GDPR and common sense


Every so often, I get a glimpse into the thought processes of someone who has a very different view of the world to me.

I don't deal with people's personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called "Pay and Bonuses 2020". The email contained this doozy of a sentence:

“Due to GDPR the attached file is password protected, I will send the password in a separate email”

I shit you not.

I checked the sender. They didn't work for my organisation, or any related organisation. We had exchanged emails before, so I suspect email autocomplete had got a bit confused and autofilled "Terence Eden" rather than "Tegan Jovanka" or something.

Two minutes after receiving the email - and before I'd had a chance to inform the sender of their mistake - I received another email.

The password is "03022020" - no quotes

Yup, today's date. Fiendishly difficult to crack...

What are you trying to prevent?

I'm trying to understand the thought process going on here. I think it's based on some faulty comparison to the regular post service. If someone randomly snatches an email, they are unlikely to also randomly get the password.

But that's not the threat we're facing here. If someone is listening to the network - they'll have both emails. If someone gets access to my inbox - they'll have both emails. If you've sent the email to the wrong person - they'll have both emails.

The only thing this prevents is someone accidentally forwarding a single email.

How to solve this?

Sending an encrypted document through email is fine.

But the password should be sent through an independent channel - preferably one you can authenticate.

In this case, here's the process I would recommend:

  1. Send the document via email
  2. Call the intended recipient
  3. Verify you're speaking to the right person
  4. Confirm that they have received the email
  5. Tell them the password

Hopefully they'll store it somewhere secure, rather than write it on a Post-It note.
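As an added illustration, not code from the original post, here is the kind of check a sending tool or an internal policy could apply before step 5, so that the password you read out over the phone is actually worth protecting. It rejects the date-shaped password from the email, bounds how few guesses such passwords leave an attacker, and draws a replacement from the operating system's random source. The sample date and password are constructed from the post; the list of date layouts and the 12-character minimum are assumptions of this example.

```python
import math
import secrets
import string
from datetime import date, datetime, timedelta
from typing import List, Optional

# Constructed sample, mirroring the post: the attachment was sent on 3 Feb 2020
# and the password was that day's date written as DDMMYYYY.
SENT_ON = date(2020, 2, 3)
EMAILED_PASSWORD = "03022020"

# Date layouts a guesser would try first. The list is an assumption of this
# example; extend it with whatever layouts are common in your locale.
DATE_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%y%m%d", "%d-%m-%Y", "%d/%m/%Y")

# Alphabet for generated passwords (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def looks_like_date(password: str, today: Optional[date] = None, years_back: int = 100) -> bool:
    """True if the password parses as a calendar date in one of DATE_FORMATS
    and falls within the last `years_back` years (or up to a year ahead)."""
    today = today or date.today()
    earliest = today - timedelta(days=366 * years_back)
    latest = today + timedelta(days=366)
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(password, fmt).date()
        except ValueError:
            continue  # not this layout; try the next one
        if earliest <= parsed <= latest:
            return True
    return False


def date_password_guesses(years_back: int = 100) -> int:
    """Upper bound on the guesses needed to try every date-shaped password:
    at most 366 days per year, for each year and each layout."""
    return 366 * years_back * len(DATE_FORMATS)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def vet_password(password: str, today: Optional[date] = None) -> List[str]:
    """Return the reasons a password is unsuitable (empty list if it passes).
    The 12-character floor is an assumed policy value."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.isdigit():
        problems.append("digits only")
    if looks_like_date(password, today=today):
        problems.append("is a calendar date")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw a password from the OS CSPRNG (secrets), not from anything guessable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(f"{EMAILED_PASSWORD!r}: {vet_password(EMAILED_PASSWORD, today=SENT_ON)}")
    print(f"at most {date_password_guesses():,} guesses cover every date password "
          f"of the last century (~{math.log2(date_password_guesses()):.1f} bits)")
    fresh = generate_password()
    print(f"generated {fresh!r}: {vet_password(fresh) or 'ok'} "
          f"({entropy_bits(len(ALPHABET), len(fresh)):.0f} bits)")
```

The point of the numbers: every date of the last hundred years in every listed layout is a few hundred thousand guesses, roughly 18 bits, which any offline password-recovery tool exhausts in moments, whereas a 20-character random string from this alphabet is about 119 bits. The strength of the channel you use for the password only matters once the password itself is not guessable.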

There are alternatives, of course.

  • Send a link and have someone sign in with the correct credentials.
  • Call the recipient and tell them how to access the document.
  • Text them the password.
  • I'm sure you can think of more.

But, please, whatever you do - think about the threats you are trying to defend against.



3 thoughts on “GDPR and common sense”

  1. said on beko.famkos.net:

    Heh, no idea what GDPR has to do with password protected attachments but this reminds me of a nifty customer that decided that NextCloud or KeePass files are way too complicated and simply dropped the required data in my HOME folder on the brand new server I was supposed to configure next day anyway. This I could access with my very own ssh key generated just for this purpose the day before. I had to admire the simplicity – and I needed that data on this server anyway 😀 Also auto-complete is a PITA on occasion. Looking at you, Firefox.

    1. says:

      Well, GDPR requires analysing and documenting flows of personal data. I can see how an organisation might choose to have a policy of password-protecting when data is transferred, so phrasing aside, it could sorta make sense.

      They still need to read Schneier on security of algorithms and processes, though.

