ($$$), or build your own certificate authority (with blackjack....and hookers....and lots of convincing clients that they should ignore error messages about your certificates being untrustworthy).

By: odinsdream

odinsdream — Fri, 14 Sep 2012 14:01:40 -0800

It sounds like you're on the consumer side of these relationships. As such, it's not really going to be possible for you to dictate the means of transmission. Asking your accountant to install whatever encryption software you use, or download via a certain website, just isn't typically going to work. I've tried, believe me.

It's a shame that the state of secure electronic communication, for instance via public-key encrypted e-mail, isn't better, but it just isn't. There's nothing you can do about that.

As such, your safest best is to physically send stuff via certified mail, keep good backups, and remain nimble so that you can discard data you know got lost (i.e., package not delivered, API keys get revoked).

By: yoHighness

yoHighness — Fri, 14 Sep 2012 15:47:04 -0800

Seconding TrueCrypt or EncFS on a dropbox or similar (article from google). Though one of the engineers at work thought this insecure for some reason and google skills fail me, anybody hear of a similar thing?

Vis a vis the (hard to imagine) situation where you can't call them, mail the password with signed for snail mail.

By: vasi

vasi — Sat, 15 Sep 2012 00:14:26 -0800

It's impossible to give a good answer without knowing what you're defending against.

Are you worried about random people sniffing your network traffic? That your email provider will go rogue? GPG will be fine. Are you worried about spyware? Your laptop getting stolen? GPG won't help much at all.

By: Dansaman

Dansaman — Sat, 15 Sep 2012 16:50:31 -0800

Just addressing the issue of whom might be able to see information once it's been emailed. So it's not about spyware or a stolen computer, rather about what happens after clicking "Send" (on the way to the recipient and when received by the recipient).

By: odinsdream

odinsdream — Sat, 15 Sep 2012 18:02:15 -0800

In that case, use 7-Zip to make an AES encrypted ZIP archive, e-mail that, and call the recipient with the password. This requires the recipient to be able to install software and follow minimal instructions.

If that's still too hard, get your own web server and set up an HTTPS folder with Basic authentication. E-mail a link to the files then call the recipient with the username and password.