TL;DR:
- Zero-knowledge means sharing where the content is encrypted before it leaves your device: the server that hosts or transports it cannot read it.
- PrivateBin is ideal for sharing short, sensitive information (passwords, instructions, excerpts) with expiration and a burn after reading option.
- For Bill 25 (Loi 25), the goal is to demonstrate proportionate security measures, maintain an incident register, and conduct a PIA (Privacy Impact Assessment) in certain cases (often when third-party services or transfers outside Quebec are involved).
- The simple best practice: PrivateBin link + password sent separately, with a short expiration (10 minutes to 24 hours).
- Impact: fewer secrets in emails and chats, fewer permanent links, and less damage if a provider or server is compromised.
Let's be honest: in SMEs, non-profits and educational settings, sensitive information is shared every day. A password. A student list. An HR file. An incident report. A grant application.
And too often, it ends up in an email, an attached PDF, or a "shared with everyone" link that will remain active... long after the urgency has passed.
So-called zero-knowledge solutions address a very concrete need: sharing quickly, without the service that transports or hosts the information being able to read it. In other words, even if the server is hacked, the attacker mostly steals... gibberish.
In this article, we discuss PrivateBin (the classic tool), and a simple way to integrate it into your practices while staying aligned with Bill 25 (Loi 25).
Introduction: the problem isn't bad intentions, it's daily life
"Quick" sharing is often the enemy of confidentiality. Not because teams don't care, but because they want things to work.
- "I'll send it to you right away."
- "I'll put it in the chat."
- "I'll forward you the email with the attachment."
- "I created a link, you can open it whenever you want."
The result is predictable: personal information ends up duplicated everywhere, with no clear control. And when you want to clean up, it's too late. The copies already exist.
Zero-knowledge doesn't solve all governance issues, but it provides a huge advantage: it makes bad sharing less dangerous.
1) Zero-knowledge: the mental image that really helps
Think of three levels of sharing.
- Email + attachment
- Classic cloud link
- Zero-knowledge
In practice, the third level means: encryption happens client-side (in the browser or application) before anything is sent. The server stores encrypted content, period, and never holds the key needed to read it.
2) Why it's relevant for Bill 25 (without turning your organization into a law firm)
Quick reminder: this is not legal advice. It's a "field" reading of organizational reality.
Bill 25 doesn't tell you: "use PrivateBin." It tells you, in essence: take reasonable and demonstrable measures.
Concretely, this touches at least four reflexes.
2.1 Proportionate security measures
The more sensitive the data, the stronger your measures need to be. Zero-knowledge is a very defensible argument, because it reduces the exposure surface.
2.2 Incident register and management
When an incident occurs (wrong recipient, public link, compromised inbox), you must be able to document it, assess the risk, and notify if necessary. Having tools that limit the impact helps with both security and due diligence.
2.3 PIA when cloud services or transfers outside Quebec are involved
As soon as you entrust a third party with a task involving personal information, especially outside Quebec, the PIA (Privacy Impact Assessment) and written agreement quickly come back into the discussion. Zero-knowledge doesn't "eliminate" the obligation, but it can reduce the identified risks.
2.4 Accountability: you remain responsible
Even if an external provider hosts the data, your organization must be able to explain its choices.
3) PrivateBin: the simplest tool to stop sending secrets by email
PrivateBin is the pastebin that grew up and learned discretion.
It's used for sharing:
- temporary passwords
- document excerpts (HR, finance, records)
- sensitive instructions
- diagnostic information (e.g. "here's the admin access while we fix this")
- internal notes between managers
What PrivateBin does very well
- browser-side encryption (zero-knowledge)
- expiration (10 minutes, 1 day, etc.)
- burn after reading option
- additional password protection
- simple self-hosted installation
What PrivateBin doesn't do for you
- choose a strong password
- prevent an employee from copying and pasting elsewhere
- protect a compromised workstation
- prevent a link from leaking
In short: PrivateBin is excellent for preventing your secret from travelling through systems that read it in plain text. But it's still sharing. So a bit of discipline is needed.
4) The real user guide (SME-friendly): a 90-second procedure
Here is a procedure that Blue Fox often recommends, because it's simple, memorable, and realistic.
Step A: create the note in PrivateBin
- Short expiration (e.g. 1 day maximum, often 10 minutes is enough)
- Enable "burn after reading" if it's truly a one-time secret
- Add a password if the information is sensitive (usually yes)
- Avoid pasting unnecessary information (minimization)
Step B: share via two channels
- Channel 1: the PrivateBin link
- Channel 2: the password (SMS, phone call, encrypted messaging, or even a second internal email address if you have nothing else)
Why? Because the PrivateBin link itself carries the decryption key, in the fragment after the "#" (the part of the URL the browser never sends to the server). Anyone holding the full link can decrypt the note; the password is the only thing standing between them and the content. If someone obtains both the link and the password, it's game over. Separating channels dramatically reduces the risk.
Step C: close the loop
- "Confirm when you've received it."
- If it's critical: use the burn after reading option
- If it's an access credential: change the password after use
5) The 6 mistakes we see all the time (and how to avoid them)
- Expiration set too long: keep it short (1 day maximum, often 10 minutes is enough)
- No password "because the link is already secret": the link carries the key, so anyone who sees it can read the note; add a password and send it separately
- Unknown public instance: you have no idea who runs it or how; use a trusted instance, ideally self-hosted
- No HTTPS (or misconfigured): the link, and with it the key, travels in plain text
- Pasting too much: share only what the recipient needs (minimization)
- Forgetting the "after": confirm receipt, burn the note, rotate the credential
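For a self-hosted instance, most of step A and the first four mistakes above can be enforced server-side rather than left to each user. The following conf.php fragment is an added example, not configuration from the article or from the PrivateBin project; key names follow PrivateBin's conf.sample.php as I know them (main, expire and expire_options sections), so check them against the sample shipped with your version before copying. Each comment names the permissive value the line replaces.

```ini
; Added example: hardened conf.php for a self-hosted PrivateBin instance.
; Assumption: key names and section names match PrivateBin's conf.sample.php;
; verify against the sample file of your installed version.

[main]
; discussion/opendiscussion: off (sample default), comments would keep a
; "one-time" secret alive and readable for longer than intended
discussion = false
opendiscussion = false
; password: keep the password field available (step A relies on it)
password = true
; fileupload: sample default is false; the article's point is that PrivateBin
; is for short secrets, not files, so leave uploads disabled
fileupload = false
; burnafterreadingselected: sample default false -> true, so the
; "burn after reading" box is pre-ticked and a user has to opt out of it
burnafterreadingselected = true
; httpwarning: keep true so users are warned if they reach the instance
; over plain HTTP instead of HTTPS (mistake 4)
httpwarning = true
; sizelimit: sample default is 10485760 (10 MiB); a small limit makes
; "pasting too much" (mistake 5) physically impossible
sizelimit = 65536

[expire]
; default: sample default is "1week" -> "10min", the article's
; "often enough" value becomes what users get without thinking about it
default = "10min"

[expire_options]
; trimmed list: the longest option offered is 1 day ("1 day maximum"),
; so "expiration set too long" (mistake 1) cannot be picked by accident
5min = 300
10min = 600
1hour = 3600
1day = 86400
```

The expire default must be one of the labels listed under expire_options, which is why "10min" stays in the trimmed list.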
6) What about files, not just text?
PrivateBin can handle attachments depending on the configuration, but let's be honest: it's not the ideal tool for complete folders.
In a zero-knowledge toolbox, a trio is often appreciated:
A) PrivateBin for short secrets
Passwords, instructions, excerpts, keys.
B) A zero-knowledge collaborative suite for working (if needed)
Typical example: governance documents, HR, planning, projects. The benefit is the same: the host cannot see the content.
C) A one-time file sending tool that doesn't depend on a cloud
If you need to send a sensitive file to an external partner without giving them permanent access, OnionShare is an interesting option: it creates a temporary share and can shut down automatically after the download.
We're not saying it's the solution for everyone. We're saying it's an excellent "special case" option when you want to avoid cloud links that linger.
7) Concrete implementation examples (SMEs, non-profits, education)
Example 1: Professional services SME (IT, accounting, engineering)
Problem: exchanging client passwords and admin access in email threads.
Implementation:
- Self-hosted PrivateBin
- Internal rule: "no passwords by email"
- Message template: "I'm sending you a link + separate password"
- Credential rotation after each intervention
Result: you eliminate a major source of "dumb" and recurring incidents.
Example 2: Non-profit with volunteers and turnover
Problem: sensitive documents (participants, personal situations) circulating via reused links.
Implementation:
- Secrets and one-time information via PrivateBin
- Files via temporary sharing, systematic expiration
- Volunteer departure checklist: access revocation, password rotation
Result: the reality of turnover becomes less risky.
Example 3: Educational settings and student services
Problem: intervention plans, follow-ups, supporting documents sent by email.
Implementation:
- Sensitive text sharing: PrivateBin (e.g. instructions, codes, one-time details)
- File sharing: secure repository with minimal access, or one-time ephemeral sending as needed
- Awareness: "no complete files in an email thread"
Result: fewer scattered copies, better lifecycle control.
Example 4: SME HR (or management) and sensitive internal documents
Problem: disciplinary letters, employee files, evaluations shared in chats.
Implementation:
- PrivateBin for excerpts and instructions
- Central encrypted folder for official documents
- Role-based access, not "who's in the conversation"
Result: you prevent confidentiality from depending on a messaging channel.
Blue Fox's position
Zero-knowledge is an excellent way to restore "default" confidentiality in daily operations, without asking your teams to become experts.
But we insist on one point: the best technology in the world doesn't replace a simple rule.
We recommend a pragmatic approach:
- One tool for short secrets (PrivateBin).
- Short expirations and burn after reading when applicable.
- A second channel for the password.
- A trusted instance, ideally self-hosted for organizations handling sensitive data.
- A one-page policy, clear and enforced.
It's rarely more complicated than that. And the impact is immediate.
Sources and references
- Commission d'accès à l'information du Québec: confidentiality incidents (businesses), register, notice, risk of serious harm.
- Commission d'accès à l'information du Québec: key amendments (including PIA before communication outside Quebec).
- Commission d'accès à l'information du Québec: use and communication of personal information (businesses, communication outside Quebec, PIA, written agreement).
- Government of Quebec: communication or performance of a task involving personal information outside Quebec (PIA, adequate protection, written agreement).
- PrivateBin (GitHub): zero-knowledge principle, features (expiration, burn after reading), limitations and warnings (trust, JavaScript, HTTPS).
- PrivateBin (official website): options and warning in case of compromised instance.
- OnionShare: "How OnionShare Works" documentation (temporary sharing, automatic shutdown, best practices).
#Bill25 #Privacy #Cybersecurity #SME #NonProfit #Education #DigitalSovereignty #OpenSource