SecureMint

How to Convince Your Boss to Stop PPAP

PPAP (password-protected ZIP sent by email, with the password following in a second email) is still standard practice at many Japanese companies — even though the Japanese government (内閣府) officially abolished it in 2020. If you want to stop doing it but your boss won't budge, this guide gives you the authoritative references, the exact talking points, and a safer alternative to propose.

SecureMint uses zero-knowledge design. The server cannot read your data.

Steps

1. Cite the Cabinet Office (内閣府) 2020 abolishment

Japan's Cabinet Office announced in November 2020 that it would stop using PPAP internally. Major firms (NTT, SoftBank, Hitachi) followed. This is the strongest authority card.

2. Explain why PPAP is not secure

Both emails usually travel through the same channel — if one is intercepted, both are. ZipCrypto is cryptographically weak. Malware can hide inside password-protected ZIPs and evade filters.

3. Show the business risk

Gmail and Microsoft 365 now block encrypted ZIPs — your deliverables bounce back. Clients overseas may see it as unprofessional. This is a lost-deal risk, not just an IT issue.

4. Propose a concrete replacement

Propose link-based E2E-encrypted sharing (e.g. SecureMint) with per-link passwords shared over chat/phone. Show it takes the same or fewer steps than PPAP.

5. Offer a pilot

Suggest a 1-month trial on one team or one client relationship. Low commitment, easy to say yes to.
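To support the technical claims in step 2 with evidence from your own mail flow, the following added example (not part of the original guide and not SecureMint code) reads a ZIP's central directory and reports which entries declare legacy ZipCrypto, AES, or no encryption. The function names, the `policy` decision and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

AES_METHOD = 99  # WinZip AE-x marker stored in the compression-method field

def classify(info):
    """Label one archive entry by the protection its header declares."""
    if not info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted
        return "plaintext"
    if info.compress_type == AES_METHOD:
        return "aes"
    if info.flag_bits & 0x40:             # bit 6 = PKWARE strong encryption
        return "pkware-strong"
    return "zipcrypto"                    # legacy PKZIP stream cipher

def audit(data):
    """Return {entry name: label} for a ZIP held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def policy(report):
    """Hypothetical gateway decision: encrypted content cannot be scanned."""
    labels = set(report.values())
    if "zipcrypto" in labels:
        return "reject: weak legacy encryption"
    if labels - {"plaintext"}:
        return "quarantine: contents not inspectable"
    return "scan normally"

def constructed_sample(flags_and_methods):
    """Build a test ZIP, then patch its central-directory headers.

    Constructed data: only the header fields are altered, nothing is
    actually encrypted. Each tuple is (flag bits, compression method).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for n in range(len(flags_and_methods)):
            zf.writestr(f"file{n}.txt", b"sample")
    raw = bytearray(buf.getvalue())
    pos = -1
    for flags, method in flags_and_methods:
        pos = raw.index(b"PK\x01\x02", pos + 1)   # next central-directory entry
        struct.pack_into("<HH", raw, pos + 8, flags, method)
    return bytes(raw)
```

Running `audit` over a sample of archived outbound attachments gives a concrete count of ZipCrypto files to put in front of your boss.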

Why It's Secure

  • Japan's Cabinet Office (内閣府) officially stopped PPAP in November 2020.
  • NTT, SoftBank, Hitachi, and many other majors have published PPAP abolishment policies.
  • JIPDEC and IPA Japan have warned about PPAP risks repeatedly.
  • Microsoft Defender for Office 365 explicitly flags password-protected archives.

FAQ

My boss says 'PPAP is what everyone does'. What do I say?
Cite the Cabinet Office 2020 abolishment and the public announcements by NTT, SoftBank, Hitachi. 'Everyone' already stopped — your company is behind.

What if the client insists on PPAP?
Offer a SecureMint link with a strong password delivered by phone. If they insist, comply once but document it and escalate — many major clients now prohibit PPAP.

Is this just a security theater issue?
No — real incidents of data leaks via intercepted PPAP emails and malware hidden in encrypted ZIPs have been documented by IPA. It's a concrete, measured risk.