Last week, I was looking for a way to securely transmit documents to customers — in this case, a W-9 tax document that contained my social security number.
I’ve always faxed these things — in my mind (rightly or wrongly), faxing them was somehow more secure than sending them by email. I wasn’t about to put my social security number in plain text in an email, so putting it in a tidy PDF wrapper seemed just as insecure.
Does anyone have a good, secure way to send W-9s or other sensitive documents? Emailing SSNs is scary; faxing is passé
— Robert Palmer (@robertpalmer) September 13, 2012
Ultimately, the issue comes down to trust, and trust for me is a gut feeling. For tax documents, I felt like I could trust a 20-year-old fax machine more than email.
My fax provider, though, was having problems successfully sending the fax to the customer, and I was looking for alternatives.
Encryption is Always the Answer
One suggestion was S/MIME — a way to digitally sign and encrypt your emails. In many cases, though, this requires that your recipient also have a security certificate for their email. I dreaded having to explain this to a customer.
Email, I was told early on, was like a postcard — anyone can read it along the way if they really want to. S/MIME puts that email in an envelope — harder to read by the passer-by or the handler of the message, but still not impenetrable.
It’s simple to explain how to use an envelope properly, but digital certificates are another matter entirely.
Basecamp to the Rescue
What I wanted was a secure place to put the file, and give people a URL to pick it up. Where that place is, ultimately, also comes down to trust. I use Dropbox and Basecamp to securely store files for my clients, and I trust them all because I pay them a monthly fee. If they want to keep me as a customer, they’ll keep my files secure.
The new Basecamp is pretty great, and one of its new features is called “looping in.” You can “loop in” an email address that isn’t necessarily a Basecamp user, and they’ll get access to just that file or message in Basecamp.
What I wound up doing was creating a new project on Basecamp called Honest Code Secure Documents. I made sure that I was the only person assigned to that project.
Then, I created a new message, attached my W-9, and looped in the customer on the message. They wind up getting a message like this:
They click the link and download the PDF. The file is securely stored on the server (and not sent as an attachment) and the user gets a direct link to what they need. I can delete the file later if I want — the only copies that will exist are on my computer and the recipient’s computer (provided they downloaded the file). I trust Basecamp to keep the file deleted.
Who knows — maybe in a few months I’ll be able to stop paying for a fax number I won’t use again.