Oliver_ENf2013 last won the day on May 9 2018

  1. @Rich Tener First of all thanks a lot for your reply. That you reply to these forum posts implies that you take user concerns seriously, which is the most important message of all. And if indeed you do not use hotjar on the web-client, >80% of my concerns disappear. This is really good news. And thanks so much for clarifying that.

     Now - if you allow - I would like to reply to your other points even if it gets slightly more technical:

     * I guess like most users I enter the web-client through https://evernote.com and then "No-Script" clearly shows hotjar scripts being loaded - and Pi-Hole shows hotjar's servers being contacted. So sorry for my misinterpretation. Still the paranoid me doesn't like hotjar on the page I use to enter EN.
     * I am not the security expert that you are, but I am surprised about your confidence in hotjar. As you probably know until the Princeton study came out in November, hotjar was playing back all users' sessions via http (unencrypted), even if they were recorded encrypted (https) - big no-go. Also until mid-December, you, as the customer, had to blacklist the fields you did not want recorded in plain text - everything else was recorded by default. So especially if you change your weblayout, it was quite easy to by mistake transmit data to hotjar. Again a no-go. And again after the study came out hotjar changed the approach and asks you to whitelist fields. Since as you said you did the due diligence I am sure you are aware of this (and other examples), of how using session replay can cause unintentional security risks...
     * I never said you sell data. Also I never said hotjar was interested in users' data. But to come to aggregate data, hotjar needs to record on an individual and detailed level. And by definition this increases the vulnerability of every user's data.

     But most importantly thanks again for your reply and your transparency in your post. Even though I may not fully agree, I think this builds further trust into Evernote as a company. Which is the most important thing, because as users we will never understand all technical details, so our decisions need to be based on trusting the people behind the company.

     @jbenson2 sorry for the late reply. You asked what was being recorded. Have a look at the below video. It shows a dummy website set up by the Princeton team to evaluate the effectiveness of the claimed automatic blocking of sensitive data (Hotjar: "Get started in seconds.") On the left you see the user using the website. On the right you see what is recorded as session replay, so what a company like hotjar would store on their servers on behalf of their client company (like Evernote) (Source: https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/)
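The blacklist-versus-whitelist masking difference described in the post above, as an added example that is not part of the original post and is not hotjar's code. It is a constructed model with hypothetical function names, field ids and sample values, showing why a field added in a redesign is recorded in clear text under blacklist masking but stays masked under whitelist masking.

```javascript
// Constructed model of session-replay input masking. Not any vendor's API:
// every name here (capture*, DENY, ALLOW, field ids) is hypothetical.

const MASK = "****";

// Blacklist (deny-list) policy: record everything except the listed fields.
function captureDenyList(fields, denied) {
  const out = {};
  for (const f of fields) {
    out[f.id] = denied.has(f.id) ? MASK : f.value;
  }
  return out;
}

// Whitelist (allow-list) policy: mask everything except the listed fields.
function captureAllowList(fields, allowed) {
  const out = {};
  for (const f of fields) {
    out[f.id] = allowed.has(f.id) ? f.value : MASK;
  }
  return out;
}

// Field ids recorded in clear text that the site owner never reviewed.
function unreviewedCleartext(recorded, reviewed) {
  return Object.keys(recorded)
    .filter((id) => recorded[id] !== MASK && !reviewed.has(id));
}

// Constructed sample data: the original form, then a redesign adding a field.
const formV1 = [
  { id: "search", value: "meeting notes" },
  { id: "password", value: "example-password" },
];
const formV2 = [...formV1, { id: "card-number", value: "4111 1111 1111 1111" }];

const DENY = new Set(["password"]);  // written when only formV1 existed
const ALLOW = new Set(["search"]);   // written when only formV1 existed
const REVIEWED = new Set(["search", "password"]);

// Compare both policies on the redesigned form without updating either list.
function leaksAfterRedesign() {
  return {
    denyList: unreviewedCleartext(captureDenyList(formV2, DENY), REVIEWED),
    allowList: unreviewedCleartext(captureAllowList(formV2, ALLOW), REVIEWED),
  };
}

console.log(leaksAfterRedesign());
```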
  2. That's correct. It seems Evernote has been using hotjar for quite a while, but only amended its privacy policy very recently. Which in my personal opinion is an issue, since you cannot change the settings in Evernote directly. And as the average user you would not detect your session being recorded by hotjar. So until this amended policy was published, as an average user you would not even know it was being recorded, let alone know how to opt out.
  3. Hi, this would be off topic. I explained my frustrations and some more details in another thread which I just opened. But in a nutshell - Evernote uses what is called "session replay" (only) when you enter your account via browser. "Session replay" tracks your mouse movements and key strokes. It is used so Evernote can optimise their web-design. A side effect is that the analytics company (in this case "hotjar") can and does record everything you type, so also your content. Also the stuff you deleted again before clicking "save". This deleted stuff is not stored on the EN servers, but is stored on the service provider's servers. How long they keep it is up to the contract EN has with them. But again, I suggest to close here, and stick to the "UPGRADE" button, which is annoying enough... Another topic - another thread :-) UPDATE: Here is a link to my new topic, in case you have any more questions
  4. Recently a study from Princeton analysed what is called session replay. Oversimplified, it is a third party company acting as man in the middle between your PC and the website you are visiting, which then tracks and stores every mouse click and keystroke to help the site owner analyse their website. In order to do this, everything you type is not only stored at the website (like for example Evernote), but also on the servers of the analytics company. Obviously this poses a significant security issue. Or like one of the researchers from Princeton puts it:

     "Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, credit card details, and other personal information displayed on a page, to leak to the third-party as part of the recording," Steven Englehardt, a PhD candidate at Princeton University, wrote. "This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes."

     When Walgreens was caught red-handed, they stopped using those third parties https://www.wired.com/story/the-dark-side-of-replay-sessions-that-record-your-every-move-online/ as the risk was far higher than potential benefits.

     Evernote was also "featured" in this study, and was caught using one of those analytic providers ("hotjar"), potentially storing everything you enter in your notes on a non-Evernote server on a Malta jurisdiction. Funny enough Evernote just changed the privacy policy just a few months ago to highlight that indeed they were using those services/scripts. And Evernote highlighted how you could opt out. You cannot opt out in Evernote. But read the instructions on the service provider's website.

     Dear Evernote, really? You put so much effort in providing a secure environment? And then you put it all at risk and allow a third party to record everything I do? Every word I type? Record it on their servers? Just for the benefit of optimising your web-design? Seriously? I would suggest you read these forums, there are enough suggestions to optimise your product to keep you busy the next few years, like getting rid of the upgrade button if you are a paying user...

     After the discussions around your last privacy policy update, I no longer believe this to be a mistake, I think this is a mindset issue. You put so much effort on improving your product, that you miss out on the basics. I understand that AI is more sexy than privacy. But I would have hoped you would not miss out on the basics. This really was the straw that broke the camel's back. So today I have cancelled my subscription.

     Oliver

     Additional Sources
     https://arstechnica.com/tech-policy/2017/11/an-alarming-number-of-sites-employ-privacy-invading-session-replay-scripts/
     https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html (Evernote is #359 of most visited sites - and uses tracker)
     https://evernote.com/intl/de/privacy/policy (you find the version dating from July, but if you go to what's new, you see the change I refer to under the cookies section)
  5. The issue has reappeared. It has been more than a year. There are several forum threads. No solution. No interest from Evernote it seems. This is one of the two reasons that I have today cancelled my subscription. The other reason is privacy concerns when using Evernote in the browser - I thought my notes were only stored on "Evernote" servers. Until recently I was not aware every keystroke and mouse movement when logging in through a browser was being tracked and stored on servers of a third party. When Evernote was "caught red-handed" the reaction was not a public statement, but a "strange" change in the privacy policy. And this after last year's experience of a privacy policy change backfiring. I still think Evernote is a brilliant tool, and I understand everyone that keeps using it. But for me, this is the straw that broke the camel's back...
  6. THANKS SO MUCH. I know it sounds probably stupid, but when I use Evernote I am usually concentrated, so this distraction, however small it was, was really annoying. Worked for me (for now). Oliver
  7. Same situation here: downgraded from Premium to Plus. Agree, this is really annoying, keeps appearing every 15 min and/or after every sync. Worst thing is that it even has a different color - so really stands out. There are so many things Evernote could improve, for example if I work on an app and the Windows Version, font changes. Or in a list there is an additional space. Etc. Guys, if your biggest worry is about implementing an advertising feature to your paying customers, which you cannot switch off or get rid of, then you won't survive long..
  8. Thanks a lot for your kind answer! It triggered some additional thoughts...

     I think one of the strengths of a lot of the successful recent launches in the net is the possibility to add on and improve via APIs. Just thinking of why dropbox is so much more successful than most other cloud-storage-options. So I think it is not unreasonable to assume that if EN keeps growing in popularity, so will the ecosystem around it. More apps and programs will use EN going forward. Now I don't have enough imagination, or maybe I have not worked enough with EN to imagine what those apps could be. But if I imagine that my only option will be to always allow every app full access on everything I have on EN, or not use the app at all, that does not feel right. Especially because going forward if EN grows in popularity it will become a more and more interesting target...

     I guess this is also the only bit of your post that I am not sure I would fully agree to: I would think a separate account or password only allowing access to only specific activities (upload only) or only specific notebooks would indeed increase overall security. I compare it to my ftp server where different PWs lead to different subfolders. Now you are certainly right that once one PW is hacked it facilitates hacking the whole ftp server or whole EN account. But in the case of an FTP server the effort necessary is small, and the additional security gain is significant enough to be worth the effort. So I guess the question is similar here: is there an easy way to create a bit more security without making the programmers' or the users' life too complex... Maybe another option (instead of separate accounts) would be to have separate dedicated upload email addresses?

     I guess as a summary: I am not sure I am proposing the right solution here, but looking into the future I think it will convince more users and allow an ecosystem to grow faster around EN, if there are more options than to just share your master-password...

     Now I really wrote too much and I will quickly press the POST button before I change my mind, and I do promise not to write more... Thanks again for your positive reply, and your thoughts on security overall, I will keep it in mind. Oliver
  9. Hi Community, this is my first post :-) I am new to Evernote, but otherwise quite IT-savvy, I guess... I have a feature request regarding security.

     I have to say that I am really concerned about privacy, so while I have been looking at and playing around with EN for a couple years, it was only a few weeks ago that I decided to fully embark on it. One thing that I don't fully understand, is why I have to give my password to the clipper, or several apps I use for uploading content. Whereas EN seems to be quite safe, a browser might not necessarily be? The clipper might not be? Or another example, I have just finished setting up a "doxie-scan go" to upload all scanned documents directly up to my EN (as a backup to my Snapscan, eg while scanning on the road). Now again I need to provide my EN-Password to Eye-Fi and/or doxie - not sure I trust their security expertise as much as EN.

     Long story, short (feature) request - I'd love to have separate accounts (or separate passwords linking to the same account name) allowing e.g. only uploading, but not access to any of the stored content. Like FTP on my NAS. Or more general - I'd like to set different access levels to my data depending on the app.

     I am 99% sure somebody had this idea before, but I could not find it via the search function (I did try). And for the remaining 1% likelihood I will happily take the risk of getting some comments on how to properly use a search function in a forum :-) Any thoughts? Thanks Oliver

     PS - I saw a lot of posts regarding 2 step verification - that's a different story - I mean different access rights within an account...