
REQUEST: Password-protect notebooks


Toontje

Idea

I'm going to ask it again: Are there any plans to implement password protection for individual notebooks?

I know it's been asked many times before, but maybe if I ask again someone will wake up and spend some time building it. After all, it's been asked enough times now.

Thanks,

Ton.

Link to comment


Should I take that as a "Shut up. We are aware of the request but we prefer Twitter, Facebook, etc first"? You are probably right, that would serve all the non-professional (and probably non-paying, but that's an assumption from my end) users well.

Password protecting a notebook has nothing to do with encryption, is IMHO NOT a pony and should have been in the product in the first place.

Anyway, my opinion. I'm not a developer. I'm just a customer.

Ton.

Link to comment
Should I take that as a "Shut up.

How you could read that thread & come away with that opinion is beyond me.

Password protecting a notebook has nothing to do with encryption, is IMHO NOT a pony and should have been in the product in the first place.

Funny how everyone seems to think their pony (yes, it's the same as repeatedly asking for a pony) is the pony that will double the number of people using Evernote overnight, double revenue overnight, should have been included in the first place, etc.

Should I take that as a "Shut up. We are aware of the request but we prefer Twitter, Facebook, etc first"?

It's certainly your right to think password protecting a notebook should have been included from the get go. But it's also their company & their right to prioritize the features they implement that will better serve their product & the direction they are going. No one app will do everything that everyone wants it to do. There will always be another pony.

Link to comment
Found the fix! MS OneNote, password protect every note, easy

You get what you pay for.......

:D

Actually, it's more of what the app's focus is, IMO. I also use Onenote. (shrug) Some people seem to think EN & ON are mutually exclusive, but I don't. And I don't store sensitive info in Evernote. (shrug) IMO, Onenote is better geared toward brainstorming. But it's overkill for storing contact info or which sandwich my husband prefers from Quizno's or what changes I made to a program at work last week. OTOH, for that as well as pretty much all other information I want to keep & have easily accessible, no matter where I am, then Evernote is my program of choice.

Link to comment

I understand you can encrypt the text within a note. However, I would really like to have full password protection for the text, images, etc. within an entire notebook.

This would be very valuable - like in Onenote.

Thanks!

Link to comment
  • Level 5*

This has been requested elsewhere (also the desire to password protect a whole note). I haven't heard anything that leads me to believe that Evernote intends to implement this feature, but they certainly know about the feature request.

~Jeff

Link to comment

I have installed Evernote for Mac on a shared computer.

I was wondering if I can lock or password protect my notebook, so each user can only access theirs.

At the moment, anyone can open up Evernote and read/write any of the notebooks.

I could not find any options anywhere that allows me to do that.

Am I missing something?

Thanks

Link to comment

Thanks guys for your prompt replies.

That might not work in my case :-S

Different people using this Mac will have different notes, and in most cases have to be private.

The web app by nature has that protection.

That would be a really valuable feature for the desktop solution,

to choose whether a notebook is password protected or not.

I will submit that as a feature request; I will look at where I can do that.

Thanks guys

Link to comment

Is there anything coming out that will password protect notebooks? I'd be willing to pay for a premium edition if this was available. I use the encryption but it's not very efficient since I constantly have to highlight text to encrypt. Far easier to either fully encrypt a notebook or passcode protect it.

Thanks

mike

Link to comment

It would be extremely useful to have the ability to password protect individual notes. For instance, if I'm thinking of birthday presents for my mom and I don't want her to be able to look at the note "Mom Birthday Ideas" so as not to ruin the surprise, I could put a password on *just that note* so that when she clicks on it it prompts her for a password and she is thwarted! This would be extremely easy to implement and you could bundle it in the premium version as an up-sell item.

Link to comment

I use such ridiculously obscure passwords that I haven't a hope of remembering them so I'm very happy to be able to have a few words of plain text in the note which is my reminder and then encrypt the rest of it.

Yes, I have spent a good ten minutes at one time trying to work out what I'd meant by the reminder, but it did work in the end and there is no way I'd be able to remember without it.

If I had a better memory I wouldn't rely on Evernote so much! :)

Link to comment

I would also like to password protect a few notes as well and would be happy if the password protection could be applied at a notebook level.

I could then have a notebook called private and within that have multiple notes - one for registration details (eg website logins), one for financial info etc.

PS looking forward to being able to add notebooks from mobile device.

Link to comment
  • Level 5

I have found LastPass to be a great free program to manage all my passwords and confidential notes. Just to be extra safe, I use the LastPass export encrypted feature and save a copy in an Evernote non-sync'd local notebook.

Link to comment

If they are notes you want to regularly edit, I would suggest you look into an app designed for that purpose & for your device. Those apps do encrypt the data as it's stored on the device. I use SplashID for my passwords but there are many other options.

Link to comment

Are there notes you *don't* regularly edit? So instead of adding an extremely simple and powerful feature you think I should use multiple products and put my notes all over the place to forget where I put which note? It's not just about passwords. There are obviously many great password keeper products better suited for that task.

Scenarios:

1. I have personal notebooks I write personal stuff in and I don't want my work buddies to be snooping in on and be able to easily read them if I step away from my desk for a minute.

2. A business partner and I are working on a shared notebook together to toss around a potential new business idea and capturing our notes. I might not want my current boss or employer or even friends to be able to read this note if they somehow look in my EN (which is probably running on my desktop at home and on my iPhone and iPad if they get stolen).

3. I write personal poems I don't want my spouse to read and she's snoopy when I'm not around.

Anyway I could go on forever and of course there's "another answer" for every one of them but none simpler and more elegant than just being able to right click on a particular note OR notebook and password protect it. I love EN and want to be able to use it for all my note taking needs and not have 6 different apps for taking notes.

Link to comment
Are there notes you *don't* regularly edit?

Of course. Things like bank statements, credit card statements, tax returns, etc.

So instead of adding an extremely simple and powerful feature you think I should use multiple products and put my notes all over the place to forget where I put which note?

Well, since EN only allows you to encrypt text, then yes. It's really not that big of a deal, if you think about it. Since I keep all my passwords in SplashID, I don't have to think twice about where it's located. And there has been nothing posted by EN (AFAIK) to indicate EN will be adding any other type of encryption to their database, at least in the near to not-so-near future.

1. I have personal notebooks I write personal stuff in and I don't want my work buddies to be snooping in on and be able to easily read them if I step away from my desk for a minute.

2. A business partner and I are working on a shared notebook together to toss around a potential new business idea and capturing our notes. I might not want my current boss or employer or even friends to be able to read this note if they somehow look in my EN (which is probably running on my desktop at home and on my iPhone and iPad if they get stolen).

3. I write personal poems I don't want my spouse to read and she's snoopy when I'm not around.

These scenarios have all been posed before. Please search on the word security for the various threads. The most encompassing one is the one with the title "wide open databases".

Link to comment
  • Level 5*
It would be extremely useful to have the ability to password protect individual notes. . .

It appears that Evernote may be working on just such a feature.

We are working on a pin code feature similar to the Android. I have no dates when this will become available but more likely it is weeks not months away :D

However, this was posted in the iPhone/iPad forum, so it is possible that it might only apply to the iOS devices and the Android.

Link to comment

+1 for this feature request.

I often scan and upload receipts, tax docs, mortgage stuff, etc etc that's somewhat sensitive, and since anyone can just get on my machine and open EN, it would be nice to password protect notes/notebooks.

Link to comment
  • Level 5*

It is not possible, at least at this time. Couldn't tell you whether it's being considered for implementation or not. There's been prior discussion in the forums on this topic, if you care to search for it.

Link to comment

I am new to Evernote and am very disappointed that there is no password protection for the PC version.

I assumed that there would be a way of securing at the application or notebook level since the Android app said a PIN feature was available with a premium account.

Now I have a ton of stuff in notebooks, paid for the premium account and learn that there is no way of password protecting on the PC.

Not sure I would have gone this far if I knew. :(

Link to comment
  • Level 5*
I am new to Evernote and am very disappointed that there is no password protection for the PC version.

The Windows version depends on your login account being secure. If you need things kept private, then you should set up a separate login account for yourself.

Link to comment

Very BIG +1 to this request. I'm not bothered if it's the ability to protect individual notes or an entire Notebook but there is definitely a need for more granular control over who can see what in EN.

I would happily upgrade to Premium for this feature done correctly...

Link to comment

Another big +1 from me too.

I especially use EN on job, but I'm a o prof writer, and I would like using EN for this too. Obviously I need that my writings have to be protected by every sight!

The encryption function is not the best way to manage this request, it's like shooting a mosquito with a cannon...

Sent from my Transformer TF101 using Tapatalk

Link to comment

I know that this has been requested in the past, but I find myself wanting this feature more and more as I use Evernote for everything including personal journals and storing sensitive information.

The one thing that would tip me over into buying Premium would be the ability to Password Protect and Encrypt an entire notebook or a single note. I know you can select entire blocks of text and encrypt that, but that is quite a hassle and difficult to do when you want to view an entire notebook full of these. I'd like to know that if someone sat down at my computer and managed to view my Evernote (which is open as much as my web browser), they wouldn't be able to easily access my protected notebooks.

Also as a general tip, I think that if Evernote wants to focus on bringing the most value to its customers at every release, it should give us some ability to vote on which features we would like to see the most.

Link to comment

It's doubtful EN will include encrypted notebooks any time soon. There are a myriad of other ways to add encrypted information to the cloud including Dropbox. EN's "value added" is the ability to index & quickly retrieve your notes, which cannot be done if the files are encrypted.

EN has also repeatedly stated their stance on voting/feature polls. Even as recently as four days ago.

Link to comment

There are technical challenges but none that I believe are insurmountable given that the encryption and indexing are not mutually exclusive. If they have the ability to encrypt text blocks, the same concept can be applied to notes.

However, I don't know what the technical architecture of the Evernote cloud is, so I don't know how difficult it would be for them. I'd be willing to pass on the encrypted note feature and would settle for simple password protected notebooks / notes, as I am more worried about sneaky people accessing my notes than I am worried about hackers. ;)

Link to comment

There are technical challenges but none that I believe are insurmountable given that the encryption and indexing are not mutually exclusive.

They absolutely are mutually exclusive, if the file(s) are truly "secure" because Evernote would have no access to the encryption password & therefore no way to decrypt the text & index it.

If they have the ability to encrypt text blocks, the same concept can be applied to notes.

The text you encrypt in Evernote is NOT indexed. See above paragraph and for more information about encryption.

"Any time a cloud service can tell you your password (click "forgot password') and/or can help you restore your data, your data is NOT secure from hackers. Do you think hackers are smart enough to be able to hack into a cloud server but not smart enough to figure out where the encryption passwords are located???"

And from Heather's post in that thread:

"Just to give you a little bit of a real-world perspective on this: we've had a handful of people over the years contact us to attempt to retrieve their lost encryption passwords, and the reaction was overwhelmingly positive - in the end.

However, until it really sunk in that their notes were well and truly lost unless they, themselves, remember the passwords, and that we honestly have no way of retrieving them, at all, we have been ... well, not treated with the nicest of manners."

Link to comment
The text you encrypt in Evernote is NOT indexed. See above paragraph and for more information about encryption.

Of course the encrypted text is not indexed. It must not be indexed. This is the reason to encrypt notes: You can't access the content without a password. Of course the index is and should also be unable to access this content. Otherwise encryption would make no sense. I don't see a problem there. The currently included text-encryption also can't be indexed and that is what the people ask for.

Currently I have attached many encrypted attachments for all content that I want to be encrypted (example: every password). It would be very helpful if this workaround were not necessary. The biggest handicap of this workaround is that I can't see these encrypted attachments on my mobile devices. And that is not the meaning of Evernote. And no, you can't use the already included text-encryption for this because it is very weak (RC4 64bit) as mentioned in several discussions before.

I wish EN would at least make this already implemented text-encryption more secure and therefore usable.

Marcel.

Link to comment

I'm not too fussed about the fact you can't password protect entire notebooks, but it would be handy to protect the odd note from time to time.

The current functionality works well if you have raw text in a note, but what if you have a sensitive document like a PDF or Word doc? At that point, the encryption feature is a moot point because you're stuck. Yes, you could password protect the files themselves I suppose but I'd much rather do this within Evernote.

Link to comment
The text you encrypt in Evernote is NOT indexed. See above paragraph and for more information about encryption.

Of course the encrypted text is not indexed. It must not be indexed. This is the reason to encrypt notes: You can't access the content without a password. Of course the index is and should also be unable to access this content. Otherwise encryption would make no sense. I don't see a problem there.

I don't see a problem, either. That was my point.

Currently I have attached many encrypted attachments for all content that I want to be encrypted (example: every password). It would be very helpful if this workaround were not necessary. The biggest handicap of this workaround is that I can't see these encrypted attachments on my mobile devices. And that is not the meaning of Evernote. And no, you can't use the already included text-encryption for this because it is very weak (RC4 64bit) as mentioned in several discussions before.

Not sure I'm really understanding what you're saying. But I use a true password manager for my passwords. It has an iPhone app so I can access them on my desktop or from my phone.

I wish EN would at least make this already implemented text-encryption more secure and therefore usable.

Based upon Evernote's often stated stance on security (which is leaving it in the hands of the user and I have not seen anything to indicate this has changed), I suspect it's a low priority because:

There are a myriad of other ways to add encrypted information to the cloud including Dropbox. EN's "value added" is the ability to index & quickly retrieve your notes, which cannot be done if the files are encrypted.

Link to comment

I have tried multi-platform password managers. But I would like to store all information in the note where it belongs to and not spread them in different applications.

Marcel.

Link to comment

I have tried multi-platform password managers. But I would like to store all information in the note where it belongs to and not spread them in different applications.

It's fine that that's what you want to do. My point is that there is no indication that EN will expand on the current, limited method of encryption they currently have. (shrug)

Link to comment
  • Level 5*

I think I have seen a suggestion like this before, so you are not alone. Currently, you can encrypt information in individual notes, place password protection on files you upload, and designate folders as local and not to be synced. Personally, I figure that if you are using a strong, unique password, and changing it regularly, then you shouldn't have any problems. However, in the end it may be best not to put anything on the web or in the cloud that you are concerned about, even if there are multiple password systems.

Link to comment

Hi, I realise this has been raised previously, but so far I cannot find any formal response from Evernote to the often raised concern as to how users can ensure the security of their notes once their notebooks have been made available to external service providers.

So let me try once again.

I, and many other users, will not authorise any external applications to view or add to my Notebooks. Once I have to agree to the request that an external application can view and add to my notebooks I will not proceed. I have seen a number of comments regarding the "trustworthiness" of the external companies or the limited access should Evernote user data be hacked into, but this is not what we are being asked to agree to when we need to tick the box.

I have suggested two possible solutions:

  1. Limit access to just one Notebook and not all notebooks, so we can control and restrict access.
  2. Provide encryption of at least one Notebook (not individual notes).

So please will Dave or someone else from Evernote let us know if you have plans to improve notebook security, which as far as I can recall has not been changed since the very early days of Evernote.

Thanks, Greg

Evernote Premium user of over 3 years with almost 7,000 notes (10% would be confidential)

Link to comment
  • Level 5*

Of course, Evernote cannot control what other companies put in their terms of service, or how well they honor their obligations. So, regardless of how trustworthy other companies are, I think it would be great if Evernote provided a way for us to wall off data. Encrypting 700 notes (in your case) one by one is a pretty clunky solution to the problem. An encrypted notebook would be greatly appreciated.

In my case, I don't generally use third party services, but I would just find it a lot more convenient to put sensitive notes into a single location, rather than going through them one by one to encrypt them. Obviously, we can keep things local and so forth, but that is a workaround for the current situation, and an inadequate solution if you have many notes you want to be able to access away from your home computer, but don't want to leave un-encrypted. This has all been said before, of course, on the forum.

But, I see a problem with the request, and I think your question has already been answered. Unfortunately. Evernote has not shown any interest in encrypting our files, and if you think about real-world use of an encrypted folder, then I have to be honest and say that I would probably dump everything into it. Then, people who organize with folders will ask for encryption on everything. The next thing you know, you have exactly the system that Evernote has (apparently) said they do not want.

So, I don't have high hopes for this one.

Link to comment

I am going to try and tiptoe around this as gracefully as possible while still trying to be useful. I'll put out the disclaimer now, I don't have a security background, I am not an expert in any shape or form on the subject of security, encryption, hacking or anything in that arena. I can barely get back into my own accounts when I forget my password. I am certainly not anywhere near Dave's level of fluency on security or on many of the technical aspects of Evernote. I am also not a lawyer, if this at all gets into a discussion about our terms of service or anything like that, I know nothing. NOTHING. Treat what I say as if a 5 year old said it.

Also, I have no idea or influence on this type of stuff at Evernote. No idea about notebook security. Nada.

Now onto the good stuff.

First, is your primary concern with sync'd notebooks and the external applications? (Aka companies not Evernote)

Or is your concern with any notebook that might be created using an Evernote Client, including local notebooks? Or perhaps something in between these two?

Does your first suggestion imply we would need to create infrastructure for notebooks allowed to be accessed by external applications and one for notebooks not allowed to be accessed by external applications? If so, is it unfair if we make the default to allow notebooks to be accessed by external applications? And if so, do we basically have to in-house every aspect of our service? (Perhaps an unfair series of questions, but I really am not sure, I don't ask to be facetious.)

Also, it is my understanding (see disclaimer above) that if content is encrypted, we wouldn't be able to index and search it. Which removes a lot of the usefulness of Evernote. I would probably do what GrumpyMonkey suggested if I had an encrypted folder, and dump almost everything into it. Ok maybe not "everything" but enough to make Evernote a completely different experience. What's a good balance?

Link to comment
  • Level 5*

whoops. good point. my data in the encrypted folder would not be indexed. i guess i wouldn't put much in there after all.

as for the third party apps, i am unwilling to give them access to my entire life (all my files) just to use their services. the op's suggestion of having their access restricted to a single folder, sort of like a shared folder, would be most realistic. i don't think anyone expects evernote to take over the services. we just want a way to wall off data.

Link to comment
  • Level 5*

I've had some experiences with government-level secure encryption, and they all suffer from one main drawback. You also need access to your data with a -reasonable- level of convenience.

If you can get access, so can someone else - in extreme cases by removing the necessary body parts to convince a scanner you're present.

At a somewhat lower level you may use names and birthdays as passwords or (for the seriously security challenged) write it down somewhere. You have to remember passwords - at least the ones you use to get started up - so they can't be too random.

There's no such thing as absolute security, you're just trying to make it impractical for anyone to expend serious effort cracking the file or the system open.

Granny, eggs, I know - just trying to maintain a perspective here...

Link to comment

as for the third party apps, i am unwilling to give them access to my entire life (all my files) just to use their services. the op's suggestion of having their access restricted to a single folder, sort of like a shared folder, would be most realistic. i don't think anyone expects evernote to take over the services. we just want a way to wall off data.

Would this be just for third party apps such as the ones in the Trunk? What if Evernote rents out a datacenter somewhere for some reason. Would it be ok if your walled off notebook was stored there, even though technically it isn't Evernote? The latter seemed unrealistic.

Link to comment

I've had some experiences with government-level secure encryption, and they all suffer from one main drawback. You also need access to your data with a -reasonable- level of convenience.

If you can get access, so can someone else - in extreme cases by removing the necessary body parts to convince a scanner you're present.

At a somewhat lower level you may use names and birthdays as passwords or (for the seriously security challenged) write it down somewhere. You have to remember passwords - at least the ones you use to get started up - so they can't be too random.

There's no such thing as absolute security, you're just trying to make it impractical for anyone to expend serious effort cracking the file or the system open.

Granny, eggs, I know - just trying to maintain a perspective here...

Yeah and that's the balancing act with security

Link to comment
  • Level 5*

as for the third party apps, i am unwilling to give them access to my entire life (all my files) just to use their services. the op's suggestion of having their access restricted to a single folder, sort of like a shared folder, would be most realistic. i don't think anyone expects evernote to take over the services. we just want a way to wall off data.

Would this be just for third party apps such as the ones in the Trunk? What if Evernote rents out a datacenter somewhere for some reason. Would it be ok if your walled off notebook was stored there, even though technically it isn't Evernote? The latter seemed unrealistic.

only for third party apps. i don't understand what you mean by the datacenter. my point is that in order to use a third party app, i have to give them complete access to my account.

it is akin to locking up my apartment with a massive deadbolt and turning on the alarm system when i go out of town, but handing out keys to everyone in the office and my access codes so that they can water my plants. sure, i trust them to a point, but why do i have to give up everything for a single service? i'll just put the plants outside on the sunporch or bring them to work if i want to ask them to help me out.

in this analogy, i don't know where the datacenter would fit :)

anyhow, the simple solution is to just give third party apps access to shared folders, and not to your entire account.

Link to comment

I had made up a story where I fit in the datacenter in your apartment analogy, and it was all typed out, but it was really bad and didn't really work. Anyways, I have my answer. If the OP agrees with you, then that makes sense to me.

Link to comment

Would this be just for third party apps such as the ones in the Trunk? What if Evernote rents out a datacenter somewhere for some reason. Would it be ok if your walled off notebook was stored there, even though technically it isn't Evernote? The latter seemed unrealistic.

only for third party apps. i don't understand what you mean by the datacenter.

I think...when dlu is talking about renting a datacenter, it's a situation where say, Evernote needs more disk space (a rather simplified comparison) and didn't want to spend the money to buy their own. (For whatever reason. Could be they don't want to spend the lump sum $$$, could be they don't mind spending the $$$ but the engineer time on their part getting it all installed, implemented & tested is not currently available, etc.) So they outsource it to someone else. IOW, my Evernote database may be residing on a server that is not owned by Evernote but is "rented" by Evernote. Since the datacenter is owned by someone else, there is another option for a security breach. So his question is do I, as a user, have a problem with that. (I think that's what he's asking/saying.)

And personally, I don't care. I implement security on my end (by not having sensitive info in my EN cloud either b/c I used an image editor to mark out the info or b/c I password encrypted a PDF or (old skool) put the item in a local (non-sync'd notebook) or not in Evernote at all), knowing that my EN database in the cloud is not stored encrypted. Additionally, I have confidence in the EN team that if they were to outsource, they would be very diligent about selecting a vendor.

Link to comment
  • Level 5*

i am not thrilled with bnf's data mercenary scenario, but i think that is a different issue. presumably, they have a contract with en and are legally bound by it. third party apps are independent of evernote and only bound by their own terms of service. more importantly, though, the data mercenaries stand guard at our apartment door, and the third party apps are invited inside to rummage around.

as for bnf's policy, i do something similar. while i wouldn't mind peeping toms seeing me naked in my apartment, all things considered, i'd like to send out invitations to that show.

Link to comment

I would like to have access by third parties to be more granular by notebooks. Select the set of notebooks accessible with each service grant. That way, I could organize my stuff so that third-party service access would be limited to the particular notebooks related to their service. It would be my job to store my stuff appropriately. I could grant access to all of my notebooks if needed. I can choose which notebooks are accessible to other EN accounts, so I see no reason why I shouldn't be able to select the notebooks I allow a third-party to access through the API.

This would have to be transparent to the third-party service - it would have to look to the API as if they had global access, otherwise, it would break existing third-party services. When you grant access to zendone, you choose from a list which stacks and/or notebooks zendone can access.

I'm more concerned about third-parties that don't understand the TOS / security requirements needed to protect EN data than I am about them deliberately causing problems or inadvertently creating hack opportunities. EN could create a TOS / security model for third-party providers and then indicate which ones claim to have implemented that model. Note I said "claimed to have" because I'm not talking about a certification program, simply an indication of which third-parties have promised to meet the standard.

Link to comment

First, is your primary concern with sync'd notebooks and the external applications? (Aka companies not Evernote)

Or is your concern with any notebook that might be created using an Evernote Client, including local notebooks? Or perhaps something in between these two?

Hi thanks for the responses, to answer your questions:

Does your first suggestion imply we would need to create infrastructure for notebooks allowed to be accessed by external applications and one for notebooks not allowed to be accessed by external applications? If so, is it unfair if we make the default to allow notebooks to be accessed by external applications? And if so, do we basically have to in-house every aspect of our service? (Perhaps an unfair series of questions, but I really am not sure, I don't ask to be facetious.)

Also, it is my understanding (see disclaimer above) that if content is encrypted, we wouldn't be able to index and search it. Which removes a lot of the usefulness of Evernote. I would probably do what GrumpyMonkey suggested if I had an encrypted folder, and dump almost everything into it. Ok maybe not "everything" but enough to make Evernote a completely different experience. What's a good balance?

My primary concern is with Synced notebooks accessible by external apps, either from the Evernote Trunk or downloaded iPhone (or other) Apps. I have a basic trust in Evernote to store and safeguard my data, let's take that as a given. I don't have the same trust and confidence in the other external app companies, for what I believe are valid (and in these days not too paranoid) reasons - the companies can be small, they are unknown to me, they may not survive, they may get hacked into and I don't want to give access to all my Notes in all my notebooks to multiple companies where I have a lack of confidence. Evernote wants to be seen as your lifetime storage facility and just like a real life filing cabinet, while most files can be open to the public but there are some files that need to be locked away.

I don't understand enough regarding your infrastructure questions, but if access (ability to read and write into) to the external apps could be limited to just the default notebook that would work for me or why can't you just provide write only access, this may limit functionality for some apps but again this would be a choice that I would at least use some app and maybe not others.

If the content was encrypted by a specific notebook when synced to your server then I would be willing to accept the loss of index and search, it's my choice what I put into this "confidential" notebook.

Thanks, Greg

Link to comment

Makes sense, I think giving one-off controls might be a bit of a hassle. What would suck for Trunk partners is if a user's first experience with their app was always a notebook picker of some sort. Ideally it'd just work and be magical. Perhaps something to mark a notebook as private, and 3rd party apps get access to non-private notebooks would be simpler, but cover most of the concerns

Link to comment

Makes sense, I think giving one-off controls might be a bit of a hassle. What would suck for Trunk partners is if a user's first experience with their app was always a notebook picker of some sort. Ideally it'd just work and be magical. Perhaps something to mark a notebook as private, and 3rd party apps get access to non-private notebooks would be simpler, but cover most of the concerns

Maybe what would suck more is that people won't use Trunk Partners apps because they are concerned about the security of their notebooks?

Link to comment

I definitely think that a more granular level of permissions is needed when giving 3rd party access to my Evernote account.

Currently, I believe it is an all or nothing permission.

So for apps that are supposed to ONLY add new Notes (like a Fastever or Genius Scan), when I give them my account login credentials the app actually has full permissions, including delete, correct?

So here are some ideas on more granular permissions:

  • Limit access to specific Notebook(s)
  • Limit access to ONLY ADD new notes
  • Limit access to only change Note text (do NOT allow edit/delete of attachments)

Of course you would probably want to set this up as a list of individual permissions that the user could check.

The ideal approach would be for the user to log into their Evernote account and set permissions, either for all apps, or specific apps.

Link to comment

Maybe what would suck more is that people won't use Trunk Partners apps because they are concerned about the security of their notebooks?

Yep also a concern. I didn't mean to say privacy/security wasn't important. Just wanted to emphasize that making the setup novice friendly is important. Having security options that no one uses is probably worse than not having them at all. (Worse in the sense that we could have added other useful features instead).

Link to comment

I can see that being useful, just want to make sure that ahem certain un-named family/friends wouldn't get lost and confused in it.

Link to comment

I can see that being useful, just want to make sure that ahem certain un-named family/friends wouldn't get lost and confused in it.

Yeah, I get your point. The large majority of Evernote users could probably care less about the details of security, and just want it to work while keeping their data safe.

But there are definitely some users who have concerns about security. I think most of these are also the more technically experienced users and can easily understand about setting permissions.

So, you would want a UI that defaults to providing the security that most users want/need, while providing "advanced" permissions for those who want it. A well thought out UI design and end-user testing of setting permissions would be key to making this work.

One thought/question: Would it make sense to change the API for 3rd party apps asking the user for permission to use their Evernote account to ask the user for at least top-level permission like:

Select Access Permission for this App:
  • Read Only
  • Add Only
  • Edit Only
  • Add and Edit
  • Add, Edit, and Delete

Of course for this to be secure this dialog would have to be directly between Evernote and the User. Don't know if this is feasible or not.

I keep coming back to my own use of 3rd party trunk apps. All of them are for adding new Notes only. I definitely would like to make sure these apps can NOT do anything else but ADD. This includes READ.

Link to comment

i think security is actually a big concern for lots of people. it comes up on the forums a lot, it is discussed on the internet especially in terms of privacy for third-party info in evernote, and security concerns are something anyone with multiple users on their computer deals with on a daily basis (multiple user accounts).

as you said, a well thought out interface will avoid any problems.

Link to comment

To be honest, I'm not experienced enough with the handling of API's to give you a great opinion on whether breaking up the permissions like that makes sense. There's a bunch of technical (and probably non-technical) nuances that I'm completely unaware of. But other than that, your suggestion seems reasonable.

I know Android has intents and Windows 8 has share/search contracts. Perhaps a system like that could solve some of the issues by carving out specific functions an app can sign up for. (Again, I'm not at all saying that we'll do this).

Link to comment

Makes sense, I think giving one-off controls might be a bit of a hassle. What would suck for Trunk partners is if a user's first experience with their app was always a notebook picker of some sort. Ideally it'd just work and be magical. Perhaps something to mark a notebook as private, and 3rd party apps get access to non-private notebooks would be simpler, but cover most of the concerns

Maybe what would suck more is that people won't use Trunk Partners apps because they are concerned about the security of their notebooks?

I don't use Trunk Partners apps because I am concerned about the security of my notebooks. :)

I'd rather have a notebook picker, then I could give different apps different notebooks. When sharing, I don't have to choose share all my notebooks or none, so I think it should be the same with Trunk Partners apps.

Link to comment

I don't use Trunk Partners apps because I am concerned about the security of my notebooks. :)

I'd rather have a notebook picker, then I could give different apps different notebooks. When sharing, I don't have to choose share all my notebooks or none, so I think it should be the same with Trunk Partners apps.

Unfortunately I have been actively using a few Trunk apps, but that is about to change drastically.

I had no idea that the permissions given to Trunk app were wide open, even if all the app does is send a photo/image to your Evernote account.

As I stated in my post above, IMO we need very granular permissions for Trunk Apps, way beyond just NB. But NB would be a good start!

Link to comment

i'm the same. i am interested in the trunk apps, but the lack of control (perceived or real?) over the data i share with them pretty much ensures that i won't ever use them. it's too bad, but i think it is just common sense.

personally, i think it is in everyone's best interest to give users control over this.

Link to comment

The newest update to permissions required by Evernote (for Android) is bordering on spyware! There is no need for the access they have. I have uninstalled until they start to respect their users' security and reduce the permissions.

  • Your personal information
    read contact data
    -Allows an application to read all of the contact (address) data stored on your device. Malicious applications can use this to send your data to other people.
    read sensitive log data
    -Allows an application to read from the system's various log files. This allows it to discover general information about what you are doing with the device, potentially including personal or private information.
    read calendar events
    -Allows an application to read all of the calendar events stored on your device. Malicious applications can use this to send your calendar events to other people.

I don't think so.... I'm out of here.

Link to comment

@deanb

I don't know anything about the Android app, but I think a support ticket asking them how to use Evernote without enabling access you don't want would be a good idea. It would be a shame not to be able to use Evernote because of something like this. Maybe time to get an iPhone? Just kidding :)

Link to comment

The newest update to permissions required by Evernote (for Android) is bordering on spyware! There is no need for the access they have. I have uninstalled until they start to respect their users' security and reduce the permissions.

@deanb:

How were you able to obtain this list of permissions, is there some document that Evernote provides?

@GM: I don't know, but I would not be surprised if Evernote permissions on iOS devices are the same or similar to that of EN Android. We already know Evernote violated our privacy by accessing our iPhone/iPad calendar without our permission, and without any notification.

Link to comment

Thanks for raising the issue. We're happy to explain in detail why we request this access.

For starters, you may want to read Evernote's 3 Laws of Data Privacy.

Each permission request exists only to provide you a better customer experience, not to help Evernote, or invade your privacy:

- Read Personal Contact Data is used to pre-populate this registration form.

- Allows an application to read all of the contact is used to support address book integration when you email a note or share a notebook

- Allows an application to read from the system's various log files is used to let users send their logs (available under Settings).

- Allows an application to read all of the calendar events stored on your device is new. We now have some cool features that will automatically title notes based on your calendar (and location information).

Evernote gathers this information to help you have a better experience. We don't capture this information unless you're performing an operation that needs it (we don't grab your contact info unless we're showing it to you.). We don't look at your calendar unless we're recommending a title for your notes. We don't look at your logs unless you've requested to send us logs.

These types of concerns have come up in the past and our goal is to be as transparent as possible. Sadly the AppStores/Markets don't give us a good clear way to communicate why we need this information so we appreciate you giving us the chance to explain.

Link to comment

@explorer: To look at the permissions go to Android Market then search for Evernote then click on the Permissions tab.

Link to comment

Thanks for raising the issue. We're happy to explain in detail why we request this access.

. . .

- Allows an application to read all of the calendar events stored on your device is new. We now have some cool features that will automatically title notes based on your calendar (and location information).

Phil, I have a few questions for you:

  1. How do I access the Evernote Terms of Service and Permissions for iOS devices (iPhone, iPad)?
  2. Where did Evernote ask for permission to access my iPhone/iPad calendar?
  3. Where did Evernote notify me that you would be using my calendar?
  4. Is Evernote accessing any other data, on any platform, that I have not been notified about?
    • For example, are you accessing any of my Outlook data on my PC or Mac?

Link to comment

1. A link to the terms of service is presented at registration and on our web site. You agree to them when you register. We don't enumerate the technical permissions requested for the iOS app. We follow the iOS/AppStore guidelines.

2. Evernote for iOS doesn't explicitly request access for any information except location per iOS guidelines.

3. During the upgrade or install from the Android Market. Android doesn't allow automatic install of applications that change permissions.

4. That question is quite broad. For example Android and iOS both access the gallery if you want to import a picture. Both access the address book as I mentioned above. You can copy and paste into Evernote so we need to use the clipboard. Mac and Windows both support screen capture. We haven't implemented smart auto-titles on the desktop or web yet. The Mac client also accesses your address book when emailing notes (to give address completion) this feature isn't supported as a general operating system capability on Windows.

Evernote doesn't grab any information from Outlook. We used to have an Outlook extension that would allow you to copy an email into Evernote but it's no longer supported.

Evernote accesses this information based on actions the user takes. Your personal data is only used to improve the user experience.

FYI - The Android permissions list is also in Settings -> Apps -> [App name]. You may view the permissions of any app. Android does not automatically update applications if their permissions change.

Link to comment

Also, it is my understanding (see disclaimer above) that if content is encrypted, we wouldn't be able to index and search it. Which removes a lot of the usefulness of Evernote. I would probably do what GrumpyMonkey suggested if I had an encrypted folder, and dump almost everything into it. Ok maybe not "everything" but enough to make Evernote a completely different experience. What's a good balance?

I vote for indexing the metadata (title, tags, etc.) but not the note contents/attachments. I find this a good compromise between security and ease-of-use.

Link to comment

Evernote accesses this information based on actions the user takes. Your personal data is only used to improve the user experience.

And here's your problem. On the internet, everyone, legit or not, claims this. While I trust Evernote more than most companies out there, an internet-based company simply can't rely on *trust*. What *can* be done is being proactively transparent about the half-dozen or so *personal* things that really matter:

- Photos

- Location

- Contacts

- Calendar

- Personal communication (E-Mails sent/received, Texts)

- Browser history

… that's probably about it.

Currently in my personal opinion, you're not proactive enough in making these transparent. You refer to the Terms of Service (which contain about 95% information nobody reads, maybe some information is also sitting in the KB which 90% users don't know of). You answer questions politely, patiently and thoroughly (*when* asked). You say that, alas, the App Stores/Markets don't give you a clear way to communicate this information beforehand (well, they *do* all give you a thousands-of-characters description field).

All I want to say is, Evernote comes over reluctant and passive/defensive in this. Being straightforward, up-front, would help. I'm afraid discussions/blog posts/FAQs reach only a small percentage of users.

Today's users are rightly told to be vigilant and to give only as many rights/privileges away as strictly possible. When you have a nice-to-have function (like predictive note titles), that's great, only make users aware of it and give them a chance to opt-out of it in the settings if they wish to do so. Build trust through transparency (and choice).

Edit: That said, I really appreciate you (Philip and dlu) taking the time to discuss this.

Link to comment

Phil,

thanks for your clarifications regarding Evernote's apps. Could you comment on the concerns of the original poster: If I grant access to a third party, I currently grant unrestricted access to my whole life.

Are you planning to change this, i.e. impose restrictions on 3rd party apps?

Thanks

Stephan

PS: Evernote for iOS (latest version) accesses calendar information in the same way as Android does.

Link to comment

i'm not terribly concerned about evernote. i have more personal stuff in my account than i do in my phone or contacts. and, as i said several times, i do not know of any tos violations by evernote. i think the claims about this are coming (as mentioned above) because of lack of transparency. to be fair, few apps provide satisfactory levels of it.

the third party total access situation is a bummer, because it keeps me from supporting many of the developers. here is where control over access, or an encrypted folder would come in handy.

Link to comment

Regarding the 3rd party access, we do have access controls for 3rd party (OAuth tokens). We can limit access to create only, read, update, delete anything but notes, delete notes, and read user information. These permissions are displayed when you grant OAuth access and can be viewed and managed within the Applications tab within Setting.

This is distinct from 3rd party applications like, for example, an iOS app that integrates with the Evernote service. If you give a 3rd party application your username and password then, from a security perspective they have full access.

If you've got questions or requests about this it would be great to bring them up in the Evernote Developers forum. Evernote has a group dedicated to partners. I'm not an expert on this area.

Link to comment
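The permission ideas raised in this thread (per-notebook grants that stay transparent to the app, an add-only level that excludes read, and a private-notebook flag) can be sketched as a small authorization layer. This is an added example, not Evernote's code or API: `Grant`, `NoteStore`, the app names and the sample notebooks are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Dict, FrozenSet, List, Optional, Set


class Op(Flag):
    READ = auto()
    CREATE = auto()
    UPDATE = auto()
    DELETE = auto()


class AccessDenied(Exception):
    """Raised for every refused call."""


@dataclass(frozen=True)
class Grant:
    """What the user approved for one third-party app (hypothetical model)."""
    app: str
    ops: Op
    notebooks: Optional[FrozenSet[str]] = None  # None = all non-private notebooks


@dataclass
class NoteStore:
    notebooks: Dict[str, List[str]] = field(default_factory=dict)
    private: Set[str] = field(default_factory=set)  # user-marked private notebooks

    def _visible(self, grant: Grant) -> Set[str]:
        # The private flag always wins, even over an explicit notebook grant.
        names = set(self.notebooks) - self.private
        if grant.notebooks is not None:
            names &= grant.notebooks
        return names

    def _authorize(self, grant: Grant, op: Op, notebook: str) -> None:
        if op not in grant.ops:
            raise AccessDenied(f"{grant.app}: {op.name} not granted")
        # Hidden and nonexistent notebooks give the same error, so the app
        # cannot tell that its view of the account is filtered.
        if notebook not in self._visible(grant):
            raise AccessDenied(f"{grant.app}: no such notebook {notebook!r}")

    def list_notebooks(self, grant: Grant) -> List[str]:
        if Op.READ not in grant.ops:
            raise AccessDenied(f"{grant.app}: READ not granted")
        return sorted(self._visible(grant))

    def read_notes(self, grant: Grant, notebook: str) -> List[str]:
        self._authorize(grant, Op.READ, notebook)
        return list(self.notebooks[notebook])

    def create_note(self, grant: Grant, notebook: str, title: str) -> str:
        self._authorize(grant, Op.CREATE, notebook)
        self.notebooks[notebook].append(title)
        return "ok"

    def delete_note(self, grant: Grant, notebook: str, title: str) -> str:
        self._authorize(grant, Op.DELETE, notebook)
        self.notebooks[notebook].remove(title)
        return "ok"


def attempt(fn, *args):
    """Run one API call and report 'denied' instead of raising."""
    try:
        return fn(*args)
    except AccessDenied:
        return "denied"


def demo() -> dict:
    # Constructed sample account: three notebooks, one marked private.
    store = NoteStore(
        notebooks={"Inbox": ["Receipt scan"], "Recipes": ["Chili"],
                   "Finances": ["Tax return"]},
        private={"Finances"},
    )
    # Add-only scanner app limited to one notebook; organizer app with
    # read/create/update on everything that is not private.
    scanner = Grant("scanner-app", Op.CREATE, frozenset({"Inbox"}))
    organizer = Grant("organizer-app", Op.READ | Op.CREATE | Op.UPDATE)
    return {
        "organizer_list": attempt(store.list_notebooks, organizer),
        "scanner_create_inbox": attempt(store.create_note, scanner, "Inbox", "New scan"),
        "scanner_read_inbox": attempt(store.read_notes, scanner, "Inbox"),
        "scanner_create_recipes": attempt(store.create_note, scanner, "Recipes", "x"),
        "organizer_read_finances": attempt(store.read_notes, organizer, "Finances"),
        "organizer_delete_recipe": attempt(store.delete_note, organizer, "Recipes", "Chili"),
        "inbox_after": list(store.notebooks["Inbox"]),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```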

Not whole notes, no, but you can select all of a note's content and encrypt that. Make a selection in your note, right-click on it, and select "Encrypt Selected Text...", then follow the directions.

Link to comment

I right-click after selecting the text in the note, and the text disappears and the encrypted icon appears (padlock, etc).

Evernote doesn't ask me for a password or anything.

And when I double-click on the encrypt icon, my "encrypted" text re-appears. Some security, eh!

What's going on?

Using Evernote 4.5.3.6131

Link to comment

Encryption: you can encrypt part or all of a note. Just highlight the part you want to encrypt then from the Format drop down “encrypt selected text” a box will appear and you will be asked to enter the encryption passphrase. When you enter OK the text selected will be covered with a gray box and a padlock. To open this box just right click and select “show encrypted text” enter the passphrase you use to encrypt the text, and enter OK. The text will now reappear, when you leave this note it will be re encrypted. To search for the notes that have been encrypted, put "encryption:" into the search field.

Link to comment

Ummm...well, if you tell it to remember the password, that's what it will do...


Link to comment

Would it be possible to include todos, images, PDFs, and attachments to encryption? Just leave encrypted things out from note attributes and image recognition.

It's probably possible. But doesn't sound like it's something high on Evernote's to do list. Please search the board on security and/or encryption for more info. Basically, EN allows you to encrypt text. If you want other types of info encrypted, EN leaves that up to the user & the third party app of the user's choice. They have been very, very clear on this subject.

Link to comment
Basically, EN allows you to encrypt text. If you want other types of info encrypted, EN leaves that up to the user & the third party app of the user's choice. They have been very, very clear on this subject.

I know your point, that users could always use 3rd-party programs for encryption and attach them into the Evernote.

In my personal point of view, the value of encryption from Evernote is being portable. I want something encrypted being available everywhere - on the PC, on the web via browser, on the mobile phone, or so anywhere, without the need to install a program or depack a portable 3rd-party program.

Hmmm.. in this point, maybe encryption of texts is enough. Something more important than encryption of objects may be to make Evernote Web, Evernote Mobile Web, and other apps fully able to encrypt and decrypt (securely of course).

Link to comment

It's a matter of cost and effect. So far, I don't see how Evernote encryption is superior to, for instance, attachment encryption with 7-zip.

For portability, the latter is available for any PC, on saving, loading, and modifying; while the former you can only save on Evernote Windows and load on a public computer. In my point of view, Evernote encryption was only good when before Evernote didn't support limitless extension of attachment.

Evernote encryption doesn't need to be and shouldn't be another 7-zip. It should develop its own style, for example as I mentioned above, the full portability of decryption and if possible, encryption. I just don't know what was the purpose and the target of this function. Why cost time to develop a function with a plenty of alternatives? And why not improve it since it has been invented? Is there something I missed that makes web client decryption/encryption inappropriate?

Link to comment

Archived

This topic is now archived and is closed to further replies.
