Jump to content
Oliver_ENf2013

Did you know: Your notes are less safe, when entered through browser

Recommended Posts

Recently a study from Princeton analysed what is called session replay. Oversimplified, it is a third party company acting as man in the middle between your PC and the website you are visiting, which then tracks and stores every mouseclick and keystroke to help the site owner analyse their website.
In order to do this, everything you type is not only stored at the website (like for example Evernote), but also on the servers of the analytics company. Obviously this poses a significant security issue. Or like one of the researchers from Princeton puts it: "Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, credit card details, and other personal information displayed on a page, to leak to the third-party as part of the recording," Steven Englehardt, a PhD candidate at Princeton University, wrote. "This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes."
When Walgreens was caught red-handed, they stopped using those third parties https://www.wired.com/story/the-dark-side-of-replay-sessions-that-record-your-every-move-online/ as the risk was far higher than potential benefits.

Evernote was also "featured" in this study, and was caught using one of those analytic providers ("hotjar"), potentially storing everything you enter in your notes on a non-Evernote server on a Malta jurisdiction. Funny enough Evernote just changed the privacy policy just a few months ago to highlight that indeed they were using those services/scripts. And Evernote highlighted how you could opt out. You canot opt out in Evernote. But read the instructions on the service provider's website.

Dear Evernote, really? You put so much effort in providing a secure environment? And then you put it all at risk and allow a third party to record everything I do? Every word I type? Record it on their servers? Just for the benefit of optimising your web-design? Seriously?
I would suggest you read these forums, there are enough suggestions to optimise your product to keep you busy the next few years, like getting rid of the upgrade button if you are a paying user...
After the discussions around your last privacy policy update, I no longer believe this to be a mistake, I think this is a mindset issue. You put so much effort on improving your product, that you miss out on the basics. I understand that AI is more sexy than privacy. But I would have hoped you would not miss out on the basics.
This really was the straw that broke the camel's back. So today I have cancelled my subscription.
Oliver

Additional Sources
https://arstechnica.com/tech-policy/2017/11/an-alarming-number-of-sites-employ-privacy-invading-session-replay-scripts/
https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html (Evernote is #359 of most visited sites - and uses tracker)
https://evernote.com/intl/de/privacy/policy (you find the version dating from July, but if you go to what's new, you see the change I refer to under the cookies section )

 

  • Like 2

Share this post


Link to post

Evernote provides this documentation at https://evernote.com/privacy/cookies

Hotjar. To learn more about Hotjar and your privacy, visit https://www.hotjar.com/privacy. You can opt out of such tracking at any time by using a “Do Not Track” header. You can read more about how to do that by visiting https://www.hotjar.com/opt-out  (edited: removed . from end of url)

I'm not really a web platform user, but it sounds like you would want to opt out of the tracking

  • Like 2

Share this post


Link to post

@Oliver_ENf2013 - thanks for the headsup.  Reading through the links and information I'm still not sure how much information is being captured - Evernote seem to enumerate stuff that I'd imagine most site operators look for,  and they're hardly 'featured' being listed as one of " sites that are ranked in the top 10,000 according to Alexa ".  I used @DTLow's link to opt out (which I hadn't known how to do before this) - although there's a full-stop on the link which causes a 404.  Try here if you're stuck - https://www.hotjar.com/opt-out

Took me seconds...

ScreenClip.png.2d6f98c251bf2c67492b67bb635b6522.png

  • Like 1

Share this post


Link to post
6 hours ago, DTLow said:

Evernote provides this documentation at https://evernote.com/privacy/cookies

Hotjar. To learn more about Hotjar and your privacy, visit https://www.hotjar.com/privacy. You can opt out of such tracking at any time by using a “Do Not Track” header. You can read more about how to do that by visiting https://www.hotjar.com/opt-out.

I'm not really a web user, but it sounds like you would want to opt out of the tracking

That's correct. It seems Evernote has been using hotjar for quite a while, but only amended it's privacy policy very recently.
Which in my personal opinion is an issue, since you cannot change the settings in Evernote directly. And as the average user you would not detect your session being recorded by hotjar.
So until this amended policy was published, as an average user you would not even know it was being recorded, let alone know how to opt out.

  • Like 2

Share this post


Link to post
5 hours ago, gazumped said:

@Oliver_ENf2013 - thanks for the headsup.  Reading through the links and information I'm still not sure how much information is being captured - Evernote seem to enumerate stuff that I'd imagine most site operators look for,  and they're hardly 'featured' being listed as one of " sites that are ranked in the top 10,000 according to Alexa ".  I used @DTLow's link to opt out (which I hadn't known how to do before this) - although there's a full-stop on the link which causes a 404.  Try here if you're stuck - https://www.hotjar.com/opt-out

Took me seconds...

ScreenClip.png.2d6f98c251bf2c67492b67bb635b6522.png

I never use the browser version of Evernote. But I went ahead and I opted out also.

When it comes to privacy, I feel like the little boy putting his finger in the dike. Kind of a hopeless action.

  • Like 1

Share this post


Link to post
11 minutes ago, jbenson2 said:

When it comes to privacy, I feel like the little boy putting his finger in the dike.

I know what you mean.  My electronic footprint is no doubt all over the place.  All we can do is keep papering over the cracks when we find 'em.

  • Like 2

Share this post


Link to post
21 hours ago, DTLow said:

You can read more about how to do that by visiting https://www.hotjar.com/opt-out  (edited: removed . from end of url)

This is not working for me.  But perhaps it is due to Chrome blocking cookies and/or Ghostery blocking trackers.

IAC, we should not have to be going to a 3rd party web site to prevent this. 

ATTN: @Evernote: (  @Chantal Leonard, @Johnathan Hebert, @Jason Miller ) 

Please add a profile option to prevent/deny all tracking of our keystrokes and/or data submitted to Evernote.com, regardless of whether by browser or by device application.

  • Like 1
  • Thanks 1

Share this post


Link to post
On 1/1/2018 at 4:53 PM, Oliver_ENf2013 said:

Recently a study from Princeton analysed what is called session replay. Oversimplified, it is a third party company acting as man in the middle between your PC and the website you are visiting, which then tracks and stores every mouseclick and keystroke to help the site owner analyse their website.
In order to do this, everything you type is not only stored at the website (like for example Evernote), but also on the servers of the analytics company. Obviously this poses a significant security issue. 

. . .

Evernote was also "featured" in this study, and was caught using one of those analytic providers ("hotjar"), potentially storing everything you enter in your notes on a non-Evernote server on a Malta jurisdiction. Funny enough Evernote just changed the privacy policy just a few months ago to highlight that indeed they were using those services/scripts. And Evernote highlighted how you could opt out. You canot opt out in Evernote. But read the instructions on the service provider's website.

Thanks for sharing this disturbing news.  I am very disappointed in Evernote -- but I guess since they are now under the influence of Google, I should not be surprised.

Perhaps we should all email the Evernote CEO complaining about this, and demanding that it be removed.  From an Evernote Blog by CEO Chris O'Neill:

Quote

If at any point you feel we aren’t listening, please don’t hesitate to contact me personally via Twitter (@croneill) or email (ceochris@evernote.com) with your concerns.

 

  • Like 1

Share this post


Link to post

Hi everyone, I'm Evernote's head of security. @Oliver_ENf2013, thank you (and the others in this thread) for voicing your concerns. We had similar concerns when we evaluated the security and privacy impact of using Hotjar. Reviewing the security and privacy impact of a new vendor is a standard part of our vendor review process.

We are using Hotjar, but we are using it in a way that minimizes the impact to your privacy:

  • We only use Hotjar on our marketing website (https://evernote.com).
  • We don’t use it in our web client (https://www.evernote.com/Home.action), so words you type in a note are not being sent to Hotjar.
  • We make sure the data we send to Hotjar is anonymized and de-identified. We do this by configuring the Hotjar javascript to redact anything you type into a form field. For example, if you enter contact information on our business contact page (https://evernote.com/business/contact/), all Hotjar receives is a random string of asterisks for each field. 

We aren't in the business of selling or renting your information. That's been one of our guiding principles since we published our three laws of data protection and our mindset on that topic has not changed.
 

  • Like 4
  • Thanks 1

Share this post


Link to post

@Rich Tener
First of all thanks a lot for your reply. That you reply to these forum post implies that you take user concerns seriously, which is the most important message of all. And if indeed you do not use hotjar on the web-client, >80% of my concerns disappear. This is really good news. And thanks so much for clarifying that. 
Now - if you allow - I would like to reply to your other points even if it gets slightly more technical:
* I guess like most users I enter the web-client through https://evernote.com and then "No-Script" clearly shows hotjar scripts being loaded -  and Pi-Hole shows hotjars servers being contacted. So sorry for my misinterpretation. Still the paranoid me doesnt like hotjar on the page I use to enter EN.
* I am not the security expert that you are, but I am surprised about your confidence in hotjar. As you probably know until the Princeton study came out in November, hotjar was playing back all users' sessions via http (unencrypted), even if they were recorded encrypted (https) - big no-go. Also until mid-december, you, as the customer had to blacklist the fields you did not want recorded in plain text - everything else was recorded by default. So especially if you change your weblayout, it was quite easy to by mistake transmit data to hotjar. Again a no-go. And again after the study came out hotjar changed the approach and asks you to whiteliest fields. Since as you said you did the due diligence I am sure you are aware of this (and other examples), of how using session replay can cause unintentional security risks...
* I never said you sell data. Also I never said hotjar was interested in users data. But to come to aggregate data, hotjar needs to record on an individual and detailed level. And by definition this increases the vulnerability of every users data.
But most importantly thanks again for your reply and your transparency in your post. Even though I may not fully agree, I think this builds further trust into Evernote as a company. Which is the most important thing, because as useres we will never understand all technical details, so our decisions need to be based on trusting the people behind the company.

@
jbenson2 sorry for the late reply. You asked what was being recorded. Have a look at the below video. It shows a dummy website set up by the Princeton team to evaluate the effectiveness of the claimed automatic blocking of sensitive data (Hotjar: "Get started in seconds.")
On the left you see the user using the website. On the right you see what is recorded as session replay, so what a company like hotjar would store on their servers on behalf of their client company (like Evernote) (Source: https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/)

 

 

  • Like 2

Share this post


Link to post
3 hours ago, Rich Tener said:

We are using Hotjar, but we are using it in a way that minimizes the impact to your privacy:

  • We only use Hotjar on our marketing website (https://evernote.com).
  • We don’t use it in our web client (https://www.evernote.com/Home.action), so words you type in a note are not being sent to Hotjar.

Rich, thanks for your reply.

One question:  To get to the web client, I start at Evernote.com, then click on login.  This takes me to the login page at https://www.evernote.com/Login.action.  From there, it does go to the https://www.evernote.com/Home.action page.  So, is HotJar recording our keystrokes on the login page?

  • Like 3

Share this post


Link to post

If you redact everything that is entered into form fields - what are you actually using HotJar for?

Is it just user journey/fallout stuff?

  • Like 1

Share this post


Link to post

@Oliver_ENf2013, you are correct that a lot of people enter the site through our marketing landing page at https://evernote.com. If you click login, you get taken to our web service at https://www.evernote.com, which doesn't load Hotjar. We don't have Hotjar loading on any page under www.evernote.com. It's a little confusing that evernote.com and www.evernote.com are different sites. We keep a very strict separation between the marketing pages on evernote.com and the Evernote service at www.evernote.com. They live in different infrastructures in Google's cloud platform and are completely isolated from each other. 

Part of my job is balancing confidence in a vendor with bounding risk. With the way that we've configured Hotjar (only loaded on our marketing site with very few places allow a visitor to enter any text) we've limited a lot of the risks associated with them. HTTP playback is a great example. It's not a good security position for them, but If the only thing coming across that stream is de-identified heat maps and mouse recordings, with redacted text fields, the privacy impact is almost non-existent.

I don't think you are paranoid at all and you have a healthy level of scrutiny. My team and the other teams at Evernote welcome it. We appreciate you bringing potential security and privacy issues to our attention because you are helping make Evernote safer. Feel free to engage with us directly here in the future: https://evernote.com/security/report-issue

@JMichaelTX, Hotjar is not recording keystrokes at https://www.evernote.com/Login.action either.  

@Metrodon, yep, we are using it for user journeys. We use the session recordings and heat maps to help us understand how visitors navigate the site. Our goal is to improve that and make navigation less confusing and more efficient.

Share this post


Link to post

Thanks - I'm happy to go to Malta for you to do an onsite :)

Share this post


Link to post

@Rich Tener

Why not change the name of the marketing landing site to avoid confusion? 

 

Share this post


Link to post
On 1/2/2018 at 5:55 AM, gazumped said:

@Oliver_ENf2013

I used @DTLow's link to opt out (which I hadn't known how to do before this) - although there's a full-stop on the link which causes a 404.  Try here if you're stuck - https://www.hotjar.com/opt-out

Took me seconds...

ScreenClip.png.2d6f98c251bf2c67492b67bb635b6522.png

It is giving me instructions for Safari on an Apple OS. I am using Chrome on Android. 

Share this post


Link to post

Hmmn.  Didn't try on my Androids yet... but I have now.  On that link all I saw in both Firefox and Chrome was the same screen as above with a "you're not opted out" message and the same button marked "Disable..."

All I do is press the button - no instructions involved... ???

Share this post


Link to post

I know that this is an old thread but I have only just seen it.

It would appear that hotjar is also accepts "Do Not Track" as an opt-out. So if your browser(s) have Do Not Track switched on the hotjar site says:
 

Quote

 

"Do Not Track" Support

Hotjar also honors the Do Not Track header. This means that if you have the Do Not Track header installed, Hotjar will not track you.

 

 

  • Like 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...