Join 3,564 readers in helping fund MetaFilter (Hide)


Is there an easy and secure way to scan and store important identifaction online?
April 22, 2004 7:03 PM   Subscribe

An acquaintance who travels overseas frequently would like to scan and store her important identification (passport and driver's license) along with her credit cards, and store the images securely online. We would like to make the documents easily accessible to her through a Web page, but otherwise secure. I have offered her some space on my shared server, and while I have some ideas about how to secure things, suggestions would be useful.
posted by tranquileye to Computers & Internet (22 answers total)
 
this may be ot, but i just got a really tiny usb keychain thing (smaller than a pack of juicyfruit and only 16mb) that i'm going to use for when i travel, with passport/credit card #s, etc.

I wouldn't trust any online space for that stuff.
posted by amberglow at 7:36 PM on April 22, 2004


Since the content is all images, I would suggest installing Gallery somewhere where one of you has web space, and setting her up a login and priveleged image gallery. If you can get the package installed (it's not terribly hard but requires PHP on your server) setting up logins and priveleges to view certain pages is dirt-easy.
posted by scarabic at 7:54 PM on April 22, 2004


I think amberglow is right - this is a bad idea. Capital B.
posted by crunchburger at 8:01 PM on April 22, 2004


No way would I do this. Might as well have photocopies in your luggage (which I wouldn't do either) where a finite # of humans could conceivably steal it, rather than something like a billion from anywhere in the world and then make copies and email them around faster than a photoshopped picture of a soldier with some Iraqi kids. Tell your friend to leave copies of her identification with a trusted friend who can fax them to her in an emergency. That would be a reasonable compromise.
posted by dness2 at 8:09 PM on April 22, 2004


I did this myself when I lived abroad. If these documents are accessed only in a real emergency, no one will ever be able to know that they're there. So short of her personal domain being randomly hacked (unlikely, if this is all it's used for) some basic protection should be enough.
posted by gd779 at 9:05 PM on April 22, 2004


You guys are so paranoid! Just PGP those suckers, don't tell anyone the passphrase, and leave copies all over the place: Web site, USB key, wherever.
posted by nicwolff at 9:13 PM on April 22, 2004


yea, encrypt them, don't rely on some PHP login, that's not as secure as it needs to be.
posted by rhyax at 9:58 PM on April 22, 2004


I've done the same thing many times with no problems. Just used common sense. Don't believe the chicken littles.
posted by justgary at 11:07 PM on April 22, 2004


I once mailed scans of documents to my hotmail address, as I could probably access that from anywhere without leaving a conspicuous ctrl-H(istory) and without special software. Deleted them when I was back.
posted by thijsk at 3:03 AM on April 23, 2004


"I think amberglow is right - this is a bad idea. Capital B."

Why is this a bad idea? Unless someone knows where the information is, or there is a spider-able link to it, or a hacker can guess it's location, it's 100% unfindable. Even unencrypted.

Security steps (any of which will kep the data secure)

- Put the documents in a directory with an impossible to guess name and make sure directory browsing is off
- Use an htaccess file to password protect the directory
- Use PGP to encrypt the data
- Store the files in a database rather than the file system

Just because a file is on the Internet doesn't mean anyone can find it or download it.
posted by y6y6y6 at 4:41 AM on April 23, 2004


Encrypt the file using Javascrypt. Host the encrypted file on a regular ol' webserver. Host both the Javascrypt app and the encrypted file on the webserver and as long as she knows the pass phrase she can access it from any java-enabled browser.

Javascrypt uses AES and 256 bit keys so the encryption shouldn't be the weak link. Also, Javascrypt runs locally on the client not the server so the "worst case scenario" is somebody installing a keylogger on the client machine or somebody hacking the server and replacing the original javascrypt app with their own derivative which could log the pass phrase. If somebody really wants her data THAT bad, they'll get it no matter what.

On preview, what y6*3 said.
posted by yangwar at 6:40 AM on April 23, 2004


They would never be able to get it if it wasn't online in the first place, no? And this thread isn't helping her privacy either, actually--now people will know to look at or hack tranquileye's server.
posted by amberglow at 8:01 AM on April 23, 2004


"They would never be able to get it if it wasn't online in the first place, no?"

Not to get pissy....... But..........

This fear is really not grounded in reality. And it would be just as logical to say that she shouldn't have a passport or driver's license at all, since someone might steal it. In fact it's much more secure in a protected webspace than it is where ever it is now.

1) There is every reason to believe that there are very few people (if any) on the planet who could hack into tranquileye's server. While it's true that any server can be hacked into, that's only true because I can do things like trick you into telling me your root password, or bugging your phone line. At that point I don't need to hack anything to get the data.

2) Even servers which are vulnerable to remote root exploits are very hard to exploit. You need to find the real IP, then find an unpatched vulnerability, and then you actually need to get the exploit to work. This is not easy. And since even trying can land you in jail, few people are willing to try. And if the person administrating tranquileye's server is making reasonable attempts at security, it's entirely possible that there are no remote exploits anyway.

3) Hacking (or cracking) a server isn't what you seem to think it is. Most hackers will be more than happy to bring a server down, impersonate valid web users, or delete data. None of these would expose the private data files.

4) If it's PGP encrypted properly it's vastly more secure than it is now. She'd be able to email the file to every hacker in town and it wouldn't make it any less private.

"now people will know to look at or hack tranquileye's server."

For what? A driver's licence? Hacking a webserver to get one DL number is dumb. I doubt you could find someone to do it on a bet.

The Net can be a dangerous place. But knowing the truth is a better way to deal with that danger. Giving in to fear, uncertainty and doubt only makes you more vulnerable. Most hackers rely on FUD as a powerful tool.

Time to get real.
posted by y6y6y6 at 10:03 AM on April 23, 2004


ok.
posted by amberglow at 10:57 AM on April 23, 2004


Every time I travel, I do what thijsk did -- I e-mail myself (on Hotmail) a scan of my passport. Then, I can get it from anyplace with a web connection.
posted by Vidiot at 11:46 AM on April 23, 2004


Sorry for going slightly off-topic, but what exactly can you do with a scan of your passport (once the real is stolen, of course)? (I'm not doubting the method, just asking to find out.)
posted by kchristidis at 12:39 PM on April 23, 2004


You can get a new one at your embassy/consulate, faster if you have the photocopy/scan than if you don't.
posted by signal at 1:13 PM on April 23, 2004


what exactly can you do with a scan of your passport (once the real is stolen, of course)?

Also, if you're in a potentially dangerous part of the world, the US embassy is much more likely to let you in during an emergency if you have a photocopy of your passport than if you have nothing at all. So if you're worried about that, it's good to have available as a backup.
posted by gd779 at 1:24 PM on April 23, 2004


In fact it's much more secure in a protected webspace than it is where ever it is now.

Good point. It reminds me of people who still resist buying anything on the net because of credit card security, but gladly hand it over to store clerks and waiters.
posted by justgary at 2:22 PM on April 23, 2004


much more likely to let you in during an emergency

you must put a lot of effort into looking like a local. it's normally obvious who the gringos are.

and what's with the worry about somene stealing a copy? i bet hotels in many countries photcopy passports as a matter of course.
posted by andrew cooke at 2:50 PM on April 23, 2004


it's normally obvious who the gringos are.

Sure. But it can be hard to tell Americans from the English, the Germans, and the Australians. Also, if your skin is the same color as the locals, and if you've been living in the country for a while, and particularly if the emergency has left the embassy guards confused and disorganized, then I wouldn't want to walk up to an embassy and ask for entrance without some kind of proof of citizenship. But then again, I've never had to put this theory into practice, so maybe it wouldn't be a big deal after all.
posted by gd779 at 3:24 PM on April 23, 2004


You should look at encrypted, password protected PDFs, too.
posted by johnnydark at 6:18 PM on April 23, 2004


« Older I'm in a twisty maze of compac...   |  I'm after tips for processing ... Newer »
This thread is closed to new comments.