Should I Be Concerned about Security: Sending Personal Information over Email

[prowsej]

I work at a church. Today, a volunteer who sends out birthday cards to the kids who are members of the church asked for a list of upcoming birthdays, with the kids' names, addresses, phone numbers and some other information. I will go into our membership database, output this information as an Excel spreadsheet and email it to her.

Should I be concerned about security with this? I understand that email is insecure. Someone could potentially intercept this communication and then they would have a lot of personal information about small children - an undesirable privacy breach.

I have two questions:
1. Practically, should I concerned about security in this situation? Realistically, there's no one with a packet sniffer intercepting our communications, so it seems like a bit of an academic problem.
2. Is there a good alternative? Is there an easy, secure way of sending a file like this that wouldn't require any technical knowledge on the part of the recipient?

Thanks for your thoughts : )

 

[child of wonder]

Email is transmitted via clear text over the internet. Theoretically someone could intercept it.

Realistically, the odds of someone doing so are about 1,000,000 to 1.

 

[JackMDS]

There is No end to security debates.

However since basic levels of security can be achieved in few seconds at No expense there is No reason Not to improve the odds.

Zip the file and send it as an attachment. By doing so, it is not a clear text any more.

Want a little more security make it self extract zip with password, send it as an attachment and send the password to the zip exe in a separate email.

No cost (many zipping program are free) and just few extra seconds for each second email.

 

[n0cmonkey]

PGP it.

This isn't an academic problem, it's a real one. Mail servers get popped all the time.

 

[rookie1010]

by cleartext is it plain ASCII, what are the other modes of transmission

 

[InlineFive]

Originally posted by: n0cmonkey
PGP it.

This isn't an academic problem, it's a real one. Mail servers get popped all the time.

Doesn't PGP require that both the sender and the receiver have the same software?

 

[n0cmonkey]

Originally posted by: InlineFive

Originally posted by: n0cmonkey
PGP it.

This isn't an academic problem, it's a real one. Mail servers get popped all the time.

Doesn't PGP require that both the sender and the receiver have the same software?

Who doesn't have PGP or GnuPG?

 

[Nothinman]

Doesn't PGP require that both the sender and the receiver have the same software?

AFAIK the PGP/GPG format is an open standard so any compliant software should work.

 

[InlineFive]

Originally posted by: n0cmonkey

Originally posted by: InlineFive

Originally posted by: n0cmonkey
PGP it.

This isn't an academic problem, it's a real one. Mail servers get popped all the time.

Doesn't PGP require that both the sender and the receiver have the same software?

Who doesn't have PGP or GnuPG?

Guess I should jump on the ride...late.

 

[JackMDS]

Originally posted by: n0cmonkey
Who doesn't have PGP or GnuPG?

Well give a prediction number in percentage.

This is the targeted population.

Quote: "Today, a volunteer who sends out birthday cards to the kids who are members of the church asked for a list of upcoming birthdays, with the kids' names, addresses, phone numbers and some other information".

How many would have PGP or GnuPG on their computers?

 

[prowsej]

Thanks for the replies, everyone.

A password-protected zip file is a good idea. I can then just telephone over the password and I think it would be reasonably more secure. I'd be satisfied with this form of security through obscurity - and at the very least, it'd be due diligence.

I think that for PGP, the recipient has to have set up something special, right (like download a key)? It won't just appear as a normal email in their Microsoft Outlook/Gmail/etc. inbox, while having been encrypted. (I last tried this with Netscape Communicator 4 in the late 90s - I don't know if the ease-of-use has subsequently improved)

 

[Nothinman]

I'd be satisfied with this form of security through obscurity - and at the very least, it'd be due diligence.

It's not security through obscurity unless your password on the encrypted file is something stupid like 123456. Well and depending on the encryption algorithm used, so check on that before you decide what to use since I don't think XP's built-in zip functionality supports encryption.

How many would have PGP or GnuPG on their computers?

And how many of them would consider sending that same information in a transparent envelope or written on the back of a postcard? I doubt any of them would since they understand the implications of that. Just because they currently don't know how to protect their electronic data doesn't mean they should never learn.

I think that for PGP, the recipient has to have set up something special, right (like download a key)? It won't just appear as a normal email in their Microsoft Outlook/Gmail/etc. inbox, while having been encrypted. (I last tried this with Netscape Communicator 4 in the late 90s - I don't know if the ease-of-use has subsequently improved)

You can create self-decrypting files that just require a passphrase and would be about equal to the encrypted zipfile method above. If you choose to encrypt the whole email then things get a bit more complicated, but not much.

 

[prowsej]

It's not security through obscurity unless your password on the encrypted file is something stupid like 123456. Well and depending on the encryption algorithm used, so check on that before you decide what to use since I don't think XP's built-in zip functionality supports encryption.

Thanks - I just looked into it and now I realize that zip files can be encrypted. I didn't know that before (I had thought that the password was just a software-based impediment to accessing the file, not a key that decrypts it).

Problem solved.

 

[n0cmonkey]

Originally posted by: JackMDS

Originally posted by: n0cmonkey
Who doesn't have PGP or GnuPG?

Well give a prediction number in percentage.

This is the targeted population.

Quote: "Today, a volunteer who sends out birthday cards to the kids who are members of the church asked for a list of upcoming birthdays, with the kids' names, addresses, phone numbers and some other information".

How many would have PGP or GnuPG on their computers?

How many US federal government agencies encrypt all hard drives that could possibly contain personal information? The answer is the same, not enough. Everyone should be using this stuff, whether they're federal employees or church goers looking to send out cards to children. If it was their personal information they'd probably take better care of it, but it isn't and that's no excuse.

 

[cmetz]

Please don't send people's personal information over email. You should assume that all email might be read by people you didn't intend, if not through the public Internet, through your mail server or theirs.