Posted: July 8, 2019 by
This story originally ran on The Parallax and was updated on July 3, 2019.
A few months ago, my parents asked a great security question: How could they securely send their passport numbers to a travel agent? They knew email wasn’t safe on its own.
Standard email indeed isn’t safe for sending high-value personal information such as credit card or passport numbers, according to security experts such as Robert Hansen, CEO of intelligence and analysis firm OutsideIntel, now part of Bit Discovery.
“Email sometimes has good cryptography but often does not,” Hansen says. When sending between Gmail accounts or within a company, he adds, secure transport “probably isn’t an issue.” But people should ask themselves, “Can somebody steal the data when it’s at rest?”
There’s no 100 percent hack-proof way to send your personal information across the Internet. But thanks to the development of end-to-end encryption, which secures data from even the company providing the encryption, there are tools and techniques you can use to make the process safer for you and the identification numbers we use to rule our lives.
Here are three expert tips for securely sending someone your personal information when planning your summer vacation, buying your next house, or just sending documents to your doctor’s office (when they don’t have their own secure messaging system).
Tip 1: Use an app with end-to-end encryption
The use of encryption has been increasing “since the mid-1990s,” notes security expert Bruce Schneier, thanks to a seminal court case allowing companies to work on computer cryptography without having to first seek the government’s permission.
Some phone apps protect your text messages using end-to-end encryption. We have highlighted several of the best in a guide to apps offering end-to-end encryption. Here are a few we find exceptionally useful for securely sending personal information.
WhatsApp, used by more than 1.5 billion people, is on every major and several minor platforms, including an easy-to-use desktop browser app, and it provides end-to-end encryption by default. If you use WhatsApp (acquired by Facebook in 2014), you use end-to-end encryption. It’s that simple, and its popularity means that you might not have to convince your intended recipient to install it.
WhatsApp’s encryption tech is actually provided by Open Whisper Systems, which makes its own end-to-end encryption text and voice app, Signal.
So which app should you use? Signal arguably has two advantages over WhatsApp, at least from a security perspective. Signal doesn’t store any metadata on its chats, while WhatsApp does. It’s not the content of messages, but it can help identify the type of content being sent. Signal can be set to auto-delete messages, which is effective as long as the recipient hasn’t taken a screenshot or otherwise copied the content of the message.
Signal is also open-source, which means that the code on which it’s built is subject to independent reviews. WhatsApp development is closed, and doesn’t have people not associated with the company poking around in its code. While Signal is only for iPhone and Android, both Signal and WhatsApp can comfortably exist on the same device—they don’t conflict with each other. (Sometimes, however, Signal struggles to let its users go.)
As of July 2019, WhatsApp and Signal are the only two end-to-end encrypted messaging apps for which the advocacy nonprofit Electronic Frontier Foundation offers installation instructions in its Surveillance Self-Defense Tool Guide. The organization elsewhere in its guide recommends the end-to-end encrypted messaging app Wire. Wire works on Android, iOS, and desktops. One of Wire’s benefits is that it doesn’t require you to share your phone number to use the service, instead relying on usernames. That can help minimize the ability of others to track you. But it also stores conversation threads in plaintext when you use it across multiple devices.
End-to-end encrypted Wickr also allows users to delete messages they’ve sent after they’ve been viewed. Once you’ve deleted a message you’ve sent, you don’t have to worry about the recipient’s device storing it. However, because Wickr runs only on iOS and Android, and it has no password recovery method, you might have a hard time convincing your recipient to use it. (Editor’s note: Since this story was originally published, Wickr is still available to all users but is focused on businesses, not consumers.)
Tip 2: If you must use email…
If you must use email (perhaps you’re sending the Panama Papers), strongly consider learning about Pretty Good Privacy. The challenge with PGP is that not only do you have to use it correctly, with different instructions for Windows, Mac, and Linux, but so does your recipient. You can consider sending a password-protected ZIP file, as long as the password isn’t in the same email you send.
Electronic Frontier Foundation technologist Jeremy Gillula advises against creating a simple code for sending important numbers, such as changing all 1s to 2s. “If you’re using simple cipher, might as well call up the recipient and tell them over the phone,” he says.
Some email networks are encrypted within their own systems. If you know that your recipient is using Gmail, and you’re using Gmail, the content of the messages will be protected from snooping while being sent, Gillula says. “It can thwart a passive eavesdropper, but you’re still susceptible to active attacks.”
Tip 3: Ask questions
If you’re not sure about your recipient’s computer security, ask him or her about it. Hansen tells a story about trying to get a mortgage, and the mortgage company wanted “unbelievable amounts of information. I took one look at their website and found a number of different flaws in it.” He ended up finding a larger, more computer-savvy mortgage company. Good starter questions include:
- Are the data you transmit and the databases that store it encrypted on disk?
- Is access to your information systems handled on a per-user basis, or does everybody use the same username and password?