Jump to content
  • 0
sjachille

Note Export Should not be available with View Only Privileges

Idea

Hi,

In Evernote, when I share a notebook with "View Only" Privileges, I have noticed that an external user can export all of the notes (please see attached screenshot). At this level (view only) the user should not be able to Mass download the notes, and all other related functions should be limited to an absolute minimum, i.e. there should not be a possibility to export or download if not in the most primitive way which is a brutal screenshot or save as an html page from the browser. 

This is a point that a prospect made to me during a presentation... 

Hope this helps make E/N even better :)

 

Sante

 

Pasted_Image_16_08_2017__15_22.png

Share this post


Link to post

9 replies to this idea

Recommended Posts

  • 0

Is this a security problem? You're sharing the notes; the sharee is allowed to view the shared notes, so they need to be present on their machine i.e., a mass download is required).

Note that a determined user who can view your notes could always go into the local database where the shared notes are stored and retrieve the same information there.

Share this post


Link to post
  • 0

I disagree strongly on this affirmation: one thing is to share, another is to allow a mass download: mind you that I understand that the notes can be downloaded and that they are on the users machine BUT allowing a mass download makes it much simpler to harvest information that they are ONLY supposed to VIEW, not share or distribute, so like I said view only privileges should not allow any form of download to be allowed only for edit or edit and share profiles.

Sante

Share this post


Link to post
  • 0
2 hours ago, sjachille said:

At this level (view only) the user should not be able to Mass download the notes

Tthe request is posted and we'll see how it goes.  
I'm thinking it's overkill but anyone wanting to indicate their support should use the voting buttons in the upper left corner of the discussion

As an example,  pdf files have various levels of security59945fb6e2998_ScreenShot2017-08-16at08_03_57.png.d6d1902cfcb268565cc449076452593d.png

Share this post


Link to post
  • 0
33 minutes ago, sjachille said:

the notes can be downloaded and that they are on the users machine BUT allowing a mass download

Seems like a distinction without a difference. You have a notebook shared to you, you receive the right to download all of the note content in that notebook to your local machine from the Evernote servers; you need it to be able to view search notes in the notebook. The horse has left the barn at this point: a user can get at everything in the note, if they really want to, since notes are not stored encrypted locally (except, of course, for encrypted sections in a note). If you want to make a case for encrypting notes in local storage, that's a different argument. If you want to make the case for preventing edit copy operations, I'd guess that would be limiting to some use cases (e.g., my boss doesn't want me editing our task list, so they make it view-only, but it should be ok for me to copy tasks out of the list to paste into my notes for my own use). How about preventing screen captures on viewable-only notes?  I'd agree with DTLow that it probably is overkill. Maybe Evernote will want to make the finer-grained sharing controls required to cover all situations, but for a consumer product? I'm doubtful, but also, per DTLow: let the votes fall where they may...

Share this post


Link to post
  • 0

We have already granted the fact that the user can screenshot and download via browser but one thing is to download everything with one shot (select all and download as it is now) and another is to manually have to repeat the process for 10, 100, or 1.000 times 

Most end users are not that skilled to go into Evernote and extract the notes - I am targeting these guys who work for a corporation - not computer GURUs

On another note let's say that a user is granted the VIEW ONLY share mode. If I revoke the share they should not be able to see the note any longer. 

It's a matter of corporate protocol you can disagree with but which can make the difference between selling Business seats or not...

Sante  

Share this post


Link to post
  • 0
7 minutes ago, sjachille said:

On another note let's say that a user is granted the VIEW ONLY share mode. If I revoke the share they should not be able to see the note any longer. 

You probably don’t want to hear about my backups :)

Yes, all shared notes are included

Share this post


Link to post
  • 0

Of course it's understood - I know and we all know there are ways around, and that it is impossible to impede download - the idea is to raise the bar and make it a complex operation - nothing more, nothing less which at the end of the day is seen by the client as a security measure 

Share this post


Link to post
  • 0
2 hours ago, sjachille said:

Most end users are not that skilled to go into Evernote and extract the notes - I am targeting these guys who work for a corporation - not computer GURUs

Flip side: most end users wouldn't know what to do with exported notes anyways. Security by obscurity is no security.

2 hours ago, sjachille said:

On another note let's say that a user is granted the VIEW ONLY share mode. If I revoke the share they should not be able to see the note any longer. 

Different issue, but I agree with the point.

2 hours ago, sjachille said:

It's a matter of corporate protocol you can disagree with but which can make the difference between selling Business seats or not...

You might want to check in with the Evernote for Business product. I don't know it well enough to make claims about its security. The forums for that product are right down the hall: https://discussion.evernote.com/forum/134-evernote-business/

Share this post


Link to post
  • 0
20 minutes ago, jefito said:

Flip side: most end users wouldn't know what to do with exported notes anyways. Security by obscurity is no security.

Different issue, but I agree with the point.

You might want to check in with the Evernote for Business product. I don't know it well enough to make claims about its security. The forums for that product are right down the hall: https://discussion.evernote.com/forum/134-evernote-business/

I am a business user with 3 seats - have been one for 3 years but this is besides the point - This is not an Evernote security issue, it's about managing shared information and the perception how Evernote (Business) manages and restricts the flow of information at various levels. 

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...