Discussion:Unsecured emails banned?

From TaxAlmanac, A Free Online Resource for Tax Professionals


PDXTaxman (talk|edits) said:

17 September 2013
Taking some CPE, and the topic of Circular 230 regulations came up. I read that thing at least once a year, albeit not with an eagle eye, so I was shocked when the (excellent) instructor said, "For a couple of years, now, it's been a violation of Circular 230 rules to send client documents by email." Actually, she never suggested that there IS a way to do it at all legally, but I would guess having a good encryption system would make it acceptable. In other threads here, folks have mentioned Secure Portals -- but even then, you still have the problem of sending unencrypted documents from your computer to the portal's host, no? Or is there something cleverly secure for that part of the trip, too?

Anyhow, I'm curious if anyone else is aware of (relatively) new and tough restrictions on sending non-public info via email or email attachments. How are you dealing with it? Also, can anyone recommend any easy-to-use, not-too-expensive encryption software (or Portals, if they're an answer)?

Norman-tx (talk|edits) said:

17 September 2013
I use www.truecrypt.com. It's free and has a very good interface. Also, don't ever forget your password.

PollyAdler (talk|edits) said:

17 September 2013
"but I would guess having a good encryption system would make it acceptable."

You're kidding us, right?

I used a system called tru-bull*chit.net, until I found out that encryption was not worth a plug nickel. What I mean is the kind us ordinary people can buy or tinker with.

I appreciate the information and trying to keep us up to date, but we are not in the Boy Scout phase in here. We don't carry pen knives. We cover the waterfront.

All professionals need to be reading schneier.com once a week, and on weekends catch up on the archives.

Gazoo (talk|edits) said:

17 September 2013
"Also, don't ever forget your password."

If you don't have a password you can't forget, you don't have a good password. You want a password that is so hard to remember that you will forget it under the pressure of torture.

All passwords should be at least 15 characters long, and changed every three days. And NO you cannot use the birthdays of your grandchildren, pets' names, the names of pre-steroid era baseball stars, or quotes from the Good Book.

On Mars, my name is 37 letters long, and that's just my first name. As a citizen of Mars, I grew up in the computer era (we've had them since 10,000BC). My teacher did let me just use the first 5 letters of my first name on standardized tests because there weren't no spaces to put all 37 letters.

PDXTaxman (talk|edits) said:

19 September 2013
Norman: thank you, that's a useful tip, and much appreciated.

Gazoo: looking past the humor, I'm still not entirely sure what you're saying here -- you've got a triple negative going ("if you don't, you can't, you don't ..."). Translating it into English, I think I get, "If you have a password you can forget, you have a good password." Okay, but if I adopt passwords that are so convoluted I could never remember them, how could I actually use them? How would I get access to ANYTHING when I need to? Or is that the point of your humor: a password that will actually provide meaningful protection is ALSO a password you yourself can never use?

Polly: I do thank you for the link to the Schneier blog, that's actually useful (I'd read some of his pieces before, and like him a lot, but was unaware of his blog and its many resources). But the rest of your posting alternates between obscure and marginally rude. I wasn't trying to "update" anyone; rather, I posted a straightforward request for information and dialog. Like virtually everyone in the field, we already have some level of security here (e.g., PDFs, QB, and Excel files are encrypted before being emailed as attachments, etc.), but my impression is that we've not been doing nearly enough. The actual email messages almost never have privileged information themselves, but that doesn't mean they couldn't be used to ill end if they were hijacked and their "basic" levels of security proved inadequate, as I now think they are. And the encryption on the attachments is what's provided by software itself (e.g., Adobe Acrobat with our own on-the-fly password for each client), which may be fine or completely lacking.

And if what you say is true -- that encryption we mere mortals can afford and manage is pretty worthless -- then what IS our choice? We have clients across the country and overseas also, and almost all of them demand we use email for everything. Even locally, we have clients who would surely go elsewhere if we stopped offering email transmittal of tax returns, 8879s, 8821s, and QB files.

In my research these past few days, I happened across one program, "Voltage SecureMail Cloud," used by such firms as Wells Fargo Bank and Columbia Sportswear, that might be a good choice (at $99 per user per year). If the manufacturer's claims are true, it's easy to implement and provides end-to-end protection for emails and their attachments. But it's surely not the only choice, and maybe not the best. I posted hoping that we'd get a goodly number of participants contributing their own experiences and the IT solutions that have worked for them. Maybe someone has experience with Voltage, good or bad, and with other tools including secure portals. I still hope we'll get some input here from many others who read this forum.

PollyAdler (talk|edits) said:

19 September 2013
I'm just a bookkeeper and I didn't have the advantages of the country clubs, the silver spoons and the mind-altering business school educations that most of you had. I may be ruff, but I'm ready. My sugar may be unrefined, but my taste is sweeter than honeysuckle. Gazoo, on the other hand, is certified crazy and can't be helped.

[Edit: Last sentence removed by Board Monitor. Too "ruff".]

Taxalmancer (talk|edits) said:

September 19, 2013
I'm curious as well.

I use TrueCrypt to secure documents or data on my hard drive. I use a secure portal to exchange documents with a client. I never email a return or document even with a password.

I don't know a thing about how information is "secured" but what's the point of having a secure portal if you need additional security on the trip between your computer and the secure portal itself.

It seems very hard to believe that use of a secure portal could be in violation of Circular 230.

PollyAdler (talk|edits) said:

19 September 2013
Look, they have one person in the country enforcing this particular new interpretation of Sec. 230 (subpart so and so), and he gets 60 days of vacation a year. So there is very little chance of you getting caught Taxalmanacer.

The problem you run into is that you may have a totally innocent client who walks in, let's say a nun, and the NSA sweeps up her tax information and it gets blended in with someone else's and she ends up getting framed for espionage or something. Things like this just don't happen in the movies, they happen in the real world too.

So the extra security is to protect the innocent. The good news is that there is nothing on the market to solve the problem anyway, so even if you are cited by the Service the judge has no choice but to let you go scot free.

Spiral (talk|edits) said:

20 September 2013
As a practitioner myself and an IT consultant I hope I can add to the discussion here.
I will have to review Circular 230 again as it pertains to this...

Agreed, Bruce Schneier is a great resource.

First, as has been mentioned, Truecrypt is a great solution for USB drives or a portable device like a laptop, but not very convenient for email. Truecrypt is fairly bulletproof thus far, as long as a good pass-phrase is used. Email contains some inherent security problems with the transport protocol it uses.

When email is sent, the SMTP (Simple Mail Transfer Protocol) protocol bounces the mail to other SMTP servers until it finally reaches its destination. Every server along the way could save a copy of the email traffic if inclined to do so. Even an SSL connection to “your” SMTP server will be bounced as a plain text connection at some point in the chain usually. The best option for securing email is to use authenticated email and protect the payload, i.e. the confidential info. Using a “good” encryption algorithm and implementation will make it exceedingly difficult for a would-be data thief to use any of the information they may have intercepted. Because of the nature of the insecure transfer they can use off-line methods such as brute forcing (http://en.wikipedia.org/wiki/Brute-force_attack), which is trying every possible combination until they get the correct one.

The most common and easiest method for encrypting attachments (payload), usually a pdf, is with the built-in password encryption within the pdf specification. The earlier pdf encryption specifications have issues with brute force attacks, as you can test it yourself by googling “pdf encryption hack” and do a little reading and brute force a few of your own encrypted pdfs. Lately, the choice for pdf encryption options is AES 256 with a good password. Although, even this method is claimed to have weaknesses. Also, as Adobe strengthens their pdf encryption implementations in later versions, it breaks backward compatibility. So clients with older versions of Adobe Reader will not be able to open the documents. The reason using password encrypted pdf is so common is because it is the simplest to use for the sender and the receiver.

The next more secure, but less simple option could be to use a different application to encrypt the payload, such as 7-zip. 7-zip's 7z archive has native AES 256 encryption which could be used. Other file encryption software such as AES Crypt, AxCrypt, PGP, or even TrueCrypt could be used. The issue with these is that the receiver must also install an application similar to the one used to encrypt in order to decrypt.

After this, the next more secure method is to provide authentication and encryption with an application like PGP or GPG. See (http://en.wikipedia.org/wiki/Pretty_Good_Privacy) for details. The problem with this method is that, while very secure, it requires sender and receiver to exchange keys, and install software. Going along these lines you could also set up a VPN between all clients and transfer information securely, but this is not practical either.

Ideally, I guess what you really want is a point-to-point transport encryption, with the payload encrypted as well. Like when you log into your bank, therefore you see where portals have a place. With a portal, you have a web server with an SSL connection, which stores files, which also should be encrypted while at rest waiting to be picked up by the receiver. While this does seem to solve the original security problem, it introduces another. The problem introduced is reliance on a third party secure portal provider, if firms do not have the resources to set this up and maintain it in-house. There are many providers of this kind of service, but choose wisely as they are not all created equal. I do not have any real recommendation on this yet, as I am evaluating building my own first, then assess if a provider can do it better and cheaper than I can.

With trying to stay impenetrable of NSA spying, good luck...
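The hop-by-hop relaying Spiral describes above can be checked on a message you have received: each relay records in a `Received` header how it accepted the mail. This is an added example, not part of the original post; the sample message and host names are constructed, and `Received` headers are self-reported by each server, so treat the result as an indication rather than proof.

```python
import email
import re
from dataclasses import dataclass

# "with" protocol keywords registered by RFC 3848. A trailing S means the
# receiving server accepted the message over TLS (STARTTLS).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAINTEXT_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample message: the sender's own server was reached over TLS,
# but the middle relay accepted the message in plain text.
SAMPLE_MESSAGE = """\
Received: from relay.backbone.example (relay.backbone.example [198.51.100.7])
    by mx.client-isp.example with ESMTPS id c3 for <client@client-isp.example>;
    Tue, 24 Sep 2013 10:00:04 -0700
Received: from smtp.cpa-firm.example (smtp.cpa-firm.example [192.0.2.25])
    by relay.backbone.example with ESMTP id b2;
    Tue, 24 Sep 2013 10:00:02 -0700
Received: from office-pc (unknown [192.0.2.44])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    by smtp.cpa-firm.example (Postfix) with ESMTPSA id a1;
    Tue, 24 Sep 2013 10:00:01 -0700
From: preparer@cpa-firm.example
To: client@client-isp.example
Subject: Your documents

See attachment.
"""


@dataclass
class Hop:
    sent_from: str   # host that handed the message over
    received_by: str  # host that wrote this Received header
    protocol: str    # value of the "with" clause, upper-cased
    transport: str   # "tls", "plaintext" or "unknown"


def strip_comments(text):
    """Remove parenthesised comments, including nested ones.

    Comments can contain the word "with" (e.g. "with cipher ..."), which
    would otherwise be mistaken for the protocol clause.
    """
    previous = None
    while previous != text:
        previous = text
        text = re.sub(r"\([^()]*\)", " ", text)
    return text


def parse_received(header_value):
    """Turn one Received header into a Hop."""
    text = " ".join(str(header_value).split())       # unfold continuation lines
    text = strip_comments(text).rsplit(";", 1)[0]    # drop the trailing date

    def clause(keyword):
        match = re.search(r"(?:^|\s)%s\s+(\S+)" % keyword, text, re.IGNORECASE)
        return match.group(1) if match else ""

    protocol = clause("with").upper()
    if protocol in TLS_PROTOCOLS:
        transport = "tls"
    elif protocol in PLAINTEXT_PROTOCOLS:
        transport = "plaintext"
    else:
        transport = "unknown"   # missing or non-standard keyword
    return Hop(clause("from"), clause("by"), protocol, transport)


def audit_hops(raw_message):
    """Return the hops in the order the message travelled.

    Servers prepend their header, so the list is reversed to read
    sender-first.
    """
    message = email.message_from_string(raw_message)
    headers = message.get_all("Received") or []
    return [parse_received(value) for value in reversed(headers)]


def unprotected_hops(hops):
    """Hops where TLS was not recorded: the payload must protect itself there."""
    return [hop for hop in hops if hop.transport != "tls"]


if __name__ == "__main__":
    for number, hop in enumerate(audit_hops(SAMPLE_MESSAGE), start=1):
        print(f"{number}. {hop.sent_from} -> {hop.received_by}: "
              f"{hop.protocol or '?'} ({hop.transport})")
```
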

PollyAdler (talk|edits) said:

20 September 2013
Excellent. Thanks for taking the time to write this.

WilsonCA (talk|edits) said:

21 September 2013
I have to admit, it strikes me that client portals that are specialized/marketed for CPAs are like a treasure trove of information just waiting to be hacked into. I'd be more comfortable using a generic file-sharing system (one that of course maintains encryption of documents stored on its servers), even something as basic/ubiquitous as Dropbox or Google Drive; my reasoning being that if someone hacks into Dropbox/Drive or in some other way defeats their encryption system, the sheer volume of information stored there is going to make it highly unlikely that anything sensitive gets stolen. Needle in an enormous haystack.

After sharing a file with a client, there's software out there that will sort through your Dropbox/Drive folder, pick out anything more than 7 or 14 or however many days old, and then delete it, ensuring (or at least increasing the likelihood) that sensitive information isn't sitting around on the servers for a long long time.

(Of course, there's still the issue of uploading/downloading the decrypted files. There's software out there that will maintain encryption throughout those steps, so that decryption only happens on the local computer, but clients generally don't have that software installed!)

Clients want easy electronic access to their returns. I think online portals or file-sharing systems are the easiest way to provide this, or at least the best balance between safety and convenience. I'm just inclined to think that CPA-specialized portals aren't the safest option...

WilsonCA (talk|edits) said:

21 September 2013
Deleted by author.

WilsonCA (talk|edits) said:

21 September 2013
Hah! I take it all back. I've been doing some more research into Dropbox, and I have questions about the security of sending links or sharing files with clients. I think they've made the choice to err on the side of ease rather than security; I'm sure they have their reasons, but it's obviously the wrong direction if you're looking for a more secure system.

CrowJD (talk|edits) said:

22 September 2013
I completely understand Wilson's two posts. I have often found myself driving down Technology 1 Avenue, then I realize I need to switch over to Digital Drive, and then I end up driving in endless circles at Technology 2 Circle, only to end up finally breaking out of the loop and motoring over to the main thoroughfare: Frustration Boulevard....then I stay on Frustration for a long looong time before deciding to make myself (by sheer act of will) plunge down another side road (read: another dead end street).

PDXTaxman (talk|edits) said:

23 September 2013
Now THIS is what I was talking about! These are excellent posts, folks.

Spiral, I really appreciate the time you took and info you provided. I feel a little better about my ignorance and frustration now, and at the same time it appears I'm on the right path. I'll keep researching, with your comments in mind as I go along. We've been using an Adobe knockoff at work -- can't recall the firm's name, but the software produces perfectly useable PDFs. And it includes an encryption feature. I'm going to do some checking to see if it's really any good, but I have confidence that Adobe is probably pretty cutting-edge in what they offer so may switch to them on that basis alone. (On the other hand, they're big, hence a juicy target for crooks trying to develop hacking exploits).

WilsonCA, we've been using Dropbox, which appeared reasonably secure, but with a little research has come big questions which apparently parallels your journey of discovery too. We're actively investigating affordable alternatives. Yeah, a portal that is ONLY for accountants and tax preparers ought to be a very attractive target for the bad guys, just as the IRS itself is.

CrowJD: yep, that about rounds it up. Someone claimed a long time ago that all this computer stuff and The Internet would make our lives ever so much easier. Ha!

Completely off-topic: Polly, I got your private note, and appreciated it a lot. I wrote a nice reply and posted it to your page. I neglected to provide a Topic Title. My bad. But when I double-checked, my note appeared to simply append itself to the last previous note from another visitor here. Now I'm afraid to even try to fix it, lest I make it even worse. I don't understand why it lumped my message in with someone else's. I never hit "edit" or any such thing, but obviously did something stupid. All I can conclude is that the software here is Amazing and Mysterious.

Spiral (talk|edits) said:

24 September 2013
I would use https://spideroak.com/ before I was to consider DropBox for many reasons, but the most important one is security.

WilsonCA (talk|edits) said:

24 September 2013
FWIW, I spoke briefly to someone at the Oregon Board of Accountancy today; in response to my question about security of electronic document transfers, she said that the only thing the Board rules specify is that "client files must be confidential, and that confidentiality must be protected". She followed by saying that it was up to us (as preparers/accountants) to determine how to comply with that rule.

Given the recent Snowden/NSA revelations, one should assume that nothing transmitted online is ever confidential, right? :)

Gazoo (talk|edits) said:

24 September 2013
That is correct.

Gazoo (talk|edits) said:

24 September 2013
That is correct.

Gazoo (talk|edits) said:

24 September 2013
That is correct.

Sorry, my initial post must have got caught up in a NSA sweep and it went into a loop.

What I tried to say was "that is essentially correct". The only kinda hope is encryption, but there are NSA pressured "intentional mistakes" in commercial encryption software, or backdoors into the encryption system of most commercial software.

If you buy foreign encryption software, it will have its own government backdoor. Even the Swiss people are starting to store their money in large (huge) pocket watches now instead of the famous "private" Swiss bank accounts. It looks like a huge pocket watch but it's really a bank vault you can fold up your money real tiny and cram it in. Nothing is private. If it has ever even touched the net, it is compromised.

PDXTaxman (talk|edits) said:

2 October 2013
Hi folks, thanks for the feedback. I was speaking with an acquaintance who works at Norton Symantec and learned a little bit (this at a small party, we didn't talk long, but still he was helpful). Portals like Dropbox and others use SSL Sockets, the same as the banks when you do your online banking (and many retail sites as well, for online credit payments). Old hat stuff for people in the IT field, but vaguely mysterious to me. Apparently very secure, so my worry about the security of documents as they travel from my computer to the portal, and from the portal to the client, was misplaced.

This doesn't mean portals can't be compromised, especially if you use weak passwords, but it does mean that by using them we're exercising reasonable due diligence vis-a-vis security. (That, and having lots of professional liability insurance).

We're still looking at Voltage -- which allows you to send secure emails to anyone, no portal involved -- which seems excellent overall and not very expensive. I'd love to hear from anyone who has personal experience using it, but I've been unable to find a single bad word about it in reviews and the like. It's not clear to me yet what obstacles (if any) it imposes on the recipients of the emails.

Finally, if the NSA wants my clients' tax returns, they can have them so long as they don't ask my permission. I'm more worried about Russian and Chinese hackers.

An interesting side note: a client had thousands of photos on her computer, going back 25 years. She backed everything up with Carbonite, which I've seen and considered getting for my own use. She also dropped all her photos into Dropbox (a paid account due to memory requirements). Recent crash wiped out her hard drive AND Carbonite turned out to be loaded with corrupted files. So no restoring anything from there. But everything was saved because of Dropbox; she gives it an enthusiastic endorsement.

WilsonCA (talk|edits) said:

2 October 2013
[I think one of the security problems with Dropbox is that if you send a link to a client (either to share a file or a folder), then anyone who has that link can access the file/folder. Hopefully, there's SSL/encryption of the email message from end to end, but anyone who steals the link along the way (using whatever method) has access to the file/folder. No password necessary. That stealing process can happen anywhere in the chain: malware on your own computer (or malicious browser add-ons, for example), malware on the recipient's computer, etc.]

Norman-tx (talk|edits) said:

2 October 2013
Another security issue might be with dropbox company opening up your docs to have a look if they are not encrypted.

http://www.pcworld.com/article/2048680/dropbox-takes-a-peek-at-files.html

PollyAdler (talk|edits) said:

3 October 2013
No surprise there if it's true. The Gubment makes them do it.

I saw a great saying today. It's said to be an old internet adage: "If it's free, you are not the client, you are the product."

I traced it down. I think the original "adage" was: "If you get something for free on the internet, you are not the customer, you are the product."

Nowadays, even if you pay to be somewhere on the internet, or pay for services or goods, you are still the product. You are the thing they really want to package and sell.

We have allowed ourselves to be drawn into a huge corral, and now we are just waiting for the trucks to haul us to the slaughterhouse.

WilsonCA (talk|edits) said:

3 October 2013
One thing I've been trying to wrap my head around:

Strictly from a "meeting professional obligations" point of view (as opposed to going further, say, in the interest of providing a higher-quality service to your clients)... if the Board of Accountancy in Oregon requires only that the "confidentiality" of client files "be protected", are you meeting that requirement if it requires a criminal act (by a third party) to obtain those files? In which case, even an unencrypted email attachment would be "confidential" and "protected", in the sense that someone would have to illegally hack your email account (or illegally intercept the communication) to read the attachment.

If someone breaks into your house (your email account) and steals your TV (your name/SSN combo), and does it relatively easily because you have only one lock on the door (your email account password), it's still a crime. Are you negligent in protecting your household belongings if you have just the one lock on the door? Are you negligent in protecting the confidentiality of client files if there's only one password blocking access to them?

H.D. Freifunk (talk|edits) said:

3 October 2013
My understanding is no Email is considered confidential 180 days after it's sent vis a vis the government.

Now, the truth is the government is probably not looking at anyone here or at their clients (of course you never know lol), so there's your Email protection regarding the government.

However, when I first read about this, I was not that sure that it was just the government that the article was talking about. I remember being a little confused over the wording of the article. I can't remember what site I read about this, I've read so many over the past two months.

Keep in mind, a lot of this type of thing is covered by the stuff you don't read when you sign up for internet service or when you sign up for an Email account. For instance, I have a gmail account. I don't assume that I have any privacy on that account whatsoever...and I think it's completely legal for them to look at it, and it's buried in that stuff I didn't read when I clicked "I accept".

The only thing I suggest is to try to check the law at sites like EFF, or take a look at the agreement with your Email provider(s). My rule of thumb is that if I'm confused, then I assume the worst. However, regarding Wilson's particular question, if it ever came before a board or a judge, I think they/he would hold that you did all you reasonably could do considering that the law seems spread all over the place here, and some of the law and rulings we are not even told about. So how much time would a governing body expect a small businessman to spend trying to figure all this out? And the real truth is, they don't want us to know just how exposed we are.

You folks may have more advanced systems than I do. And I am in the process right now of preparing to change the way I do computering in general.

Norman-tx (talk|edits) said:

3 October 2013
It looks like Proseries 2013 will be addressing the security issue, to some extent. I couldn't find out any details about the feature.

"New in ProSeries 2013: Improved Security • Email password-protected client files • Increased data encryption "

PDXTaxman (talk|edits) said:

3 October 2013
Norman, we use Lacerte here. Hope they're taking similar steps, but I haven't seen anything about it as yet.

H.D. Freifunk (talk|edits) said:

3 October 2013
If I was in Oregon and I got accused of the charge of "Unsecure Emailing", then I would send an Email to the Oregon Board of Accountancy making all kinds of discovery demands. Demand to see their charter, demand a copy of the enabling law which created the board, I'd throw in everything but the kitchen sink. Size their ring finger, boxers or briefs. The whole nine yards.

Then I would word it so as to basically beg them to respond to my request by Email. Heh. Heh. (This is called setting the trap).

When I got THEIR Email, I would pick out its security flaws with a fine toothed comb, and after finding a hundred or so holes in their security, I would file my OWN complaints of malfeasance of duty against every single member of the Board. I would play hard.

Then, since the Board itself had been so charged and could not judge itself, I would insist that the meanest, hanging-est judge in the Oregon Territory be appointed to adjudicate the case against the board.

Spiral (talk|edits) said:

4 October 2013
Great discussion btw.

The vulnerability with email is not the password you use. As the email sits on the email server, it is in plain view to everybody who has access to the email server, backups, or network.

An analogy:

In practice, before confidential digital files, confidential paper files used to be stored in file cabinets with locks in the office, or an off-site secure storage facility with a lock that only you have the key to. Confidential digital files should be handled similarly. Email is like storing the confidential files in your buddy's garage, then he moves some of the files to another friend's garage because he needed the space, etc...

CrowJD (talk|edits) said:

5 October 2013
This is the time to take a break and assess what we have learned.

I present here a lecture given by philosopher Rick Roderick on the philosopher Jean Baudrillard.

The lecture was given in the 80s I think, however, you will easily see how it could be extended to today. Enjoy.

http://www.youtube.com/watch?v=2U9WMftV40c

Of course, the "Xerox" and so on has been completely replaced by the laptop, a digital file, an attachment, and the internet, but this only makes Baudrillard's philosophy more relevant today than it was at the time Roderick gave this lecture.

P.S. When he speaks of "the end" he does not mean the literal end. He means the end of the "human" as we understood the human.

Fsteincpa (talk|edits) said:

5 October 2013
PDX - A note on carbonite. This is what I believe, if it is not true, someone can address it, but I am pretty sure I am correct.

Carbonite backs up and replaces your previous files with the new files. As tax preparers, we may not touch files for months at a time, so if a file gets corrupted and you are using carbonite, then the next backup will take the good file and replace it with the corrupted one. So, not good.

Use carbonite as an add on back up system, not your primary. Go old school and use tape backups for Monday through Thursday, then have 5 Friday tapes so you have a new one each week. Then I also have an end of the month/quarterly backup tape and then one at the end of each year.

You can decide whether you need a monthly or a quarterly to keep. But, the price of tapes is very inexpensive.

It is not a matter of if, but when you have that hard drive crash. I just bought a new server with a dual mirrored hard drive and last Sunday I came in to do some work and had a fatal hard drive error. Luckily, I had the dual hard drives and my IT guy came in did a few things and was up and running a few hours later.

I am now running with only one hard drive, but that will be corrected in a few days.

Also, always test your restore feature and at least monthly review what is being backed up. Automatic is not good if you don't review. We add things, adjust things and this affects the backups occasionally. Would really suck to autopilot for years and then realize that the directory you needed backed up wasn't.

CrowJD (talk|edits) said:

5 October 2013
"I am now running with only one hard drive, but that will be corrected in a few days."

Slow down Fred, a man at your age is not expected to perform like a 16 year old boy could. Give it a rest from time to time.

Adam13 (talk|edits) said:

5 November 2013
I'm curious as to what resources other CPAs are using. There are a few things at odds, affordability, effectiveness, meeting the standards on our profession, and actually protecting our data.

I'm guessing ShareFile is one that the participants in this thread would consider to be a nice big red target.

Gazoo (talk|edits) said:

7 November 2013
PDX used the words "very secure" up there somewhere. I couldn't help but get a chuckle out of the remark, however, I am not laughing at the poster, just the remark.

Nothing is secure when you are connected to the internet.

Gazoo (talk|edits) said:

7 November 2013
PDX used the words "very secure" up there somewhere. I couldn't help but get a chuckle out of the remark, however, I am not laughing at the poster, just the remark.

Nothing is secure when you are connected to the internet.

Gazoo (talk|edits) said:

7 November 2013
PDX used the words "very secure" up there somewhere. I couldn't help but get a chuckle out of the remark, however, I am not laughing at the poster, just the remark.

Nothing is secure when you are connected to the internet.

Taxaway (talk|edits) said:

8 November 2013
Speaking of hard drives, Gazoo must have just been excitedly spinning his.
