This story originally ran on The Parallax and was updated on July 3, 2019.
A few months ago, my parents asked a great security question: How could they securely send their passport numbers to a travel agent? They knew email wasn’t safe on its own.
Standard email indeed isn’t safe for sending high-value personal information such as credit card or passport numbers, according to security experts such as Robert Hansen, CEO of intelligence and analysis firm OutsideIntel, now part of Bit Discovery.
“Email sometimes has good cryptography but often does not,” Hansen says. When sending between Gmail accounts or within a company, he adds, secure transport “probably isn’t an issue.” But people should ask themselves, “Can somebody steal the data when it’s at rest?”
There’s no 100 percent hack-proof way to send your personal information across the Internet. But thanks to the development of end-to-end encryption, which secures data from even the company providing the encryption, there are tools and techniques you can use to make the process safer for you and the identification numbers we use to rule our lives.
Here are three expert tips for securely sending someone your personal information when planning your summer vacation, buying your next house, or just sending documents to your doctor’s office (when they don’t have their own secure messaging system.)
Tip 1: Use an app with end-to-end encryption
The use of encryption has been increasing “since the mid-1990s,” notes security expert Bruce Schneier, thanks to a seminal court case allowing companies to work on computer cryptography without having to first seek the government’s permission.
Some phone apps protect your text messages using end-to-end encryption. We have highlighted several of the best in a guide to apps offering end-to-end encryption. Here are a few we find exceptionally useful for securely sending personal information.
WhatsApp, used by more than 1.5 billion people, is on every major and several minor platform, including an easy-to-use desktop browser app, and it provides end-to-end encryption by default. If you use WhatsApp (acquired by Facebook in 2014,) you use end-to-end encryption. It’s that simple, and its popularity means that you might not have to convince your intended recipient to install it.
WhatsApp’s encryption tech is actually provided by Open Whisper Systems, which makes its own end-to-end encryption text and voice app, Signal. So which app should you use? Signal arguably has two advantages over WhatsApp, at least from a security perspective. Signal doesn’t store any metadata on its chats, while WhatsApp does. It’s not the content of messages, but it can help identify the type of content being sent. Signal can be set to auto-delete messages, which is effective as long as the recipient hasn’t taken a screenshot or otherwise copied the content of the message.
Signal is also open-source, which means that the code on which it’s built is subject to independent reviews. WhatsApp development is closed, and doesn’t have people not associated with the company poking around in its code. While Signal is only for iPhone and Android, both Signal and WhatsApp can comfortably exist on the same device—they don’t conflict with each other. (Sometimes, however, Signal struggles to let its users go.)
As of July 2019, WhatsApp and Signal are the only two end-to-end encrypted messaging apps for which the advocacy nonprofit Electronic Frontier Foundation offers installation instructions in its Surveillance Self-Defense Tool Guide. The organization elsewhere in its guide recommends the end-to-end encrypted messaging app Wire. Wire works on Android, iOS, and desktops. One of Wire’s benefits is that it doesn’t require you to share your phone number to use the service, instead relying on usernames. That can help minimize the ability of others to track you. But it also stores conversation threads in plaintext when you use it across multiple devices.
End-to-end encrypted Wickr also allows users to delete messages they’ve sent after they’ve been viewed. Once you’ve deleted a message you’ve sent, you don’t have to worry about the recipient’s device storing it. However, because Wickr runs only on iOS and Android, and it has no password recovery method, you might have a hard time convincing your recipient to use it. (Editor’s note: Since this story was originally published, Wickr is still available to all users but is focused on businesses, not consumers.)
Tip 2: If you must use email...
If you must use email—perhaps you’re sending the Panama Papers—strongly consider learning about Pretty Good Privacy. The challenge with PGP is that not only do you have to use it correctly, with different instructions for Windows, Mac, and Linux, but so does your recipient. You can consider sending a password-protected ZIP file, as long as the password isn’t in the same email you send.
Electronic Frontier Foundation technologist Jeremy Gillula advises against creating a simple code for sending important numbers, such as changing all 1s to 2s. “If you’re using simple cipher, might as well call up the recipient and tell them over the phone,” he says.
Some email networks are encrypted within their own systems. If you know that your recipient is using Gmail, and you’re using Gmail, the content of the messages will be protected from snooping while being sent, Gillula says. “It can thwart a passive eavesdropper, but you’re still susceptible to active attacks.”
Tip 3: Ask questions
If you’re not sure about your recipient’s computer security, ask him or her about it. Hansen tells a story about trying to get a mortgage, and the mortgage company wanted “unbelievable amounts of information. I took one look at their website and found a number of different flaws in it.”
He ended up finding a larger, more computer-savvy mortgage company. Good starter questions include:
- Are the data you transmit and the databases that store it encrypted on disk?
- Is access to your information systems handled on a per-user basis, or does everybody use the same username and password?
If the data isn’t encrypted on disk and at rest, and if there’s only one username and password for accessing customer data, keep looking for a different service provider, Hansen says. From there, the questions you ask depend on whether you’re working with a travel agent, a health care provider, or a mortgage firm.