Faxing is growing in popularity (washingtonpost.com)
96 points by JSeymourATL 14 days ago | 128 comments

The intelligence community has been intercepting faxes for decades.[1] It's not very secure. Even worse, VoIP systems recognize fax modem signals, decode them, transmit them as data, and re-encode them as fax modem signals.[2] They have to; VoIP has such awful jitter and bandwidth that you can't send modem signals over it. So it's easy to peel off the fax data and log it. This is done routinely using fax servers.

[1] https://en.wikipedia.org/wiki/Black_site#The_Onyx-intercepte...

[2] https://www.dialogic.com/-/media/products/docs/whitepapers/1...

Isn’t the reason to fax not privacy from the government but rather that phone communications are subject to wiretapping laws that email/the internet isn’t, so you have more options for recourse if some non-government actor intercepts the message? At least, I heard that something like this was true.

How secure do I need my restaurant take-out order to be?

>By one private firm’s estimate, the fax accounts for about 75 percent of all medical communication


This is because fax is still considered by HIPAA to be a secure method of transferring patient information. Where email is unencrypted and thus considered to be insecure.

[UK's] NHS world's biggest fax machine buyer due to 'stubborn' resistance to new technology, say medical leaders


There are jurisdictions outside of the US that transmit health records by fax to avoid them being subject to the USA PATRIOT Act when they transit routers in the United States.

Seems like you could fax an encrypted payload and just use the fax protocol for data transmission.

Possibly even attach it to another medium originally intended for data.

Also, I love your username in the context of this subthread.

Every single hotel that caters to corporate clients in the USA still uses fax. We don't get reservations through fax, but that is the best way to get credit card authorization. A lot of corporate booking systems are automated to send out Fax for credit card authorization after they book the room online.

Also, it's much better for our Front desk staff, as they don't have to constantly check the email. There is only 1 fax number, and anyone can send out the fax and whoever is working at the front desk gets a printed copy without doing anything.

I really wish there is a modern alternative to FAX.

Edit: What I mean by a modern alternative to Fax is that the sender can send high-resolution color documents without going through multiple steps. Scan documents to a computer, convert to PDF, Send an email with an attachment, Check email periodically, Print Email.

I have converted most of our documents to digital forms, and sync to all computers. Yet all my employees would rather copy documents as they think it's much faster and convenient. They will make 100s of copies of the document.

We accept all documents through email or fax. Last week we received an email with a one-page contract that was broken into 4 images. We asked to send it again and they rescanned and sent it again the same way. I used Word to print 4 images into one page and call it a day.

> I really wish there is a modern alternative to FAX

What's missing from email + a couple lines of script code? (Or if you prefer, a lightweight piece of software that does the same thing). It seems like that covers all the cases you describe: automatically prints, don't have to check it, you can have only one email, etc. I mean the fact that some other parties are stuck on a legacy system is of course always a good reason, but that's not really a lack of a modern alternative.

> What's missing from email + a couple lines of script code?

Medical use: I call someone to tell them to expect a fax. I send the fax. I call the person and ask if they got the fax.

When sending the fax I hit the button and hear a dial tone. I know my machine is connected to the exchange. I dial the number and hear the ring tone. I know the recipient's machine is connected to the exchange. I hear their machine pickup and negotiate with mine. I know our machines are connected. My fax goes through. If it doesn't go through I get an error. If it doesn't go through on the recipient's machine I get an error.

You don't need this for a hotel booking.

You do need this if your patient is suicidal and plans to end their life and you're making a referral to a crisis team.

Unfortunately, many places do not use real fax machines plugged into POTS. They use virtual fax machines which do goodness-knows-what over the Internet. So, we get the drawbacks of fax combined with the unknown status of Internet.

It's a real mess. There's a huge amount of money (in the UK NHS) to be made with a better replacement.

In many parts of the world they use WhatsApp for the equivalent workflow in multiple domains.

That little green tick when someone reads your message is a surprisingly critical part of the workflow.

You could always call before and after an email. I've done that before, when dealing with someone I didn't trust to read her email.

- Not all hotel owner/operator can write code.

- Spam: We get tons of spam FAXes too. But compared to emails, way less spam.

- Also, most of the people who send out fax have a hard time scanning and emailing documents.

> Not all hotel owner/operator can write code.

Yea, don't worry, I wasn't going for the "lol why doesn't everyone just learn Python and spin up a Docker container on ECS" trope. That's why I specified a lightweight piece of software, which is how everything used to work before the rise of the Web and mobile devices changed software distribution.

> Also, most of the people who send out fax have a hard time scanning and emailing documents.

Yes, this is the legacy third parties thing I was talking about. But this constraint doesn't have anything to do with the lack of a modern replacement for fax. On top of that, there are plenty of services (including free ones) that fake a fax number if necessary, with the standard caveat that inserting a service layer into your business workflow introduces risk.

Note that I'm not suggesting that you switch: when the road meets the rubber, it's often the rational choice for businesses to stick with old technologies for a variety of reasons. I was just puzzled by your more-general wish for a modern equivalent of fax, when there have existed "modern equivalents of fax" for decades that are superior on pretty much every axis.

Nah, people complained about software bloat before the internet too. They've been doing that since the invention of compilers.

I'm outside the USA, but my employer organizes a lot of travel all around the world — on every continent, from the USA to Somalia to Fiji to some rainforest in Brazil.

The fax machine was thrown out last year, after sitting unused for years. I assume we reserve and pay for hotels over the WWW. Emails sent to (and from) 'travel@example.org' are seen in a single mailbox by the people who organize travel and their manager. Outlook goes "Ping!" when an email is received.

If it's necessary, the secretary can access those emails from home or holiday.

> Scan documents to a computer, convert to PDF, Send an email with an attachment, Check email periodically, Print Email.

Any scanner / printer-scanner / photocopier-printer-scanner made in the last 15 years will do the first half of this in one step (i.e. insert document, press "email", enter address or choose from the address book, press "Scan & Send").

Mail delegation covers "anyone can send it out" and "there is only 1 fax number". Automatically print covers "paper automatically appears" and "don't have to constantly check the email".

What exactly are you hoping to modernize (other than "technology A has been around longer than technology B")? If it's hardware, e.g. a physical fax machine with a physical line, and you want to get rid of that line, there are existing options to do that with or without getting rid of the fax machine and with or without changing the workflow to some other technology stack like email.

If it's "fax is insecure" I agree but until that actually becomes a problem for the businesses on the other end nobody is going to care enough to deal with the change.

> "fax is insecure"

Fax is not secure.

Something like "Sender goes to the machine, and he punches my number or identification and it prints the document at my hotel"

Also faxes tend to be horribly insecure at the recipient end. You're not sending to a person, you're sending to some physical location, usually public, and hoping nobody loses it or picks it up and reads it.

This is fairly common at hospitals (when they don't have a fax server setup) and manifests as "oh the fax didn't come through" (even though it definitely sent successfully).

Satisfies HIPAA. Something like "stand by the fax machine and tell the person on the other end they can send the fax"

Imagine a future where faxes are a private alternative form of communication. Imagine machines specifically designed to send encrypted data using phone lines. Maybe there is room for innovation there, fax 2.0 is encrypted private alternative form of communication when all others have been exhausted.

Maybe we can attach a typewriter to them as well so you can get all your private communication needs in one package. I know hipsters will be all over this.

Heck we could even use shortwave radio to transmit these: http://hamfax.sourceforge.net/

You may joke about SW, but there are not a few applications for a secure encrypted channel that is difficult to MITM and doesn't go through nation-state infrastructure.

The proper solution is to implement a way to pay hotels online with the proper verification procedures. They can still require photo IDs and credit cards for incidentals at checkin, but there's no reason I shouldn't be able to use Apple Pay to pay for someone else without ever sending any documentation to the hotel other than the name of the person they should be expecting.

A lot of small business owners have one company credit card. They send the credit card information to us through fax for the employees that are checking in without the company credit card. Employees are still using their personal card for incidentals.

Big companies use travel agencies. They fax a virtual credit card. Depending upon the company, the credit card in the reservation won't authorize. We can only charge the credit card in the fax.

Yes, my point is all of that can be obviated if the hotel offered an online payment system where you can just pay online, same as you can with Expedia.com or Hotel Tonight or Priceline or Amazon.com

However, the major brands would rather have all of their hotel guests be inconvenienced and have people's personal information and ID scans flying around insecure systems operated by minimum wage hotel personnel with high turnover.

This is so that they (Hyatt, Marriott, Hilton, IHG, Choice, Wyndham, etc) can offload the chargeback risks and payment processing costs onto the franchisees.

> all of that can be obviated if the hotel offered an online payment system

I spent the weekend making reservations at nine hotels for a two-week trip. Of the nine, three could be paid online. Two could be reserved online, but will have to be paid with plastic at check-in. Two had web sites, but I had to call to make a reservation. Three didn't have web sites at all.

The vast majority of lodging options in the United States are not chains, or hooked up to an app.

This Aug 2015 article says US hotel room supply broke 5 million rooms:


and this Mar 2015 infographic on HotelNewsNow.com shows the 10 biggest brands having over 4 million rooms, worldwide.


Some of those brands have hit 1 million rooms each, so I think it's safe to say that the vast majority of rooms in the US are able to be reserved online, and even the boutique hotels not affiliated with bigger brands have an online presence in my experience.

The only hotels I've seen not online are the low budget motels or smaller lifestyle businesses in a few niche locales here and there. Even then, I've seen them on booking.com where you enter your details, and booking.com emails or faxes the motel operator the details of your reservation.

I stated lodging option, meaning places to stay. I was not tallying hotel rooms, which is another metric.

You and I apparently travel different places, so my experience is different than yours.

But you're right about booking.com having the best chances of booking online in very small places.

> Also, it's much better for our Front desk staff, as they don't have to constantly check the email. There is only 1 fax number, and anyone can send out the fax and whoever is working at the front desk gets a printed copy without doing anything.

Seems like the answer here is to just have a "fax machine" but replace "phone number" with "email address" and automatically print any documents sent to it ("documents" being defined as the emails themselves and/or - if present - attachments in specific formats like PDF, DOC(X), ODF, etc.). Shouldn't be terribly difficult even for a DIY project, let alone as a full-blown commercial product.

A spam filter would of course be a given.

Now there's a spam filter and suddenly you get all the unreliability that comes with that from email (someone can claim the filter must have blocked it, and there's no proving otherwise).

Well yeah, you either guarantee that all messages are received or you filter out unwanted messages. Depends on what's the more pressing issue.
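The auto-printing mailbox proposed in this subthread, together with the objection that a filter makes lost messages unprovable, as an added example that is not from any commenter. It queues only PDF attachments from authenticated, allowlisted senders and logs every decision with a hash; the addresses, the allowlist, the size limit and the reliance on a server-added Authentication-Results header are assumptions.

```python
import hashlib
import json
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed local policy (illustrative values, not from the thread).
ALLOWED_SENDERS = {"bookings@agency.example"}
PRINTABLE_MAGIC = {"application/pdf": b"%PDF-"}  # declared type -> required leading bytes
MAX_BYTES = 5 * 1024 * 1024


def triage(raw: bytes, audit_log: list) -> list:
    """Return [(filename, data)] for attachments that may go to the printer.

    Every decision is appended to audit_log as a JSON line, so a claim that
    "the filter must have blocked it" can be checked against a record.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    msg_id = str(msg.get("Message-ID", "<none>"))

    def record(decision, reason, name=None, data=None):
        audit_log.append(json.dumps({
            "message_id": msg_id, "from": sender, "attachment": name,
            "sha256": hashlib.sha256(data).hexdigest() if data is not None else None,
            "decision": decision, "reason": reason,
        }, sort_keys=True))

    # The From header alone is forgeable. Assumption: the receiving mail server
    # strips inbound Authentication-Results headers and adds its own verdict.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" not in auth:
        record("reject", "sender domain not authenticated")
        return []
    if sender not in ALLOWED_SENDERS:
        record("reject", "sender not on allowlist")
        return []

    accepted, seen = [], 0
    for part in msg.iter_attachments():
        seen += 1
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        magic = PRINTABLE_MAGIC.get(part.get_content_type())
        if magic is None:
            record("reject", "type not printable", name, data)
        elif not data.startswith(magic):
            # Declared as PDF but the bytes say otherwise: never hand it to a renderer.
            record("reject", "content does not match declared type", name, data)
        elif len(data) > MAX_BYTES:
            record("reject", "attachment too large", name, data)
        else:
            record("accept", "queued for print", name, data)
            accepted.append((name, data))
    if seen == 0:
        record("reject", "no attachments")
    return accepted


def build_sample(sender, dmarc, filename, subtype, data, msg_id):
    """Build one constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "frontdesk-print@hotel.example"
    m["Message-ID"] = msg_id
    m["Authentication-Results"] = f"mx.hotel.example; dmarc={dmarc}"
    m.set_content("Credit card authorization form attached.")
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


def demo():
    pdf = b"%PDF-1.4\n% constructed placeholder, not a real document\n"
    not_pdf = b"MZ constructed bytes standing in for a non-PDF file"
    samples = [
        build_sample("bookings@agency.example", "pass", "authorization.pdf",
                     "pdf", pdf, "<c1@agency.example>"),
        build_sample("bookings@agency.example", "fail", "authorization.pdf",
                     "pdf", pdf, "<c2@agency.example>"),       # forged From
        build_sample("promo@unknown.example", "pass", "offer.pdf",
                     "pdf", pdf, "<c3@unknown.example>"),      # not allowlisted
        build_sample("bookings@agency.example", "pass", "invoice.pdf",
                     "pdf", not_pdf, "<c4@agency.example>"),   # mislabelled file
    ]
    log = []
    printed = [name for raw in samples for name, _ in triage(raw, log)]
    return printed, [json.loads(line) for line in log]


if __name__ == "__main__":
    printed, log = demo()
    print("to printer:", printed)
    for entry in log:
        print(entry["message_id"], entry["decision"], "-", entry["reason"])
```
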

If I may, I would add that it is (obviously) unheard of computer viruses sent by FAX, whilst - besides the "benign" (if we can call it so) spam - a generic hotel e-mail is bombarded by phishing attempts and more generally "check this attachment (enclosed invoice)" or "booking confirmation check the attached image for credit card number" kind of letters, so, besides the time needed to open the e-mail, the e-mails are anyway a "risk".

The worst that can happen with a FAX is that the "attacker" can make you consume some paper and printer ink.

It's not exactly a virus, but last fall some folks put together a PoC showing how certain fax machines could be compromised over the phone line, and used to gain access to their connected networks. [1]

[1] https://blog.checkpoint.com/2018/08/12/faxploit-hp-printer-f...

Yep, IF the FAX is connected to network (some are, some aren't) and I would be surprised (even if the researchers do state that) that a "generic" exploit (meaning ALL brand/model of all-in-ones) is possible (maybe they would need a "library" of similar exploits and test them until they find the "right" one for the given brand/model at the other end).

Most exploitation is not "generic" in that way.

There is an alternative, called internet.

Faxing for CC authorizations certainly is not the best. Or I’m way confused and don’t understand your conditions of “best”

> There is an alternative, called internet.

I routinely stay in places that don't have internet service, either deliberately (ranches and luxury off-grid getaway places), or because there is no infrastructure.

Internet isn't the solution to everything. In fact, some very high-end restaurants are now only taking reservations by telephone. And there was an article (NYT?) a few months ago about exclusive restaurants now only taking reservations by letter.

If internet was the answer to all of this, then Google wouldn't have spent billions of dollars on a system to call businesses to place orders and make reservations for you.

If you have a phone line to fax, you have a phone line to dial in to an ISP. Then you can set up a secure connection? I don’t see the issue you are describing.

Also totally unclear how a reservation to eat compares to my credit card details going over plain phone line?

Google just wants market share in every market that exists.

I have a cheap home scanner, which can scan and email by pushing one button, and (I think) just attaches a pdf. PDF pretty much is the modern version of the fax.

Similarly, pretty much any large multi-function printer (the thing as big as a photocopier) has a scan-to-email function.

The one at my work can scan both sides of a sheaf of papers at about 2 sheets per second, and attach it as a single PDF or set of JPEGs etc.

I have traveled quite a bit over the years and never been asked to fax. I just give card info over the phone

You don't have to keep checking email. You can actually create a separate email address that will automatically print everything it receives and give that email address to those people who fax you confirmations.

Interestingly I started using a web based Fax solution in Germany two years ago when I realized that Doctor’s offices won’t answer the phone anymore whenever I wanted to get an appointment. Good Doctors are drowning in emails requesting an appointment. And their phones are ringing from nine to five, so it's super hard to get through. Sometimes I was on hold for half an hour without success. Even though I am able to afford the most expensive Doctors I would not get a chance to make an appointment! So phone won’t work, neither would they reply to emails, generally. Then I realized that all of them have Fax machines! For various (legacy and regulatory) reasons. When I started requesting an appointment or a callback via Fax I was delighted to see that they would reply almost immediately!

So now whenever I need to get in contact with a Doctor’s office in Germany or public authorities, I don’t even try to call, but send a Fax immediately.

It comes down to convenience and ease of use... put your pages in, enter a phone number, hit send. Versus scanning pages using a computer, compositing into a PDF, or otherwise emailing loose pages... and since network monitoring is more likely than phone taps (except the govt) may be more secure fax to fax over POTS.

It's more a matter of ergonomics. I've also used fancier systems that scan to pdf and email or drop location internally, then you have to email the document out. Frankly, faxing direct is usually far easier.

You pay for this in data entry. Sending pages means that someone has to retype the data into a database compared to sending it in some kind of data structure that can be imported. Or worse the data doesn't get entered, and it ends up in a filing cabinet.

> Or worse the data doesn't get entered, and it ends up in a filing cabinet.

God forbid that data not be vacuumed up never to be seen again except by the advertisers. /s

A file cabinet in the back office probably handles most people's use cases for documents they receive by fax 90% as well as any digital solution with a heck of a lot less effort.

In the context of medical records, as a patient, I'd like to be able to download and transport my records without an office needing to pull out paper and copy it for me.

They can always scan them and send you the image.

So instead of me making a call to a database, a human has to be involved before I get my data.

There's no reason they have to store the faxed documents in paper form (except, possibly, for questions of authenticity but, even then, they could also save a digital version of every fax they receive)

The study (https://www.opentext.com/file_source/OpenText/en_US/PDF/open...) was sponsored by OpenText (https://en.wikipedia.org/wiki/OpenText). It shows growing fax usage in the segment of large companies. At the same time need for integrating fax into other systems and cloud. It sounds more like OpenText will use the finding (and list of companies surveyed) in their sales process.

Germany 2018: oohh you like to cancel your online account for our service? Here is our fax number: 0FUCK / YOU

Yes I send one fax per year for most stupid reasons.

Like: hey I have to send more documents to my state for taxes which I originally sent digitally through their secured service page: yes no problem here is our fax number...

> What happened was that competing companies deliberately created incompatible systems. Doctors’ offices and hospitals that use different records databases can’t communicate with each other digitally — but they can via fax.

I cannot imagine why people prefer an established, well-documented, open exchange format over some closed, proprietary, and probably obfuscated one.

Direct Project secure messaging is an established, well-documented, open exchange format that works over SMTP. It is specifically designed to replace faxing for the healthcare industry.


Says someone in a world where slack and facebook are prevalent.

The reason in this case is because the purchasing admin isn't the user and most certainly doesn't have a clue when it comes to tech, they liked the lunch the Epic rep provided and went with their gut (pun intended).

Dictatorship of the minority. If you have a subset that uses fax, then everyone needs to support fax, because otherwise you can't work.

The implications of that to accessibility are atrocious. I had a blind friend who lived outside US and had to deal with English faxes once. That was a nightmare, both in the financial and accessibility sense. If everyone just used email...

Faxing provides some advantages that can't be easily matched by competing communications tech: it's solid tech that works well, it can operate without requiring access to a computer network, it's cheap, it's dead easy to use, etc.

I'm not surprised to hear that it is growing in popularity. I think that we'll find an increasing number of other "antique" technologies that will find a resurgence for the same reasons.

I'm not sure about dead easy to use? I have figured out how to use all the tech devices including old school IPTV cameras, smart cash registers and connecting thermal receipt printers but the fax machine is absolutely the shittiest gadget I have had to deal with in my life despite being shown how to operate it multiple times.

The people who say faxes are easier than email are like the old mechanics who complain about how EFI is complicated and carbs were so much simpler.

It's not actually any better, just a lot of people learned how to use it 20 years ago and don't want to learn anything new because they're wastes of space.

This is just not true as a blanket statement. I am as cutting-edge tech-wise as anybody (it is my industry, after all), but that doesn't blind me to the fact that there do, in fact, exist use cases for which the fax is the best solution.

Everyone has a camera on a device that can send emails. Unless the internet went down and for some reason the phone system still worked, I can't think of any scenario where fax is better than emailing photos.

The fax protocol includes a strong "read receipt" type mechanism that the machines can't ignore. "Did you get the last page?" "Yes, no bad lines."

Legally, this is interesting because it doesn't exist in email. You had the machines agree that the complete document was sent and was received. You will certainly find that in other transfer protocols, but not email, where the machines don't talk to each other directly.

Simple scenario: you need to transmit multiple legible pages of black and white text, in that case a fax machine is far superior to anything you can do with a phone camera.

I can think of a few. For instance, the internet is not available to a lot of people. For those people, the alternative to faxing is snail mail. Also, not everyone has an internet-connected device that also has a camera. I know it's hard to believe, but it's true.

Also, even when you have both an internet connection and a camera, there remain numerous possible reasons why you may not want to use the internet to send certain things.

I'm certainly not saying that everyone should start faxing, but I totally understand why there may be a substantial minority for whom it makes sense at least from time to time.

It is very dangerous to hold third party medical records in everyone's devices. It is also not integrated with the systems required to record care, so you still need to build a custom integration.

I'd say the opposite. Probably 99% of people in this thread have never sent a fax.

Not that solid. "POTS" lines only really exist at the last mile to customers, otherwise it's all digital/VoIP. Plenty of places faxing will fail due to "line quality" issues. Fax only continues to work at all because the infrastructure takes great pains to keep them working.

The IRS also only accepts faxes for sending documents directly to an agent. If you have a fax machine maybe it’s secure, but the internet services are very shady and using a local store I’m still concerned the machines store the documents in memory after sending them (not 100% sure if that’s the case but I see no reason for the manufacturers to care to wipe them).

I work in healthcare and in my office we likely receive 100-200 pages of faxes everyday. Every single microbiology report in my large urban hospital prints out (including preliminary results). This includes a cover page for every single fax. It's a huge waste of paper. Luckily we are moving to Epic and all results will come through that system instead.

> Luckily we are moving to Epic

This may be the first time those words were used together in a sentence.

I work in Alberta and we have 5 distinct health care regions although we all work under one umbrella organization. All regions use different EMR systems, some regions and major hospitals are still not currently using any system, and all orders are written by hand. So an opinion on Epic as an EMR is perhaps minor compared to EMR vs hand written systems.

Of course. It is definitely exciting to have a computerized system. I just found it somewhat amusing considering Epic's reputation.

What is Epic's reputation? It's coming with pretty big fanfare here in Alberta.

Literally lol'd at this.

I'm mildly concerned with how many people that aren't directly involved with my medical care could read those reports. It's not like they have to break open an envelope or a filing cabinet or something either. Just another piece of paper to be casually picked up and scanned for filing.

I know someone whose medical records - including full details of the removal of her brain tumour - were faxed to a hairdresser because the operator swapped a couple of digits in the number.

That thought gives me so much anxiety.

I'm not the OP, but I do work pushing buttons in healthcare. In our company incoming faxes are OCR'ed and routed to the proper person by e-mail.

I can't say how well it works because nobody's faxed me (nor should anyone), but since every employee gets HIPAA training, I don't think there's much cause for worry about misdirected faxes.

What did you use for OCR? Can you identify patients or do you only use it to identify document types?

Epic will work fine for this, but every other EHR released in the past several years is also capable of receiving electronic microbiology reports. Your office must have been using something really obsolete before that.

The hospitals in my city were using Sunrise and the micro reports are included in Results tab but for some reason we still get faxes (legacy practices maybe). The problem is the province wanted one system across all sites. Currently there are a ton of different EMRs used by different hospitals that obviously don't talk to each other. So transferring a patient between sites, even down the road basically involves printing/photocopying every single piece of paper and physically sending it with the patient. I'm sure less than 5% of that ever gets read.

In theory any modern EHR should be able to export an HL7 C-CDA 2.1 CCD containing all essential parts of the patient's chart, and then deliver that to another provider via secure Direct Project messaging. But in practice many organizations don't have those features properly configured, or the connections haven't been established, or staff haven't been properly trained.

For what it's worth, paper is a renewable resource, and trashing it is literally burying carbon from the atmosphere. (not using bleached-white paper would be an improvement though)

As long as people use faxes as printers with an attached email address I don't see them disappear anytime soon.

Faxing is to email as VoIP is to the PSTN

Until we can get over the threshold of assuming nobody has a fax machine anymore, faxing is here to stay. Once we push that threshold, the remaining users can be forced out (by not having fax as an option, and faxing will fizzle away over time).

Think of it like supporting IE6. A lot of the holdouts for IE6 were large health care organizations and VA/gov centers... the same exact places still holding onto fax.

Faxing is a headache for a lot of people. The problem is that the industries that use fax are in a position to force it on others. Certain healthcare departments, some mortgage related stuff, financial garbage, etc. Places where if you HAVE to do business with that entity for some reason, and they say "fax this to us", you're stuck hunting down a fax machine or using an online service. They thus have no reason to change.

> Places where if you HAVE to do business with that entity for some reason, and they say "fax this to us", you're stuck hunting down a fax machine

I just head to the local copy center when I'm forced to send (or receive) a fax, so for me "fax this to us" means "pay an extra $2 for no good reason".

Last time I did business with someone who told me to fax them something, I asked them what millennium they thought it was. They promptly suggested an alternative. We did it that way.

Just because they prefer fax doesn't (usually) mean that it's the only way it can work. It doesn't mean you have to do it their preferred way.

Depends. Quite often people think they _have_ to do as they are told, where you can quite often come back with an alternative.

"I can't send a fax from where I'm at"

"Where are you?"

"2019. I'm in the year 2019"

I'm guessing part of the appeal is the simplicity. At its purest, faxing is point-to-point, and unlike email doesn't need any servers/other infra (read: potential points of failure) beyond the telephone system itself.

Are phone systems more resilient than internet and email protocols? A phone number relies on a single vendor, whereas internet and email can be accessed through a variety of vendors, and MX records can be changed by the user. If the power goes out, I can still use email via wireless providers, or I can go to a different location and use it.

> Are phone systems more resilient than internet and email protocols?

When was the last time a land-line had an interruption of service? I can't even recall it happening to me.

Talking about FAX machines, Hack.lu 2018: What The Fax?! - Eyal Itkin and Yaniv Balmas


This hits close to home.

Has anybody thought of sending faxes with QR codes? Receiving systems that have the ability can get the fax's information quickly via QR code, instead of having to OCR the fax. If the system doesn't support the capability, it's just ignored (by the fax machine and humans).

Might be helpful.

Already exists. Not a silver bullet. Each place has to transform the incoming fax format into their own emr format.

People think it's secure, but it's worse now than ever since many faxes are now emailed as PDFs

You need to look at countries like Estonia with strong cryptographic signatures for how to effectively move away from faxes (I believe cryptographic signatures are far better than "digital signatures", i.e. a jpg of your handwriting)

You read it here first: Faxing is the new Vinyl.

(Seriously: I like how it talked about fax being more secure than email while also talking about computer-based fax services.)

It's been so long since I've heard about faxing that reading the headline I thought "Faxing" was some fancy new tech that all the kids are playing with.

> What happened was that competing companies deliberately created incompatible systems. Doctors’ offices and hospitals that use different records databases can’t communicate with each other digitally — but they can via fax.

Yeah, that's a common failure, which impedes progress. Anti-competitive NIH and lock-in. And indeed, bad players usually fall in line only when they have no choice.

Some countries never moved away from the fax: Japan and Israel in particular.

For legal documents that have to be sent in a timely manner and give you a verifiable receipt of delivery, you need to go with a fax rather than email.

Your fax isn't going to disappear without a trace due to your email server not being reputable enough or looking like spam, or exceeding your delivery rate.

Fax machine -> fax machine : secure

And fax machines are easy to use.

Securing document exchange by email is a PITA for 99.9% of users. Explain to your mother how to use PGP/GPG to encrypt the email she has to send to financial institutions, government, ... And imagine the government employee receiving the encrypted email. He will probably just delete it. :)

> Fax machine -> fax machine : secure

Fax-to-fax is completely vulnerable to all kinds of attacks (even before considering situations where what seems to be fax-to-fax involves one end or the other actually being a gateway to some insecure system that pretends to be a fax machine), because:

(1) phone number hijacking is a thing,

(2) phone lines can be eavesdropped on,

(3) fax lacks authentication between endpoints,

(4) fax lacks encryption.

OTOH, in HIPAA environments it's often preferred because fax is not considered “electronic media”, so it is not covered by either the transaction standards or security standards that apply to transactions conducted via electronic media.

>Fax machine -> fax machine : secure

Great in theory, until you realize that most people don't have fax machines, so they use some online fax service that's probably less secure than sending email.

Well, completely unencrypted, but depends on what you consider the threat to be.

I feel with you. I was shocked to learn that fax is still the default for Doctor 2 Doctor communication here in Germany.

Turns out the reason is rather simple: the law explicitly requires phone lines to be confidential in terms of eavesdropping. (You need a warrant, else it's illegal). While all other means of transport are not covered by this. So everyone who wants to legally cover his ass would rather use the legally privileged, but technically wide open phone line over technically sound solutions missing such a legal framework.

> the law explicitly requires phone lines to be confidential in terms of eavesdropping

However, POTS these days commonly uses VoIP as an intermediary. I don't know if the law covers the same phone call during its passage through a VoIP segment.

As I understand the law here in Germany, it's technology independent. So VoIP falls under the same rules, as long as you sell/market phone and fax services. How this relates to something like Skype I have no idea.

>Turns out the reason is rather simple: the law explicitly requires phone lines to be confidential in terms of eavesdropping. (You need a warrant, else it's illegal). While all other means of transport are not covered by this.

What about VOIP? Cell phones? WIFI calling?

What about them? (Can you send a fax over those media, and are they protected similarly?) Or are you asking a different question?

If it's not on a phone line, then it's not afforded those legal protections. None of those communication media you just mentioned are using a phone line as a transport mechanism. (They're also not similar to fax from a UX standpoint.)

>Or are you asking a different question?

I was asking whether those protections applied to only landlines, or all telephone conversations (eg. cellphones).

>If it's not on a phone line, then it's not afforded those legal protections.

This sounds problematic considering that for PSTN, "phone lines" only cover the last few miles of transport[1]. Does that mean you can't tap outside someone's house (where it's a phone line), but you could tap outside the CO, where it's fiber or even public internet?

[1] https://en.wikipedia.org/wiki/Public_switched_telephone_netw...

I think that was exactly the story behind Room 641a, wasn't it?

(And it was illegal, although now, in the USA, I don't think it would be anymore.) Largely depends on what TLA you are, and whether or which secret court you derive your authority from / are required to report to for renewal of your secret warrant.

Of course the GP was about doctors in Germany, and this 641a business was about an NSA facility operated on an AT&T switching office in San Francisco, USA (so this does not also preclude that.)

I think based on what I know about Germany and privacy laws, the court would use a favorable liberal interpretation of "phone line" to mean, say, any connection that begins and ends with a phone line, and terminates with a dial-tone. I don't know much about German courts though, so take that only for what it's worth.

So it turns out the US Postal Service is very easy to trick. You merely fill out a simple form with no real verification and get them to forward somebody else's mail to your address, which enables all manner of profitable fraud.

HOWEVER doing that is a hardcore crime. You can be sent to federal prison for years for doing that. So the USPS is not secure in any sort of mathematical sense, but in practice most people trust it most of the time, because security isn't just about technical implementation details like encryption.

Similarly, wiretapping telephone lines may be straightforward, but you'd have to be exceptionally daring or stupid to actually do it.

> HOWEVER doing that is a hardcore crime. You can be sent to federal prison for years for doing that. So the USPS is not secure in any sort of mathematical sense, but in practice most people trust it most of the time, because security isn't just about technical implementation details like encryption.

But if your data is such that it would be a “hardcore crime” to seek access to it fraudulently, or the main reason people would do so is to commit a “hardcore crime”, using an information channel that is only considered secure because of the social safeguard that breaching its trivial protection is itself a “hardcore crime” is probably foolhardy, since engaging in such a crime is a cost already accepted by the attackers you are concerned about.

That's true. However most of what people would prefer be confidential isn't data that would be sufficiently profitable to make risking federal prison rational. e.g. medical records. I don't want my medical records made public, but nobody is going to make themselves rich by violating my privacy.

So, for example, doctors using faxes makes a lot of sense. Maybe not for doctors with high profile celebrity or politician clients who value their privacy, but for the most part.

> However most of what people would prefer be confidential isn't data that would be sufficiently profitable to make risking federal prison rational.

(1) Don't assume you know all potential criminals’ utility functions (especially, don't assume all of their utility is financial), and, more important

(2) Don't presume crime is usually rational, in the first place.

It's not so much a presumption as an observation that the system works most of the time for most people. Yes there are edge cases, nobody would deny that.

I am quite certain the reason this works is analog vs digital.

You can only pull off something like this in the analog world a couple of times max, before you are caught and sentenced. And the average expected outcome (expressed in some financial unit) is probably quite small. Alternatively, the (financial) costs in the analog world are higher than the expected gains, so no sane person would bother trying.

It is probably equally small for doing similar things digitally (like over the internet) BUT you can expect to be able to perform it multiple times over AND if you choose your country of residence sensibly, you will not go to jail - ever.

We can probably model this something like this:

    Expected Outcome:
    (1 - probabilityOfGettingCaught)^timesExecuted * timesExecuted * money
    The more often executed, the more likely to be caught

    (1 - .1)^10 * 10 * 10,000 ~= 35k

    (1 - .00001)^100,000 * 100,000 * 10 ~= 370k

    Digital, safe location:
    (1 - 0)^100,000 * 100,000 * 10 ~= 1m

Not necessarily - if your all-in-one printer/fax/scanner combo machine is also connected to both the POTS and your internal network (as most probably are), it can be used as an attack vector: https://blog.checkpoint.com/2018/08/12/faxploit-hp-printer-f...

> Fax machine -> fax machine : secure

Not even close.

I can think of a lot of advantages to using old-school faxes, but security is not one of them. In fact, the complete lack of security is a big disadvantage to using old-school faxes.

One of my former clients was eFax, which parlayed the money it earned from eFax subscriptions into becoming a publicly-traded internet holding company behemoth. They own dozens of second-tier internet media and e-telecommunications sites.

There's a lot of money in fax.

If you have a number that can receive fax, then getting stuff into a format that you can use becomes the sender's problem.

It's a 0-trust system!

faxzero.com is awesome. Free for the sender.

