Alternatives to email

Key points:

Email is probably not the most secure choice, so consider alternatives

You probably use email many tens, perhaps even hundreds, of times a day for exchanging information.

Chances are email is not the best tool for the job, but it is so engrained in the corporate world that moving away from it completely is unlikely to be viable.

Even with PGP/GPG, email is not particularly secure. If you can fit them into your operating model, alternatives to email are likely to offer better security.

While the solutions here offer strong security, they lack (by design) some of the features which make email so popular and useful. For example, the ability to forward a message chain to someone, or to create “matters” and file correspondence against them.

Consider a client portal

Some practice management systems include a client portal: an online system where you can send and receive messages, and drop off (and perhaps receive) documents for clients.

Some file transfer tools offer similar functionality, but are not integrated into a practice management system.

Before relying on this, you'll want to make sure it offers appropriate security for your needs, especially if it is hosted by a third party, who might have access to your privileged messages and documents.

As with any software, if you do make use of a practice management system and a client portal, make sure you, and your clients, have a convenient way of getting your and their data out of the portal and onto some other system, in case you want to move away from it.

End-to-end encryption may not protect you from a compromised device

End-to-end encryption is a method of securing communications, designed so that only the sender and recipient of the communication are capable of seeing the content of what has been sent. Someone in control of a network element carrying the communication may still see the existence of the communication, and the parties to it (i.e. the sender and the recipients) but, because they do not have the ability to decrypt the communication, they cannot see the content of what is being exchanged.

This can be contrasted with the server-to-server encryption you're encouraged to set up on your mail server. This should prevent someone spying on network traffic from seeing the communications between your server and the sender's, but it does not protect you if someone has lawful access to, or has compromised, the sender's mailserver or your own mailserver.

While end-to-end encryption protects against some infrastructure access or compromises, it does not necessarily guarantee protection in all situations. In particular, if the device on which you receive and decrypt the encrypted communication (e.g. your phone, or your computer) is compromised, the attacker may have access to the plain text (decrypted) communications content, because they are attacking it once the encryption has been removed.

"The implant also has access to the user's keychain, which contains passwords, as well as the databases of various end-to-end encrypted messaging apps, such as Telegram, WhatsApp, and iMessage, Beer's post continues." (Vice report on iOS vulnerability.)

End-to-end encryption remains valuable, but you need to protect the device you are using for those communications. For example, encrypting your computer's disk, not using an account with administrative rights for your day-to-day activities, and only installing software from trusted sources.
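The difference between server-to-server and end-to-end encryption described above can be modelled in a few lines. This is an added sketch, not part of the original page: the relay model, the function names and the sample message are hypothetical, the keys are assumed to be already shared, and the cipher is a stand-in for illustration rather than one to use for real messages.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Stand-in cipher for illustration only (HMAC-SHA256 keystream); not for real use.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = secrets.token_bytes(12)
    return nonce + _xor_stream(key, nonce, plaintext)

def unseal(key, blob):
    return _xor_stream(key, blob[:12], blob[12:])

def deliver(body, link_in, link_out, e2e_key=None):
    """Send body through one relay server; return what each vantage point holds."""
    payload = seal(e2e_key, body) if e2e_key else body  # E2E layer applied on the sender's device
    wire_in = seal(link_in, payload)                     # sender -> relay, link encrypted
    at_relay = unseal(link_in, wire_in)                  # relay strips the link encryption
    wire_out = seal(link_out, at_relay)                  # relay -> recipient, link encrypted
    received = unseal(link_out, wire_out)
    on_device = unseal(e2e_key, received) if e2e_key else received
    return {"network": wire_in + wire_out, "relay": at_relay, "device": on_device}

def who_can_read(body, views):
    # True where the plain-text body is present in what that party holds.
    return {place: body in seen for place, seen in views.items()}

# Constructed sample message and freshly generated keys (assumed pre-shared).
BODY = b"Draft settlement offer: GBP 250,000"
K_IN, K_OUT, K_E2E = (secrets.token_bytes(32) for _ in range(3))

def demo():
    return {
        "server_to_server": who_can_read(BODY, deliver(BODY, K_IN, K_OUT)),
        "end_to_end": who_can_read(BODY, deliver(BODY, K_IN, K_OUT, K_E2E)),
    }

if __name__ == "__main__":
    for scheme, result in demo().items():
        print(scheme, result)
```

In both schemes the recipient's device ends up holding the plain text, which is why a compromised device defeats either form of encryption.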

Instant message or SMS-like apps

If you want a secure alternative to instant messaging or SMS, consider these.

Unlike email, none of these are interoperable, meaning that, if you want to use one of them, the people you want to talk with need to use that service too. Conversely, if the people you speak with each prefer a different service, you may have to sign up to multiple services, so you can chat with each of them.

Matrix / Element (used to be called Riot.im)

Matrix offers a web interface, as well as native applications (e.g. for macOS, iOS, and Android).

It offers text-based chats between individuals and groups, as well as file transfer, and voice and video calls.

It offers end-to-end encryption across devices, mobile phones and web interface, allowing for easy synchronisation of the encryption keys through QR codes or emoji.

You can run your own server, if you wish (a bit like email), or else you can sign up to someone else's server, such as the project's own matrix.org server.

You do not need a phone number to sign up.

Signal

Signal is mainly a mobile app, but it has desktop counterparts.

It offers end-to-end encryption, without you needing to do anything (although it may not protect you if your device itself has been compromised).

It requires the other person (or people, as it has group messaging) to also have Signal.

As well as text-based messaging, you can share files, and make encrypted audio and video calls.

You need a mobile phone number to set up Signal but, if you do not have a mobile phone, or do not want to give out your actual mobile phone number, you could rent a mobile phone number and use that to set up Signal. You should keep renting that phone number for as long as you use Signal with it.

You can download it here.

WhatsApp

If you don't mind telling Facebook who you talk with and when, WhatsApp offers simple end-to-end encryption.

Like Signal, it offers group messaging.

As well as text-based messaging, you can share files, and make encrypted audio and video calls.

You need a mobile phone number to set up WhatsApp but, if you do not have a mobile phone, or do not want to give out your actual mobile phone number, you could rent a mobile phone number and use that to set up WhatsApp. You should keep renting that phone number for as long as you use WhatsApp with it.

You can download it here.

Threema

Unlike Signal and WhatsApp, Threema does not require a phone number to set it up. If you don't have a phone number, or just don't want to link a phone number to an app, this might be worth a look.

Real-time chat (i.e. alternatives to Slack)

rocket.chat

rocket.chat is a self-hosted alternative to Slack. You can have real-time chat between other lawyers in your firm, and it also integrates with Jitsi for audio and video conferencing.

You can also configure permissions to enable secure chat channels with clients, separating them from each other.

Ways of sharing large or sensitive files

Email is often used as a convenient way of sharing large files.

However, while it is commonly used for this purpose, it's not a great use of email, especially as you do not know what size files your recipient may be permitted to receive by email. If you find yourself needing to transfer large files, or sensitive files, on a regular basis, you may be better off looking for something more suited to the task.

If you only do this infrequently, you're probably better off with PGP/GPG-encrypted email, or using something like Signal or WhatsApp.

zend.to

zend.to (available from here) is a free, open source, server-based file hosting platform, which you install and run on your own server.

Installation is easy, and you can configure it readily to reflect your own name and logo.

It can also be used for requesting files from clients, as well as transferring files to them.

Dropbox

Dropbox is an option if you are comfortable storing your files on someone else's computer.

Make sure you delete the file from the platform when it has been transferred.

As Dropbox is very popular, it may be used as a vector for phishing campaigns, where someone is sent an email purportedly linking to an attachment on Dropbox, but actually serving up malware.

Nextcloud

A self-hosted alternative to Dropbox, Nextcloud not only offers file synchronisation across multiple devices, but also allows file sharing.

You can also integrate it with Collabora Online, and offer a self-hosted alternative to Google docs. This allows real-time collaborative online document editing, running on your own server. (It can struggle with documents with lots of tracked changes, unfortunately.)

OnionShare

OnionShare is a very easy to use, peer-to-peer file sharing system, which makes use of the Tor protocol. You run it on your own computer, and it does not require a separate server.

You get a temporary, unique address, which you need to give to your recipients via some other secure channel (e.g. Signal, or PGP'd email).

To collect the file, the recipient has to connect to the address you give them using Tor. If they already use Tor Browser, then it's very convenient. If they don't, it's not very convenient.

The transfer is as fast (or so) as your Internet connection, since you are sending the file to them directly.

It is free of charge, and you can download it from onionshare.org. It's available for macOS, Windows, and Linux.

magic-wormhole

If you are interested in trying something new, and a bit geeky, magic-wormhole offers a relatively simple way of transferring files.

You need to be comfortable using the command line or terminal, so it is not for everyone.

Instructions for installing it are here.