
(Archived) Feature Request - dedicated password for upload (or similar)



Hi Community,

this is my first post :-)

 

I am new to Evernote, but otherwise quite IT-savvy, I guess... I have a feature request regarding security. I have to say that I am really concerned about privacy, so while I have been looking at and playing around with EN for a couple years, it was only a few weeks ago that I decided to fully embark on it.

 

One thing that I don't fully understand, is why I have to give my password to the clipper, or several apps I use for uploading content. Whereas EN seems to be quite safe, a browser might not necessarily be? The clipper might not be?

Or another example, I have just finished setting up a "doxie-scan go" to upload all scanned documents directly up to my EN (as a backup to my Snapscan, e.g. while scanning on the road). Now again I need to provide my EN-Password to Eye-Fi and/or doxie - not sure I trust their security expertise as much as EN.

 

Long story, short (feature) request - I'd love to have separate accounts (or separate passwords linking to the same account name) allowing e.g. only uploading, but not access to any of the stored content. Like FTP on my NAS.

Or more general - I'd like to set different access levels to my data depending on the app

 

I am 99% sure somebody had this idea before, but I could not find it via the search function (I did try). And for the remaining 1% likelihood I will happily take the risk of getting some comments on how to properly use a search function in a forum :-)

 

Any thoughts?

 

Thanks

Oliver

 

PS - I saw a lot of posts regarding 2 step verification - that's a different story - I mean different access rights within an account...

Link to comment
  • Level 5*

Hi Oliver,  welcome to the forums.  You will have noted a bit of a discussion about security recently,  and the fact that Evernote is reviewing their processes as I type;  so you might see changes coming up in the near future.  Don't know whether they will address this particular issue,  but you've raised it in the right place - the developers read these forum posts for ideas and feedback (and a fair amount of general abuse) so if they have any concerns around this point,  something will (eventually) be done.

 

Evernote doesn't publish its plans or intended delivery dates though,  so you may be waiting a while for any visible signs of activity.  Meantime there are two levels of security in your query.  Some of the items you mention - Clipper and Clearly are Evernote products,  so if you believe that Evernote security via the desktop and the web apps is acceptable,  then more or less by definition you have to accept that they have designed their apps to be secure when operating via your preferred browser portal.

 

Other apps are secured because they don't know your user name and password,  they're approved by you,  and listed under Applications on your web-based My Account page where you can unapprove them at any time.

 

You're giving your user name to these apps for the same reason you give it to a browser - they need to contact the Evernote server and log in to your account to get the information you need - in this case the permission to access your data so they can add / edit / remove as appropriate to the individual app.

 

Of course you shouldn't quote your password in any browser you've never heard of,  or one in which you have reason to feel a certain lack of confidence - same goes for add-on applications.  If there were reason to believe that Doxie or Eye-fi were causing any issues,  I'm sure it would be in here somewhere.

 

And as to additional passwords - I'm not sure they would give you any additional security.  Even if they 'only' allow access to the permissions page,  or to add notes,  as soon as someone hacks that password,  they're partway into your account and can probably think of ways to get further.  That's the drawback of any security measure - no matter how smart the person who sets up a new layer of protection may be,  there's always someone out there who may be smarter,  looking to find a way through it. 

 

If you're going to put any information on the internet,  you have to accept there's a very small but real risk it can be found,  no matter how good the security around it.  If you have secrets you want to keep,  keep them on paper,  not online.  If your online information is valuable,  keep your own local backups so you can't ever lose it.

 

(I do know I'm not smart enough to remember the passwords I have,  much less carry around any extra ones!)

 

;)

Link to comment

Thanks a lot for your kind answer! It triggered some additional thoughts...

 

I think one of the strengths of a lot of the successful recent launches in the net is the possibility to add on and improve via APIs. Just thinking of why Dropbox is so much more successful than most other cloud-storage-options.

So I think it is not unreasonable to assume that if EN keeps growing in popularity, so will the ecosystem around it. More apps and programs will use EN going forward. Now I don't have enough imagination, or maybe I have not worked enough with EN to imagine what those apps could be. But if I imagine that my only option will be to always allow every app full access on everything I have on EN, or not use the app at all, that does not feel right. Especially because going forward if EN grows in popularity it will become a more and more interesting target...

 

I guess this is also the only bit of your post that I am not sure I would fully agree to: I would think a separate account or password only allowing access to only specific activities (upload only) or only specific notebooks would indeed increase overall security. I compare it to my ftp server where different PWs lead to different subfolders.  Now you are certainly right that once one PW is hacked it facilitates hacking the whole ftp server or whole EN account. 

But in the case of an FTP server the effort necessary is small, and the additional security gain is significant enough to be worth the effort.

So I guess the question is similar here: is there an easy way to create a bit more security without making the programmers' or the users' lives too complex...

 

Maybe another option (instead of separate accounts) would be to have separate dedicated upload email addresses?

 

I guess as a summary: I am not sure I am proposing the right solution here, but looking into the future I think it will convince more users and allow an ecosystem to grow faster around EN, if there are more options than to just share your master-password...

 

Now I really wrote too much and I will quickly press the POST button before I change my mind, and I do promise not to write more...

Thanks again for your positive reply, and your thoughts on security overall, I will keep it in mind.

 

Oliver

Link to comment
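The upload-only credential proposed in this thread, together with the per-app "unapprove" mentioned in the reply, can be modeled as per-app tokens that carry an explicit scope and are checked deny-by-default on every request. This is an added example, not code from the original posts or from Evernote; `AppTokens`, the scope names `note:create` and `note:read`, and the app and notebook names are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    app: str               # label the account owner sees, e.g. "scanner"
    scopes: frozenset      # allowed actions, e.g. {"note:create"}
    notebooks: frozenset   # allowed notebooks; empty set means all

class AppTokens:
    """Hypothetical per-app credential store for one account."""
    def __init__(self):
        self._grants = {}  # sha256(token) -> Grant; raw tokens are never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, app, scopes, notebooks=()):
        token = secrets.token_urlsafe(32)  # random secret, unrelated to the password
        self._grants[self._digest(token)] = Grant(
            app, frozenset(scopes), frozenset(notebooks))
        return token

    def revoke(self, app):
        stale = [d for d, g in self._grants.items() if g.app == app]
        for d in stale:
            del self._grants[d]            # other apps' tokens keep working
        return len(stale)

    def allowed(self, token, action, notebook):
        grant = self._grants.get(self._digest(token))
        if grant is None or action not in grant.scopes:
            return False                   # unknown, revoked, or out of scope
        return not grant.notebooks or notebook in grant.notebooks

def demo():
    store = AppTokens()
    scanner = store.issue("scanner", {"note:create"}, {"Inbox"})
    clipper = store.issue("clipper", {"note:create", "note:read"})
    before = [store.allowed(scanner, "note:create", "Inbox"),  # upload
              store.allowed(scanner, "note:read", "Inbox"),    # read back
              store.allowed(scanner, "note:create", "Taxes"),  # other notebook
              store.allowed(clipper, "note:read", "Taxes")]    # broader grant
    store.revoke("scanner")                # owner unapproves one app
    after = [store.allowed(scanner, "note:create", "Inbox"),
             store.allowed(clipper, "note:read", "Taxes")]
    return before, after
```

A stolen scanner token in this model can add notes to one notebook until it is revoked, but it cannot read stored content or stand in for the account password.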

Archived

This topic is now archived and is closed to further replies.
