2

I have approx 3Gb of data that my institution has obtained under an NDA. We are permitted to share it with a small number of partner institutions, but cannot make it publicly available. The users at some of the partner institutions may not be very technically savvy. I will not be able to spend any money to do this, and I am not able to set up new IT systems (so e.g. hosting an SFTP server is out). I am trying to figure out the best way to approach the problem.

An obvious option is to use a service such as Dropbox, and only send the download link to the appropriate people. In practical terms this is probably adequately secure, but in theoretical terms it isn't ideal, as Dropbox themselves can view the data.

I could encrypt it and upload the encrypted file to Dropbox or similar. However, I do not know of an encryption/decryption tool that is straightforward for a non-technical user on the receiving end. Suggestions for such a tool are welcome!

Another option, of course, would simply be to send a DVD to each partner in the post...

Is there a straightforward way of doing this that I haven't thought of?

Related, but not dupes:

  • This question gives answers where confidentiality is not a consideration.
  • This question gives answers that involve spending money or setting up new systems (and the most recent answer is from two years ago).

EDIT: For clarification, since some of the answers, while helpful, are heading into paranoid territory: The data in question is covered by NDA simply because the organisation who provided it charges for it, and would like to be able to sell it to other people. This is not an "evading-interception-by-the-government" level of secrecy (i.e. no need for plausible deniability, etc.), it's a "take reasonable steps to not violate the agreement" level. There is no personal data about anybody, so ethical and legal concerns about personal data do not apply.

Flyto
  • 756

3 Answers

5

You could use a password-protected ZIP file and send that over Dropbox. I don't know if that is secure enough for your needs, but it is simple.

I think your proposed sneakernet option might be the easiest. Send a DVD in the mail.

daxlerod
  • 3,215
2

BitTorrent Sync might work here. It needs a client but doesn't use a central server, AES encrypts the traffic, and does a pretty good job at transferring large files. You could also use a 'simple' password-encrypted self-extracting archive using 7-Zip. I'd see firewalls possibly freaking out at the torrent traffic however.

That said, sending a DVD to each partner is likely the best, most PHB friendly solution.

Journeyman Geek
  • 133,878
1

As this has a high potential for a flame war: As I'm not an expert in an ever evolving field of science, I am just summarizing some of my own thoughts about security and encryption here. Thus:

a) on "Dropbox" e.a.: How well could one know whom "service_name" belongs to and why the heck should one be willing to hand over control over sensitive data, especially about other people, to "service name"?!¹ At least, one should try to ask around if somebody one trusts might have some online storage (server), with restricted access for only the people one trusts. Or could be held responsible if something happens on one's side.

b) On Password protected data: Just to give an idea how much people trust in companies

As everybody and his/her dog would swear that they wouldn't use such passwords - where do they come from? Also: Why fixed-length passwords (mainly 8 characters) are a bad idea.

c) On Encryption: I've heard very good things about GnuPG (wikipedia article) and quite good things about TrueCrypt (wikipedia). There also is a Stack Exchange on Security; in case you aren't aware of it ;)

ad c) On Encryption in use: For every piece of software you hear about, look its name up with an additional keyword like "hack", "crack", "decrypt", etc. This could give even the newest newbie an idea of how safe it might be. Also: As there is enough boasting that it could crack just everything, a little research might result in "just hot air with a hint of sugar and …" in the best case.

Answer Idea how to solve this: Burning the encrypted data on a DVD and transferring it via Sneakernet sounds nice. Doing the best one could do to protect data, especially if it's sensitive data **about other people** (!) is a must, and nothing less. One reason I am very reluctantly willing to provide other people with my sensitive data is that I do know that security measures are in most cases handled by "that dude(tte)" hardly ever someone, had spoken more than needed (if ever).

e) Bruce Schneier has written a lot about Trust(ing) - here an introduction


¹ I'm NOT here to roast ANY company about, well, anything - just mentioning "Dropbox" because you named it, as an example. I'm just questioning handing over sensitive data and giving up control to "an Internet service".

erch
  • 238
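
The encrypt-then-upload approach from the question, sketched with GnuPG (named in the last answer) as an added example that is not part of any post above. It assumes GnuPG 2.1 or later and GNU `sha256sum` on both ends; the function names, file names and passphrase file are hypothetical.

```shell
#!/bin/sh
# Added example: passphrase-based (symmetric) GnuPG encryption of a dataset
# before it is placed on a file-sharing service. All names are placeholders.

# Non-interactive gpg call; the passphrase is read from a file (assumption).
# Drop --batch/--pinentry-mode/--passphrase-file to be prompted instead.
gpg_batch() {
    passfile=$1; shift
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" "$@"
}

# Sender: encrypt_dataset <dir> <passfile> <out.tar.gz.gpg>
# Packs the directory, encrypts it with AES-256 and writes a SHA-256 file for
# the ciphertext so a damaged download is not mistaken for a wrong passphrase.
encrypt_dataset() (
    [ -d "$1" ] || exit 1
    tar -czf - -C "$(dirname "$1")" "$(basename "$1")" |
        gpg_batch "$2" --symmetric --cipher-algo AES256 --output "$3" || exit 1
    cd "$(dirname "$3")" &&
        sha256sum "$(basename "$3")" > "$(basename "$3").sha256"
)

# Recipient: decrypt_dataset <in.tar.gz.gpg> <passfile> <destdir>
# Checks the download against the checksum, then decrypts and unpacks it.
decrypt_dataset() (
    ( cd "$(dirname "$1")" &&
        sha256sum -c "$(basename "$1").sha256" >/dev/null ) || exit 1
    mkdir -p "$3" &&
        gpg_batch "$2" --output "$3/.payload.tar.gz" --decrypt "$1" &&
        tar -xzf "$3/.payload.tar.gz" -C "$3" &&
        rm -f "$3/.payload.tar.gz"
)
```

Only the `.gpg` file and its `.sha256` file go to the sharing service; the passphrase reaches each partner over a separate channel.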