Safe emailing of confidential files?
November 26, 2008 9:55 AM   Subscribe

I occasionally need to email PDFs and Word docs that contain confidential information. My clients claim their email is "secure" and don't see the need for any encryption or any approach other than me emailing them the files. What can I do?

They won't accept .zip files, much less a .zip file with a password.

One alternative is to fax the info, but I use web-based faxing, so the PDF goes through a third party before it gets to the recipient. Also, the recipients prefer electronic delivery for some files so the file can be edited on their end.

With the most recent client, I asked if I could upload the files to a secure FTP server and the answer was no.

These are major companies I'm dealing with that supposedly are tech savvy, including government contractors. The files I'm sending include my name, Social Security number, address, bank account info for direct deposit, and similar W-9 type stuff.

I'm on a Mac; the recipients are on PCs. I'm talking about protecting attachments, not the text message in the email itself. Any ideas on (1) how to convince an admin assistant who has no tech knowledge that sending an unprotected PDF or Word doc with this info is a bad idea and (2) how to get her the files in a way she can deal with?
posted by PatoPata to Computers & Internet (17 answers total)
If your clients aren't aware of and willing to take proper precautions with e-mail, what makes you think that they know how to handle confidential information once they have it?
posted by oskay at 10:14 AM on November 26, 2008

Nondisclosure agreement is probably your best bet.
posted by electroboy at 10:18 AM on November 26, 2008

If you're concerned about security, I think the email aspect is just one part of the problem. Assuming it arrives securely, there's no guarantee that they won't print it out and dump it in the recycling bin when they're done.

You could use a secure email service, but then you have to trust some random third party. You could also DIY and setup a secure web area (SSL Certificates and all that) and then you just send a link to your clients.
posted by kamelhoecker at 10:24 AM on November 26, 2008

Imagine someone was fine receiving encrypted files. How would you go about telling them what the password is?
posted by Mike1024 at 10:26 AM on November 26, 2008

Ask them to prove that the entire line of communication between your computer networks and their computer networks is secure at every step of the way. This will include a trip to your ISP, a trip from your ISP to your clients e-mail server, a trip from your clients e-mail server to their ISP, and a trip from their ISP to their personal networks and perhaps more steps. If they support netmail, is that encrypted between the e-mail server and the clients' computers?

Data isn't transmited directly from your computer to their e-mail servers, it must go through many legs on its journey and can theoretically be intercepted at any point along the way unless it is encypted from the origin to its destination.

And lastly is human error. What steps do they perform to ensure their employees do not allow the data from the e-mails to enter the world again?

I'm not a security expert or even an internet communication expert, but those would be my concerns that i'd like answered were I in your position.
posted by Green With You at 10:34 AM on November 26, 2008

As for Mike1024's question, that is a relatively solved problem thanks to Public-key cryptography. Essentially, you don't need to tell someone their password, they just tell you how to encrypt the file and only they can decrypt it.
posted by Green With You at 10:37 AM on November 26, 2008

I would check to see if their company has an Information Assurance program that they are in violation of, and that perhaps you could gently remind them about. Make it seem like you're just trying to look out for them, and protect your relationship with their company by dotting all your i's and crossing all your t's.

Most large corporations, especially those that do business with the government, will have some sort of policy on handling confidential information. That doesn't mean it's actually followed by anyone, because the government is notoriously lax at actually enforcing compliance of this stuff, but you might have more leverage if you can point to a policy on their end that you're "just trying to comply with."

Alternately, you should see if there isn't an actual regulation or law that would mandate better IA practices -- this might be the case if you're working with government documents, health records (esp. ones that fall under HIPPA), or possibly even SSNs.

Barring that, I'm not really sure you're going to be able to do anything. Getting people into a 'security mindset' is very hard, and typically impossible unless you have authority over them and can ram it down their throats. People are lazy, and until you have a security issue, taking proactive measures just seems like a waste of time and effort.

What you probably want, optimally, is S/MIME encryption of your messages. This is fairly easy to implement (it's well-supported by Microsoft Exchange and recent versions of Lotus Notes, which are the two biggest corporate email systems, as well as Apple Mail and most other clients, including Blackberries), and it provides end-to-end encryption and authentication. When it's done right it's practically seamless to the user: they just check an "Encrypt" box and the rest is taken care of. However, it's a pain in the ass to implement, and to be useful really needs to be deployed across the whole enterprise with centralized certificate management and PKI. I don't see it happening in your situation.

Probably the best thing you can hope for is using symmetric encryption, and then sending the recipient the passprase for the file via some more-secure method than email (e.g. phone call). I think recent versions of Adobe Acrobat (the real version, not the "Reader") allow you to encrypt PDFs in a way that offers real security (not just DRM-like protection), and the recipient doesn't need anything besides the free Reader to open them. They just get prompted for the password; no password, no opening. That's not a totally great solution because it means they need the password every time they open the file, not just the first time, so they may find it really annoying.

An encrypted 'wrapper' (like encrypted ZIP) would be good, but you mentioned they already ruled that out.

Ultimately, this may be a battle that you're not in a position to win. Unless they really need your files, and you're in a position to say "unless you start using encryption, we're not going to send you the files, so suck it up," they may just refuse to play ball. In that case, what you should concentrate on is basically covering your own ass: make sure their refusal to abide by good information-assurance practices is documented, so that if something happens down the road you can redirect the blame (and depending on the information, the lawsuits or criminal charges) where it belongs.
posted by Kadin2048 at 10:46 AM on November 26, 2008

Another answer to Mike's question is sometime done by my clients -- they send the encrypted document, and send the password by a different route, say by fax.
posted by JimN2TAW at 10:47 AM on November 26, 2008

PDFs can be encrypted and/or password-protected in and of themselves, so the file stays the same, no need for .zip.
posted by idb at 10:52 AM on November 26, 2008

i know, i know, this doesn't really answer your question, BUT, i presume you are sending them invoices for your work, with your various info so that they can pay you. i understand that you're worried, presumeably about identity theft by people deviously reading your email. but you know what? you should just move past this worry.

1) you want to make things as easy as possible for your client to pay you. asking them to go to a password protected ftp site or look for a fax with a password to a pdf is just going to annoy them and make them not want to work with you in the future if you're this much of a pain in the ass all the time (in their opinion, not mine).

2) if they're anything like any of the places i have ever worked or worked with, your invoice will first be opened by whoever your contact is, and then either forwarded to that person's assistant or printed out and put in the assistant's inbox, where it will sit for days because dealing with invoices is annoying and low on most assistant's to do list. if you're lucky, your invoice will not have sat for 2 hours in the pile of shit people print and don't pick up immediately. once the assistant gets around to processing your invoice, it will get interoffice mailed to the accounting department, where it will be opened by that department's secretary, who will then route it to whatever person deals with your account. it will then sit in that person's inbox for several days before it gets processed and stamped and put in a folder or whatever they do with paid invoices. all this is assuming it's a company that doesn't need 2-3 people to sign off on every invoice. if that's the case, add a few more days of waiting and a few more assistants to the process. so, like 8 people have already seen all of your sensitive information, plus whoever walked by their desk or saw it at the printer.

so, really, encrypting your email is only going to protect your information for a small amount of time.
posted by misanthropicsarah at 11:08 AM on November 26, 2008

Thanks to everyone for the comments so far.

Mike1024, with the password-protection approach, I would call the recipient and give them the password.

To the "why bother?" people: I realize that data privacy is a joke in most companies. I help train financial institutions in data privacy so I know the horror stories. However, I don't think that means that I should abandon my attempts to keep my data private when I can.

Usually this situation occurs before I have much leverage over the client. For example, a government contractor wants my SSN and other info so they can do a background check before they sign a contract with me. They're often in a hurry. My main leverage at that point is "Treat my data carefully or I won't be your provider," which in this economy is not an option for me.

I'm liking the "put it in a secure web area and give them a link" approach because I'm in control until they download it.

Misanthropicsarah, thanks for your comment. However, my clients log onto Freshbooks to see their invoices. I don't send them through email, and they don't include private info. I'm talking about the forms that big companies require new providers to fill out for background-checking, IRS-pleasing, and related bureaucracy-feeding.
posted by PatoPata at 11:16 AM on November 26, 2008

Mail them a CD-ROM with pdf burned on it. Electronic documents, registered mail.

There's no such thing as secure email, unless you're using additional tools that the average person wouldn't be using.
posted by blue_beetle at 11:25 AM on November 26, 2008

I can confirm that the current version of PDF is secure. If I recall, it uses RC4, and it's implemented correctly. Not-so-old implementations of it use a 40-bit cipher, which is not strong enough, my laptop can break that in 3 days worst-case. Current ones use 128, which is not getting broken. If you go that route, double-check it.

As well, the encryption is only secure on the full encrypted scenario - where you can't open the file without the password. Any of the print/edit restrictions are broken, and will always be broken within a few days after being re-implemented.
posted by Lemurrhea at 11:40 AM on November 26, 2008

The files I'm sending include my name, Social Security number, address, bank account info for direct deposit, and similar W-9 type stuff.

I would insist on a workaround rather than sending information across an insecure connection that could easily be used to steal my identity. Find someone whose identity has been stolen. If you don't know anyone whose identity has been stolen, talk to your friends, because they do. Get this person's story.

When you talk to the companies in question, say "I know this person whose identity was stolen," and relay the story. Tell them that you understand that their servers are secure (whether they are or not) but you don't know if the points between your server and their server are secure. End by saying you don't want the same thing to happen to you.

The ideas here are good ones. You can password protect PDFs. lets you create password protected files in their higher-level plans (though you can probably find somewhere that does it cheaper). does password protected file exchange for $14 a month. Rolling your own is always a possibility.
posted by cnc at 3:17 PM on November 26, 2008

Seems like the easiest solution is to buy a fax machine.
posted by gjc at 7:54 AM on November 27, 2008

gjc, as I pointed out in my original post, my clients want electronic versions of some docs, not paper. Also, I have no fax machine because I have no land line, so a fax machine wouldn't be a simple solution.
posted by PatoPata at 6:00 PM on November 27, 2008

late visiting this thread again, but speaking as the person (in my company) who would probably have to process the stuff you're sending (and thanks for the clarification--i was probably just projecting a leeeeetle too much there in my previous comment) i would have no problem with a link to a secure web area that would let me download the forms. no harder than clicking and saving an attachment. the main thing is that while you want your info to be secure, you also want it to be easy for the person on the other end to get the forms and do whatever they do with it. the harder you make it for them to deal with you (in any aspect of your relationship with them) the less likely they are to call you back next time they need the type of services that you provide.
posted by misanthropicsarah at 10:37 PM on November 28, 2008

« Older free me from my free time   |   Where can I find Kinder Suprise Eggs in L.A.? Newer »
This thread is closed to new comments.