What is WeTransfer
WeTransfer is a cloud-based file transfer service that allows users to send large files securely through the internet. The company provides an easy-to-use platform to transfer files when their size exceeds the limitations of an email attachment. Using the free WeTransfer service, you can send up to 2GB of data without even the hassle of creating an account. If you’d like to send larger files, you can subscribe to the WeTransfer Pro or WeTransfer Premium paid services. WeTransfer Pro allows sending up to 200GB of data and comes with 1TB of cloud storage space, whereas WeTransfer Premium offers unlimited transfer data and cloud storage space.
WeTransfer is user friendly and works in a pretty intuitive way.
- Visit wetransfer.com and drop or upload files from your computer.
- You can choose “Send email transfer” or “Get transfer link” if you click the three little dots. If you choose to send files via email, you have to enter both your and the recipient’s email addresses. You can also include a message.
- Press “Transfer” and voila — WeTransfer generates a unique download link that it either sends to you and the recipient or shows only to you on the screen. The link remains active for seven days for free users and 28 days or more for paid users.
- When the recipient clicks on the link, they are transferred to a WeTransfer page where they can retrieve the files.
How secure is WeTransfer
WeTransfer is a secure enough service to send files as long as they don’t contain sensitive data. Though it doesn’t provide end-to-end encryption, the company encrypts files while they are transferred and held in the servers. WeTransfer also uses two-factor authentication and offers additional password protection.
WeTransfer claims to work with two independent companies that consult on security, monitor their systems, and perform regular penetration tests. The company is also using the services of ethical “white-hat” hackers who search for vulnerabilities in the company’s services.
To implement a more effective monitoring system for phishing, spam, and other types of malicious content, WeTransfer has started a collaboration with Microsoft based on threat intelligence. Microsoft can see if its customers are hosting sources for cyberattacks, so WeTransfer opened its platform for Microsoft to actively analyze the content there, too. This way, Microsoft can be sure that malicious content won’t reach its customers via transfers from WeTransfer and vice versa.
Moving forward, let’s look into security measures that WeTransfer has taken to make data sharing more secure.
Encryption is one of the key measures to secure information from prying eyes. File encryption means the files are encoded in a way that is only legible to authorized parties. To ensure the security of its services, WeTransfer creates an encrypted tunnel to every file you share. Once you upload your files to WeTransfer, they travel to the company’s servers through the encrypted connection using Transport Layer Security (TLS). When the uploaded files reach the servers and are stored there, they are encrypted once more using Advanced Encryption Standard (AES)-256.
However, even though files are encrypted during upload, sending, and storage, they become unencrypted once they’re accessed or downloaded through the link. This means that if the link is intercepted, unauthorized people can easily gain access to your files. This remains one of the main reasons why using WeTransfer as a file sharing service to transfer sensitive information is not recommended.
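One way to close the gap described above is to encrypt the file yourself before uploading, so that anyone who obtains the download link gets only ciphertext. This is an added example, not WeTransfer's code or part of the original article. It assumes the third-party Python `cryptography` package, a passphrase given to the recipient over a separate channel, and a file small enough to hold in memory; the `CSE1` header layout and function names are made up for illustration.

```python
# Added example: client-side encryption before upload (not WeTransfer code).
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSE1"              # constructed 4-byte format tag for this example
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16
HDR_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt stretches the passphrase into a 256-bit AES key.
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def seal(plaintext: bytes, passphrase: str) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext+tag, ready to upload."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    header = MAGIC + salt + nonce
    key = _derive_key(passphrase, salt)
    # The header is bound as associated data, so edits to it are detected.
    return header + AESGCM(key).encrypt(nonce, plaintext, header)


def open_sealed(blob: bytes, passphrase: str) -> bytes:
    """Decrypt a blob produced by seal(); raise ValueError on any failure."""
    if len(blob) < HDR_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a sealed blob")
    header, body = blob[:HDR_LEN], blob[HDR_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    key = _derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, body, header)
    except InvalidTag:
        # Same error for a wrong passphrase and for a modified file.
        raise ValueError("wrong passphrase or modified file") from None


if __name__ == "__main__":
    doc = b"constructed sample: Q3 payroll export"
    blob = seal(doc, "correct horse battery staple")
    print(len(blob), open_sealed(blob, "correct horse battery staple"))
```

The link then only ever exposes the sealed blob; the passphrase should travel by a different route than the link (for example, a phone call rather than the same email).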
WeTransfer has implemented two-factor authentication (2FA) for users who create an account with the company. This feature adds a layer of security because the system not only asks for your password but also verifies your identity through an authentication app on your mobile phone. Once set up, it links you to your devices and asks you to enter a code in the app as an extra step so that no one can enter your account with your password alone.
WeTransfer has added one more feature for its Pro and Premium subscribers — an option to secure each transfer with a dedicated password. This adds an extra layer of security because only authorized people possessing the password can access the files. With password protection, WeTransfer users can be sure there won’t be any unsolicited intrusions into their files.
WeTransfer collects your personal information, such as your contact and payment details as well as your type of browser or device, your network, and your location data. The company claims to retain your personal information for as long as it is necessary for it to provide its services and comply with applicable laws. However, suppose you wish WeTransfer to no longer process your personal information. In that case, the company will move your data to a separate file and use it only when its legitimate interest outweighs your right to object.
Regarding file sharing and storage, files that free users upload to WeTransfer are deleted seven days after they upload them. In contrast, the content of Pro or Premium subscribers is stored for 28 days by default or until the expiry date that the user sets manually. WeTransfer also claims that when your personal data accompanying files is older than 12 months, it is automatically anonymized for further analysis.
Your personal information is available to WeTransfer’s service providers, such as companies that deliver IT, software, and user support or process payments. Through cookies, your personal data is also available to WeTransfer’s business partners for interest-based advertising.
The risks of using WeTransfer
One of the main risks of using WeTransfer is that the generated file links can easily end up in the wrong hands, either through user error or security breaches. If the company’s servers are hacked or compromised, specific user data could get into the hands of hackers. Cybercriminals can also send files infected with malware via WeTransfer, which is a big security gap. In addition, WeTransfer can be subject to government surveillance requests, which means government agencies could access your user data without your knowledge or consent.
Let’s take a closer look at the possible risks involved when using WeTransfer.
Data breaches and security incidents
WeTransfer, like many other online services, can become the subject of a data breach. For instance, in 2019 the company was hit by a security incident during which it transferred files to the wrong people for two days. After WeTransfer realized what had happened, it blocked all the links to the files involved in the incident. It’s a good example of how a third party’s involvement in file transfer raises additional security issues.
If you are a fan of WeTransfer because it’s an easy-to-use service, bear in mind that it’s almost as easy for a potential hacker to use as it is for you. Though WeTransfer works hard to keep cybercriminals from using its services, the company cannot guarantee an absolute block on hackers. Hackers tend to use WeTransfer to generate malicious URLs or files holding malware and send them to unaware web users through anonymous emails. The most important thing you can do is not click on any phishy-looking links or download files you weren’t expecting to receive.
WeTransfer’s free version is prone to information leakage because the company only encrypts files and user data during transmission and storage stages and doesn’t provide an option to secure the files with a password. This means that the download links are sent to the recipient in a form that can be easily accessed by unauthorized parties through the sender’s error or a service malfunction, as mentioned before.
So once a file has been uploaded to WeTransfer, the sender has limited control over who can access it. This illustrates why you should avoid sharing sensitive files through third-party service providers.
Surveillance and government access
WeTransfer is based in Amsterdam, so it complies with the EU’s General Data Protection Regulation (GDPR). This means that the company must process and store the personal data of EU citizens and residents with the highest security standards. The company also complies with EU Privacy Directive (95/46/EC) and the Dutch Personal Data Protection Act. WeTransfer claims that when the data is shared with non-EU entities, WeTransfer requires them to be certified under the EU-US Privacy Shield. Otherwise, EU Standard Contractual Clauses are signed. WeTransfer is not bound by US laws, so the company is not obliged to comply with HIPAA regulations, which protect sensitive patient health information from being disclosed. WeTransfer also doesn’t comply with the following:
- The Payment Card Industry (PCI) Data Security Standard
- The Federal Information Security Management Act (FISMA)
- The Association of International Certified Public Accountants (AICPA) Service Organization Controls Standard
The WeTransfer servers that store your files are located in the EU and the US, raising questions about your data being protected from government snooping. The Netherlands, where WeTransfer is based, has a track record of surveilling its citizens. Meanwhile, the USA Patriot Act obliges every US company to reveal its customers’ files whenever intelligence agencies are involved.
In short, WeTransfer may be subject to government surveillance requests, and government agencies can access your data without your knowledge.
The secure alternative to WeTransfer would be a service that doesn’t require a third party’s intervention when sending files. One such service is NordVPN’s Meshnet File sharing feature. It’s software for secure file sharing directly between peers: Meshnet lets you create your own secure network for various devices. With Meshnet, you can connect up to 10 internal and 50 external devices. It’s free for everyone and extremely easy to use. You only need to:
- Set up Meshnet on your devices.
- Link your devices to external ones.
- Select and share files.
Once you accomplish these steps, you can share files of any size without limitation. Meshnet is extra safe because instead of using a cloud service, it lets you transfer large files from device to device directly. It works within your own secure network, making it bulletproof to any intrusions.