
In the quest to go paperless, many companies offer statements and other information in electronic form. I'll look at what's typically safe and secure.

From a security-wise perspective, should I get my receipts (i.e. from my insurance, ISP, or cellphone provider) by email or snail mail? I use https, but I don't know what kind of security goes on the sender's side. To my understanding, I cannot use PGP as corporations don't use it.

As I've discussed before, email is basically an insecure medium.

Even if you use https to connect to your webmail provider or the equivalent ssl connections for the POP3, SMTP, or IMAP connections to your desktop email program, that's only securing the last leg of your email's journey to you. Most email remains "in the clear" as it travels from email server to email server on the internet.

From a practical perspective, that's typically good enough. Considering that most people don't use https or ssl when they should, however, it's important for you to think about ways to transfer important and sensitive information more securely.

When it probably doesn't matter

Before I get into some of the approaches that we might take, it's important to point out that the question is pretty general. Receipts, for example, could mean almost anything: purchase confirmations, individual sales receipts, and the like. Rarely are these of any sensitive nature.

So, in my opinion, no extraordinary steps are required for what most of us consider receipts.


Plain old email is just fine.

Given all of the online shopping that I do, it's a good thing - I do get these types of emails regularly.

Similarly, I've gone paperless with as many of my utility and other recurring bills as possible. For most, that monthly email notice is just fine.

For others, however ... not so much.

Why email might not cut it

As I said, when email leaves the sending mail server on its way to the mail server on which you get your email, it's sent in plain text. Anyone with access and desire could actually view that mail. Now, that's usually an extraordinarily small number of people; typically, it's the network and system administrators of those servers - people who have neither the time nor inclination to read your email.

But, it is indeed a number larger than zero.

The number of people who fail to use SSL connections to receive their mail is probably a larger problem. In these cases, other machines on the local or home network could see the email as it passes by. And not using SSL in an open WiFi hotspot makes your email (as well as your usernames and passwords) easily visible to anyone in range who cares to look.

There are just enough holes in the common email system that trusting it for truly sensitive information is not always a great idea.
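One way to see the "server to server in the clear" problem for yourself is to read the Received: headers that each mail server prepends as a message passes through it. Servers that accepted a message over TLS normally record the protocol as ESMTPS (or ESMTPSA when the sender also authenticated), while a plain ESMTP hop was unencrypted. The following is an added example, not code from the original article: it walks those headers, oldest hop first, and lists the hops that carried the message without TLS. The message and host names are constructed for the example.

```python
"""Report which Received: hops of a raw email claimed TLS.

Added example, not part of the original Ask Leo! article.  The sample
message below is constructed; the host names are hypothetical.
"""
import email
import re

# Constructed sample message.  Servers prepend Received: headers, so the
# top header is the newest hop and the bottom one is the oldest.
RAW_MESSAGE = b"""\
Received: from mx.example-webmail.test (mx.example-webmail.test [192.0.2.10])
\tby imap.example-webmail.test with ESMTPS id abc123
\tfor <alice@example-webmail.test>; Thu, 7 Jul 2011 10:00:03 +0000
Received: from outbound.example-bank.test (outbound.example-bank.test [198.51.100.5])
\tby mx.example-webmail.test with ESMTP id def456;
\tThu, 7 Jul 2011 10:00:02 +0000
Received: from app01.example-bank.test (localhost [127.0.0.1])
\tby outbound.example-bank.test with ESMTPSA id ghi789;
\tThu, 7 Jul 2011 10:00:01 +0000
From: statements@example-bank.test
To: alice@example-webmail.test
Subject: Your statement is ready

Your statement is ready. Log in to view it.
"""

# Protocol tokens (RFC 3848) that indicate the hop was accepted over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def hop_report(raw):
    """Return one dict per Received: header, oldest hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # Folded header lines keep their newline/tab, so \s+ must span them.
        frm = re.search(r"\bfrom\s+(\S+)", value)
        by = re.search(r"\bby\s+(\S+)", value)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", value)
        token = proto.group(1).upper() if proto else ""
        hops.append({
            "from": frm.group(1) if frm else "?",
            "by": by.group(1) if by else "?",
            "protocol": token,
            "tls": token in TLS_PROTOCOLS,
        })
    return hops


def cleartext_hops(raw):
    """Hops whose Received: header does not claim TLS."""
    return [hop for hop in hop_report(raw) if not hop["tls"]]


if __name__ == "__main__":
    for hop in hop_report(RAW_MESSAGE):
        flag = "TLS" if hop["tls"] else "CLEAR"
        print(f"{flag:5} {hop['from']} -> {hop['by']} ({hop['protocol']})")
```

In the constructed sample the bank's internal hop and the final delivery to the webmail server both used TLS, but the hop between the bank's outbound server and the webmail provider's inbound server did not, which is exactly the leg the article is talking about. Two caveats: a Received: header is written by whichever server adds it, so the recipient has no way to verify the sender-side entries, and ESMTPS only tells you that one hop was encrypted in transit; it says nothing about the message sitting unencrypted on either server.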

What about encryption?

In order for email to be truly secure, the message must be encrypted from end-to-end. That means that it's encrypted before it's sent and decrypted only after it's received. At any point while the message is in transit, it appears as nothing more than random noise.

PGP is one such technology and there are others as well. In fact, the number of approaches and the fact that there is not a single widespread standard for encrypted mail is the problem.

Unfortunately, as you point out, the corporations that are sending you mail simply aren't using encryption and they probably aren't going to any time soon.

So as much as we would prefer encryption to be the answer, it simply isn't.

Bypassing email

The best compromise that I've seen is actually very simple and secure.

For example, my bank sends me an email that says, "Your statement is ready," and nothing more.

I then go to the bank's website - securely via https - log in to my online banking account, and view or download the statement.

Because it's https, the transfer of that statement is encrypted from end-to-end: it's encrypted before leaving the bank's servers and decrypted only after it arrives on my machine.

I'm finding that most institutions that handle sensitive data have moved to this model. My bank, my brokerage, my credit card providers, my phone company, and others all use email only to notify me that more information is available and that I can access that information securely by logging into my corresponding online account.
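The model only works if the notification itself stays empty of anything sensitive and sends the reader to an https page. As an added example (not code from the original article), here is a small check that a sender could run over an outbound "your statement is ready" template before it goes out: it flags statement contents that have leaked into the message body and any link that is not https or does not point at the expected portal host. The patterns and sample messages are constructed for the example and would need tuning for real templates.

```python
"""Lint an outbound 'statement is ready' notification.

Added example, not part of the original Ask Leo! article.  The heuristics,
host names and sample messages are constructed.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed heuristics for statement data that should never be in the
# notification itself; a real deployment would tune these to its templates.
SENSITIVE_PATTERNS = {
    "account number": re.compile(
        r"\b(?:account|acct)\s*(?:no\.?|number|#)?\s*[:#]?\s*\d{6,}\b", re.I),
    "balance or amount": re.compile(
        r"(?:balance|amount due|total)\s*:?\s*\$?\d[\d,]*\.\d{2}", re.I),
    "card number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def lint_notification(body, allowed_hosts):
    """Return a list of problems; an empty list means the notice is clean."""
    problems = []
    for label, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(body):
            problems.append(f"contains {label}")
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"non-https link: {url}")
        if parts.hostname not in allowed_hosts:
            problems.append(f"link to unexpected host: {url}")
    return problems


# Constructed sample notices.
GOOD_NOTICE = (
    "Your July statement is ready. Sign in at "
    "https://online.example-bank.test/statements to view or download it."
)
BAD_NOTICE = (
    "Your July statement is ready. Account number 12345678 ending balance "
    "$1,234.56. View it at "
    "http://online.example-bank.test/statements?acct=12345678"
)

if __name__ == "__main__":
    for name, notice in (("good", GOOD_NOTICE), ("bad", BAD_NOTICE)):
        print(name, lint_notification(notice, {"online.example-bank.test"}) or "ok")
```

The "good" notice is the shape the article describes: it says a statement exists and nothing else, and the only link is https to the bank's own portal. The "bad" one fails on three counts, which is what you would expect a check like this to catch before the message ever enters the plain-text hops between mail servers.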

Going paperless

I'm trying to go as paperless as possible. In general, I'm finding that companies that have information that would normally be sent as paper often offer electronic equivalents.

By and large, I'm also finding that they're being sent out appropriately. Less sensitive information is being provided directly in email, while truly sensitive information is being provided using other, more secure approaches, such as web downloads.

But it's definitely good to be aware of the security implications of each approach.

Article C4868 - July 7, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


1 Comment
Snert
July 12, 2011 12:27 PM

Receipts, as in "Your Payment has been received. Transaction #1,234,567.", or the like, from 'UBoughtThis.com' never was a security issue where I stand.
It's the starting point where I send money to 'UBought This.com' for a purchase that I'm concerned with.
