
REQUEST: Password-protect notebooks


Toontje

Idea

I'm going to ask it again: Are there any plans to implement password protection for individual notebooks?

I know it's been asked many times before, but maybe if I ask again someone will wake up and spend some time building it. After all, it's been asked enough times now.

Thanks,

Ton.

Link to post


The newest update to permissions required by Evernote (for Android) is bordering on spyware! There is no need for the access they have. I have uninstalled until they start to respect their users' security and reduce the permissions.

@deanb:

How were you able to obtain this list of permissions, is there some document that Evernote provides?

@GM: I don't know, but I would not be surprised if Evernote permissions on iOS devices are the same or similar to that of EN Android. We already know Evernote violated our privacy by accessing our iPhone/iPad calendar without our permission, and without any notification.

@explorer: To look at the permissions go to Android Market then search for EverNote then click on the Permissions tab.

Link to post
  • Level 5*

Thanks for raising the issue. We're happy to explain in detail why we request this access.

. . .

- Allows an application to read all of the calendar events stored on your device is new. We now have some cool features that will automatically title notes based on your calendar (and location information).

Phil, I have a few questions for you:

  1. How do I access the Evernote Terms of Service and Permissions for iOS devices (iPhone, iPad)?
  2. Where did Evernote ask for permission to access my iPhone/iPad calendar?
  3. Where did Evernote notify me that you would be using my calendar?
  4. Is Evernote accessing any other data, on any platform, that I have not been notified about?
    • For example, are you accessing any of my Outlook data on my PC or Mac?

Link to post

I have installed Evernote for Mac on a shared computer.

I was wondering if I can lock or password protect my notebook, so each user can only access theirs.

At the moment, anyone can open up Evernote and read/write any of the notebooks.

I could not find any options anywhere that allow me to do that.

Am I missing something?

Thanks

Link to post

Hi, I realise this has been raised previously, but so far I cannot find any formal response from Evernote to the often raised concern as to how a user can ensure the security of my notes once their notebooks have been made available to external service providers.

So let me try once again.

I, and many other users will not authorise any external applications to view or add to my Notebooks. Once I have to agree to the request that an external application can view and add to my notebooks I will not proceed. I have seen a number of comments regarding the "trustworthiness" of the external companies or the limited access should Evernote user data be hacked into but this is not what we are being asked to agree to when we need to tick the box.

I have suggested two possible solutions:

  1. Limit access to just one Notebook and not all notebooks, so we can control and restrict access.
  2. Provide encryption of at least one Notebook (not individual notes).

So please will Dave or someone else from Evernote let us know if you have plans to improve notebook security, which as far as I can recall has not been changed since the very early days of Evernote.

Thanks, Greg

Evernote Premium user of over 3 years with almost 7,000 notes (10% would be confidential)

Link to post
  • Level 5*

Of course, Evernote cannot control what other companies put in their terms of service, or how well they honor their obligations. So, regardless of how trustworthy other companies are, I think it would be great if Evernote provided a way for us to wall off data. Encrypting 700 notes (in your case) one by one is a pretty clunky solution to the problem. An encrypted notebook would be greatly appreciated.

In my case, I don't generally use third party services, but I would just find it a lot more convenient to put sensitive notes into a single location, rather than going through them one by one to encrypt them. Obviously, we can keep things local and so forth, but that is a workaround for the current situation, and an inadequate solution if you have many notes you want to be able to access away from your home computer, but don't want to leave un-encrypted. This has all been said before, of course, on the forum.

But, I see a problem with the request, and I think your question has already been answered. Unfortunately. Evernote has not shown any interest in encrypting our files, and if you think about real-world use of an encrypted folder, then I have to be honest and say that I would probably dump everything into it. Then, people who organize with folders will ask for encryption on everything. The next thing you know, you have exactly the system that Evernote has (apparently) said they do not want.

So, I don't have high hopes for this one.

Link to post

Thanks guys for your prompt replies.

That might not work in my case :-S

Different people using this Mac will have different notes, and in most cases have to be private.

The web app by nature has that protection.

That would be a really valuable feature for the desktop solution,

to choose whether a notebook is password protected or not.

I will submit that as a feature request; I will look at where I can do that.

Thanks guys

Link to post
  • Level 5*

This has been requested elsewhere (also the desire to password protect a whole note). I haven't heard anything that leads me to believe that Evernote intends to implement this feature, but they certainly know about the feature request.

~Jeff

Link to post

1. A link to the terms of service is presented at registration and on our web site. You agree to them when you register. We don't enumerate the technical permissions requested for the iOS app. We follow the iOS/AppStore guidelines.

2. Evernote for iOS doesn't explicitly request access for any information except location per iOS guidelines.

3. During the upgrade or install from the Android Market. Android doesn't allow automatic install of applications that change permissions.

4. That question is quite broad. For example Android and iOS both access the gallery if you want to import a picture. Both access the address book as I mentioned above. You can copy and paste into Evernote so we need to use the clipboard. Mac and Windows both support screen capture. We haven't implemented smart auto-titles on the desktop or web yet. The Mac client also accesses your address book when emailing notes (to give address completion); this feature isn't supported as a general operating system capability on Windows.

Evernote doesn't grab any information from Outlook. We used to have an Outlook extension that would allow you to copy an email into Evernote but it's no longer supported.

Evernote accesses this information based on actions the user takes. Your personal data is only used to improve the user experience.

FYI - The Android permissions list is also in Settings -> Apps -> [App name]. You may view the permissions of any app. Android does not automatically update applications if their permissions change.

Link to post

Also, it is my understanding (see disclaimer above) that if content is encrypted, we wouldn't be able to index and search it. Which removes a lot of the usefulness of Evernote. I would probably do what GrumpyMonkey suggested if I had an encrypted folder, and dump almost everything into it. Ok maybe not "everything" but enough to make Evernote a completely different experience. What's a good balance?

I vote for indexing the metadata (title, tags, etc.) but not the note contents/attachments. I find this a good compromise between security and ease-of-use.

Link to post

Evernote accesses this information based on actions the user takes. Your personal data is only used to improve the user experience.

And here's your problem. On the internet, everyone, legit or not, claims this. While I trust Evernote more than most companies out there, an internet-based company simply can't rely on *trust*. What *can* be done is being proactively transparent about the half-dozen or so *personal* things that really matter:

- Photos

- Location

- Contacts

- Calendar

- Personal communication (E-Mails sent/received, Texts)

- Browser history

… that's probably about it.

Currently in my personal opinion, you're not proactive enough in making these transparent. You refer to the Terms of Service (which contain about 95% information nobody reads, maybe some information is also sitting in the KB which 90% users don't know of). You answer questions politely, patiently and thoroughly (*when* asked). You say that, alas, the App Stores/Markets don't give you a clear way to communicate this information beforehand (well, they *do* all give you a thousands-of-characters description field).

All I want to say is, Evernote comes over reluctant and passive/defensive in this. Being straightforward, up-front, would help. I'm afraid discussions/blog posts/FAQs reach only a small percentage of users.

Today's users are rightly told to be vigilant and to give only as many rights/privileges away as strictly possible. When you have a nice-to-have function (like predictive note titles), that's great, only make users aware of it and give them a chance to opt-out of it in the settings if they wish to do so. Build trust through transparency (and choice).

Edit: That said, I really appreciate you (Philip and dlu) taking the time to discuss this.

Link to post

I am going to try and tiptoe around this as gracefully as possible while still trying to be useful. I'll put out the disclaimer now, I don't have a security background, I am not an expert in any shape or form on the subject of security, encryption, hacking or anything in that arena. I can barely get back into my own accounts when I forget my password. I am certainly not anywhere near Dave's level of fluency on security or on many of the technical aspects of Evernote. I am also not a lawyer, if this at all gets into a discussion about our terms of service or anything like that, I know nothing. NOTHING. Treat what I say as if a 5 year old said it.

Also, I have no idea or influence on this type of stuff at Evernote. No idea about notebook security. Nada.

Now onto the good stuff.

First, is your primary concern with sync'd notebooks and the external applications? (Aka companies not Evernote)

Or is your concern with any notebook that might be created using an Evernote Client, including local notebooks? Or perhaps something in between these two?

Does your first suggestion imply we would need to create infrastructure for notebooks allowed to be accessed by external applications and one for notebooks not allowed to be accessed by external applications? If so, is it unfair if we make the default to allow notebooks to be accessed by external applications? And if so, do we basically have to in-house every aspect of our service? (Perhaps an unfair series of questions, but I really am not sure, I don't ask to be facetious.)

Also, it is my understanding (see disclaimer above) that if content is encrypted, we wouldn't be able to index and search it. Which removes a lot of the usefulness of Evernote. I would probably do what GrumpyMonkey suggested if I had an encrypted folder, and dump almost everything into it. Ok maybe not "everything" but enough to make Evernote a completely different experience. What's a good balance?

Link to post

Phil,

thanks for your clarifications regarding Evernote's apps. Could you comment on the concerns of the original poster: If I grant access to a third party, I currently grant unrestricted access to my whole life.

Are you planning to change this, i.e. impose restrictions on 3rd party apps?

Thanks

Stephan

PS: Evernote for iOS (latest version) accesses calendar information in the same way as Android does.

1. A link to the terms of service is presented at registration and on our web site. You agree to them when you register. We don't enumerate the technical permissions requested for the iOS app. We follow the iOS/AppStore guidelines.

2. Evernote for iOS doesn't explicitly request access for any information except location per iOS guidelines.

3. During the upgrade or install from the Android Market. Android doesn't allow automatic install of applications that change permissions.

4. That question is quite broad. For example Android and iOS both access the gallery if you want to import a picture. Both access the address book as I mentioned above. You can copy and paste into Evernote so we need to use the clipboard. Mac and Windows both support screen capture. We haven't implemented smart auto-titles on the desktop or web yet. The Mac client also accesses your address book when emailing notes (to give address completion); this feature isn't supported as a general operating system capability on Windows.

Evernote doesn't grab any information from Outlook. We used to have an Outlook extension that would allow you to copy an email into Evernote but it's no longer supported.

Evernote accesses this information based on actions the user takes. Your personal data is only used to improve the user experience.

FYI - The Android permissions list is also in Settings -> Apps -> [App name]. You may view the permissions of any app. Android does not automatically update applications if their permissions change.

Link to post

Maybe what would suck more is that people won't use Trunk Partners apps because they are concerned about the security of their notebooks?

Yep also a concern. I didn't mean to say privacy/security wasn't important. Just wanted to emphasize that making the setup novice friendly is important. Having security options that no one uses is probably worse than not having them at all. (Worse in the sense that we could have added other useful features instead).

Link to post

I definitely think that a more granular level of permissions is needed when giving 3rd party access to my Evernote account.

Currently, I believe it is an all or nothing permission.

So for apps that are supposed to ONLY add new Notes (like a Fastever or Genius Scan), when I give them my account login credentials the app actually has full permissions, including delete, correct?

So here are some ideas on more granular permissions:

  • Limit access to specific Notebook(s)
  • Limit access to ONLY ADD new notes
  • Limit access to only change Note text (do NOT allow edit/delete of attachments)

Of course you would probably want to set this up as a list of individual permissions that the user could check.

The ideal approach would be for the user to log into their Evernote account and set permissions, either for all apps, or specific apps.

I can see that being useful, just want to make sure that ahem certain un-named family/friends wouldn't get lost and confused in it.

Link to post
  • Level 5*

i'm not terribly concerned about evernote. i have more personal stuff in my account than i do in my phone or contacts. and, as i said several times, i do not know of any tos violations by evernote. i think the claims about this are coming (as mentioned above) because of lack of transparency. to be fair, few apps provide satisfactory levels of it.

the third party total access situation is a bummer, because it keeps me from supporting many of the developers. here is where control over access, or an encrypted folder would come in handy.

Link to post
  • Level 5*

whoops. good point. my data in the encrypted folder would not be indexed. i guess i wouldn't put much in there after all.

as for the third party apps, i am unwilling to give them access to my entire life (all my files) just to use their services. the op's suggestion of having their access restricted to a single folder, sort of like a shared folder, would be most realistic. i don't think anyone expects evernote to take over the services. we just want a way to wall off data.

Link to post

Hi

I have started using EN extensively and would find the ability to password protect individual notes and notebooks really useful. Can anyone from Evernote confirm if this is something they are looking at? Reading through the forums it seems to be something that a lot of users would like.

Thanks

Link to post

Hi

I have started using EN extensively and would find the ability to password protect individual notes and notebooks really useful. Can anyone from Evernote confirm if this is something they are looking at? Reading through the forums it seems to be something that a lot of users would like.

Thanks

I'm pretty sure this has been addressed in the message board and even in this thread.

Link to post

I'm new to this so bear with me. Other family members use my laptop. I want to use evernote as a diary, so I don't want a family member to click the elephant icon and voilà, there it is---my private thoughts. I was just wondering if there was a feature that when you click the icon a password request would show up. You'd enter it and be in. I purchased Evernote because it syncs with other devices; for example, I could post a thought on my iphone on the fly and later at home pursue that thought on my laptop.

Link to post
  • Level 5*

I'm new to this so bear with me. Other family members use my laptop. I want to use evernote as a diary, so I don't want a family member to click the elephant icon and voilà, there it is---my private thoughts. I was just wondering if there was a feature that when you click the icon a password request would show up. You'd enter it and be in. I purchased Evernote because it syncs with other devices; for example, I could post a thought on my iphone on the fly and later at home pursue that thought on my laptop.

Hi. Welcome to the forums!

There are two solutions to the problem at the moment. You could logout of your account when you are done using it. This will prevent casual access. Your notes, though, will still be visible if someone searches through the Library folders on your drive, and a simple Spotlight search will find them.

You could create a user account for everyone else and one for yourself on the mac. This is the best method, in my opinion, because you establish a clear boundary between all of our data (browser histories, regular files, etc.) and others. It is the same amount of work as a password on a notebook in Evernote, but offers much better protection.

Link to post
  • Level 5*

I've had some experiences with government-level secure encryption, and they all suffer from one main drawback. You also need access to your data with a -reasonable- level of convenience.

If you can get access, so can someone else - in extreme cases by removing the necessary body parts to convince a scanner you're present.

At a somewhat lower level you may use names and birthdays as passwords or (for the seriously security challenged) write it down somewhere. You have to remember passwords - at least the ones you use to get started up - so they can't be too random.

There's no such thing as absolute security, you're just trying to make it impractical for anyone to expend serious effort cracking the file or the system open.

Granny, eggs, I know - just trying to maintain a perspective here...

Link to post
  • Level 5*

Not whole notes, no, but you can select all of a note's content and encrypt that. Make a selection in your note, right-click on it, and select "Encrypt Selected Text...", then follow the directions.

Link to post

I am new to Evernote and am very disappointed that there is no password protection for the PC version.

I assumed that there would be a way of securing at the application or notebook level since the android app said a PIN feature was available with a premium account.

Now I have a ton of stuff in notebooks, paid for the premium account and learn that there is no way of password protecting on the PC.

Not sure I would have gone this far if I knew. :(

Link to post
  • Level 5*

I think I have seen a suggestion like this before, so you are not alone. Currently, you can encrypt information in individual notes, place password protection on files you upload, and designate folders as local and not to be synced. Personally, I figure that if you are using a strong, unique password, and changing it regularly, then you shouldn't have any problems. However, in the end it may be best not to put anything on the web or in the cloud that you are concerned about, even if there are multiple password systems.

Link to post

Should I take that as a "Shut up. We are aware of the request but we prefer Twitter, Facebook, etc first"? You are probably right, that would serve all the non-professional (and probably non-paying, but that's an assumption from my end) users well.

Password protecting a notebook has nothing to do with encryption, is IMHO NOT a pony and should have been in the product in the first place.

Anyway, my opinion. I'm not a developer. I'm just a customer.

Ton.

Link to post
Should I take that as a "Shut up.

How you could read that thread & come away with that opinion is beyond me.

Password protecting a notebook has nothing to do with encryption, is IMHO NOT a pony and should have been in the product in the first place.

Funny how everyone seems to think their pony (yes, it's the same as repeatedly asking for a pony) is the pony that will double the number of people using Evernote overnight, double revenue overnight, should have been included in the first place, etc.

Should I take that as a "Shut up. We are aware of the request but we prefer Twitter, Facebook, etc first"?

It's certainly your right to think password protecting a notebook should have been included from the get go. But it's also their company & their right to prioritize the features they implement that will better serve their product & the direction they are going. No one app will do everything that everyone wants it to do. There will always be another pony.

Link to post

Regarding the 3rd party access, we do have access controls for 3rd party (OAuth tokens). We can limit access to create only, read, update, delete anything but notes, delete notes, and read user information. These permissions are displayed when you grant OAuth access and can be viewed and managed within the Applications tab within Setting.

This is distinct from 3rd party applications like, for example, an iOS app that integrates with the Evernote service. If you give a 3rd party application your username and password then, from a security perspective they have full access.

If you've got questions or requests about this it would be great to bring them up in the Evernote Developers forum. Evernote has a group dedicated to partners. I'm not an expert on this area.

Link to post

I right-click after selecting the text in the note, and the text disappears and the encrypted icon appears (padlock, etc).

Evernote doesn't ask me for a password or anything.

And when I double-click on the encrypt icon, my "encrypted" text re-appears. Some security, eh!

What's going on?

Using Evernote 4.5.3.6131

Link to post

I know that this has been requested in the past, but I find myself wanting this feature more and more as I use evernote for everything including personal journals and storing sensitive information.

The one thing that would tip me over into buying Premium would be the ability to Password Protect and Encrypt an entire notebook or a single note. I know you can select entire blocks of text and encrypt that, but that is quite a hassle and difficult to do when you want to view an entire notebook full of these. I'd like to know that if someone sat down at my computer and managed to view my Evernote (which is open as much as my web browser), they wouldn't be able to easily access my protected notebooks.

Also as a general tip, I think that if Evernote wants to focus on bringing the most value to its customers at every release, it should give us some ability to vote on which features we would like to see the most.

Link to post

It's doubtful EN will include encrypted notebooks any time soon. There are a myriad of other ways to add encrypted information to the cloud including Dropbox. EN's "value added" is the ability to index & quickly retrieve your notes, which cannot be done if the files are encrypted.

EN has also repeatedly stated their stance on voting/feature polls. Even as recently as four days ago.

Link to post

as for the third party apps, i am unwilling to give them access to my entire life (all my files) just to use their services. the op's suggestion of having their access restricted to a single folder, sort of like a shared folder, would be most realistic. i don't think anyone expects evernote to take over the services. we just want a way to wall off data.

Would this be just for third party apps such as the ones in the Trunk? What if Evernote rents out a datacenter somewhere for some reason. Would it be ok if your walled off notebook was stored there, even though technically it isn't Evernote? The latter seemed unrealistic.

Link to post

I've had some experiences with government-level secure encryption, and they all suffer from one main drawback. You also need access to your data with a -reasonable- level of convenience.

If you can get access, so can someone else - in extreme cases by removing the necessary body parts to convince a scanner you're present.

At a somewhat lower level you may use names and birthdays as passwords or (for the seriously security challenged) write it down somewhere. You have to remember passwords - at least the ones you use to get started up - so they can't be too random.

There's no such thing as absolute security, you're just trying to make it impractical for anyone to expend serious effort cracking the file or the system open.

Granny, eggs, I know - just trying to maintain a perspective here...

Yeah and that's the balancing act with security

Link to post
  • Level 5*

as for the third party apps, i am unwilling to give them access to my entire life (all my files) just to use their services. the op's suggestion of having their access restricted to a single folder, sort of like a shared folder, would be most realistic. i don't think anyone expects evernote to take over the services. we just want a way to wall off data.

Would this be just for third party apps such as the ones in the Trunk? What if Evernote rents out a datacenter somewhere for some reason. Would it be ok if your walled off notebook was stored there, even though technically it isn't Evernote? The latter seemed unrealistic.

only for third party apps. i don't understand what you mean by the datacenter. my point is that in order to use a third party app, i have to give them complete access to my account.

it is akin to locking up my apartment with a massive deadbolt and turning on the alarm system when i go out of town, but handing out keys to everyone in the office and my access codes so that they can water my plants. sure, i trust them to a point, but why do i have to give up everything for a single service? i'll just put the plants outside on the sunporch or bring them to work if i want to ask them to help me out.

in this analogy, i don't know where the datacenter would fit :)

anyhow, the simple solution is to just give third party apps access to shared folders, and not to your entire account.

Link to post
  • Level 5*
I am new to Evernote and am very disappointed that there is no password protection for the PC version.

The Windows version depends on your login account being secure. If you need things kept private, then you should set up a separate login account for yourself.

Link to post

I right-click after selecting the text in the note, and the text disappears and the encrypted icon appears (padlock, etc).

Evernote doesn't ask me for a password or anything.

And when I double-click on the encrypt icon, my "encrypted" text re-appears. Some security, eh!

What's going on?

Using Evernote 4.5.3.6131

Encryption: you can encrypt part or all of a note. Just highlight the part you want to encrypt then from the Format drop down “encrypt selected text” a box will appear and you will be asked to enter the encryption passphrase. When you enter OK the text selected will be covered with a gray box and a padlock. To open this box just right click and select “show encrypted text” enter the passphrase you use to encrypt the text, and enter OK. The text will now reappear, when you leave this note it will be re encrypted. To search for the notes that have been encrypted, put "encryption:" into the search field.

Link to post
  • Level 5*

I can see that being useful, just want to make sure that ahem certain un-named family/friends wouldn't get lost and confused in it.

Yeah, I get your point. The large majority of Evernote users could probably care less about the details of security, and just want it to work while keeping their data safe.

But there are definitely some users who have concerns about security. I think most of these are also the more technically experienced users and can easily understand about setting permissions.

So, you would want a UI that defaults to providing the security that most users want/need, while providing "advanced" permissions for those who want it. A well thought out UI design and end-user testing of setting permissions would be key to making this work.

One thought/question: Would it make sense to change the API for 3rd party apps asking the user for permission to use their Evernote account to ask the user for at least top-level permission like:

Select Access Permission for this App:
  • Read Only
  • Add Only
  • Edit Only
  • Add and Edit
  • Add, Edit, and Delete

Of course for this to be secure this dialog would have to be directly between Evernote and the User. Don't know if this is feasible or not.

I keep coming back to my own use of 3rd party trunk apps. All of them are for adding new Notes only. I definitely would like to make sure these apps can NOT do anything else but ADD. This includes READ.

Link to post
  • Level 5*

i think security is actually a big concern for lots of people. it comes up on the forums a lot, it is discussed on the internet especially in terms of privacy for third-party info in evernote, and security concerns are something anyone with multiple users on their computer deals with on a daily basis (multiple user accounts).

as you said, a well thought out interface will avoid any problems.

Link to post
  • Level 5*

It is not possible, at least at this time. Couldn't tell you whether it's being considered for implementation or not. There's been prior discussion in the forums on this topic, if you care to search for it.

Link to post

I right-click after selecting the text in the note, and the text disappears and the encrypted icon appears (padlock, etc).

Evernote doesn't ask me for a password or anything.

And when I double-click on the encrypt icon, my "encrypted" text re-appears. Some security, eh!

What's going on?

Using Evernote 4.5.3.6131

Ummm...well, if you tell it to remember the password, that's what it will do...


Link to post

There are technical challenges but none that I believe are insurmountable given that the encryption and indexing are not mutually exclusive. If they have the ability to encrypt text blocks, the same concept can be applied to notes.

However, I don't know what the technical architecture of the Evernote cloud is, so I don't know how difficult it would be for them. I'd be willing to pass on the encrypted note feature and would settle for simple password protected notebooks / notes, as I am more worried about sneaky people accessing my notes than I am worried about hackers. ;)

Link to post

Makes sense, I think giving one-off controls might be a bit of a hassle. What would suck for Trunk partners is if a user's first experience with their app was always a notebook picker of some sort. Ideally it'd just work and be magical. Perhaps something to mark a notebook as private, and 3rd party apps get access to non-private notebooks would be simpler, but cover most of the concerns

Maybe what would suck more is that people won't use Trunk Partners apps because they are concerned about the security of their notebooks?

I don't use Trunk Partners apps because I am concerned about the security of my notebooks. :)

I'd rather have a notebook picker, then I could give different apps different notebooks. When sharing, I don't have to choose share all my notebooks or none, so I think it should be the same with Trunk Partners apps.

Link to post

I had made up a story where I fit in the datacenter in your apartment analogy, and it was all typed out, but it was really bad and didn't really work. Anyways, I have my answer. If the OP agrees with you, then that makes sense to me.

Link to post
  • Level 5*

I don't use Trunk Partners apps because I am concerned about the security of my notebooks. :)

I'd rather have a notebook picker, then I could give different apps different notebooks. When sharing, I don't have to choose share all my notebooks or none, so I think it should be the same with Trunk Partners apps.

Unfortunately I have been actively using a few Trunk apps, but that is about to change drastically.

I had no idea that the permissions given to Trunk app were wide open, even if all the app does is send a photo/image to your Evernote account.

As I stated in my post above, IMO we need very granular permissions for Trunk Apps, way beyond just NB. But NB would be a good start!

Link to post

Very BIG +1 to this request. I'm not bothered if it's the ability to protect individual notes or an entire Notebook but there is definitely a need for more granular control over who can see what in EN.

I would happily upgrade to Premium for this feature done correctly...

Link to post

Would it be possible to include todos, images, PDFs, and attachments to encryption? Just leave encrypted things out from note attributes and image recognition.

It's probably possible. But doesn't sound like it's something high on Evernote's to do list. Please search the board on security and/or encryption for more info. Basically, EN allows you to encrypt text. If you want other types of info encrypted, EN leaves that up to the user & the third party app of the user's choice. They have been very, very clear on this subject.

Link to post
  • Level 5*

i'm the same. i am interested in the trunk apps, but the lack of control (perceived or real?) over the data i share with them pretty much ensures that i won't ever use them. it's too bad, but i think it is just common sense.

personally, i think it is in everyone's best interest to give users control over this.

Link to post

I would also like to password protect a few notes as well and would be happy if the password protection could be applied at a notebook level.

I could then have a notebook called private and within that have multiple notes - one for registration details (eg website logins), one for financial info etc.

PS looking forward to being able to add notebooks from mobile device.

Link to post

There are technical challenges but none that I believe are insurmountable given that the encryption and indexing are not mutually exclusive.

They absolutely are mutually exclusive, if the file(s) are truly "secure" because Evernote would have no access to the encryption password & therefore no way to decrypt the text & index it.

If they have the ability to encrypt text blocks, the same concept can be applied to notes.

The text you encrypt in Evernote is NOT indexed. See above paragraph and for more information about encryption.

"Any time a cloud service can tell you your password (click 'forgot password') and/or can help you restore your data, your data is NOT secure from hackers. Do you think hackers are smart enough to be able to hack into a cloud server but not smart enough to figure out where the encryption passwords are located???"

And from Heather's post in that thread:

"Just to give you a little bit of a real-world perspective on this: we've had a handful of people over the years contact us to attempt to retrieve their lost encryption passwords, and the reaction was overwhelmingly positive - in the end.

However, until it really sunk in that their notes were well and truly lost unless they, themselves, remember the passwords, and that we honestly have no way of retrieving them, at all, we have been ... well, not treated with the nicest of manners."

Link to post
Basically, EN allows you to encrypt text. If you want other types of info encrypted, EN leaves that up to the user & the third party app of the user's choice. They have been very, very clear on this subject.

I know your point, that users could always use 3rd-party programs for encryption and attach them into the Evernote.

In my personal point of view, the value of encryption from Evernote is being portable. I want something encrypted being available everywhere - on the PC, on the web via browser, on the mobile phone, or so anywhere, without the need to install a program or depack a portable 3rd-party program.

Hmmm.. in this point, maybe encryption of texts is enough. Something more important than encryption of objects may be to make Evernote Web, Evernote Mobile Web, and other apps fully able to encrypt and decrypt (securely of course).

Link to post
  • Level 5*

Not at all. Feature requests and suggestions are always welcome, and a lot of them lead to changes. I have a number outstanding, myself.

What I do find odd is when people outside the company try to second-guess Evernote's aims in working on feature 'X', because they don't find it useful to them, or whatever reason; often it's part of some assumption that Evernote would then have time to work on feature 'Y' instead (I understood your comment in this light -- if that's not what you meant, then I apologize for the misunderstanding). But generally speaking, most non-Evernoters don't have good-enough information to make reasoned judgments on the subject, which turns it into conjecture as far as I am concerned, and not much different than say, sports talk in a bar. It can be fun and interesting, but probably not much substantive comes out in the end.

Along the lines of what I said before, I believe that the current Evernote encryption system is meant to be a lightweight, easy-to-use system that satisfies most people's needs (if they even need encryption at all) without degrading Evernote's overall aim of making your notes searchable. For people who have more stringent needs, there are ways for individual users to implement more comprehensive encryption, but they're just part of Evernote's general attachment facility.

Link to post

To be honest, I'm not experienced enough with the handling of API's to give you a great opinion on whether breaking up the permissions like that makes sense. There's a bunch of technical (and probably non-technical) nuances that I'm completely unaware of. But other than that, your suggestion seems reasonable.

I know Android has intents and Windows 8 has share/search contracts. Perhaps a system like that could solve some of the issues by carving out specific functions an app can sign up for. (Again, I'm not at all saying that we'll do this).

Link to post
The text you encrypt in Evernote is NOT indexed. See above paragraph and for more information about encryption.

Of course the encrypted text is not indexed. It must not be indexed. This is the reason of encrypt notes: You can't access the content without a password. Of course the index is and should also be unable to access this content. Otherwise encryption would make no sense. I don't see there a problem. The currently included text-encryption also can't be indexed and that is what the people ask for.

Currently I have attached many encrypted attachments for all content that I want to be encrypted (example: every password). It would be very helpful when this workaround would be not necessary. The most handicap of this workaround is that I can't see these encrypted attachments on my mobile devices. And that is not the meaning of evernote. And no, you can't use the already included text-encryption for this because it is very weak (RC4 64bit) as mentioned in several discussions before.

I wish EN would at least make this already implemented text-encryption more secure and therefore usable.

Marcel.

Link to post

Another big +1 from me too.

I especially use EN on job, but I'm a o prof writer, and I would like using EN for this too. Obviously I need that my writings have to be protected by every sight!

Encryption function is not the best way to manage this request, it's like shoot to a mosquito with a cannon...

Sent from my Transformer TF101 using Tapatalk

Link to post

I'm not too fussed about the fact you can't password protect entire notebooks, but it would be handy to protect the odd note from time to time.

The current functionality works well if you have raw text in a note, but what if you have a sensitive document like a PDF or Word doc? At that point, the encryption feature is a moot point because you're stuck. Yes, you could password protect the files themselves I suppose but I'd much rather do this within Evernote.

Link to post

Would this be just for third party apps such as the ones in the Trunk? What if Evernote rents out a datacenter somewhere for some reason. Would it be ok if your walled off notebook was stored there, even though technically it isn't Evernote? The latter seemed unrealistic.

only for third party apps. i don't understand what you mean by the datacenter.

I think...when dlu is talking about renting a datacenter, it's a situation where say, Evernote needs more disk space (a rather simplified comparison) and didn't want to spend the money to buy their own. (For whatever reason. Could be they don't want to spend the lump sum $$$, could be they don't mind spending the $$$ but the engineer time on their part getting it all installed, implemented & tested is not currently available, etc.) So they outsource it to someone else. IOW, my Evernote database may be residing on a server that is not owned by Evernote but is "rented" by Evernote. Since the datacenter is owned by someone else, there is another option for a security breach. So his question is do I, as a user, have a problem with that. (I think that's what he's asking/saying.)

And personally, I don't care. I implement security on my end (by not having sensitive info in my EN cloud either b/c I used an image editor to mark out the info or b/c I password encrypted a PDF or (old skool) put the item in a local (non-sync'd notebook) or not in Evernote at all), knowing that my EN database in the cloud is not stored encrypted. Additionally, I have confidence in the EN team that if they were to outsource, they would be very diligent about selecting a vendor.

Link to post

...I believe that the current Evernote encryption system is meant to be a lightweight, easy-to-use system that satisfies most people's needs (if they even need encryption at all) without degrading Evernote's overall aim of making your notes searchable.

Fair. So did it contradict with my suggestion?

Something more important than encryption of objects may be to make Evernote Web, Evernote Mobile Web, and other apps fully able to encrypt and decrypt (securely of course).

When I said that, I was complaining about the fact that Evernote Mobile Web can not view encrypted content, and the fact that Evernote Web cannot add or edit encrypted content, and was requesting a new feature.

Don't you think that portable is important? Don't you know that sometimes we have to put up with Evernote Mobile Web for our notes with IE6 on public computers or with old-style phones? Do you know that sometimes we have the need to add or edit encrypted data while not wanting to install Evernote Windows on public computers?

Link to post

There's an option to set a separate password for a single notebook?

I'd like to use a notebook to take note of all my passwords, so I could check it later if I forget one and don't risk security, any possibility on doing that?

Link to post
Found the fix! MS OneNote, password protect every note, easy

You get what you pay for.......

:D

Actually, it's more of what the app's focus is, IMO. I also use Onenote. (shrug) Some people seem to think EN & ON are mutually exclusive, but I don't. And I don't store sensitive info in Evernote. (shrug) IMO, Onenote is better geared toward brainstorming. But it's overkill for storing contact info or which sandwich my husband prefers from Quizno's or what changes I made to a program at work last week. OTOH, for that as well as pretty much all other information I want to keep & have easily accessible, no matter where I am, then Evernote is my program of choice.

Link to post
  • Level 5*

Danny: You've asked several questions. My comments on the nature of Evernote's current encryption facilities were directed at your following posts:

That's strange. If password protection is meant to be up to the user, why does Evernote develop the encryption function? Why not just save the time and make productive things?

and also

I just don't know what was the purpose and the target of this function. Why cost time to develop a function with a plenty of alternatives?

As to the 'portable' question, I'm not really sure what to say. I do believe that being able to access your Evernotes wherever you are is desirable, and I think that Evernote is continuing to add those facilities over time. What I don't believe is that 'portable' should mean 'universally available', and I also don't believe that Evernote needs to support every platform that's ever existed under the sun. I sure don't expect to access my notes on my old-style basic phone.

Link to post

i think security is actually a big concern for lots of people. it comes up on the forums a lot, it is discussed on the internet especially in terms of privacy for third-party info in evernote, and security concerns are something anyone with multiple users on their computer deals with on a daily basis (multiple user accounts).

as you said, a well thought out interface will avoid any problems.

Yea, that's the software designer coming out in you by providing a simpler to program and use feature that fulfills the purpose.

Link to post
The text you encrypt in Evernote is NOT indexed. See above paragraph and for more information about encryption.

Of course the encrypted text is not indexed. It must not be indexed. This is the reason of encrypt notes: You can't access the content without a password. Of course the index is and should also be unable to access this content. Otherwise encryption would make no sense. I don't see there a problem.

I don't see a problem, either. That was my point.

Currently I have attached many encrypted attachments for all content that I want to be encrypted (example: every password). It would be very helpful when this workaround would be not necessary. The most handicap of this workaround is that I can't see these encrypted attachments on my mobile devices. And that is not the meaning of evernote. And no, you can't use the already included text-encryption for this because it is very weak (RC4 64bit) as mentioned in several discussions before.

Not sure I'm really understanding what you're saying. But I use a true password manager for my passwords. It has an iPhone app so I can access them on my desktop or from my phone.

I wish EN would at least make this already implemented text-encryption more secure and therefore usable.

Based upon Evernote's often stated stance on security (which is leaving it in the hands of the user and I have not seen anything to indicate this has changed), I suspect it's a low priority because:

There are a myriad of other ways to add encrypted information to the cloud including Dropbox. EN's "value added" is the ability to index & quickly retrieve your notes, which cannot be done if the files are encrypted.

Link to post
  • Level 5*

Regarding the 3rd party access, we do have access controls for 3rd party (OAuth tokens). We can limit access to create only, read, update, delete anything but notes, delete notes, and read user information. These permissions are displayed when you grant OAuth access and can be viewed and managed within the Applications tab within Setting.

This is distinct from 3rd party applications like, for example, an iOS app that integrates with the Evernote service. If you give a 3rd party application your username and password then, from a security perspective they have full access.

If you've got questions or requests about this it would be great to bring them up in the Evernote Developers forum. Evernote has a group dedicated to partners. I'm not an expert on this area.

hi philip. thanks for weighing in.

my understanding is that third parties can see everything. for example, if they receive read access, it gives them access to every single one of our notes. it is true that they do not have full access, and they cannot, for example, delete all of my information. but, one of the concerns i have is that they find out exactly how quotidian my life is, have a copy of all this on their servers, where it is out of my hands, and beyond the reach of evernote as well.

personally, i am really uncomfortable with this. no matter how banal my notes are, i prefer to keep them private and in my control. it is a real shame, because i would like to use so many of these services. if only there were a way to wall off my information. i am not talking about encryption here. it would be great if we could restrict permissions to a single notebook.

i'll stop by the developer's forum and bring this up there, but i would think this is entirely out of the developers' hands. it seems that it would be up to evernote to set the rules by which permissions are given. in this case, by defining permissions not on the account level, but on the notebook one.

i think security is actually a big concern for lots of people. it comes up on the forums a lot, it is discussed on the internet especially in terms of privacy for third-party info in evernote, and security concerns are something anyone with multiple users on their computer deals with on a daily basis (multiple user accounts).

as you said, a well thought out interface will avoid any problems.

Yea, that's the software designer coming out in you by providing a simpler to program and use feature that fulfills the purpose.

i wish i had the skills to write a program like evernote. unfortunately, i am stuck at the level of armchair quarterbacking. i talk a good game, but until they let me into their offices to wreak havoc, there's no way to know if my interface ideas would be "better" or not :)

Link to post

I have one note that I want to encrypt (since apparently we cannot password protect some notes - true? )

How do I do this with the Web client? The iPhone client?

If I can only encrypt on the Mac application client, can I decrypt via the Web client or iPhone client?

Thanks

Link to post
  • Level 5*

i am not thrilled with bnf's data mercenary scenario, but i think that is a different issue. presumably, they have a contract with en and are legally bound by it. third party apps are independent of evernote and only bound by their own terms of service. more importantly, though, the data mercenaries stand guard at our apartment door, and the third party apps are invited inside to rummage around.

as for bnf's policy, i do something similar. while i wouldn't mind peeping tom's seeing me naked in my apartment, all things considered, i'd like to send out invitations to that show.

Link to post

I have tried multi-platform password managers. But I would like to store all information in the note where it belongs to and not spread them in different applications.

Marcel.

Link to post

It would be extremely useful to have the ability to password protect individual notes. For instance, if I'm thinking of birthday presents for my mom and I don't want her to be able to look at the note "Mom Birthday Ideas" so as not to ruin the surprise I could put a password on *just that note* so that when she clicks on it it prompts her for a password and she is thwarted! This would be extremely easy to implement and you could bundle it in the premium version as an up-sell item.

Link to post

I have tried multi-platform password managers. But I would like to store all information in the note where it belongs to and not spread them in different applications.

It's fine that that's what you want to do. My point is that there is no indication that EN will expand on the current, limited method of encryption they currently have. (shrug)

Link to post
  • Level 5*
I have one note that I want to encrypt (since apparently we cannot password protect some notes - true? )

As far as I know, you can only encrypt a selection of text in a note (could be the whole note, if it's all text). But you can't encrypt, using Evernote facilities, an attachment, or an embedded image or the like. On the other hand, you could encrypt any of those before you attached it to the note.

How do I do this with the Web client? The iPhone client?

Again, as far as I know, you cannot encrypt using the web client. Dunno about iPhone.

If I can only encrypt on the Mac application client, can I decrypt via the Web client or iPhone client?

Yes, you can decrypt using the web client. Dunno about iPhone.

Link to post
  • Level 5

I have found LastPass to be a great free program to manage all my passwords and confidential notes. Just to be extra safe, I use the LastPass export encrypted feature and save a copy in an Evernote non-sync'd local notebook.

Link to post

I would like to have access by third parties to be more granular by notebooks. Select the set of notebooks accessible with each service grant. That way, I could organize my stuff so that third-party service access would be limited to the particular notebooks related to their service. It would be my job to store my stuff appropriately. I could grant access to all of my notebooks if needed. I can choose which notebooks are accessible to other EN accounts, so I see no reason why I shouldn't be able to select the notebooks I allow a third-party to access through the API.

This would have to be transparent to the third-party service - it would have to look like to the API as if they had global access, otherwise, it would break existing third-party services. When you grant access to zendone, you choose from a list which stacks and or notebooks zendone can access.

I'm more concerned about third-parties that don't understand the TOS / security requirements needed to protect EN data than I am about them deliberately causing problems or inadvertently creating hack opportunities. EN could create a TOS / security model for third-party providers and then indicate which ones claim to have implemented that model. Note I said "claimed to have" because I'm not talking about a certification program, simply an indication of which third-parties have promised to meet the standard.

Link to post
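Added example, not part of the thread and not Evernote's API: a minimal model of the per-notebook grant proposed in the post above, combined with the permission classes listed earlier for OAuth tokens. Every name here (`Perm`, `Grant`, `NoteStore`, the sample notes) is hypothetical; the point it shows is that out-of-scope notebooks behave as if they did not exist, so an existing third-party app still sees what looks like account-wide access.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import FrozenSet, Optional


class Perm(Flag):
    """Permission classes named in the thread; the flag names are hypothetical."""
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE_NON_NOTES = auto()
    DELETE_NOTES = auto()
    READ_USER_INFO = auto()


@dataclass(frozen=True)
class Grant:
    """One token issued to one third-party app."""
    app: str
    perms: Perm
    # None models the account-wide access the thread describes today;
    # a set models the requested per-notebook restriction.
    notebooks: Optional[FrozenSet[str]] = None


class NoteStore:
    """Toy service-side store that enforces the grant on every call."""

    def __init__(self, notes):
        self._notes = {n["guid"]: dict(n) for n in notes}

    @staticmethod
    def _require(grant, perm):
        if perm not in grant.perms:
            raise PermissionError(f"{grant.app} lacks {perm.name}")

    @staticmethod
    def _in_scope(grant, notebook):
        return grant.notebooks is None or notebook in grant.notebooks

    def list_notebooks(self, grant):
        self._require(grant, Perm.READ)
        return sorted({n["notebook"] for n in self._notes.values()
                       if self._in_scope(grant, n["notebook"])})

    def get_note(self, grant, guid):
        self._require(grant, Perm.READ)
        note = self._notes.get(guid)
        # Same error for "missing" and "out of scope": the app cannot
        # probe for the existence of notes it was never granted.
        if note is None or not self._in_scope(grant, note["notebook"]):
            raise KeyError(guid)
        return note

    def create_note(self, grant, guid, notebook, title):
        self._require(grant, Perm.CREATE)
        if not self._in_scope(grant, notebook):
            raise KeyError(notebook)
        self._notes[guid] = {"guid": guid, "notebook": notebook, "title": title}
        return guid


# Constructed sample data, not real notes.
SAMPLE_NOTES = [
    {"guid": "n1", "notebook": "Photos", "title": "Beach trip"},
    {"guid": "n2", "notebook": "Private", "title": "Website logins"},
    {"guid": "n3", "notebook": "Work", "title": "Release checklist"},
]

if __name__ == "__main__":
    store = NoteStore(SAMPLE_NOTES)
    scoped = Grant("photo-uploader", Perm.CREATE | Perm.READ, frozenset({"Photos"}))
    print(store.list_notebooks(scoped))
```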
  • Level 5*

As best as I can tell, Evernote implemented a simple though limited encryption facility that's useful to some people, and called it good (enough). What's unproductive about that?

Link to post

Archived

This topic is now archived and is closed to further replies.
