This story originally ran on  
The Parallax 
and was updated on July 3, 2019.
A few months ago, my parents asked a great security question: How could they securely send their passport numbers to a travel agent? They knew email wasn’t safe on its own.
Standard email indeed isn’t safe for sending high-value personal information such as credit card or passport numbers, according to security experts such as Robert Hansen, CEO of intelligence and analysis firm OutsideIntel, now part of 
Bit Discovery.
“Email sometimes has good cryptography but often does not,” Hansen says. When sending between Gmail accounts or within a company, he adds, secure transport “probably isn’t an issue.” But people should ask themselves, “Can somebody steal the data when it’s at rest?”
There’s no 100 percent hack-proof way to send your personal information across the Internet. But thanks to the development of 
end-to-end encryption
 which secures data from even the company providing the encryption, there are tools and techniques you can use to make the process safer for you and the identification numbers we use to rule our lives.
Here are three expert tips for securely sending someone your personal information when planning your summer vacation, buying your next house, or just sending documents to your doctor’s office (when they don’t have their own 
secure messaging system.)

Tip 1: Use an app with end-to-end encryption

The use of encryption has been increasing “since the mid-1990s,” notes security expert Bruce Schneier, thanks to a seminal 
court case 
allowing companies to work on computer cryptography without having to first seek the government’s permission. 
Some phone apps protect your text messages using end-to-end encryption. We have highlighted several of the best in a  
guide to apps offering end-to-end encryption
Here are a few we find exceptionally useful for securely sending personal information.
WhatsApp, 
used by  
more than 1.5 billion people
 is on every major and several minor platform, including an easy-to-use desktop browser app, and it provides end-to-end encryption by default. If you use WhatsApp 
(acquired by Facebook in 2014,) 
you use end-to-end encryption. It’s that simple, and its popularity means that you might not have to convince your intended recipient to install it.
WhatsApp’s encryption tech is actually provided by 
Open Whisper Systems
which makes its own end-to-end encryption text and voice app,
 Signal
So which app should you use? Signal arguably has two advantages over WhatsApp, at least from a security perspective. Signal doesn’t 
store any metadata 
on its chats, while WhatsApp does. It’s not the content of messages, but it can help identify the type of content being sent. Signal can be set to auto-delete messages, which is effective as long as the recipient hasn’t taken a screenshot or otherwise copied the content of the message.
Signal is also open-source, which means that the code on which it’s built is subject to independent reviews. WhatsApp development is closed, and doesn’t have people not associated with the company poking around in its code. While Signal is only for iPhone and Android, both Signal and WhatsApp can comfortably exist on the same device—they don’t conflict with each other. (Sometimes, however, Signal
 struggles to let its users go.)
As of July 2019, WhatsApp and Signal are the only two end-to-end encrypted messaging apps for which the advocacy nonprofit  
Electronic Frontier Foundation 
offers installation instructions in its  
Surveillance Self-Defense Tool Guide
The organization 
elsewhere in its guide recommends 
the end-to-end encrypted messaging app 
Wire
Wire works on Android, iOS, and desktops. One of Wire’s benefits is that it doesn’t require you to share your phone number to use the service, instead relying on usernames. That can help minimize the ability of others to track you. But it also stores 
conversation threads in plaintext 
when you use it across multiple devices.
End-to-end encrypted  
Wickr 
also allows users to delete messages they’ve sent after they’ve been viewed. Once you’ve deleted a message you’ve sent, you don’t have to worry about the recipient’s device storing it. However, because Wickr runs only on iOS and Android, and it has no password recovery method, you might have a hard time convincing your recipient to use it. (Editor’s note: Since this story was originally published, Wickr is still available to all users but is focused on businesses, not consumers.)

Tip 2: If you must use email…

If you must use email—perhaps you’re sending the  
Panama Papers
strongly consider learning about Pretty Good Privacy. The 
challenge with PGP 
is that not only do you have to use it correctly, with different instructions for  
WindowsMac
and  
Linux
but so does your recipient. You can consider  
sending a password-protected ZIP file
as long as the password isn’t in the same email you send. 
Electronic Frontier Foundation technologist Jeremy Gillula advises against creating a simple code for sending important numbers, such as changing all 1s to 2s. “If you’re using simple cipher, might as well call up the recipient and tell them over the phone,” he says.
Some email networks are encrypted within their own systems. If you know that your recipient is using Gmail, and you’re using Gmail, the content of the messages will be protected from snooping while being sent, Gillula says. “It can thwart a passive eavesdropper, but you’re still susceptible to active attacks.”

Tip 3: Ask questions

If you’re not sure about your recipient’s computer security, ask him or her about it. Hansen tells a story about trying to get a mortgage, and the mortgage company wanted “unbelievable amounts of information. I took one look at their website and found a number of different flaws in it.” 
He ended up finding a larger, more computer-savvy mortgage company. Good starter questions include:
  • Are the data you transmit and the databases that store it encrypted on disk? 
  • Is access to your information systems handled on a per-user basis, or does everybody use the same username and password?
If the data isn’t encrypted on disk and at rest, and if there’s only one username and password for accessing customer data, keep looking for a different service provider, Hansen says. From there, the questions you ask depend on whether you’re working with a travel agent, a health care provider, or a mortgage firm.