What's the most convenient way to send confidential information securely?
September 14, 2012 12:00 PM   Subscribe

How can I electronically send confidential/private information to other people as conveniently but securely as possible?

How can I securely send sensitive information like a credit card number, tax documents, medical records, software code, etc. to other people as simply and conveniently (for both parties) as possible?


Google Docs?

Encyrpted ZIP file? (How can I get the password to them securely if I can't call, fax, or see them in person)?

I've tried PGP but it's complicated and burdensome.

posted by Dansaman to Computers & Internet (14 answers total) 2 users marked this as a favorite
Not DropBox.

A quick Google search reveals Wuala, a free (for 5GBs,) encrypting alternative to Dropbox.
posted by InsanePenguin at 12:05 PM on September 14, 2012

How are you contacting these people in the first place? How do you know who they are? How is it that you could give them access to a shared folder somewhere but can't give them a password?
posted by hattifattener at 12:08 PM on September 14, 2012

Are you doing this in a professional role? If so, you should know that handling things like medical records and credit card details have very strict regulations (HIPPA for medical records, credit card companies have their own regulations) that are not easily handled by an amateur. In particular, the methods you've mentioned would not suffice and could conceivably get you prosecuted.

I'd have to ask what it is you are trying to do here.
posted by saeculorum at 12:11 PM on September 14, 2012 [4 favorites]

I've tried PGP but it's complicated and burdensome.

Can you expound on that? PGP (or GPG) is the way to go for an email based solution. Engimail is a plug-in for the freely available Thunderbird email client.
posted by Nonsteroidal Anti-Inflammatory Drug at 12:18 PM on September 14, 2012

Well GPG. If this is to "complicated and burdensome" a small, encrypted truecrypt container may work.

I would not give anything on an encrypted ZIP file.
posted by yoyo_nyc at 12:19 PM on September 14, 2012

(yeah, ZIP's builtin encryption is bad. If the trouble with PGP/GPG is the public-key setup and trust management stuff, then you could just use its symmetric-encryption mode, which does simple passphrase-based encryption like ZIP's but with a non-broken algorithm.)
posted by hattifattener at 12:22 PM on September 14, 2012

If you're seriously thinking about transmitting medical records and credit card numbers via DropBox or encrypted zip file, you need immediate help from a compliance consultant - you are risking substantial fines, losing the ability to process credit card payments, and possibly even criminal liability if you continue down the road you're on.

This is not a problem that is amenable to a roll-your-own solution with advice from some internet strangers - the regulations around protecting these types of data are complicated and the penalties for non-compliance are severe.
posted by strangely stunted trees at 12:32 PM on September 14, 2012

Both for personal and business things, such as sending tax documents to an accountant, medical records to a family member or doctor, software code or API keys to a developer, etc. Nothing that directly falls under regulations such as HIPPA as far as my own use of the information.
posted by Dansaman at 12:34 PM on September 14, 2012

Again let me emphasize that I'm not talking about situations that are subject to regulatory compliance. And I'd also like to mention for those who don't know that it's very common for customers of businesses to (insecurely) email credit card numbers to those businesses (not because the businesses requested they do it that way but because people generally are not aware of the security risks or think those risks don't justify the extra effort involved in transmitting via a more secure method). It's also very common for software developers and their clients to exchange sensitive information such as code and API keys insecurely.
posted by Dansaman at 12:38 PM on September 14, 2012

PGP/GPG is really the way to go. If you're on a Mac, GPGTools has select-and-encrypt tools for any text anywhere in the system. You just need to exchange public keys with anyone you need to send information to. As long as you trust that the public keys are coming from who you think they're coming from, there are no holes in your setup, like sending or faxing passwords. You use someone's public key to encrypt a message for them, and they use their private key to decrypt it.
posted by supercres at 12:46 PM on September 14, 2012

Nthing PGP/GPG.

I think your only other option (for email anyway) is S/MIME, but with that you either need to obtain certificates from a recognized certificate authority ($$$), or build your own certificate authority (with blackjack....and hookers....and lots of convincing clients that they should ignore error messages about your certificates being untrustworthy).
posted by RonButNotStupid at 1:16 PM on September 14, 2012

Seconding TrueCrypt or EncFS on a dropbox or similar (article from google). Though one of the engineers at work thought this insecure for some reason and google skills fail me, anybody hear of a similar thing?

Vis a vis the (hard to imagine) situation where you can't call them, mail the password with signed for snail mail.
posted by yoHighness at 3:47 PM on September 14, 2012

It's impossible to give a good answer without knowing what you're defending against.

Are you worried about random people sniffing your network traffic? That your email provider will go rogue? GPG will be fine. Are you worried about spyware? Your laptop getting stolen? GPG won't help much at all.
posted by vasi at 12:14 AM on September 15, 2012

Just addressing the issue of whom might be able to see information once it's been emailed. So it's not about spyware or a stolen computer, rather about what happens after clicking "Send" (on the way to the recipient and when received by the recipient).
posted by Dansaman at 4:50 PM on September 15, 2012

« Older In search of a motor vehicle that can take what I...   |   What should our name be? Newer »
This thread is closed to new comments.