Everyone knows confidential data is not something you should share with third parties, especially things like credit card details, social security numbers (BSN in the Netherlands) or usernames and passwords. Other personal data, like bank details and frequent flyer numbers, should also be kept private. Sometimes this information is requested for a valid reason, such as an employment contract. While refusing to send these details electronically is possible in some cases, sending them in hard copy is not always a more secure alternative. So, in some cases you might choose to send confidential data to a trusted party.
Mostly you are asked to upload these details via a secure portal. However, when dealing with support desks, HR departments or webshops, contact is in a lot of cases via regular email. While there are ways to securely exchange confidential data via email (PGP or S/MIME), these are neither very user-friendly nor widely adopted. By choosing to send data via email you lose control over it. The data is now stored in the «Sent Messages» folder of your email account, but also in the mailbox of the recipient. That can be a mailbox shared among multiple people or hosted on an insecure shared platform. It can also end up in a support database hosted with an external company. In any case, it is unknown who has access to the data in that email, and for how long it is stored.
There are several open source tools to keep a certain level of control over the data that you share. The following two tools are actively developed:
• PrivateBin, securely share textual data and conversations
• Nextcloud, securely share documents and files
When you want to quickly share sensitive textual data you can use PrivateBin. This tool allows you to limit how long the data behind the link is available, or even allow the note to be opened a single time only. This prevents your data from being accessible via an email that includes that link once it has been opened. You can also set a password on the note, so that both the unique key and the password are required to gain access to the data. All data in the note is encrypted before it is sent to the server, so even the administrators of the PrivateBin server can’t see the data in the note. It is only accessible to the sender and the recipient.
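To make the paragraph above concrete, the following sketch is an added example, not PrivateBin's own code: a simplified model of a note that is encrypted on the sender's side, needs both the key from the link and the password to open, and sits on a server that enforces an expiry time and single opening. The function names, the `NoteStore` class and the key-derivation parameters are assumptions for illustration.

```javascript
// Added illustration (not PrivateBin's own code): simplified model of a
// client-side encrypted note with link key, optional password, expiry and
// open-once behaviour. All names and parameters here are assumptions.
const nodeCrypto = require('node:crypto');

// Key = PBKDF2(link key || password); the server never sees either input.
function deriveKey(linkKey, password, salt) {
  const secret = Buffer.concat([linkKey, Buffer.from(password, 'utf8')]);
  return nodeCrypto.pbkdf2Sync(secret, salt, 100000, 32, 'sha256');
}

// Sender: encrypt locally; upload `record`, keep `fragment` in the link only.
function sealNote(plaintext, password = '') {
  const linkKey = nodeCrypto.randomBytes(32);
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(linkKey, password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { record: { salt, iv, ct, tag: cipher.getAuthTag() }, fragment: linkKey.toString('base64url') };
}

// Recipient: needs the fragment from the link AND the password.
function openNote(record, fragment, password = '') {
  const key = deriveKey(Buffer.from(fragment, 'base64url'), password, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // wrong key or password: GCM authentication fails
  }
}

// Server model: stores ciphertext only and enforces expiry and open-once.
class NoteStore {
  constructor() { this.notes = new Map(); }
  put(record, { ttlMs, openOnce = false }, now = Date.now()) {
    const id = nodeCrypto.randomBytes(8).toString('hex');
    this.notes.set(id, { record, expires: now + ttlMs, openOnce });
    return id;
  }
  get(id, now = Date.now()) {
    const note = this.notes.get(id);
    if (!note || now >= note.expires) { this.notes.delete(id); return null; }
    if (note.openOnce) this.notes.delete(id); // gone after the first read
    return note.record;
  }
}
```

Because the key travels only in the link and the password through another channel, a copy of the stored record or of the email alone is not enough to read the note.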
Nextcloud, like Google Drive, allows you to send files by sharing a weblink to that file. But Nextcloud also allows you to set a time period and a password on that share. This allows you to grant your bank account manager access to your payslip for the period of your mortgage application, and automatically revoke this when the process is finalised.
Open source tools like PrivateBin can be installed easily and don’t require a lot of resources. When I deal with support desks that require me to share sensitive data via email, I make sure to send it via a link in PrivateBin or Nextcloud. In the end, not sending data via email, or not sharing at all, is most secure, but that’s not always a viable solution. When you do share, share securely and realise what you are giving away.
Disclaimer: You should never share critical data (e.g. PIN, credit card data, username and password details and social security number).