(Archived) Share notebook so named person can read it

[clarer1 0]

Hi,

I'm struggling to make sense of this. I want to share one notebook with a manager so she can read my notes but not edit them. I don't want to have a public link especially if that might mean my notes will show up in search engines. (If they definitely won't show up in search engines, I'm a bit less worried as I wouldn't expect someone to come across the URL if left to themselves.)

As far as I know, she doesn't have an Evernote account and I think probably wouldn't want to register with something that is unknown to her just to be able to read my notes. So I right-click on the notebook, select share, which brings up a dialogue offering either invite individuals or create a public link. Invite in turns brings me to a dialogue to enter the recipients' email, mail and select view notes or view notes and activity.

There's also a tick box "Allow notebook preview without requiring login." Help implies my manager would be able to read the notebook and wouldn't have needed to register or log in. But when I tick this box and my manager clicks the link that Evernote emails to her, it asks her for her login details. She can't get past this screen so can't read the notes after all.

What is going wrong and how do I correct it?. (Mine is a free account.)

Thanks.

Clarer1

[C6REW 416]

Hi Clarer,

I am sure your manager will need an account, but it is free so that shouldn't be a problem. Unfortunately I cannot test it for you as all of my computers have Evernote on.

There is a quite a lot of information on the forum about this sort of thing if do a search.

Regards

Chris

[Mike Wood 139]

@clarer1 You will have to create a public shared notebook if you want to be able to share with someone who hasn't got an account.

An alternative would be for you to setup a dummy account for your manager and tell her the username and password? She could then look at the notebook, through the web client, without installing any software.

[GrumpyMonkey 4,319]

Hi. Unless I am mistaken, if you share the notebook with someone, then they can view it without needing an account. Click on the link in my signature and you will see a page asking the visitor to view or join the notebook. If they click join, then they have to create an account. If they pick view, then they can view without any account. The public and private sharing work the same in this respect, as far as I know.

Create a dummy email, share, log out of Evernote (or open another browser), and see for yourself

[Mike Wood 139]

Hi. Unless I am mistaken, if you share the notebook with someone, then they can view it without needing an account. Click on the link in my signature and you will see a page asking the visitor to view or join the notebook. If they click join, then they have to create an account. If they pick view, then they can view without any account. The public and private sharing work the same in this respect, as far as I know.

Create a dummy email, share, log out of Evernote (or open another browser), and see for yourself

OK... I'm wrong it seems there is an option see below which you can tick, perhaps it doesn't appear in every client? It's still in effect public, as anybody with the link will be able to view the notebook.

[GrumpyMonkey 4,319]

Hi. Unless I am mistaken, if you share the notebook with someone, then they can view it without needing an account. Click on the link in my signature and you will see a page asking the visitor to view or join the notebook. If they click join, then they have to create an account. If they pick view, then they can view without any account. The public and private sharing work the same in this respect, as far as I know.

Create a dummy email, share, log out of Evernote (or open another browser), and see for yourself

OK... I'm wrong it seems there is an option see below which you can tick, perhaps it doesn't appear in every client? It's still in effect public, as anybody with the link will be able to view the notebook.

Yes, and no. I am unclear about this myself.

I recently received a business account invite, for example, to one email address. I logged in from another account with a different email address, and it worked, so business accounts (apparently) can be joined by anyone, regardless of whether they were the actual invitee. If you receive an invite and forward it to your sister, she could join. This seems like a problem to me, but I will bring it up in the business forums, because I am a little unfamiliar still with the service. Maybe it isn't a problem at all, and I am misunderstanding something.

Shared notebooks? If you require a login, then the person shouldn't even be able to view it, so it is private. However, what if you forward that email to your sister? I remember reading that the shared notebook invite will only work for the email address (and the associated account) you sent it to, but I have not actually tested it. I suspect, since email addresses associated with accounts could well be different than the one used by a person for correspondence, that the invite will work for any one person. In other words, it is a one-time invite open to anyone who answers. Assuming you trust the recipient not to send it on to someone else, then this is no big deal. Still, it isn't clear in the current user interfaces, is it.

An invite that does not require a login to view is essentially public as long as no one actually joins. The recipient of the invite could forward it to a million people, and they could view it. If one person joins, though, does that link stop working? I don't know. Even "public," it is not indexed by Google, and is unlikely to be found by anyone who isn't actively trying to discover it, so this isn't a huge concern. It is something to think about, though.

[Mike Wood 139]

@Grumpy it appears to be quite complicated and I'm not fully convinced I know what's happening. Apparently the link continues to work as long as nobody views it who has a EN account currently logged in within the browser (or joins it). Its like once it can identify an EN individual it locks it down further.

[clarer1 0]

Thanks everyone. Am still totally muddled though. I'm trying with a dummy address as my invitee. I've been ticking "allow notebook preview without requiring login" but when I click on the emailed link, EN still demands I log in or register and won't let me view the notebook.

The easy way would be to make the notebook public but I'd need to go through every entry to make sure there wasn't something that we don't want in public domain. So that's no good.

Toying with setting up a dummy EN account and asking manager to log in with that. How private is a shared notebook? Anyone with the link and an EN account can access it, rather than only invitees? Though who else would find the link anyway?

Is it definite that even shared notebooks aren't found with search engines? Or only fully public notebooks? (Is there a difference?)

I am so confused!

[GrumpyMonkey 4,319]

@Grumpy it appears to be quite complicated and I'm not fully convinced I know what's happening. Apparently the link continues to work as long and no body views it who has a EN account currently logged in within the browser (or joins it). Its like once it can identify an EN individual it locks it down further.

Yeah. I ought to test this out to see, but I am too busy at the moment to mess with it. A lot of things on my plate right now. I know enough not to do any damage to myself or others, but not enough to help out. Maybe in the spring

[Mike Wood 139]

Thanks everyone. Am still totally muddled though. I'm trying with a dummy address as my invitee. I've been ticking "allow notebook preview without requiring login" but when I click on the emailed link, EN still demands I log in or register and won't let me view the notebook.

The easy way would be to make the notebook public but I'd need to go through every entry to make sure there wasn't something that we don't want in public domain. So that's no good.

Toying with setting up a dummy EN account and asking manager to log in with that. How private is a shared notebook? Anyone with the link and an EN account can access it, rather than only invitees? Though who else would find the link anyway?

Is it definite that even shared notebooks aren't found with search engines? Or only fully public notebooks? (Is there a difference?)

I am so confused!

I think the dummy account is the way to go and I think this is as safe as you are going to get and no this type of share isn't google indexed or accessible publicly.... as long as you create the share after you have created the dummy user.

[Mike Wood 139]

@clarer1 I have done some further checks. With the dummy account you will need to accept the invite by email and login to the dummy evernote account to fully lock it down. Once you have done this you can check and adjust the status of the share at any time by going back into the share window and see the users who are connected and their access rights.

[Mike Wood 139]

@grumpy LOL ....

Having played with sharing I seem to have confused my test account. In all clients it shows '.notebook3' as shared, but when I check the settings it indicates it isn't?#!

[Mike Wood 139]

"Yes, and no. I am unclear about this myself.

I recently received a business account invite, for example, to one email address. I logged in from another account with a different email address, and it worked, so business accounts (apparently) can be joined by anyone, regardless of whether they were the actual invitee. If you receive an invite and forward it to your sister, she could join. This seems like a problem to me, but I will bring it up in the business forums, because I am a little unfamiliar still with the service. Maybe it isn't a problem at all, and I am misunderstanding something"

@grumpy ...because the invite goes to an email address not a evernote username (specifically) it appears anybody can accept the invite who has a valid EN account. Once such a link is setup the invite is disabled. ALSO it doesn't tell you in your shared info who has actually attached, it just shows the email address you used to send the invite. So its a definite weakness unless I'm missing something?

[Mike Wood 139]

@Grumpy I have tested this sharing weakness further and its dangerous. Shall I contact Heather or can you flag it up?

The issue in my mind, is the use of email at all. The clients should accept/respond to invites directly. If email is to be used, the client should identify whether an EN user exists with that email address and make sure that only that account can connect to it (also warn the sharer if the person they are inviting will need to setup an account). Presently if I mistype an email address the recipient only has to create an EN account to accept my erroneous invite. WHAT MAKES IT WORSE I have no idea which EN account has connected to it, as the sharing screen only shows the email address I sent it to.

[C6REW 416]

Seems to me that we need to add password protection in before emailing someone a link. They can then be informed of the password separately.

Regards

Chris

[Mike Wood 139]

@Chris is the business sharing any more secure?

[C6REW 416]

Hi Mike,

I have not managed to carry out tests as you have done on the normal one. I will send an email with a shared link to my Daughter who does not have Evernote yet and see what happens.

Regards

Chris

[C6REW 416]

Been entertaining family and friends so only getting a small chance to come on the computer!

Just went on Daughter's laptop and it has happily opened a business notebook I have emailed a link to for sharing. I am now going to forward that email that`to my Wife from my Daughters MS Outlook and see if she can open it.

Regards

Chris

[C6REW 416]

I forwarded the email to my Wife from my Daughter's computer.

Then managed to view the business notebook without any problem!

Ooops, that has to be wrong.

We definitely need a password added into this.

Best regards

Chris

[GrumpyMonkey 4,319]

I forwarded the email to my Wife from my Daughter's computer.

Then managed to view the business notebook without any problem!

Ooops, that has to be wrong.

We definitely need a password added into this.

Best regards

Chris

That is kind of what I suspected. I think it is probably expected behavior (the developers designed it to work this way on purpose), and it might be this way because the alternative of a password system is too cumbersome. The idea is probably that you trust the recipient, so you expect them not to leave the invite hanging open. A mistake in sending or forwarding (human error) could have nasty consequences for a business. A password of some sort would alleviate the problem, I suppose, but then that would have to be sent separately, so we are back at cumbersome...

[C6REW 416]

Hi Grumpy,

I often receive encrypted documents via email and on a separate email the password.

Regards

Chris

[GrumpyMonkey 4,319]

Hi Grumpy,

I often receive encrypted documents via email and on a separate email the password.

Regards

Chris

Oh. I am not saying it isn't possible, or that it doesn't happen, but rather that it introduces an extra level of complexity into the system. For example, if we are concerned about emailing the link to the wrong person, wouldn't we be concerned about doing the same thing with the password? Of course, the same thing goes with an employee who mistakenly or maliciously forwards the link to a third party. They might send the password along with it. I am just thinking out loud here, but when we get to this point, it seems like the cumbersome elements outweigh the beneficial ones. At any rate, I am speculating here about why it might have been designed this way.

[Mike Wood 139]

@Grumpy LOL we'll be asking for 2FA next.

Obviously nothing is 100% but you can only have one EN account attached to each email address and every account must have an email address. So we just need it to tie the two together. Obviously you may want to send an invite to someone who hasn't got an EN account which is fine and it can warn you of the additional risk. If you tie the two together then you know that the email invite is useless, except to a person who has the password to the destination Evernote account.

Otherwise its a bit like sending your garage door key and a card with your home address, in an envelope via the post, to a friends address. Probably OK most of the time, but stupid!

[everett 0]

What if...

What if Evernote sent you an email, and all you had to do was hit reply, send.

Then Evernote sends you an email saying... Here's the reply from address. Authorize click this link:

Then Evernote sends another email to the original recipient, with a one time use token to be clicked on. They are linked to a website where THEY are asked for a password. Once they enter a password, they have access.

What this does and doesn't do:

It does prevent email forwarding from working. You (the sender) are responsible if the access was sent out to the wrong email, you've been asked to verify it.

Problem is if the password created by the recipient is handed out...

To fix this switch to a PKI. Then the person you authorize has to compromise their private key. Problem is you aren't guaranteed they won't.

[DDr_12 4]

So there is no pwd option for a shared "public" link?

IMHO, public should have the option for a pwd. "Public" should mean "not an EN user"

This is very troublesome.

[GrumpyMonkey 4,319]

So there is no pwd option for a shared "public" link?

IMHO, public should have the option for a pwd. "Public" should mean "not an EN user"

This is very troublesome.

Hi. Public means it is open to anyone, not just EN users. People can view it (give the link in my signature a try) without joining. There is no option in any type of sharing for passwords.

A workaround for this would be to encrypt the text and/or PDF attachments in a shared notebook so that only the people who have received the password separately from you can view the content.