Recommendations for secure file transfer service?
June 9, 2016 6:52 AM

My company needs a service whereby we send out a link by email to a client, they click the link and it asks them to upload a file or files. Does such a thing exist?

My company's clients want to send us sensitive files. Most of them don't have a preferred method for doing this, and don't want to have to register an account somewhere to be able to do it.

Data must remain inside the EU (and preferably inside the UK).

Ideally the workflow would look something like this:
1. I log into the service and create a file request.
2. A request is sent to the client's email address, and contains a link to the upload service.
3. Client clicks link and is immediately able to upload files via HTTPS (no login!)
4. Uploaded files are encrypted and stored.
5. I receive a notification that files have been uploaded.
6. I log back into the service and download my files via HTTPS.

Now, try as I might, I haven't been able to find anything that does this job in a seamless, straightforward way. My clients have zero technical know-how - they've just been told they can't send the files by email.

I realise that there is a security issue with my checklist: I can't be sure that the wrong person doesn't get the unique email link and upload a malicious file. But that's something we can mitigate in other ways.

I could probably write my own solution, but time is pressing. So does anything like this exist? I'm happy to look at third-party solutions (provided they are suitably accredited and trustworthy) or solutions I can install myself (PHP/MySQL).
posted by pipeski to Computers & Internet (9 answers total) 3 users marked this as a favorite
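
A sketch of the no-login link from steps 1 to 3 of the workflow above, added here as an example; it is not code from the thread or from any product named in it. The link carries a random token, the server keeps only its hash, and the link expires and works once, which narrows the window for the wrong-recipient problem the question raises. The class, field names, 72-hour lifetime and `upload.example.com` host are assumptions.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 72 * 3600                 # assumed lifetime of a request link
BASE_URL = "https://upload.example.com/r/"   # placeholder host, not a real service


class UploadRequests:
    """In-memory stand-in for a file-request table (hypothetical schema)."""

    def __init__(self):
        # Keyed by sha256(token): the raw token exists only in the e-mailed
        # link, so a leaked table does not yield working upload links.
        self._rows = {}

    def create(self, client_email, now=None):
        """Steps 1-2: record a request and return the link to e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[digest] = {"email": client_email,
                              "expires": now + LINK_TTL_SECONDS,
                              "used": False}
        return BASE_URL + token

    def redeem(self, token, now=None):
        """Step 3: check the token from the URL before accepting any file.

        Returns the e-mail address the request was issued to, or None.
        """
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.get(digest)
        if row is None or row["used"] or now > row["expires"]:
            return None
        row["used"] = True                   # one upload session per link
        return row["email"]


def demo():
    """Constructed walk-through: valid use, replay, guess, expired link."""
    reqs = UploadRequests()
    token = reqs.create("client@example.com", now=1_000_000).rsplit("/", 1)[1]
    first = reqs.redeem(token, now=1_000_100)
    replay = reqs.redeem(token, now=1_000_200)
    guessed = reqs.redeem("not-a-real-token", now=1_000_100)
    late_token = reqs.create("other@example.com", now=1_000_000).rsplit("/", 1)[1]
    late = reqs.redeem(late_token, now=1_000_000 + LINK_TTL_SECONDS + 1)
    return first, replay, guessed, late


if __name__ == "__main__":
    print(demo())
```
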
Dropbox Requests does the no tech experience upload thing, but it breaks your EU/UK only rule. Also, it uses HTTPS but files aren't encrypted.

I suspect the encrypted thing might be difficult to solve, as encryption means the client will have to enter a decryption passphrase which can't be transmitted with the file otherwise the whole thing is pointless, so it would have to be a set passphrase or transmitted to you via another secure communication method, which sounds like it might be difficult for less tech savvy clients.

You might look into rolling your own service with OwnCloud. They have a File Drop feature that might work for you, although it's not clear to me at a glance how they handle encryption for the File Drop files.
posted by bluecore at 7:19 AM on June 9, 2016

I work at a law firm where we are in a similar situation as you. Our IT department rolled out Accellion across the firm, and I use it almost daily for secure file transfer, and at times send the client a link to upload data. It works pretty seamlessly.
posted by wocka wocka wocka at 7:31 AM on June 9, 2016

WorkShare does all of that (and more) and is one of the go-to resources for that exact service among US law firms, but I don't know if they have servers in the EU. I believe they DO have an option where you can share the data on your own server, rather than using theirs. It's worth looking at their offering as well as Accellion's.
posted by The Bellman at 7:36 AM on June 9, 2016

Is couriering a USB stick/CD-R out of the question?
posted by EndsOfInvention at 9:15 AM on June 9, 2016

We -- a small, lean software company -- use ShareFile (now owned by Citrix) for both "official" distribution of our products and client upload of data when required (e.g., database copies for debugging purposes).

I'm a little embarrassed to admit it, but I discovered the service because it's what my accountant's firm uses to transfer tax materials back and forth. It requires a login to submit files, but those are easily managed.

With it, I can:
  • Create an actual login for a client, for persistent and ongoing usage; or
  • Create links to specific files so that outsiders can download files, and these can be configured to require identifying information or be "free access," depending on my preference.
I can get notifications when files are downloaded, uploaded, or changed, based on the folder location in the account.

I don't think you can do the "email a link to upload" thing, and based on the security aspects of what you describe there I kinda wonder if anyone does that.
posted by uberchet at 9:17 AM on June 9, 2016 [1 favorite]

Response by poster: Couriering is out, yes. Workshare and Accellion just look too feature-rich. I've had the same experience with SharePoint, i.e. you end up paying for something you're only going to use 1% of.

I just tried ShareFile, and it does pretty much exactly what we need. The files are transferred via SSL and encrypted at rest - they apparently store the keys on a separate server (not perfect, but reasonable). They use Amazon S3, so there's not really any control over location, but maybe we can live with that. It looks like ShareFile has an enterprise option where we could use our own storage, but the infrastructure requirements are way beyond our capabilities.

If I could find something with the features of ShareFile, but EU-hosted, I'd go with that...
posted by pipeski at 10:16 AM on June 9, 2016

What about WeTransfer? Several companies I do business with in Europe use it pretty much exclusively. They are based in Amsterdam but I admit I don't know if all their datacenters are in the EU. The free version is easy to use and the Plus version allows you to do more feature-rich stuff like password protection.
posted by bedhead at 11:38 AM on June 9, 2016 [1 favorite]

Actually, it seems that if you are in the EU when you upload, they store your files in the EU. Source.
posted by bedhead at 11:40 AM on June 9, 2016

Hightail (formerly YouSendIt) has a feature called Uplink that allows you to provide upload links via email. They have some sort of technology that lets you keep data locally instead of uploading to the cloud. Hightail is definitely concerned about the demise of the US/EU Safe Harbor stuff, so you can likely get in touch with their UK offices and confirm that they offer the services you absolutely need.
posted by infinitewindow at 1:09 PM on June 9, 2016
