Sharing Secret Files More Safely: Some Questions to Ask Yourself

How can you share files safely? Whether you're sharing through a secret URL, or consumer online services, there are privacy and security issues to consider.

15 July 2014


In the old days, things seemed much simpler. If someone needed a file from you, you could simply email it to them as an attachment.

Sure, that wasn't necessarily the safest thing in the world to do (especially if you weren't using encrypted email) but it was a rapid way of sharing a file, and the chances that the file would fall into the wrong hands were relatively small.

After all, there wasn't that much account hacking going on.

But Today, Things are Different

For one, people often don't like receiving large files via email. Have you noticed that it doesn't matter how many gigabytes (or even terabytes!) of hard drive storage your new PC has, and it doesn't seem to take any time at all until it's filling up and bursting at the seams?

The problem isn't just application bloat, and software products like Adobe Photoshop and Microsoft Office filling up your hard disk with rarely used features and security updates, but also a change in the data we use on a daily basis.

It's not at all unusual these days for home computers to be chock-a-block with high definition movies, thousands of music tracks, and albums of megapixel photographs, all eating into your storage allowance. And that's before you consider all the PowerPoint presentations, Word documents, spreadsheets and databases that your work has compelled you to take home with you.

If you send a large file to someone via email, there is not only the danger that it will be bounced back by their server complaining that the attachment is too large, but you're also risking the wrath of the recipient, who will be less than impressed if his or her computer gets tied up slowly downloading your 75MB attachment alongside regular email.

The Doctor Who Leak

An obvious "solution" to this, of course, is to not send the file as an email attachment, but to share a URL instead — but this can backfire.

That seems to be what happened recently to the British Broadcasting Corporation (BBC), whose Latin American headquarters in Miami were tasked with creating Spanish-language subtitles for the upcoming TV series of "Doctor Who".

Unfortunately, the web server directory that it placed the scripts wasn't as private as it imagined — and before the BBC knew it, frenzied fans were able to learn all about upcoming episodes featuring the new Doctor, Peter Capaldi.

Doctor Who Leak


Regardless of whether your company is using a secret URL on its website, or one of the well-known online services that give you a few gigabytes of free web space, it doesn't necessarily improve things that much more when it comes to the issues of privacy and security.

Key Questions to Ask

Here are some of the questions you should be asking yourself:

  1. Does the file contain private information, perhaps about you or a company, that you wouldn't like to see become public?
  2. Maybe you can trust the recipients not to publish the data, but can you be sure that they're following security best practices and properly defending their own computers and accounts?
  3. Can you trust the recipients to securely erase the file from their computers after they have accessed the information, to prevent it from falling into the wrong hands? Or is there a way for you to easily and electronically unshare it?
  4. And what confidence can you have that your email communications — with its secret URL to the content being shared — isn't being intercepted en route by someone interested in snooping on your conversations?
  5. Has the file sharing site been built with enterprise security in mind, with a dedicated team devoted to hardening accounts from the threat of hackers, and enforcing authentication of users to check that they are truly authorised to access the content?
  6. Is encryption built into the system? Is there a way for the cloud storage service to read your files, or share their contents with the authorities? Or is it up to the user to remember never to upload content without encrypting it first?

The issue with some file sync and sharing sites is that they were clearly designed with outdated consumer requirements in mind. Home users inevitably have conflicting priorities from organisations when it comes to a service, and security and privacy may come some way down the list. The danger is that millions of users may not realize the data they store on those consumer file sharing sites could be accessible to people other than initially intended.

Recent research found that an alarming 38 percent of workers trusted consumer apps like Dropbox to share company files marked "Confidential." That's despite such apps having had a sullied history when it comes to privacy and security, with vulnerabilities such as the leaking of what should have been private links, the exposure of mortgage details and tax returns or inserting bugs that meant every single file was left accessible without any requirement for a password.

However you decide to share your work files, internally and with external partners, make sure that you have considered the security and privacy implications.

Otherwise, if there is a data leak, it could be your organisation making the headlines for all the wrong reasons.

Graham Cluley

Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.

Stay IN the know

Sign up for our newsletter for must-read market analysis and thought leadership, delivered right to your inbox.