How to determine and compare risk in methods for document exchange

Question

Lets say you are talking to a representative of a bank or government institution on the phone, and the representative requests that you send some documents, e.g. document A, B, and C. You ask if you can send the documents by e-mail (method 1), but is told it is not a secure enough method. Alternatively you can log on to the institution's web-site and upload the documents (method 2), or you can send them by physically by mail (method 3).

Is it possible to quantify the risk of these methods somehow? Why would method 1 be less secure than method 2 and 3, when the number and type of documents match what was agreed, and your name is stated on them? Who could possibly interfere the exchange that happens in method 1, compared to method 2 and 3?

Alternatively, why is method 1 considered not to be secure enough?

Answer 1

You don't specify, so I'm going to assume that you want confidentiality (no one but you and the recipient must see the contents of the documents) and integrity (the recipient should receive exactly the documents you sent without any modification).

Method 1: Email

Email is horribly insecure. Every mail server between the sender and the receiver necessarily gets a copy of everything in the email, and unless the email is signed with DKIM, each server could also modify it at will before sending it to the next.

Method 2: Website upload

Assuming the website uses TLS (i.e. it's an https url), uploaded file(s) will be encrypted between your computer and the website's server, so no one in between will be able to view or modify the contents (though they will be able to see that you sent something and they can tell how large it is).

Method 3: Physical mail

There are plenty of people that could interfere with your mail and view or modify the contents, but it comes with a risk of discovery and legal consequences.

Overview

A website upload is the easiest and safest option of the 3, as it is the only method that reliably prevents anyone but the recipient from viewing or modifying the contents.