
Privacy and security of notes in Evernote



Various paperwork started taking over my life, so I got an idea to start scanning it with Office Lens and storing it in an Evernote notebook. Is anyone using it for something like that, and are there any concerns regarding security and privacy? Among other things, I would store there some not-so-critical contracts, which probably might be abused if somebody with ill intentions gained access to them.

Any thoughts or additional information on that?

Link to comment
  • Level 5

Some reading stuff, with links to further information:

https://evernote.com/intl/en/security

The main problem when breaches were reported in the forum is usually that a user is making initial mistakes in setting up the account. These mistakes can lead to a compromised account. In many cases even then the hackers enter, use the EN search function to look for cryptocurrency keys, steal them (if stored in EN) and move on.

What to avoid, what to do?

1) You can check if your user (mail address) is in one of many large security breaches circulating on the Internet on these websites. No breach at EN where user information was stolen, fingers crossed, but you probably use your mail address on many other services as well:

They use different data sources, so maybe check them all. If your user was compromised in the past, you should think about changing it.
 
2) Only use a strong and unique password with your account. A password manager can help to generate it, and to keep track.

BTW some people use EN to store passwords. It is not built for that, and nobody should use it that way.

3) Enable 2FA. When on a subscription, you can use any authenticator app, even if EN continues to ask for the Google Authenticator. No, any app that generates 2FA codes will do. I use Authy, an app designed to generate codes on several devices.

Free users can only use code by messaging. Even if an app would be better, any 2FA is much better than none. If an account holds relevant information, it should not go without this layer of protection.

4) Avoid using a private EN account on a computer you don't control (like a work laptop, or even worse a public computer like the ones in libraries). If you need to, use the web client, and put the browser window to "Private" first.

5) Do not store monetarily valuable information like crypto-keys, access data to banking or shopping sites or account / password information in EN. It is not built for that sort of information. IMHO it is no problem to store general documents, tax information, income documents and the like there. It is secure for all sorts of documents, except the very few that need that extra notch of protection.

This is it, more or less. 

A word about scanning: The scanner built right into the app, behind the blue + button or in the new note - scan dialogue, is completely up to the job. There is no need to employ an external scanner like Office Lens. EN will do the OCR to make the scans searchable. The only thing to think about: The OCR result is embedded into the note. If you ever take the document outside of EN, the OCR will not move along with it.

  • Like 2
Link to comment

Thank you for this comprehensive response.

I do have MFA turned on and am reasonably confident nobody will be able to log in as me. Slight point of concern from my side are possibilities of breach from Evernote side, especially in regards with OCR capabilities, which I definitely like and count on, e.g. bad faith actor from their side being in a position to just see some notes in my notebooks containing personal information regarding my mortgage or bills I pay and archive there. I will never store any kind of ultra sensitive information like passwords or pins there, but examples noted in previous sentence are relatively exploitable if somebody competent gains access to them.

Also thanks for the built-in scanner recommendation, but at first glance, Office Lens does a much better job keeping text clear and adjusting page layout. Maybe I just need some more testing, but this was my first impression.

Link to comment
  • Level 5

On every service where things are stored outside of devices you control, it boils down to a question of trust. Because you can't go there and check, and even if you did, you see a huge rack with boxes and blinking lights, humming away. BTW these boxes in case of EN are located in Google data centers, with several distributed server locations, probably among the safest places on earth.

OCR is done by machines. EN says their staff is not allowed to access user data - all access is performed by bots (algorithms). The keys are under lock. Typical means in such a setup is for example that you always need at least 2 authorizations to open the key vault.

I doubt anybody would raise an eyebrow to see you pay a mortgage or your bills - I really don't bother about that sort of stuff in my account. It makes no sense to have a service like EN, and then not make use of it. It is very hard to monetize this knowledge - who would pay for it? Who is concerned already knows ...

Link to comment
  • Level 5

Scanning: Actually I employ 3 scanning solutions:

For bulk scanning, I use a ScanSnap ix500. It has a page feeder, is fast, scans duplex, solid scanning results and good software including OCR. I set the file name right after scanning, because it will become the notes title, and create the note through the import folder.

For everything with fewer pages, but serious scanning, I use the app ScannerPro on my iPhone. IMHO much better than OfficeLens in the scanning department, does OCR as well, and it has workflows that send scans into EN, ready with a notebook selection and standard tags.

For a fast scan, mainly 1 pagers, I use the built-in scanning of the EN app. It is always there when using the app, is quick and in general does a good job.

  • Like 1
Link to comment
10 hours ago, ibuljeta said:

Thank you for this comprehensive response.

I do have MFA turned on and am reasonably confident nobody will be able to log in as me. Slight point of concern from my side are possibilities of breach from Evernote side, especially in regards with OCR capabilities, which I definitely like and count on, e.g. bad faith actor from their side being in a position to just see some notes in my notebooks containing personal information regarding my mortgage or bills I pay and archive there.

I use PDF encryption for sensitive data, with extra info in the note for searching purposes. My open source scanning software (NAPS2) does it all in a few clicks: scanning, OCR, encryption and copying it into the EN import folder.

  • Like 2
Link to comment
