
Thread: sending sensitive data

  1. #1
    Join Date
    Jun 2008
    Location
    Across The Pond
    Beans
    937
    Distro
    Xubuntu 18.04 Bionic Beaver

    sending sensitive data

    I did some work with a group that wants a W-9 in order to pay me. They want me to send it as a fill-in pdf file via email or as a shared file on Google Drive. Everything in me questions the security of either option (especially by email) and I've just spent the last hour searching the internet for up-to-date information on shared sensitive document security in Drive. Every article I find is either several years old (and likely outdated), comes from Google (of course they're secure), comes from someone wanting to sell an encryption service, or beats around the bush and never gets to the point. So, would you do it? If so, how?

    Come to think of it, if they receive this information via the internet, should I be concerned about how they store it on their devices?
    "Everybody is ignorant, only on different subjects." Will Rogers

  2. #2
    Join Date
    Nov 2011
    Location
    /dev/root
    Beans
    Hidden!

    Re: sending sensitive data

    Try to teach one of them to use gpg and create a private/public key pair, and publish the public key or send it to you. If successful, you can encrypt the pdf file with this person's public key

    Code:
    gpg -er <user-id-name> <filename>
    for example

    Code:
    gpg -er sudodus file.pdf
    and send the gpg-encrypted file file.pdf.gpg. Then it will be safe to send it via for example email.

    The receiving person can decrypt the file with the following command

    Code:
    gpg <filename>
    for example

    Code:
    gpg file.pdf.gpg
    and use their public key (and a passphrase to activate this public key).



    There is a version of gpg for Windows too.

    If this is impossible, I don't know any general safe way via the internet. Maybe paper mail is good enough.
    Last edited by sudodus; October 12th, 2017 at 01:27 PM. Reason: fixed typing error: Window --> Windows
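The exchange described in post #2, as an added example that is not part of the original post: it runs the whole round trip in two throwaway keyrings, and adds a fingerprint comparison before encrypting, since a public key that arrives by email should be confirmed over another channel. It assumes GnuPG 2.1 or later; the user ID, file names and file contents are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: gpg public-key round trip in throwaway keyrings.
# The user ID, file names and form contents are constructed for the demo.

fpr_of() {  # print the primary key fingerprint for user ID $2 in keyring $1
  gpg --homedir "$1" --batch --with-colons --fingerprint "$2" |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

roundtrip() {
  local work rcpt sndr uid='payee-demo@example.invalid' claimed imported rc=1
  work=$(mktemp -d) || return 1
  rcpt="$work/recipient"; sndr="$work/sender"
  mkdir -m 700 "$rcpt" "$sndr"
  printf 'constructed W-9 stand-in, not a real form\n' > "$work/file.pdf"

  # Recipient: create a key pair and export only the public half.
  # An empty passphrase lets the demo run unattended; a real key needs one.
  gpg --homedir "$rcpt" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$uid" default default never 2>/dev/null &&
  gpg --homedir "$rcpt" --batch --armor --export "$uid" > "$work/pub.asc" &&
  claimed=$(fpr_of "$rcpt" "$uid") &&   # read to the sender over another channel

  # Sender: import the key, then refuse to encrypt unless the fingerprint of
  # what was imported equals the one the recipient stated.
  gpg --homedir "$sndr" --batch --quiet --import "$work/pub.asc" 2>/dev/null &&
  imported=$(fpr_of "$sndr" "$uid") &&
  [ -n "$imported" ] && [ "$imported" = "$claimed" ] &&
  # --trust-model always: the key was just verified by hand, so skip the
  # trust check that would otherwise stop a batch run.
  gpg --homedir "$sndr" --batch --quiet --trust-model always \
      -e -r "$imported" -o "$work/file.pdf.gpg" "$work/file.pdf" &&
  ! grep -q 'W-9 stand-in' "$work/file.pdf.gpg" &&

  # Recipient: decrypt with the private key and compare with the original.
  gpg --homedir "$rcpt" --batch --quiet --pinentry-mode loopback --passphrase '' \
      -d -o "$work/out.pdf" "$work/file.pdf.gpg" 2>/dev/null &&
  cmp -s "$work/file.pdf" "$work/out.pdf" && rc=0

  gpgconf --homedir "$rcpt" --kill gpg-agent 2>/dev/null
  gpgconf --homedir "$sndr" --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  return "$rc"
}

roundtrip && echo "round trip OK"
```

In real use the two keyrings live on different machines, and only `pub.asc` and `file.pdf.gpg` ever travel between them.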

  3. #3
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: sending sensitive data

    The company should have policies and practices in place for the handling of any sensitive data.

    If you don't want to send the information in the clear and they still want it via email, you could always stick the document in an encrypted zip file and send the passphrase via a different method.

    EDIT: Looks like sudodus beat me, but if either method won't work, paper mail or maybe even fax would be best.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  4. #4
    Join Date
    Jun 2008
    Location
    Across The Pond
    Beans
    937
    Distro
    Xubuntu 18.04 Bionic Beaver

    Re: sending sensitive data

    Quote Originally Posted by sudodus View Post
    Try to teach one of them to use gpg and create a private/public key pair, and publish the public key or send it to you. If successful, you can encrypt the pdf file with this person's public key

    <snip>

    There is a version of gpg for Windows too.
    Quote Originally Posted by CharlesA View Post
    The company should have policies and practices in place for the handling of any sensitive data.
    sudodus and CharlesA, thank you. I will approach them with both of these. They started with a home-business idea of bundling eBooks for a niche audience. This turned out to be very successful so they are moving full steam ahead to expand on the idea. My guess is that they really haven't thought it through to this extent yet. Likeable folks, but from my interactions with them I'm guessing they are more experienced in marketing than computers and computer/internet security.
    "Everybody is ignorant, only on different subjects." Will Rogers

  5. #5
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    4,520

    Re: sending sensitive data

    Quote Originally Posted by Buntu Bunny View Post
    They want me to send it as a fill-in pdf file via email or as a shared file on Google Drive.
    It's not their form. It's the IRS's form. Nobody else can require you to use their private version.
    The fillable version on the IRS website is intended to be printed for hand-signature. After that, it should be mailed or scanned.
    A W9 can be dangerous in the wrong hands - it's your SSN and your current name/address, all in one convenient package. A highly-desired target for theft.

    We exchange W9's via email...as scanned or faxed images from business to business (EINs instead of SSNs).
    For personal SSNs, we always use paper and the US Postal Service.
    Last edited by ian-weisser; October 12th, 2017 at 02:01 PM.

  6. #6
    Join Date
    Jun 2008
    Location
    Across The Pond
    Beans
    937
    Distro
    Xubuntu 18.04 Bionic Beaver

    Re: sending sensitive data

    Quote Originally Posted by ian-weisser View Post
    It's not their form. It's the IRS's form. Nobody else can require you to use their private version.
    The fillable version on the IRS website is intended to be printed for hand-signature. After that, it should be mailed or scanned.
    Yes, it is the IRS's form, they just sent a link to fetch a copy.

    A W9 can be dangerous in the wrong hands - it's your SSN and your current name/address, all in one convenient package. A highly-desired target for theft.
    Agreed, which is why I'm so concerned. It amazes me how many people are willing to blindly hand over personal data without a thought. I won't even give out my phone number when a cashier asks for it!

    We exchange W9's via email...as scanned or faxed images from business to business (EINs instead of SSNs).
    For personal SSNs, we always use paper and the US Postal Service.
    Excellent advice, which makes me think I should ask if they will input this data into a computer database. That goes back to the question of how they protect such data on their home business computers. For me it has to be an SSN because I'm not in business, just making a little hobby income (which, of course, must still be reported).
    "Everybody is ignorant, only on different subjects." Will Rogers

  7. #7
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    4,520

    Re: sending sensitive data

    Quote Originally Posted by Buntu Bunny View Post
    how they protect such data on their home business computers. For me it has to be an SSN because I'm not in business, just making a little hobby income (which, of course must still be reported).
    Small (home) US-based business means they probably use QuickBooks, which protects the SSN field using their encrypted database and internal API controls.
    It can be a real pain to get data out of QB. If anyone ever cracks the QB encryption, they can sell it for millions legitimately to third-party vendors and won't need to steal PII.

    Of course, their Google-based data, other server-stored data, or local data have no such protections.

    If they accept credit cards, PII protection policies and practices are part of their annual PCI compliance requirement.
    Last edited by ian-weisser; October 12th, 2017 at 03:36 PM.

  8. #8
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    13,505
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: sending sensitive data

    If you're this concerned, put the form in an envelope and take it to the Post Office. You can choose Certified or Registered Mail if you want surety of handling. If you pay for a return receipt, you'll be notified when the item arrives, and the return card will indicate the name of the person who signed for the delivery.

    Really, there is a reason why we still have paper forms and traditional mail services. Not everything has to be electronic.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  9. #9
    Join Date
    Jun 2008
    Location
    Across The Pond
    Beans
    937
    Distro
    Xubuntu 18.04 Bionic Beaver

    Re: sending sensitive data

    Quote Originally Posted by ian-weisser View Post
    Small (home) US-based business means they probably use QuickBooks which protects the SSN field using their encrypted database and internal API controls.
    Good info. I will be sure to ask.

    Quote Originally Posted by ian-weisser View Post
    If they accept credit cards, PII protection policies and practices are part of their annual PCI compliance requirement.
    They accept credit cards and Paypal. They pay via Paypal. Having had Paypal recently help itself to my account I'm not too happy with them at the moment, but that's another story.

    Quote Originally Posted by SeijiSensei View Post
    If you're this concerned, put the form in an envelope and take it to the Post Office... Not everything has to be electronic.
    That's why I'm here asking, to make sure I haven't missed out on any brand new super-duper security information. I've asked these folks for a mailing address so that I can send the form by snail mail, but I have yet to hear back from them. We'll see.
    "Everybody is ignorant, only on different subjects." Will Rogers

  10. #10
    Join Date
    Oct 2005
    Location
    Al Ain
    Beans
    9,263

    Re: sending sensitive data

    In my experience, the strongest data security method that non-geeks can handle is encrypted zip files.
