rwizard

About rwizard

  1. I was a fairly early adopter of Evernote. But a couple of years ago I became concerned about the lack of proper security and privacy. Although I stopped adding material at that time, I was hopeful that as people became more attuned to these issues that Evernote would improve, so I left my account open. Sadly, they haven't improved. Today I got an email letting me know that my 50% off upgrade offer was about to expire. I decided that this was my signal to fish or cut bait. I spent a little time reading the current policies and confirmed what I already suspected. Evernote doesn't have a clue about privacy or security. Perhaps one day Evernote will catch up with the rest of the world. Zero Knowledge cryptography is where they need to be. Zero Knowledge would mean no more capabilities for Evernote employees to peruse our "private" files. (I know, "our employees wouldn't do that - just trust us.") It would also mean no more worrying about a web site compromise resulting in your sensitive personal information ending up for sale on Darknet. Yes, we've heard it all before, "we only read your stuff if we really need to" (or are really bored). And: "Secure sites like ours are safe from hacking." (Ever read the news?) The truth is that no system where the custodian of your sensitive data is also the custodian of the keys to that data, is acceptable. We need a system where we hold our own keys. We need an open architecture so that we know you are worthy of our trust. Or, at the very least, ongoing independent audits by respected security experts known to the community. We need a company whose management understands that there is never a "good reason" for a private company to examine customer data to check for "violations". Law enforcement, with a warrant, maybe. But no CEO or designee of that CEO is qualified to assume that extra-judicial role. So today I have waded through the onerous (and I believe intentionally crippled) process of exporting my data. 
Having completed that Herculean labor, I now have deleted everything of mine from the site. I will wait a day or two for the dust to settle in case I have missed something, and then I will permanently delete my account. By the way, I'm not particularly happy about this. Evernote had the potential to be something great. But they have fallen short. And I note that with a product that is available on hundreds of millions of devices around a fair portion of the globe, Evernote has a mere 250,000 (approximately) customers. Perhaps that pathetic market showing, for a product that could be ubiquitous in its utility, speaks more eloquently than anything I could ever say about the need for Evernote to respect their customers enough to deploy a truly secure product, and to stop looking at the content of our personal data as something they are free to explore for "a good reason" (like monetization? I know, "trust us".). If Evernote ever figures out that they are in a security and privacy sensitive service business, not the customer exploitation business, and if they demonstrate their newfound enlightenment by reinventing themselves as a secure privacy aware platform, I'll come back. In the meantime, it's been fun, and it's been real, but it hasn't been real fun. See you all on the 'net.
  2. And while it has indeed been discussed to death, this is the ugliest aspect of Evernote. When, when will they ever give us sub-notebooks, and raise the 100 notebook limit? Tags are the pits.
  3. I just cancelled my monthly plan and replaced it with an annual plan. My next monthly renewal was 11/20/10. You are showing the renewal anniversary for my new annual plan as 11/8/11, which means I am not getting credit for the already paid for period from 11/8 to 11/20. Could you please correct this? Moving the annual anniversary to 11/20/11 would be best, although if you would prefer to credit me for the difference that would be acceptable as well. Thanks.
  4. Of course we use the forum search feature. But I didn't come here with a question, I was responding to a thread I came across while browsing the forum. I simply wanted to let En know that there was a continuing interest in this. You know, I've been active on the Internet since the days when there was no such thing as http and the www, but in all that time I can't remember seeing the RFC or FAQ that said you should search the forum before responding to an ongoing thread, and a thread with fairly recent posting dates at that. So, asking a question, yes, search first. Responding to a reasonably current thread, not so much. In any case, if you can't be civil, please just go back under the USENET bridge with the other trolls. To everyone else, sorry for the discord folks.
  5. This is a general problem, and in no way unique or specific to Evernote. It is inadequate to assume that any given cloud repository will never be breached. Even well run sites with skilled and vigilant security staff can be the subject of a breach from some novel attack on an unknown vulnerability or unexpected system failure. So we must assume that any data in the cloud is at risk. Even if external breaches of an account are not a concern, what about the cloud service employee who decides to peruse your unencrypted file? Perhaps out of boredom, perhaps out of criminal intent. As companies grow, the risk of ethically challenged individuals making it through the hiring process may also grow. This is a very common type of breach, and one I have personally been the victim of. I also have been the victim of a breach in which a large company left open both its wi-fi and its accounting systems. I do feel reasonably comfortable Evernote will not make that error. Does Evernote have a responsibility to encrypt our data? Ask a lawyer, but I suspect a bailment is created when a site takes custody of your data. While that would not impose a specific requirement, it does require due diligence. And, just as a popular site may be considered a target rich environment and encourage unwanted attention, one can hope that a reputation for strong security measures might tend to discourage such attention. Would data encryption be a smart feature for Evernote to add? Yes, I strongly believe it would be. Is there a reason for Evernote not to offer it? Two that I can think of. The first is that it can chew up a lot of processing power (but so can OCR). The second, which has little merit in my thinking, is some sort of misplaced fear of being held liable if the encryption fails to protect something.
Personally, I would much rather be in court saying "your honor, we tried everything to secure the data and failed", than saying "your honor, we did very little to protect the data and failed". So what about taking responsibility for encrypting our own data? The problem is, as a practical matter, we can't. How can I encrypt my data on my Mac, using something like PGP, and then read it on my iPhone, iPad, Blackberry, etc., when no consistent method is available for implementing this? And frankly, being human, if the solution is not reasonably transparent, I'm not likely to use it consistently. So, we really need a server side solution, or, a client that provides a consistent crypto function across platforms, and manages to do so without bogging down the processor in a cell phone. While I realize it is all the rage, I am personally very skeptical about the wisdom of cloud computing, and the idea of trusting third parties to watch over sensitive data. Especially when that data is unencrypted, and the vendor is saying "Trust me". I am told that "Trust me" is sometimes best translated as "F___ You". I guess I just know more about the black hat side of things than is really good for my peace of mind. Anyway, I am still considering ways to simply keep our systems in sync without involving third parties in the storage of our data. I must admit, however, that Evernote is interesting, and I am doing some serious experimentation with it. I'm just not convinced that any cloud solution is worthy of our trust if we are storing anything remotely sensitive. That is especially so when that data is stored unencrypted. So, I would like to encourage Evernote to provide encrypted storage. I think it makes them a much more interesting (and to me viable) cloud service provider. Hopefully the processing requirements and any other downsides would not be overwhelming barriers. I hope they are monitoring this thread, and will, at some point, respond. 
Regards to all, and offense meant to no one, especially the folks at Evernote.