Sendstone
Sendstone is a free-tier file transfer service, similar to WeTransfer, used intermittently by various members of staff to send files that are too large for email and for which SharePoint sharing either did not occur to them or produced an error that they did not want to spend time investigating.
It is not one person’s shadow IT. It is everyone’s shadow IT, used independently and without coordination, which makes it harder to scope than a workspace one person owns or a group one person created. Staff have used Sendstone to send files to the Consortium, to external veterinary consultants, to grant funders requesting supporting documentation, to journalists, to the print company that produces the Adopt-a-Legend welcome packs, and on at least two occasions to each other, because sending a file via Sendstone and sharing the link was faster than navigating SharePoint’s external sharing configuration.
The service requires no account for basic use. You drag the files in, enter a recipient email address, and send. The recipient receives a link. The link is valid for seven days. After seven days, Sendstone deletes the files from its servers, according to its terms of service. What Sendstone does with the files during those seven days, and what data it retains about transfers after they are deleted, is addressed in its privacy policy, which has not been reviewed by the Home.
What has gone through it
A full inventory of Sendstone transfers is not possible because the service does not require an account and therefore no central record exists. What is known comes from a combination of email trails, staff recollections, and a discovery made during an unrelated review of the programmes team’s outgoing email.
Known transfers include: a Bestiary data export sent to an external veterinary specialist for a case review, containing records for seven residents including full medical histories; a volunteer contact list sent to the event coordinator for the Home’s annual fundraising dinner, containing names, personal email addresses, and telephone numbers for 340 volunteers; three grant applications with supporting budgets sent to funding bodies in Germany and the Netherlands; and a folder of photographs from the therapy programme sent to a journalist writing a feature on creature welfare in Ankh-Morpork, which was the least sensitive transfer but the one that most clearly illustrated that the process had no oversight.
The Bestiary export is the item of most concern. The external specialist received the files, completed the case review, and billed the Home. Whether the files were downloaded before the Sendstone link expired is not known. Whether they were retained afterwards is not known. The specialist was not operating under a Data Processing Agreement with the Home at the time of the transfer. A DPA was subsequently drafted after the programmes team raised the case with the Data Protection Officer for a different reason.
How it came to IT’s attention
The programmes coordinator mentioned Sendstone during a routine conversation with the IT coordinator about large file sharing options, specifically to ask whether there was an approved alternative because Sendstone “sometimes blocks things and it is a bit annoying”. The IT coordinator’s response to learning that Sendstone was in active use was professional. The conversation that followed was productive. The IT coordinator’s notes from that conversation are the primary source of information about Sendstone’s use at the Home.
The SharePoint external sharing configuration, which would have addressed the underlying need if it had been working reliably, was reviewed and corrected the following week. The correction involved a tenant-level setting that had been in a restrictive state since a policy change fourteen months prior, when an unrelated external sharing incident had prompted a blanket tightening that was intended to be temporary and had not been revisited.
Current status
IT has communicated to all staff that Sendstone and similar personal file transfer services are not approved for organisational use and should not be used for files containing personal data or confidential information. The communication went out by email. It was read by an unknown proportion of staff. The SharePoint external sharing workflow now functions correctly for most cases.
Sendstone continues to receive occasional use. This is known because three staff members have mentioned it since the communication went out, in contexts that suggested they had not connected the communication to the tool they were using. The pattern is not defiance. It is the natural half-life of a habit that was convenient and is now slightly less convenient than the approved alternative.