Skip to main content
U
Under S.
Inspiring
April 24, 2019
Question

Safest way to transfer a document w/ sensitive info to a client online?

  • April 24, 2019
  • 1 reply
  • 2088 views

This one is a little off-topic but still web-related : I'm looking to transfer scanned copies of sensitive documents via web. So they're images of documents, rather than actual text documents (in other words, without OCR, you can't guess the contents). I'll likely use a PDF shell to bind the JPGs together in order.

First, I thought to do it via my web server this way :

  1. Scan and bind the pages into a PDF file
  2. Zip the resulting PDF file up w/ password protection
  3. Create a directory on my web server w/ password protection via .htaccess
  4. Place the pw-protected ZIP file there for the client to pick up
  5. Delete the ZIP file from the server when pickup is made (appx. 24-48h later)

My thinking was that should someone ever care enough to want to hack their way into this directory, they'll probably succeed (everyone eventually does, right?) but there will be nothing there 90% of the time. And if they should make it through during the 24-48h when something actually will, those docs will be zipped under a 2nd level of pw-protection. While I'm assuming there must be a million tools out there right now to crack open a protected ZIP, I was thinking that it would take a rather extraordinary set of circumstances to lead to an actual document breach.

But am I being naive about that?

A friend of mine working in I.T. sure seems to believe so. Said it's almost impossible to protect anything that's been uploaded to a web server, so he suggested I go with a pw-protected ZIP sent via encrypted email instead. He suggested that the minute I upload anything on my web server, the host will likely already have made its own copy of it (just because they can) and they'll have it long after I delete it from the server. I'm not someone who's ever been very comfortable uploading to clouds when it comes to personal IRL stuff, so I'm pretty easy to scare in this regard.

When I asked if there could be issues with HIS proposed method -- such as the clients not being able to decrypt the email on the other end -- he hesitated. So I'm thinking that solution isn't as viable as he's suggesting it is.

I realize the battle for internet privacy is ongoing and never ending… with new advancements being made on both sides every year... but I'm not looking for 100% full-proof as much as the safest bet at the moment.

Thanks!

This topic has been closed for replies.

1 reply

Nancy OShea
Community Expert
Nancy OSheaCommunity Expert
Community Expert
April 24, 2019

See this article for more ideas.

how-can-i-securely-send-sensitive-tax-docs-to-my-tax-preparer

Nancy O'Shea— Product User & Community Expert
U
Under S.Author
Inspiring
April 25, 2019

https://forums.adobe.com/people/Nancy+OShea  wrote

See this article for more ideas.

how-can-i-securely-send-sensitive-tax-docs-to-my-tax-preparer

Good to know to avoid email under any circumstance; but I have a question about this part :

Share your documents using an encrypted file-sharing service. A lot of file-sharing services offer some sort of encrypted transmission for file sharing. One of those is Dropbox.

Is pw-protecting a ZIP file + using Dropbox really all that secure, though? At the very least, would it not be safer to cut the middle-man and deliver the archive via private https link to my own secure website (especially if I will manually delete the only known copy of it on the internet within 48h)? I was originally worried about my web host cloning all its clients' files as they are uploading them (just because they could), but feels like trusting Dropbox would require an even greater leap of faith. (But maybe it's just me.)

WolfShade
WolfShade
Legend
April 25, 2019

If the recipient uses an email client that works with any encryption protocol (like PGP), and has a public key available in any of the standard PKIs, there is no reason to NOT use email to send documents that contain sensitive information.

And I've never been a fan of online document/file repositories, but most especially DropBox.  There are many documented cases of security vulnerabilities associated with DropBox, and I deleted my account over a year ago because of them.

To be honest, there is no 100% bullet-proof method of transporting digital files that contain sensitive information, short of physically handing them from one person to another (ie, no middle man), but there are ways to make it so difficult for malicious actors that it won't be worth their time/effort.  Just do your research.

V/r,

^ _ ^

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices