Jump to content
  • 0

Note Export Should not be available with View Only Privileges

sjachille

Asked by sjachille,

Idea

sjachille

sjachille 15

Posted
Posted

Hi,

In Evernote, when I share a notebook with "View Only" Privileges, I have noticed that an external user can export all of the notes (please see attached screenshot). At this level (view only) the user should not be able to Mass download the notes, and all other related functions should be limited to an absolute minimum, i.e. there should not be a possibility to export or download if not in the most primitive way which is a brutal screenshot or save as an html page from the browser. 

This is a point that a prospect made to me during a presentation... 

Hope this helps make E/N even better :)

 

Sante

 

Pasted_Image_16_08_2017__15_22.png

Link to comment

9 replies to this idea

Recommended Posts

  • Level 5*
jefito

jefito 5,589

Posted
  • Level 5*
Posted

Is this a security problem? You're sharing the notes; the sharee is allowed to view the shared notes, so they need to be present on their machine i.e., a mass download is required).

Note that a determined user who can view your notes could always go into the local database where the shared notes are stored and retrieve the same information there.

Link to comment
sjachille

sjachille 15

Posted
  • Author
Posted

I disagree strongly on this affirmation: one thing is to share, another is to allow a mass download: mind you that I understand that the notes can be downloaded and that they are on the users machine BUT allowing a mass download makes it much simpler to harvest information that they are ONLY supposed to VIEW, not share or distribute, so like I said view only privileges should not allow any form of download to be allowed only for edit or edit and share profiles.

Sante

Link to comment
  • Level 5*
DTLow

DTLow 5,736

Posted
  • Level 5*
Posted
2 hours ago, sjachille said:

At this level (view only) the user should not be able to Mass download the notes

Tthe request is posted and we'll see how it goes.  
I'm thinking it's overkill but anyone wanting to indicate their support should use the voting buttons in the upper left corner of the discussion

As an example,  pdf files have various levels of security59945fb6e2998_ScreenShot2017-08-16at08_03_57.png.d6d1902cfcb268565cc449076452593d.png

Link to comment
  • Level 5*
jefito

jefito 5,589

Posted
  • Level 5*
Posted
33 minutes ago, sjachille said:

the notes can be downloaded and that they are on the users machine BUT allowing a mass download

Seems like a distinction without a difference. You have a notebook shared to you, you receive the right to download all of the note content in that notebook to your local machine from the Evernote servers; you need it to be able to view search notes in the notebook. The horse has left the barn at this point: a user can get at everything in the note, if they really want to, since notes are not stored encrypted locally (except, of course, for encrypted sections in a note). If you want to make a case for encrypting notes in local storage, that's a different argument. If you want to make the case for preventing edit copy operations, I'd guess that would be limiting to some use cases (e.g., my boss doesn't want me editing our task list, so they make it view-only, but it should be ok for me to copy tasks out of the list to paste into my notes for my own use). How about preventing screen captures on viewable-only notes?  I'd agree with DTLow that it probably is overkill. Maybe Evernote will want to make the finer-grained sharing controls required to cover all situations, but for a consumer product? I'm doubtful, but also, per DTLow: let the votes fall where they may...

Link to comment
sjachille

sjachille 15

Posted
  • Author
Posted

We have already granted the fact that the user can screenshot and download via browser but one thing is to download everything with one shot (select all and download as it is now) and another is to manually have to repeat the process for 10, 100, or 1.000 times 

Most end users are not that skilled to go into Evernote and extract the notes - I am targeting these guys who work for a corporation - not computer GURUs

On another note let's say that a user is granted the VIEW ONLY share mode. If I revoke the share they should not be able to see the note any longer. 

It's a matter of corporate protocol you can disagree with but which can make the difference between selling Business seats or not...

Sante  

Link to comment
  • Level 5*
DTLow

DTLow 5,736

Posted
  • Level 5*
Posted
7 minutes ago, sjachille said:

On another note let's say that a user is granted the VIEW ONLY share mode. If I revoke the share they should not be able to see the note any longer. 

You probably don’t want to hear about my backups :)

Yes, all shared notes are included

Link to comment
sjachille

sjachille 15

Posted
  • Author
Posted

Of course it's understood - I know and we all know there are ways around, and that it is impossible to impede download - the idea is to raise the bar and make it a complex operation - nothing more, nothing less which at the end of the day is seen by the client as a security measure 

Link to comment
  • Level 5*
jefito

jefito 5,589

Posted
  • Level 5*
Posted
2 hours ago, sjachille said:

Most end users are not that skilled to go into Evernote and extract the notes - I am targeting these guys who work for a corporation - not computer GURUs

Flip side: most end users wouldn't know what to do with exported notes anyways. Security by obscurity is no security.

2 hours ago, sjachille said:

On another note let's say that a user is granted the VIEW ONLY share mode. If I revoke the share they should not be able to see the note any longer. 

Different issue, but I agree with the point.

2 hours ago, sjachille said:

It's a matter of corporate protocol you can disagree with but which can make the difference between selling Business seats or not...

You might want to check in with the Evernote for Business product. I don't know it well enough to make claims about its security. The forums for that product are right down the hall: https://discussion.evernote.com/forum/134-evernote-business/

Link to comment
sjachille

sjachille 15

Posted
  • Author
Posted
20 minutes ago, jefito said:

Flip side: most end users wouldn't know what to do with exported notes anyways. Security by obscurity is no security.

Different issue, but I agree with the point.

You might want to check in with the Evernote for Business product. I don't know it well enough to make claims about its security. The forums for that product are right down the hall: https://discussion.evernote.com/forum/134-evernote-business/

I am a business user with 3 seats - have been one for 3 years but this is besides the point - This is not an Evernote security issue, it's about managing shared information and the perception how Evernote (Business) manages and restricts the flow of information at various levels. 

Link to comment

Archived

This topic is now archived and is closed to further replies.

Go To Idea Listing
×
×
  • Create New...