Occasionally, you will need to send some sensitive information online. The good news is that there are plenty of ways to do this. The bad news is that there is always a risk that someone might intercept it and steal your information.
When communicating online, few ways are faster or more convenient than email. But does the same hold true when sending sensitive documents and information?
Email, in general, is not the most secure way to send sensitive information, at least when talking about popular email services like Gmail.
Here’s why.
Why You Should Avoid Emailing Sensitive Information
Data on email can be compromised in a few ways.
First, data can be compromised as it travels through the network. Let’s say your organization hosts its email with an external provider and you need to send an attachment to someone outside the organization.
That email and attachment will go through at least three connections. This means at least three points at which someone could intercept your communication. Plus, if you and the recipient use different email hosts, the connection between your host and the recipient’s server is another weak point to consider.
Another point where your sensitive information on email is vulnerable is on the servers where it is stored.
You’ve probably deleted an email or two in your time. It’s pretty easy to do: check the box next to the email and click the bin icon. But, just like real trash, it doesn’t disappear right away. Instead, it goes to the Trash folder, so you will need to delete it permanently from there as well, either with Empty Trash now (to empty the entire folder) or by checking the box next to the email and clicking Delete Forever.
But is it deleted forever?
Well, when it comes to Google, nothing is as it says on the package.
Here’s what a Google spokesperson said about deleting emails forever:
“Google keeps multiple backup copies of users’ emails so that we can recover messages and restore accounts in case of errors or system failure, for some limited periods. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our servers. Deleted messages may also remain on offline backup systems for some limited period.”
Let’s break that quote down:
- Google keeps multiple backup copies of your email.
- It keeps them for “some limited periods.”
- Copies of messages take up to 60 days to get deleted from Google servers.
- Deleted messages remain on Google’s offline backup systems.
Of course, it’s not just Google’s fault. In many countries, such as Germany, Switzerland, and the Netherlands, the law requires that emails be kept for at least 6 months before they can be permanently deleted.
That’s something you need to consider when choosing an email service. Look for an email encryption service with servers in a country that allows messages to be deleted permanently.
With Gray Duck Mail, you can delete your emails and files forever.
Here’s how to delete emails instantly after sending them on Gray Duck Mail.
If You Must Use Email to Send Sensitive Information
If you really “must” send sensitive data over email, protect it.
There are two ways to do this:
- Send a password-protected zip file
If you need to send secure email attachments to someone, sending them as a password-protected zip file is best.
The .zip format itself supports two different encryption methods, ZipCrypto and AES-256. So which one should you use?
Well, it depends on what you’d sooner sacrifice: your security or compatibility.
ZipCrypto is pretty weak and relatively easy to crack, but almost every zip archiver supports it.
On the other hand, AES-256 is much stronger encryption, but only a few archivers support it. I recommend going with this one since it’s supported by major 3rd-party zip archivers like 7-Zip and WinZip, and most people use these anyway.
Of course, that’s not the end of the story. If you need to send an encrypted zip file over email, the other person needs a way to open that file, or it’s useless to them.
In other words, they would need a password to open the file.
But if you send a password with the file, you might as well announce, “Hey, here’s a secret document. Feel free to open it”. Sending passwords in an email is often not the best idea.
That’s why you should send the password either in a separate email or through another channel, like a text message.
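As an added example (not code from the original post or from Gray Duck Mail), here is a small Python check of which of the two methods an attachment actually uses before it goes out: it reads the archive’s central directory, where the encryption flag and the WinZip AES marker live. The sample archives are constructed in the code and contain only the directory records, which is all the check needs.

```python
import struct

CDIR = "<IHHHHHHIIIHHHHHII"  # central directory file header: 46 fixed bytes, then name/extra/comment

def _aes_strength(extra: bytes) -> str:
    """Read the WinZip AES extra field (id 0x9901): strength byte 1/2/3 = 128/192/256-bit."""
    pos = 0
    while pos + 4 <= len(extra):  # extra field is a list of (id, size, payload) records
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == 0x9901 and size >= 7:
            # payload: version(2) vendor 'AE'(2) strength(1) actual compression method(2)
            return {1: "AES-128", 2: "AES-192", 3: "AES-256"}.get(extra[pos + 8], "AES-unknown")
        pos += 4 + size
    return "AES-unknown"

def zip_encryption(data: bytes) -> dict:
    """Map each entry of a zip archive to 'none', 'ZipCrypto' or 'AES-128/192/256'."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a zip file: no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    result = {}
    for _ in range(count):
        f = struct.unpack_from(CDIR, data, pos)
        if f[0] != 0x02014B50:
            raise ValueError("corrupt central directory")
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        if not flags & 0x1:            # general-purpose flag bit 0: entry is encrypted
            result[name] = "none"
        elif method == 99:             # method 99 = WinZip AES container
            result[name] = _aes_strength(extra)
        else:                          # encrypted with any other method = legacy ZipCrypto
            result[name] = "ZipCrypto"
        pos += 46 + name_len + extra_len + comment_len
    return result

def build_sample(entries) -> bytes:
    """Constructed test archive: central directory + EOCD only, no file data. entries: (name, flags, method, extra)."""
    cd = b"".join(struct.pack(CDIR, 0x02014B50, 20, 20, fl, m, 0, 0, 0, 0, 0, len(n), len(x),
                              0, 0, 0, 0, 0) + n + x for n, fl, m, x in entries)
    return cd + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries), len(cd), 0, 0)

AES256_EXTRA = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)  # constructed 0x9901 field
SAMPLE = build_sample([(b"plain.txt", 0, 8, b""), (b"legacy.pdf", 1, 8, b""),
                       (b"strong.pdf", 1, 99, AES256_EXTRA)])
```

Run `zip_encryption(open("attachment.zip", "rb").read())` on a real archive; any entry reported as `ZipCrypto` or `none` should be re-packed with AES-256 before it is attached.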
- Use PGP encryption
Another solution is to use PGP encryption. Not all email services support it, and both you and the recipient must have it. If you use PGP but the recipient does not, the file is still insecure.
When you encrypt a plaintext using PGP, it compresses it first. This serves two purposes:
- It saves disk space and transmission time.
- More importantly, it enhances cryptographic security, making the file harder to crack.
The whole point of PGP (or Pretty Good Privacy) is that the risk from an intercepted email is much lower when you send it using this encryption.
When a message is sent with PGP, it’s first converted into ciphertext, which only someone with the right key can translate back into readable text. Anyone who intercepts the message without that key sees only unreadable ciphertext.
But wait, doesn’t PGP require special software?
That used to be the case, and it raised another problem.
How secure is the 3rd-party PGP software?
That’s not the case with Gray Duck Mail. We’re using the OpenPGP.js library, which is constantly audited by IT and security professionals and is trusted far and wide by individuals, organizations, and governments.
The OpenPGP.js library is maintained by our friends at Proton Technologies.
Need to send sensitive information to someone? Be sure to use the safest email accounts at Gray Duck Mail.