I have approx 3Gb of data that my institution has obtained under an NDA. We are permitted to share it with a small number of partner institutions, but cannot make it publicly available. The users at some of the partner institutions may not be very technically savvy. I will not be able to spend any money to do this, and I am not able to set up new IT systems (so e.g. hosting an SFTP server is out). I am trying to figure out the best way to approach the problem.
An obvious option is to use a service such as Dropbox, and only send the download link to the appropriate people. In practical terms this is probably adequately secure, but in theoretical terms it isn't ideal, as Dropbox themselves can view the data.
I could encrypt it and upload the encrypted file to Dropbox or similar. However, I do not know of an encryption/decryption tool that is straightforward for a non-technical user on the receiving end. Suggestions for such a tool are welcome!
Another option, of course, would simply be to send a DVD to each partner in the post...
Is there a straightforward way of doing this that I haven't thought of?
Related, but not dupes:
- This question gives answers where confidentiality is not a consideration.
- This question gives answers that involve spending money or setting up new systems (and the most recent answer is from two years ago).
EDIT: For clarification, since some of the answers, while helpful, are heading into paranoid territory: The data in question is covered by NDA simply because the organisation who provided it charges for it, and would like to be able to sell it to other people. This is not an "evading-interception-by-the-government" level of secrecy (i.e. no need for plausible deniability, etc.), it's a "take reasonable steps to not violate the agreement" level. There is no personal data about anybody, so ethical and legal concerns about personal data do not apply.
I would watermark the files with recipients' names, then burn it to a CD and mail the CD. Optionally with all the data in one big encrypted archive (zip, rar, whatever). I can think of a lot more secure options, but for non-technical users those either will not work or they will get help and store the unencrypted data somewhere. – Hennes – 2013-12-03T15:08:32.267
Dropbox can only view the data when they are legally required to do so, i.e. a law enforcement agency acquires a warrant for the data - Dropbox need to be able to comply and retrieve the data. In your case, provided you're operating within your country's law, Dropbox cannot access your data as per their security statement: http://www.dropbox.com/security - you could, as suggested by @hennes, create a self-extracting archive (.zip/.rar etc.) with a long complex password (64 chars, mix of case, alpha-numeric + symbols) which you share via a letter or fax beforehand. – sgtbeano – 2013-12-03T15:16:30.363
"We are permitted to share it with a small number of partner institutions, but cannot make it publicly available." This is one major reason why you should treat any third-party hosting services with extreme caution in this regard (you signed the NDA, it's your job to ensure the data is not compromised in the distribution process). Why not just throw the data into a TrueCrypt vault, and distribute the vault to the other institutions via USB keys (or even optical media like DVDs)? – Breakthrough – 2013-12-03T15:16:35.313
That would be the most secure way. But I suspect that it fails the non-technical users part. – Hennes – 2013-12-03T15:19:23.423
@sgtbeano - You raise valid points. One could even upload a small TrueCrypt storage container to Dropbox, which would mean that, although Dropbox would have "access" to the file (provided they were forced to access it of course) they could not view the contents of the file. I would personally encrypt the contents of a physical disk anyways. <sarcastic>After all the USPS has access to the contents of any mail you send.</sarcastic> – Ramhound – 2013-12-03T15:21:14.700
@Breakthrough Because I'm not going to ask the people on the other end to deal with TrueCrypt. They're busy, and will not be interested in acquiring, installing and understanding new software. Otherwise, my first thought would have been TrueCrypt + Dropbox, as per ramhound's suggestion. – Flyto – 2013-12-03T15:23:07.000
@Flyto my point was more to avoid sending anything over the Internet, and TrueCrypt vaults were not meant for this purpose (I know you can make the containers dynamically expand to mitigate the size increase, but this will affect your plausible deniability). Certainly you can look into this sort of thing, but you're not going to find any satisfactory solution in this context outside of rolling your own (self-hosting it), or physically distributing the media yourself. Does your institution not have provisions for sharing sensitive information/data? – Breakthrough – 2013-12-03T15:50:06.813
@Breakthrough not as far as I know, sadly. Plausible deniability really isn't needed, though - this isn't "evade interception by governments", it's simply "take reasonable measures not to breach the NDA" ;-) – Flyto – 2013-12-03T16:42:06.953
encrypted zip file would be much easier – Keltari – 2013-12-03T16:49:23.907
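
The long archive password suggested in the comments (64 characters, mixed case, digits and symbols, sent by letter or fax) has to be retyped by hand by a non-technical recipient, so this added example, which is not part of the original thread, generates one without look-alike characters and prints it in blocks. The function names, the symbol set and the list of excluded characters are assumptions of the example.

```python
import math
import secrets
import string

# Characters easily confused when read off a letter or fax (assumption of this example).
AMBIGUOUS = set("O0oIl1|`'\"")
# Symbol set is an assumption; the comment in the thread only says "symbols".
SYMBOLS = "!#$%&*+-=?@^_"

CLASSES = {
    "lower": [c for c in string.ascii_lowercase if c not in AMBIGUOUS],
    "upper": [c for c in string.ascii_uppercase if c not in AMBIGUOUS],
    "digit": [c for c in string.digits if c not in AMBIGUOUS],
    "symbol": list(SYMBOLS),
}
ALPHABET = [c for chars in CLASSES.values() for c in chars]


def generate_password(length=64):
    """Return a random password that contains every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        # Draw uniformly with the OS CSPRNG; redraw until every class is present.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


def entropy_bits(length=64):
    """Upper bound on the entropy, in bits, of a uniform draw from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def for_transcription(password, group=8):
    """Split the password into blocks so it can be retyped from paper.

    The spaces are a reading aid only and are not part of the password.
    """
    return " ".join(password[i:i + group] for i in range(0, len(password), group))


if __name__ == "__main__":
    pw = generate_password()
    print(for_transcription(pw))
    print(f"about {entropy_bits():.0f} bits")
```

Tell the recipient in the letter that the spaces between blocks are not typed.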