Jump to content

Privacy concerns


Go to solution Solved by PaperlessBrian,

Recommended Posts

Posted

First off, I'm very happy to see a revival of Evernote.  The addition of an AI search is good move though it does need some work.  While it helped me find a difficult to find (and mistagged) invoice - "Help me find that darn invoice from the company that installed my water heater" it got confused by "W-2" and instead of finding my W-2 tax form it searched for "week 2".. odd.

On to my question...  I've compared Evernote, Dropbox, Google Docs, Apple Notes, and Paperless-NGX against all of my paperless needs and Evernote is the clear winner except for the most important category - PRIVACY.  I have a few questions and perhaps a feature request that would really set you apart.

Questions:

  • Is it possible to encrypt an entire note (or it's PDF attachment already inside Evernote)?  If yes, will the search still function with that note?  (i.e. Is the key stored in the Evernote local client.)
  • Is the AI search trained on your customer data?

My guess is that the answer to the above questions is no.  In that case I have a KILLER $$ idea for Evernote that probably wouldn't be that difficult to build.  Nearly every cloud storage service currently has "zero knowledge encryption" which basically means that their local application performs the encryption/decryption and the cloud company doesn't know the encryption keys.  You could build this into the Evernote Mac/Windows client such that even if data was leaked by Evernote, it would still be encrypted.  Search may be compromised but not if the AI search engine executed on the client side (post decryption).

Dropbox requires customers to upgrade to a business account for this feature which is roughly $15 more a month.  I. WOULD. PAY. THAT.  This would certainly drive me me to upgrade to Pro.  My use case:  TAXES..  I really don't want this information leaked.  Recipes, phone bills, etc.. Don't care.  Taxes.. DO CARE.  You could link this encryption to a notebook for each of use.

What say you, Evernote?

  • Level 5
Posted

Zero knowledge encryption does not allow for a server based search index working the same on all devices. What is information worth that you are not able to locate when you need it ?

You can encrypt most files (and PDFs for sure) before uploading them. Problem solved.

The AI bots will not use users data to train their models - at least that’s what declared in the AI disclosure statement. Trust it or not, this depends entirely on yourself. Problem solved.

The rest of the story is really simple: Trust EN to protect your data properly, and use the service. Don’t trust, and stop using it.

There is no cloud, there is just another computer (aka server) holding your data. Honestly, if that’s what’s bugging you, get a NAS and host your data yourself.

Posted
16 minutes ago, PinkElephant said:

Zero knowledge encryption does not allow for a server based search index working the same on all devices. What is information worth that you are not able to locate when you need it ?

You can encrypt most files (and PDFs for sure) before uploading them. Problem solved.

The AI bots will not use users data to train their models - at least that’s what declared in the AI disclosure statement. Trust it or not, this depends entirely on yourself. Problem solved.

The rest of the story is really simple: Trust EN to protect your data properly, and use the service. Don’t trust, and stop using it.

There is no cloud, there is just another computer (aka server) holding your data. Honestly, if that’s what’s bugging you, get a NAS and host your data yourself.

While I appreciate your response, I think you're missing the entire point here.  I already said this would require a local index but if that's not possible, I'd still trade searchability for security.  I can easily put the data into notebooks - it's the same thing I would do on my PC.  And if this weren't a thing then why are nearly all of the cloud storage providers racing to offer this?

The very fact that I would ask for this should tell you that I DON'T trust any cloud service with sensitive data.  I think a lot of people are in that camp - the same folks that didn't like when EN got rid of local notebooks, which, I might add, would also solve my problem.  While I don't think Evernote would do anything on purpose, a bad actor would simply need to steal the encryption keys and there you go.

So why shouldn't I just use a local NAS or cloud service with ZKE?  Evernote has some distinct advantages over a filesystem approach - file from email, ability to easily add comments to a note with a pdf, breadth of media capture in a single note, etc. There's no perfect paperless system for me but EN is close..  Zero knowledge encryption for notes in a notebook would be perfect for this.  Encrypting before upload is possible, but adds more work on me.  I could use Hazel or a folder script but it's better if I just have the client do it automatically.

Posted

You're probably better off with a selfhosted solution given your threat model. Joplin is likely the closest thing and the server can be run in Docker I believe. It supports on device OCR and while it wouldn't be encrypted, you'd be hosting it. 

  • Level 5
Posted

@PaperlessBrian There may be people in that camp where you see yourself - but if you think you belong there, you for sure shouldn’t think about any cloud based service.

That’s not only another camp, it’s from a different tribe altogether.

Nobody needs your sermon about technical details left and right. You probably should read this white paper to improve your own understanding of the applied security:

https://evernote.com/security

Behind all that there is a basic question: Do you trust others (in this case EN) with your content ? From what you post you don’t (which we don’t need to discuss, whom to trust is your very personal decision).

The only logical conclusion is to entrust only yourself with your data. This means a self hosted solution, nothing else will be a 100% answer to your demand.

Given you seem to be in the Apple Ecosystem, I think you should take a closer look at DEVONThink. They only support MacOS and iOS, but they are offering a secure, pretty feature complete alternative to EN. The most significant difference is that it itself hosted, on a Mac.

It is my best bet for an answer to your topic.

  • Solution
Posted

@PinkElephant I appreciate your help but not your haughty and flippant tone.  Please just ignore this tread from now on.

One obvious solution here is to store my tax files on my filesystem and my low risk files on Evernote - that was my plan.  My feature suggestion, which I still think is a good one, is for Evernote.  They can take it or leave it.

  • Thanks 1
  • Level 5
Posted

If you would think it from the beginning (and invest a little time to understand how things are working) you would know that the ideas are incompatible with how EN is designed. I doubt you took the time to read the security white paper, including researching the mentioned technologies before posting answers here. The time was too short. So I have to assume you are posting in good faith concerning your ideas, but still ill informed.

Beside this we have little indication EN is taking input from this forum. You can send your ideas here: feedback@evernote.com . They will be read (we assume because they told) but usually not answered.

What you can’t do is control who is posting in any thread, or if what is posted deems delightful for your opinion. The forum is an open space. If you only accept acclamation, you picked the wrong place.

  • Level 5*
Posted

I'm in the "if it's sensitive,  don't put it online" camp.  I have four levels of security - on paper / local storage / online encrypted / online .  We're (mostly) only other users here - feedback@evernote.com to alert Evernote in a timely manner,  or  https://help.evernote.com/hc/en-us/articles/29101069844371-How-to-contact-Evernote-Support if it's something you want to discuss.

Posted
16 horas atrás, PaperlessBrian disse:

 Please just ignore this tread from now on.

 

Haha, no way that's happening!

Posted

I'm like @gazumped, only my threshold is higher.  I'm more like, "if somebody finding this means I might go to jail, don't put it in Evernote."  

  • Haha 1
  • Level 5*
Posted
21 hours ago, PaperlessBrian said:

I think a lot of people are in that camp - the same folks that didn't like when EN got rid of local notebooks, which, I might add, would also solve my problem.

I thought local notebooks were a brilliant and unique solution to the security concern.  I was also very sorry to see them go.  I almost left Evernote because of this change. Zero-knowledge encrypted notebooks with local client searching would be a welcome addition to an app, especially one that wants to consider and prices itself to be a premium app.  I would even be happy if searching remained on the backend and only metadata could be searched in encrypted notebooks.  I'm easy to please.  I really hope that Evernote doesn't feel that the encrypted text option we have now is good enough.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...