Writing, publishing, geekdom, and errata.

TaxTime: Sending Your Social Security # Through Email Isn't Secure

No comments
TL;DR:  Publishers and authors:  We need to collect and send sensitive data via e-mail.  GPG encryption is the best way to achieve that.

As Lucy Snyder reminded friends on Facebook, it's tax time.  Which means that many publishers (myself included) may send or recieve your identifying data through e-mail.

Heck, I ask for it on all contracts anymore - because sometimes things change during the course of a year, and I'd rather be prepared come tax time than be surprised.

But how can you send that information through e-mail securely?  (Note:  USPS mail is a different level of security, but that's a whole other thing.)

First, make sure that you have SSL encryption turned on (it's on by default for Gmail).  That encrypts your mail between your computer and the server.

But.

That does not guarantee that your e-mail is encrypted between your ISP's mailserver and the recipient's mailserver.  Or between the recipient's mailserver and the recipient themselves.

An analogy:  You put your interoffice mail into an envelope and hand it to the courier.  That courier might forget to use the envelope between buildings.  The other building's courier might not use the envelope either.

So you need end-to-end encryption.

Perhaps the most widespread (and easiest to implement now) standard is GPG (which used to be PGP) encryption.  I mentioned the possible use of GPG back here when it comes to digitally signing contracts.

But really, what the system is best at is encrypting communications.

You know, what we're talking about here.

There's a really good guide at setting up GPG on your system (regardless of what OS you run) over at Lifehacker:

http://lifehacker.com/how-to-encrypt-your-email-and-keep-your-conversations-p-1133495744

and there's even Mailvelope - a way to easily use GPG with the web interface of Gmail.  (Guide to using that here:  http://lifehacker.com/5966787/mailvelope-offers-free-easy-to-use-pgp-encryption-for-gmail-outlook-and-other-webmail-services )

I'm not saying you should use encryption for all of your e-mail (though there's a good argument for why that makes everything more secure).  But I argue that everyone should have the option for using encryption already set up on their system... before they need it.

And remember, if you want to get my public GPG key:

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xDD2F731F
gpg --list-keys 0xDD2F731F
gpg --verify FILENAME

or you can find me on the MIT keyserver.

If you have a GPG key, I invite you to let me know so I can add you to my keychain.   There's a tool to auto-add keys for OSX;  I thiink I'm going to work on one right now for myself.

No comments :