
To think email isn't a secure way to share your passport etc

61 replies

nuvverfing · 08/06/2022 13:34

I have a virtual job interview next week, and the employer has asked me to email them my passport in advance, as well as showing it at the interview. They have referenced this Government guidance for identity checks: www.gov.uk/guidance/coronavirus-covid-19-right-to-work-checks#updated-advice-for-employers-carrying-out-right-to-work-checks-during-coronavirus-covid-19-adjusted-measures

Surely email isn't a secure way to share personal identity docs? I'm surprised the Government is encouraging it. I will do it, as I haven't been offered an alternative, but it feels uncomfortable. Just me?

cakeorwine · 08/06/2022 23:07

Modern email is very secure - but there are even more secure ways of sharing files if you really want to be secure.

As far as I understand, your email is secure when being sent to people - but the message itself on the email server is not encrypted.

You can send password protected attachments or use things like Drop Box to share sensitive files.

PerkingFaintly · 08/06/2022 23:09

DropBox is great.

I get to read my BIL's financial documents because he forgot he added me to show me some photos....

PerkingFaintly · 08/06/2022 23:12

[I don't actually read them, because I'm not a nosy git. But I haven't fancied tackling the conversation about how he should take me off his account, because he can get quite nasty.]

TealAndTurquoise · 09/06/2022 00:51

@PerkingFaintly all the images were sent to my government email address and I deleted them once I forwarded them onto recruitment.

Stichintime · 09/06/2022 00:55

I had my documents verified at the post office for an agency who couldn't see the originals before a new job started. Worked fine.

eurochick · 09/06/2022 00:57

At all the law firms I have worked at it is normal for clients to send copies of passports for KYC purposes by email. Once received they are stored by our compliance team.

LondonQueen · 09/06/2022 00:57

Email is not (and never has been) a secure method of communication. This is basics of GDPR. At the very least it should be sent via an encrypted file and send the password in a separate email.

PerkingFaintly · 09/06/2022 01:13

Ah yes, law firms' email systems.

Not just all that lovely id data to steal, but actual money to divert. They're a popular target as the pickings are so rich.

'I lost £95,000 in a bank scam after my solicitor's email was hacked'
www.theguardian.com/money/2020/feb/29/bank-scam-solicitors-email-hacked
This type of scam is known as “authorised push payment” fraud and includes cases where email accounts – either those of individuals or the companies or tradespeople they have employed – are hacked in order to trick consumers into sending large sums to criminal accounts. Guardian Money has featured a number of these cases, and more than £1m a day is being lost to such scams.

saltinesandcoffeecups · 09/06/2022 03:14

Not to ask a silly question but if you are this worried about a company’s security around an emailed photo of your passport, won’t they have much more personal information about you if you work for them? It seems that the passport scan would be the least of your worries

cakeorwine · 09/06/2022 08:25

LondonQueen · 09/06/2022 00:57

Email is not (and never has been) a secure method of communication. This is basics of GDPR. At the very least it should be sent via an encrypted file and send the password in a separate email.

What do you think could happen when someone sends an email that makes it insecure?

Discovereads · 09/06/2022 08:29

cakeorwine · 09/06/2022 08:25

What do you think could happen when someone sends an email that makes it insecure?

Exactly, most free email accounts are automatically encrypted with TLS so the advice to put text in an encrypted file attachment is, well, completely redundant and unnecessary.

The only security risk is at rest…so once the email is received, the data should be stored in a secure database or deleted. This is required by GDPR for things like identity documents and proof of address. So don’t think any reputable business is going to not take steps to secure the data or to delete it after validating it.

Alexandra2001 · 09/06/2022 08:36

Why are you bothered?

You are sending a photocopy of a passport to an organisation you may never actually work for, who could do anything with your copy, regardless of the method used to send it to them.

You know nothing of how secure their servers are, who will have access, how they will delete info you send them, if they even do so.

Good luck with the interview.

cakeorwine · 09/06/2022 08:45

Exactly, most free email accounts are automatically encrypted with TLS so the advice to put text in an encrypted file attachment is, well, completely redundant and unnecessary

As far as I am aware - the text in an email would be automatically encrypted but an attachment in such an email wouldn't be - but I am not entirely sure about that.

So if you were to send bank details in an email, it would be encrypted in transit - but at rest, it would not be encrypted in the server. Some email providers could read it if they wanted to.

Something like Proton Mail automatically encrypts email at rest.

If I was sending a sensitive attachment, I would not just send it as an attachment - but then again, people send in CVs all the time - which probably contains lots of sensitive information

PerkingFaintly · 09/06/2022 12:31

So don’t think any reputable business is going to not take steps to secure the data or to delete it after validating it.

Reputable businesses fail to delete or secure data all.the.time.

It's just something people and organisations are crap at.

Even when they've made a token gesture towards it, they frequently haven't deleted or secured all copies, which multiply unintentionally especially as emails get pinged hither and yon still carrying the attachment.

I've just had this with a hospital clinic which I hesitantly entrusted with an emailed medical form. I was replied to by a different person with my medical form still attached – dreadful practice. So that form is now in my sent box, my inbox, and at least two people in the clinic's email boxes, and possibly devices they're reading emails on if sometimes they do admin from home. I can trawl through manually finding and deleting it in my boxes... but not theirs.

And that's if they're even aware of GDPR requirements in the first place.

The number of times I've had to explain to my local council that they do not need my date of birth... They might want it, because they're all about Big Data and what uses they might come up with for data they've previously collected and combined across multiple databases... but THAT IN ITSELF is a breach of data protection legislation, which states that subjects must give informed consent for each purpose for which their data is processed, and that you can't just collect personal data speculatively in case it comes in handy later. I've had the call operators wail "But there's a space on my form for DoB!"

Yeah, no.

I was particularly annoyed by the council because mostly it's been an entirely unjustified collection of data – outright breach of GDPR – but on the one occasion my age had any relevance at all they could have proportionately met their aim by the trad method of asking my age group, 21-25, 26-30, etc. Not asking for my exact birthday which my bank uses as part of my security id. [Angry]

Honestly, the argument "It's important, so they can't possibly be doing it wrong," does not hold any water whatsoever.

saltinesandcoffeecups · 09/06/2022 13:08

PerkingFaintly · 09/06/2022 12:31

So don’t think any reputable business is going to not take steps to secure the data or to delete it after validating it.

Reputable businesses fail to delete or secure data all.the.time.

It's just something people and organisations are crap at.

Even when they've made a token gesture towards it, they frequently haven't deleted or secured all copies, which multiply unintentionally especially as emails get pinged hither and yon still carrying the attachment.

I've just had this with a hospital clinic which I hesitantly entrusted with an emailed medical form. I was replied to by a different person with my medical form still attached – dreadful practice. So that form is now in my sent box, my inbox, and at least two people in the clinic's email boxes, and possibly devices they're reading emails on if sometimes they do admin from home. I can trawl through manually finding and deleting it in my boxes... but not theirs.

And that's if they're even aware of GDPR requirements in the first place.

The number of times I've had to explain to my local council that they do not need my date of birth... They might want it, because they're all about Big Data and what uses they might come up with for data they've previously collected and combined across multiple databases... but THAT IN ITSELF is a breach of data protection legislation, which states that subjects must give informed consent for each purpose for which their data is processed, and that you can't just collect personal data speculatively in case it comes in handy later. I've had the call operators wail "But there's a space on my form for DoB!"

Yeah, no.

I was particularly annoyed by the council because mostly it's been an entirely unjustified collection of data – outright breach of GDPR – but on the one occasion my age had any relevance at all they could have proportionately met their aim by the trad method of asking my age group, 21-25, 26-30, etc. Not asking for my exact birthday which my bank uses as part of my security id. [Angry]

Honestly, the argument "It's important, so they can't possibly be doing it wrong," does not hold any water whatsoever.

Again, though…this is a company who the OP presumably wants to work for and if all goes according to plan will have access to much more personal data, including bank details, medical information, performance information, etc. Not a random entity that she is doing a piece of business with. If she doesn’t trust them to safeguard their passport data then what about everything else after she's hired?

This all really makes no sense. Either this is a dealbreaker for the OP or she trusts them if they hire her.

PerkingFaintly · 09/06/2022 14:33

It's not a Yes/No situation when poor data security is so rampant. As with any widespread problem, you can't just avoid it by going next door – because they're probably just as bad.

Everyone has their own red lines which will cause them to actually walk, but for the most part it's a case of constant management and pushing back where one can, and can be bothered.

Emailing unsecured passport pics about the place is usually an unnecessary risk.

I've mitigated it by sending paper copies (which don't get duplicated left right and centre and can only be accessed by someone physically present). Others have suggested encrypted, password-protected documents which, even at rest, need the password (sent by a separate means, eg phone) to open.

TheTeenageYears · 09/06/2022 14:49

Have you tried to use a copy of a passport as ID? I've never come across an officialdom that doesn't need to see the actual passport or a certified physical copy.

PerkingFaintly · 09/06/2022 14:54

It's the data on the passport page that's the problem – inc date of birth and photo. Passport number used to matter as well, as it was used by eg Western Union money transfer service over the phone without having seen even a copy of the passport, but I think that's changed now.

Of course if you've given your correct date of birth to Facebook and uploaded photos of every moment of your life, it's pointless to worry about your passport. But some of us haven't.

EmmaH2022 · 14/06/2022 22:16

I had this on watch to see if there was an answer

I was asked to send a copy of my passport by WhatsApp. I presume that's no better? I'm so confused by all this.

BalloonsAndWhistles · 14/06/2022 22:23

How isn’t it secure?!! If you’re not 100% sure you’ve got the right email address then send a ‘test’ email first and wait for a response and then send the passport pic to the email thread. All good.

EmmaH2022 · 15/06/2022 10:19

I'm not the OP but I see her point.

In the past, when I've taken a copy of a passport, the copy went in a locked drawer which only two of us could access.

When you email a copy, it can be intercepted by anyone, as well as forwarded by anyone.

I wasn't happy with the client WhatsApp request, so went to their office. I didn't make a big deal, just said I was coming by. I don't know what's reasonably secure and what isn't.

Everything we were told not to do, we're suddenly being asked to do. Do others still shred documents with name and address on?

PerkingFaintly · 15/06/2022 11:14

BalloonsAndWhistles · 14/06/2022 22:23

How isn’t it secure?!! If you’re not 100% sure you’ve got the right email address then send a ‘test’ email first and wait for a response and then send the passport pic to the email thread. All good.

<headdesk>

So how do you think that email exchange with the email hacker will go?

Because the woman in the article linked above received email confirmation... from the fraudster:

When she received an email purporting to be from her solicitor asking for a transfer of funds, she sent the first instalment – £50,000 – and then emailed a member of staff at the firm’s office to check the money had been received. She received a reply confirming receipt, and the following day, as requested, she paid the balance of £45,750. This was deposited into another Lloyds account after she was told the bank details had been revised because of an ongoing audit.

Flood, who works in a Stockport secondary school, says her heart sank when her bank (not Lloyds) later rang to say that Lloyds had noticed a discrepancy in the payee name. “I phoned my solicitor immediately, only to have them confirm their system had been hacked. The first email asking for the funds transfer looked very authentic. When I received a second email in response to mine, confirming receipt of the first transfer from my solicitor, I felt reassured and made a further payment.
www.theguardian.com/money/2020/feb/29/bank-scam-solicitors-email-hacked

PerkingFaintly · 15/06/2022 11:16

Always PHONE the company you're dealing with to double-check the info before moving large amounts of money or sensitive data around.

And use the phone number from the company website/paper correspondence, not a phone number from the email!

EmmaH2022 · 15/06/2022 11:18

PerkingFaintly · 15/06/2022 11:16

Always PHONE the company you're dealing with to double-check the info before moving large amounts of money or sensitive data around.

And use the phone number from the company website/paper correspondence, not a phone number from the email!

Perking what are your thoughts on sending passport scans etc via email or WhatsApp, please?

FarFarFarAndAway · 15/06/2022 11:21

Given the passport office send out passports by mail in very obviously passport shaped sizes, and ask you to send precious docs (including former and current passports from other countries) by post, the whole system is entirely hackable at all points! My docs were lost by the post office, even when tracked/signed for and no-one knows where they went!
