Sensitive Documents


  • Level 5

No, it is unsafe, if you work for the North Korean government. This I can tell for sure, but not much more. You do not post where in the world you are located. So we excluded 1 country, leaving 199 (depending on the count) open for discourse.

2 relevant pieces of information may be this - it is stated for EN Teams, but is the same for the whole service:

[Screenshot: SCR-20220302-1bf]

  • Like 1
Link to comment

Hey everyone, this is what I do.

Please tell me if you think this is a safe procedure.

I scan all documents into PDFs on the SwiftScan app on my iPhone.

SwiftScan has an option to encrypt a PDF. If any doc I feel is sensitive, I encrypt it. It is a simple process and works quite well.

Generally, daily I upload all the latest files to a Dropbox import folder.

When I invoke Evernote on the PC the files are imported, and if I wish to view the encrypted file/s I type in the password.

I have been doing this ever since V10 came out without local notebooks; however, I am still using legacy.

  • Like 2
Link to comment
  • Level 5

If the question is whether this is safe enough: Probably yes.

If the question is whether this is compliant for use with governmental information, in most western jurisdictions: Most likely not - because in that case all elements used must have been audited before.

How do you know that SwiftScan will not keep a copy and send it to a C&C server? How sure are you about the encryption algorithm? How sure are you that SwiftScan is not using a poisoned SDK, that does bad things without Swift even knowing about it? Etc …

  • Like 1
Link to comment
  • Level 5

Personally I warn against dropping a word like "encryption", and think everything would be said.

EN in itself is secure - this means secure enough for any regular type of information or document.

Would I store the secret strawberry-cake recipe of my grandma? Yes

Would I store my tax declaration (my own)? Yes

Would I store the tax declaration of my clients? No, I would violate the special trust of my client-consultant relation by using a non-audited tool.

Would I store my own medical records? Yes

Would I store the medical records of my patients? No, since it is not HIPAA-compliant.

Would I store my passwords? No, even if they are my passwords, I use a specially protected service for that.

Would I store my bitcoin wallet key? No, it is not safe enough for this sort of information. No server connected to the web is secure enough!

Enough examples to decide what is what?

You can use an external tool to encrypt any file with a very high level of encryption, and store the encrypted file in EN. Even if this may look very secure, when it is not audited it probably violates some legislation, depending on the place under the sun where you are and do your business.

  • Like 1
Link to comment

If you work for the government, and if you handle government documents, then you may have an approved IT specialist or consultant in your department. You should consult with that IT specialist or consultant about what procedures and applications are appropriate.

I work for the State of Kansas. I have a personal computer (owned by me) and a work computer (owned by the state). I do not connect the two computers. I do not download unapproved applications on the work computer—so I cannot use Evernote, Todoist, or 1Password (my preferred applications). It hurts productivity, but it preserves institutional security and prevents personal liability.

If you download government documents to Evernote, Dropbox, etc. on a personal account, then you have "shared" those government documents with third parties, encrypted or not. I would recommend consulting with your approved IT specialist or consultant. Anything else could be "fine" but it would not be "best practice."

Hope this helps.

  • Like 5
Link to comment
  • Level 5*

The whole subject of security is too complicated and involved to go into properly as a single post. Broadly, your information is as safe as it reasonably can be with Evernote - something on a par with internet banking; so if you bank online, you could use Evernote for your document storage.

If you really REALLY don't ever want anyone to see your content, don't save it online at all - I've confessed several times here that my Secret Plans for World Domination are on paper in my desk drawer (with my lotto numbers...). Having said that I have also worked for government agencies and Evernote would not have been an accepted storage for any work documentation. The only authorised servers were local and work-controlled and access to the internet was highly restricted.

Just bear in mind that if you have access to your notes, someone else pretending to be you can also get access. The safer you keep your user details, and the more secure your own access, the more protected your data is.

  • Like 2
Link to comment

@Beartooth Obviously there is a lot of passion about the subject. I've taken some of the steps mentioned above, as well as some others such as USB storage with physical keys. It really depends on the material. Build yourself a list of the items you want to protect. Figure out if there are legal requirements (employee info, medical, etc.) and make sure you're following them first. Make sure you're running good and updated antivirus/malware. The rest has been said already. Have fun.

Link to comment