A few months ago, my parents asked a great security question: How could they securely send their passport numbers to a travel agent? They knew email wasn’t safe on its own.
Standard email indeed isn’t safe for sending high-value personal information such as credit card or passport numbers, according to security experts such as Robert Hansen, CEO of intelligence and analysis firm OutsideIntel.
“Email sometimes has good cryptography but often does not,” Hansen says. When sending between Gmail accounts or within a company, he adds, secure transport “probably isn’t an issue.” But people should ask themselves, “Can somebody steal the data when it’s at rest?”
There’s no 100 percent hack-proof way to send your personal information across the Internet. But thanks to the development of end-to-end encryption, which secures data from even the company providing the encryption, there are tools and techniques you can use to make the process safer for you and the identification numbers we use to run our lives.
Here are three expert tips for securely sending someone your personal information when planning your summer vacation, buying your next house, or just sending documents to your doctor’s office.
Tip 1: Use an app with end-to-end encryption
The use of encryption has been increasing “since the mid-1990s,” notes security expert Bruce Schneier, thanks to a seminal court case allowing companies to work on computer cryptography without having to first seek the government’s permission.
Some phone apps protect your text messages using end-to-end encryption. We have highlighted several of the best in a guide to apps offering end-to-end encryption. Here are a few we find exceptionally useful for securely sending personal information.
WhatsApp, used by more than 1 billion people, is on every major platform (and several minor platforms), and it provides end-to-end encryption by default. If you use WhatsApp, you use end-to-end encryption. It’s that simple, and it means that you might not have to convince your intended recipient to install it. WhatsApp also has an easy-to-use desktop browser app.
WhatsApp’s encryption technology is actually provided by Open Whisper Systems, which makes its own end-to-end encryption text and voice app—Signal.
So which app should you use? Signal arguably has two advantages over WhatsApp, at least from a security perspective. Signal doesn’t store any metadata on its chats, while WhatsApp metadata helps identify the type of content being sent. Signal is also open-source, which means that the code on which it’s built is subject to independent reviews. Because WhatsApp is closed, it doesn’t have people unassociated with the company poking around in its code.
But Signal’s desktop browser app is limited to Chrome and is in a closed testing period; it’s not available to all users. And its mobile app is limited to iOS and Android devices.
Want to use a combination of the two apps? No problem. Signal and WhatsApp apps can comfortably exist on the same device—they don’t conflict with each other.
Telegram’s Secret Chats also provide solid end-to-end encryption, but like Signal, they’re limited to smartphones. Because Telegram’s desktop app doesn’t support secret chats, conversations you conduct using it aren’t protected.
Wickr is encrypted end to end. It also allows users to delete messages they’ve sent after they’ve been viewed. Once you’ve deleted a message you’ve sent, you don’t have to worry about the recipient’s device storing it. However, because Wickr runs only on iOS and Android, and it has no password recovery method, you might have a hard time convincing your recipient to use it.
Tip 2: If you must use email…
If you must use email—perhaps you’re sending the Panama Papers—strongly consider learning about Pretty Good Privacy. The challenge with PGP is that not only do you have to use it correctly, with different instructions for Windows, Mac, and Linux, but so does your recipient. You can consider sending a password-protected ZIP file, as long as the password isn’t in the same email as the content you intend to protect.
Electronic Frontier Foundation technologist Jeremy Gillula advises against creating a simple code for sending important numbers, such as changing all 1s to 2s. “If you’re using a simple cipher, you might as well call up the recipient and tell them [the number] over the phone,” he says.
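To make the point concrete, here is an added example (not part of the original article) that applies the "change all 1s to 2s" scheme to a sample number and counts how many originals are consistent with what was sent. The function names and the Luhn-valid sample test number are assumptions made for the illustration; the Luhn checksum applies to payment card numbers.

```python
from itertools import product

# Sample value for this example: a Luhn-valid test number, not a real account.
SAMPLE = "4012888888881881"


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_encode(number: str) -> str:
    """The 'simple code' from the text: change all 1s to 2s."""
    return number.replace("1", "2")


def candidates(encoded: str):
    """Every number that encodes to `encoded`: each 2 was either a 1 or a 2."""
    positions = [i for i, ch in enumerate(encoded) if ch == "2"]
    for choice in product("12", repeat=len(positions)):
        digits = list(encoded)
        for pos, d in zip(positions, choice):
            digits[pos] = d
        yield "".join(digits)


def plausible_originals(encoded: str) -> list:
    """Candidates that also pass the public checksum."""
    return [c for c in candidates(encoded) if luhn_valid(c)]


if __name__ == "__main__":
    sent = naive_encode(SAMPLE)
    print("sent over email:   ", sent)
    print("possible originals:", len(list(candidates(sent))))
    print("pass the checksum: ", plausible_originals(sent))
```

The scheme hides almost nothing, and it is also lossy: the recipient faces the same ambiguity as an eavesdropper, because a 2 in the message may have been a 1 or a 2.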
Some email networks are encrypted within their own systems. If you know that your recipient is using Gmail, and you’re using Gmail, the content of the messages will be protected from snooping while being sent, Gillula says. “It can thwart a passive eavesdropper, but you’re still susceptible to active attacks.”
Tip 3: Ask questions
If you’re not sure about your recipient’s computer security, ask him or her about it. Hansen tells a story about trying to get a mortgage, and the mortgage company wanted “unbelievable amounts of information. I took one look at their website and found a number of different flaws in it.”
He ended up finding a larger, more computer-savvy mortgage company. Good starter questions include:
- Are the data you transmit and the databases that store it encrypted on disk?
- Is access to your information systems handled on a per-user basis, or does everybody use the same username and password?
If the data isn’t encrypted on disk and at rest, and if there’s only one username and password for accessing customer data, keep looking for a service provider, Hansen says. From there, the questions you ask depend on whether you’re working with a travel agent, a health care provider, or a mortgage firm.