I’m occasionally faced with this same dilemma. Either for expediency or convenience, I want to email something I wouldn’t want to fall into the hands of anyone else.
While there are many approaches, there’s really only one pragmatic approach.
Become a Patron of Ask Leo! and go ad-free!
Email is a fundamentally insecure media. I liken it to sending a postcard in the mail: anyone who gets their hands on it can see what it says.
Normally, we think about the servers and administrators who might have access to our messages as they make their way from our inboxes to those of our recipients, but the problem isn’t limited to that scenario. Anything from a typo in an email address to a misconfiguration in an email server can cause email to be delivered to the wrong recipient.
How do you protect yourself?
Encrypt the data
The only really sure way of being protected is to use encryption.
On the surface it sounds very simple, and conceptually it is: you encrypt the data in some way such that only the recipient can decrypt and view it.
In practice, however, encryption ranges from complex to cumbersome.
There are a couple of standards for encrypted email. There are two problems:
- You and your recipient must use the same standard1.
- You and your recipient must set up appropriate encryption keys in advance. Typically, this means creating or obtaining a public/private key pair and installing them appropriately.
There’s actually a third problem: not all email program interfaces support these standards.
It’s complex enough that I can’t really suggest this an approach for most users.
The more pragmatic approach is somewhat more cumbersome: encrypt the document prior to sending it, using a ubiquitous standard, and then send the encrypted document as an attachment to your email.
The “ubiquitous standard” I’d recommend would be Zip. While technically a compression and archiving tool, Zip format includes the ability to password-protect a .zip file. In this case, password protection means the contents of the file are encrypted. I’d recommend using a tool like 7-Zip to perform the encryption, making sure to select standard “.zip” format for maximum compatibility. Compatible zip (or more correctly, unzipping) programs are available on almost every platform imaginable.
All you need do is share the password via some other channel with your recipient, so they’ll be able to decrypt the attachment when it arrives.
You could also use an alternate mechanism, such as a secure messaging app, to send your information. Tools like Signal or WhatsApp both provide end-to-end encryption and file-transfer capabilities. You’ll both need to use the same tool.
This is a problem journalists face all the time. As an example, the Washington Post has a number of mechanisms for contacting them securely, including encrypted email, messaging tools, and more. While you and your recipient need to agree on the mechanism to be used, perhaps reading some of the solutions journalists use might spark some additional ideas for your situation.
- Just How Secure Is Email, Anyway? – Email is ubiquitous and convenient, yet surprisingly not secure. I’ll look at why that is and when you should worry.
- How Do I Securely Share Sensitive Electronic Documents with My Attorney? – Sharing sensitive documents over the internet is both common and commonly done wrong. I’ll look at the pitfalls and alternatives.
- How Do I Encrypt Email? – It’s surprisingly difficult to encrypt email. We’ll look at a practical solution that anyone can use, as well as the way things “should” work.
- How Do I Send Encrypted Email? – An administrator on any of the systems between sender and recipient can easily look at any email that traverses their server. Similarly, networks can be sniffed, and email passing by can be easily read.