Stuart Breckenridge

Privacy and Security

A few years ago I applied for a bank account and was asked to provide identity, address, and income proofs either via fax or email. This struck me as odd for two reasons:

  • individuals don’t tend to have fax machines; and,
  • sending (private) documents over email is not even close to secure.

In my situation using a fax machine was immediately excluded, so I enquired about the email option and highlighted my concerns about security. I was told that in order to protect my documents, I could compress them and then add a password to the compressed file. “And how would you like me to send the password to you?”, I asked. “By email”, I was told.

The person I was speaking to didn’t seem to realise the sheer stupidity of sending a password in cleartext or, as it turns out, the security shortcomings of password protected zip files. I didn’t press the matter further as I decided to drop the application.

I don’t think that it’s unreasonable to expect that, at a minimum, businesses should be using PGP or S/MIME for encryption, and providing clear instructions to their clients as to how it should be used. For bigger institutions (e.g. banks) that need documents from you, they should provide a secure, online portal for document upload.

Any business stating that they respect your privacy and then ask for your documents over an unencrypted channel should be viewed with suspicion. It’s nothing more than corner cutting.