WeTransfer Security, Privacy Risks, and Alternatives


WeTransfer security and privacy have become a hot topic since the company recently added AI usage to its privacy policy.

This, along with past security breaches, data collection, monitoring, and the lack of end-to-end encryption, has caused many people to question whether WeTransfer is a security risk.

Therefore, this article will take a look at WeTransfer security, privacy policy, and other alternatives available so you can gain total privacy and peace of mind when sharing your files online.


What is WeTransfer and how does it work?

WeTransfer is an online file-sharing platform for sending large files over the internet, such as photos, videos, and files that may be too large to send via email or messaging apps.

It offers paid and free accounts, with paid accounts offering more features such as unlimited file-sharing, malware detection, custom branding, and adding team members.

Sharing files for free is easy enough; you upload your files to the website, enter the recipient’s email address, and it sends them a link to download the files. Free accounts are limited to 2GB, which is smaller than other platforms, such as Internxt Send, which offers unlimited and zero-knowledge encrypted file sharing for up to 5GB.

WeTransfer pricing

WeTransfer offers monthly and annual plans for personal, team, and enterprise use. Below is a breakdown of the WeTransfer pricing structure and the features of each plan.

Free
  • Share and receive up to 3 GB / month
  • 10 transfers per month
  • Transfer expiry up to 3 days

(Individual, non-commercial use only)

Ultimate: €23/month

Everything in the free plan, plus:

  • Share and receive without limits
  • Unlimited transfers per month
  • Unlimited transfer expiration
  • Custom branding per transfer
  • Automatic malware scanning
  • Subscriber benefits

(Individual use only)

Teams: €30/month, up to 25 members

Everything in the Ultimate plan, plus:

  • Invite your team members
  • Up to 25 members in your team
  • Centralized billing

Enterprise: Custom, contact WeTransfer

Everything in the Teams plan, plus:

  • Unlimited members in your team
  • Custom transfer rules
  • Premium support
  • Single sign-on (SSO)
  • Advanced access management
  • Usage and security logs

Is WeTransfer a security risk? WeTransfer security features


Encryption

The WeTransfer security features that protect your data include Transport Layer Security (TLS) and AES-256 encryption, which encrypts files during the upload and download process.

However, WeTransfer doesn’t implement zero-knowledge encryption in its service. Instead, the company retains full control over the encryption and decryption keys.

This means the files are encrypted and decrypted on WeTransfer’s servers, as opposed to directly on your device. As with cloud storage providers that don’t offer zero-knowledge encryption (Google Drive, Dropbox, OneDrive, etc.), because the keys are held on its own servers, WeTransfer, or anyone with access to its servers, could read the content you share.

In contrast, cloud storage and file-sharing providers that use zero-knowledge encryption ensure that only the sender and recipient can decrypt the files, making those services less of a security risk.
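The difference described above can be seen in a short Node.js sketch, added here as an illustration and not taken from WeTransfer's or Internxt's code. It encrypts a file on the sender's device with AES-256-GCM, so the host only ever stores ciphertext; the function names, the blob layout, and the passphrase-based key (scrypt) are assumptions made for this example.

```javascript
const crypto = require("node:crypto");

// Constructed 4-byte tag for this sketch; not a real file format.
const MAGIC = Buffer.from("E2E1");

// The key comes from a passphrase that only sender and recipient know.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32); // 256-bit key
}

// Runs on the sender's device, before anything is uploaded.
function encryptForUpload(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce for every file
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  cipher.setAAD(MAGIC); // bind the format tag to the ciphertext
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Layout: tag(4) | salt(16) | iv(12) | authTag(16) | ciphertext
  return Buffer.concat([MAGIC, salt, iv, cipher.getAuthTag(), body]);
}

// Runs on the recipient's device, after the blob is downloaded.
function decryptDownload(blob, passphrase) {
  if (blob.length < 48 || !blob.subarray(0, 4).equals(MAGIC)) {
    throw new Error("not an encrypted blob");
  }
  const salt = blob.subarray(4, 20);
  const iv = blob.subarray(20, 32);
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(blob.subarray(32, 48));
  // final() throws if the key is wrong or the stored blob was modified.
  return Buffer.concat([decipher.update(blob.subarray(48)), decipher.final()]);
}

// What a party holding only the stored blob can do: true only with the passphrase.
function canOpen(blob, passphrase) {
  try {
    decryptDownload(blob, passphrase);
    return true;
  } catch {
    return false;
  }
}
```

The passphrase has to reach the recipient over a separate channel from the download link; if both travel in the same email, whoever reads that email can decrypt the file.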

WeTransfer privacy policy

According to its privacy policy, WeTransfer collects personal data from users through three main sources:

  1. Information you provide
  2. Information collected automatically
  3. Information received from other sources

When reading the privacy policy, we can see that WeTransfer collects a lot of data about you and your activities.

Personal data

As well as collecting your basic information like name, email, and billing details, WeTransfer also collects information from your

"files, photos, videos, audio, metadata, messages, comments, reviews, and descriptions."

As a result, your files are not truly shared in privacy due to the amount of information that can be viewed, especially as WeTransfer security doesn’t use full end-to-end encryption of your files.

Device and location tracking

WeTransfer collects technical data from your devices, such as the

"device model, OS, IP address, system language, device ID" and uses this to determine "your approximate (geo)location, such as the city or country you reside in."

For a service that offers simple file sharing, this level of tracking is way too intrusive and more of a security risk if you want to maintain a level of privacy online.

User profiling

WeTransfer admits to collecting "inferred information" such as "attributes (e.g. age-range) and interests based on your data."

This data can then be used for internal analytics, personalization, or shared with marketing and advertising partners. They specifically mention receiving

"inferences from certain advertising or marketing partners,"

Sharing data with third parties increases the risk of a data breach significantly, so you should exercise caution when entering any kind of information on WeTransfer, as it can receive your

"email address, user ID, and public profile."

Data retention

Many platforms will delete your files once you have finished using the service; however, with WeTransfer, this is not the case.

Files you upload are stored for 3 days for free users, or up to a year for paid users. The longer the files sit on the WeTransfer servers, the greater the risk of hackers or unauthorized parties viewing them.

Even if your files are deleted, your metadata, IP address, and location may still be stored, contributing to a bigger security risk due to the long-term profiling of your information.

Content moderation

Finally, within this policy, WeTransfer can remove files, suspend your account, and/or report you to the authorities if the following content is shared on its platform.

  • Illegal content or content that encourages illegal activity
  • Content that infringes on intellectual property rights
  • Hate speech, threats, or harassment
  • Pornography or sexually explicit content
  • Violent content or content that encourages violence
  • Deceptive content, including scams, deep fakes, fake news, conspiracy theories, etc.
  • Content that's inappropriate for minors
  • Content promoting or glorifying extremist groups or ideologies
  • Content relating to self-harm or suicide
  • Content that invades an individual's privacy or violates their rights
  • Content that depicts or glorifies the exploitation of children

WeTransfer terms of service update

WeTransfer recently faced backlash when it expanded its terms of service to include AI and machine learning training on the files you upload to the platform.

Aside from the privacy concerns of AI scanning your content, it faced rightfully harsh criticism because of the lack of clarity regarding how WeTransfer presented this feature. The main problems were:

  • It was too broad, extending to features beyond what’s needed for a file-sharing service to operate.
  • Vague language. Many people read the terms of service and were unsure whether the content they uploaded would be used to train AI and to make money from their work.
  • Lack of consent. There was no opt-out, data segmentation, or clarification about the scope of how AI would be used in the platform.

As a result of the backlash, WeTransfer updated its terms, clarifying that it does not use customer data to train AI, nor does it sell or share content with third parties.

WeTransfer isn’t the only company to backtrack on its use of AI; Adobe, Zoom, Dropbox, and Slack all modified their privacy policy to include AI use, but quickly edited them after user complaints.

WeTransfer security breach 2019

In 2019, a system error led to a security incident where many user emails were leaked, and the download links of user files were delivered to the wrong recipients.

The leak affected the delivery of user files for two days, so when users uploaded files to share with specific recipients, the system mistakenly sent the download links to unrelated third parties.


This caused a massive security risk for WeTransfer users, as during this period, confidential documents, personal data, and private files could be accessed by people who were never meant to receive this sensitive information.

Although WeTransfer took action by disabling affected transfers, logging out all users, and launching an investigation, the incident highlights concerns about the lack of WeTransfer security.

WeTransfer security and industry standards

WeTransfer is based in the Netherlands, so it must comply with Dutch and EU laws, including the GDPR.

The Netherlands has been known to give the government power to monitor internet traffic and collect data, and it’s also part of the 5/9/14 Eyes alliance, meaning it could share your files with foreign governments if intelligence agencies feel it's relevant.

Although GDPR compliant, WeTransfer security protocols do not meet several industry data standards, including:

  • Payment Card Industry (PCI) Data Security Standard
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Federal Information Security Management Act (FISMA)
  • Association of International Certified Public Accountants (AICPA) Service Organization Controls Standard

WeTransfer security and privacy risks

As is the case with many scam attempts, scammers can spoof emails to look like a genuine email from WeTransfer. The email sends you to a fake website that’s infected with malware, or to a spoofed version of WeTransfer asking you to enter your password, which cybercriminals will then use to access your accounts.

Always check suspicious links by verifying the email and hovering over the link to see if it’s genuine. If you receive an email out of nowhere, take extra caution, as it could be a scam attempt.
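The check you make when hovering over a link can be written down as code. The sketch below is an added example, not a WeTransfer or Internxt tool; the trusted-domain list and all sample URLs in the tests are assumptions constructed for illustration, so confirm the real sending domains with the vendor before relying on it.

```javascript
// Domains assumed to be legitimate for this sketch; verify against the vendor's own list.
const TRUSTED = ["wetransfer.com", "we.tl"];

// Returns { ok, reason } for a link taken from an email.
function checkLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // "https://trusted.com@other.host/" really points at other.host.
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  // The URL parser converts non-ASCII lookalike letters to punycode (xn--...).
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host.startsWith("xn--") || host.includes(".xn--")) {
    return { ok: false, reason: "punycode (lookalike) hostname" };
  }
  // Match the registered domain at the END of the hostname, never as a substring:
  // "wetransfer.com.something.example" is controlled by "something.example".
  const trusted = TRUSTED.some((d) => host === d || host.endsWith("." + d));
  return trusted
    ? { ok: true, reason: "trusted host" }
    : { ok: false, reason: "host " + host + " is not a trusted domain" };
}
```

A passing result only says where the link points; the sender address and whether you expected a transfer still need to be checked.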

Malware and phishing

If your email has leaked online, then anyone can send you malware files using WeTransfer. A free account also doesn’t include additional WeTransfer security features, such as malware scanning, which increases the risk of malware being installed on your device.  

To prevent this, check out our article on how to spot phishing emails, and use services like Internxt antivirus to scan and delete malware from your device.

Data interception

There are other vulnerabilities in the WeTransfer communication architecture, since the files are only encrypted during upload and storage; if a hacker intercepts files during the upload process or before encryption is applied, they will gain access to their contents.

WeTransfer alternatives

Internxt Send

Internxt Send provides free, unlimited file transfers with zero-knowledge and end-to-end encryption to send up to 5GB of photos, files, and videos in total privacy. All files are encrypted on your device, so nobody except you and the people you share your files with can access them.

Internxt is a company with a mission to provide privacy for everyone online, so we never collect or share your data with third parties.

On top of Send, Internxt also provides post-quantum encrypted cloud storage, which also includes private file sharing for files up to 10GB. Paid Internxt plans also include an Antivirus to protect your device from malware, a VPN to keep you safe on public wifi, and will soon include a Dark Web Monitor, Device Cleaner, Mail, and Meet.

It also includes free tools to help you stay anonymous online, including a metadata remover, a dark web monitor, and a temporary email.

Internxt plans start from €3/month, with lifetime plans also available. If you’re looking for a fully private alternative to WeTransfer and other services like Google Drive and Dropbox, switch to Internxt today!


OnionShare

If you have a more extensive knowledge of online tools and services, you can also try OnionShare.

This service lets you share files over the Tor network, giving you a temporary server on your computer, and a unique .onion URL. For increased privacy, files aren’t uploaded to external servers; they stay on your computer until the recipient downloads them. Once downloaded or the app is closed, the link will stop working.

You can use this service without creating an account, and no one can access the file without the exact .onion URL. Because it runs through Tor, your IP address and identity are hidden.

SwissTransfer

SwissTransfer is a free file-sharing service developed by Infomaniak, a Swiss company known for its privacy-friendly policies.

It allows file sharing for up to 50GB, and although it’s based in Switzerland, known for its strict data protection laws, it is not suitable for sending highly sensitive information because the service controls the encryption keys.

For a free, uncomplicated, and private method to share files, try Internxt Send to keep your files safe from data breaches, AI scanning, and government spying.