EvernoteUser78
Posts posted by EvernoteUser78
-
BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?
I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?
If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?
These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.
We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.
As we have seen in the last few years, even some of the most robustly secured cloud services are vulnerable when hacking occurs. This is not to excuse Evernote's current state of security, which is not terribly different than a lot of mainstream cloud providers, and could be improved. Rather what I am saying is that ANY cloud is vulnerable when hacking occurs. In most cases, even highly secured cloud storage services will be compromised, it just takes longer.
EDIT (OOPS this time I really did get my posts mixed up!)
Keep in mind that data mining and being hacked are two very different types of events.
You (and others in this thread) might also be interested in this blog post from several years ago:
Evernote's three laws of data protection
The three laws of data protection is a great post, I'm not sure if the comment about not knowing or asking for our passwords brings us to a state of "zero knowledge", but it helps bring a bit more comfort.
EverNote is not HIPAA compliant, and as you stated, may never be.
Clouds are all vulnerable, but when proper security protocols are in place it can be deemed safe, there are plenty of HIPAA compliant SaaS (Cloud) offerings. Hospitals and other medical operators use them, so having a roadmap or strategy to get there would be nice.
When organizations look at their tens of thousands of pages (if not hundreds of thousands or even millions), having a premium service like EverNote there to help with cloud storage and indexing would be fantastic. If it is a technical hurdle to allow for "zero knowledge" and still provide indexing, that shouldn't be a hurdle that the brilliant minds at EverNote can't figure out.
I have faith, there will be a service like this in the near future.
-
So are we saying that "zero knowledge" encryption is too much to ask from a Premium EverNote offering?
Zero Knowledge would mean that EverNote would need a password that only the user knows to decrypt and access the data......essentially the data would be encrypted on the local computer or device before syncing to the cloud......emailing in notes may not be encrypted until later or never at all in this scenario as the EN servers would handle the processing via email.
-
BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?
I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?
If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?
These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.
We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.
-
I will be clear as to what I want:
I want my data synchronized with the online (cloud) version in a way that only I can access while logged in. I want the data to be encrypted on your server in a way that no one can access the data without the encryption key. You can use an encryption algorithm that uses the login password to create the encryption key.
I want the data at rest on your servers to be encrypted and secure so that if there is an EverNote security breach, I will know that my data is safe. If that means that EverNote can't use data mining against my data, so be it, but that might limit EverNote's revenue if they are monetizing our data in ways similar to the way Google does....i.e. targeted Ads
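The scheme requested in the post above (a key derived from the user's password, with notes encrypted before they reach the server), as an added example that is not part of the original post and not Evernote's code. It assumes scrypt for key derivation and AES-256-GCM for encryption; the function names and the sample note are constructed for illustration.

```javascript
// Added illustration: client-side encryption with a password-derived key.
// Algorithm choices (scrypt, AES-256-GCM) and all names are assumptions.
const crypto = require('crypto');

// scrypt cost parameters; maxmem raised so N=2^15 fits (about 32 MiB).
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Runs on the user's device only; the key is never sent to the server.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, SCRYPT);
}

// Returns the only fields the server would store for this note.
function encryptNote(password, plaintext) {
  const salt = crypto.randomBytes(16);   // per-note salt, not secret
  const nonce = crypto.randomBytes(12);  // unique per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    nonce: nonce.toString('base64'),
    ciphertext: body.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Returns the plaintext, or null if the password is wrong or the
// stored record was modified (GCM tag verification fails).
function decryptNote(password, record) {
  try {
    const key = deriveKey(password, Buffer.from(record.salt, 'base64'));
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.nonce, 'base64'));
    d.setAuthTag(Buffer.from(record.tag, 'base64'));
    const body = Buffer.from(record.ciphertext, 'base64');
    return Buffer.concat([d.update(body), d.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample data.
const note = 'Constructed sample note: account 0000-1111';
const stored = encryptNote('correct horse battery staple', note);
console.log(JSON.stringify(stored));
console.log(decryptNote('correct horse battery staple', stored));
console.log(decryptNote('wrong password', stored));
```

A copy of `stored` taken from the server is useless without the password, and a forgotten password leaves the note unrecoverable by the user and the vendor alike.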
-
Only allowing encryption on local notebook is not a viable option, I left NeatReceipts to go to the cloud and now that I am thinking about putting confidential information into Evernote, encryption would be key. I understand why EverNote doesn't want to give us this ability, but we should still keep pushing for it.
Maybe they will throw us a bone and allow us to encrypt and protect specific notes/documents via an encryption password that would be only known to the user.....we all understand that encryption can be broken, but a targeted attack would be unlikely......an attack that grabs unencrypted data will happen, it is only a matter of time.
EverNote, give us some level of protection for our sensitive data
Password Protected Notebooks
in General Feature Requests
In the technology world that we live in, very little is not possible......all of these issues can be worked out if it is an area of interest of the vendor.
Encrypted data may have to wait for a local sync to the user's computer before being indexed and synced back. Users would have to accept the fact that maybe the data processing would have to take place locally as a 2nd stage encryption password may be needed to provide true "zero knowledge".
I think we have beaten this topic up enough. I am not sure who reads these blogs at EverNote, but I may reach out to the CTO and make the suggestion.