Jump to content

(Archived) Password protected notes.


Recommended Posts

Come on guys. Are you truly going to created an incredible software such as this and offer absolutely no way to password protect your notes and notebooks (with exception to the dinky little text encryption). Don't get me wrong, I'm not trashing you at all. I think you have a great product.

The problem is, however, that most (I'd say about 99.9%) of your users NEED the ability to secure their data. Otherwise, Evernote is useless to us. I want the ability to store my sensitive information in a common place, as would anyone. That includes silly photos and snippets from the web because I don't want someone snooping through my info of any kind.

Honestly, this is a no-brainer. I am having a hard time imagining why you didn't add this to your software...and it makes me wonder negative things such as "Are you trying to give yourselves access to all of my information?" What could possibly be the reason for you leaving this out. It's obviously not because you don't have the ability, there must be another reason.

It seems to me that you guys have been somewhat avoiding the answer this question (as I've seen, forgive me if you have already) and I do believe you owe it to us as your loyal users that you come out and give us a straight answer. Who's with me? I assure you, if you can provide a reasonable explanation, the Evernote community would be understanding. I can also assure you, that if you can't provide a reasonable explanation, you are going to lose my business. Not that it would hurt you much but I know that I'm not the only one that feels this way.

Again, I don't mean to sound ungrateful. Thank you so much for your hard work in putting this project together and offering it for free, but PLEASE, give us a decent response here. It's the least you could do in giving us some kind of assurance that we will see this feature in the future.

Thanks Guys,

Jeremy

Link to comment
  • Level 5*

There's plenty of discussion in the forums on password protection, including commentary by Evernote staff (mainly Dav Engberg, the CTO) on their take. You can search for 'password protection to find it, if you care to.

~Jeff

Link to comment

I have been following the discussion with interest and I think I know where the disconnect is.

As an analogy, let's say you have a safety deposit box at your local bank. In that box, you've put an incriminating picture of yourself during that lost weekend in Tijuana. As with all safety deposit boxes, the only way to gain access to that box is to either prove that you're the owner of the box, or provide a court warrant that says the owner has passed away and you're the executor of the owner's will. (I think.) Ideally, you want to do something to that incriminating picture... steganography perhaps... such that even the bank and the executor of your estate cannot see what you did that booze filled weekend.

Evernote's stand on the matter is that you should encrypt the picture before you put it into the deposit box. You and you alone are responsible for choosing a sufficiently strong enough encryption, and for managing the passwords and keys. From the discussion thread however, it sounds like a lot of people want Evernote to take on the responsibility of encrypting the box's contents, and managing the keys. Some folks want that kind of encryption to be the default. Such a feature would be useful if you wanted to read an encrypted note on your cellphone and can't exactly "mount" and decrypt the file. (I believe Dropbox does in fact encrypt all of their files in the cloud.)

Please correct me if I'm wrong.

I personally think that if Evernote's security is sufficiently strong enough to deter people from breaking into the safety deposit box to begin with, then it doesn't really matter whether that photo is encrypted or not. Additionally, I also think that encrypting the photo and any other notes at that point will not only dramatically slow down indexing and synchronization, it imposes the additional complexity of maintaining two passwords - one for access and one to decrypt. (Using the same password for both, defeats the purpose and in hindsight, I wonder why Dropbox even bothers.)

Now the question on my mind is, is Evernote doing a good enough job controlling access to the safety deposit box in the first place? The bank of course would get suspicious if 20 different people all showed up on the same day with fake credentials claiming to be me. Is Evernote taking the appropriate actions when random hackers target my account?

Link to comment

IMO, my sensitive data is only safe in a scenario where I have a password & they don't. As you mentioned, Dropbox claims to store the data encrypted, but since they have a copy of my password (somewhere - they have to in order to validate my login) and they don't ask for a separate encryption password, then if a hacker got to my data, they can see my data.

EN's text encryption asks for a password - if you lose it, your encrypted data canNOT be recovered.

Jungle Disk allows you to add an encryption password & they advise you that if you lose it, your data canNOT be recovered. Same thing with Truecrypt.

Is Evernote taking the appropriate actions when random hackers target my account?

viewtopic.php?f=30&t=9583&p=37567#p46912

Link to comment
Is Evernote taking the appropriate actions when random hackers target my account?

viewtopic.php?f=30&t=9583&p=37567#p46912

The question was asked in that thread but it got lost in the encryption discussion and it was never answered. I'm afraid to repost it there because I think it'll get lost again. In a nutshell...

Presumably some hacker in Russia is connecting to the Evernote web site and repeatedly trying random user names and passwords. At some point, EN will assume that someone is trying to break in, and take actions to block the hacker from making any further attempts. Depending on which actions EN actually takes, I could be locked out of my account and be unable to synchronize my notes. (For example, EN can disallow logins to that account or ban my ISP if it turns out my neighbor's computer was infected and being used to attack EN.)

In hindsight, I don't think EN needs to detail exactly what they would do but in the context of this conversation, it would be nice if EN assures us that yes, EN will take action to deny access once they see suspicious behavior and once EN takes action, there is a process in place that will allow me to get back into my account.

Link to comment
  • 3 weeks later...

This is a general problem, and in no way unique or specific to Evernote.

It is inadequate to assume that any given cloud repository will never be breached. Even well run sites with skilled and vigilant security staff can be the subject of a breech from some novel attack on an unknown vulnerability or unexpected system failure. So we must assume that any data in the cloud is at risk.

Even if external breeches of an account are not a concern, what about the cloud service employee who decides to peruse your unencrypted file? Perhaps out of boredom, perhaps out of criminal intent. As companies grow, the risk of ethically challenged individuals making it through the hiring process may also grow. This is a very common type of breech, and one I have personally been the victim of. I also have been the victim of a breech in which a large company left open both its' wi-fi's and its' accounting systems. I do feel reasonably comfortable Evernote will not make that error. :)

Does Evernote have a responsibility to encrypt our data? Ask a lawyer, but I suspect a bailment is created when a site takes custody of your data. While that would not impose a specific requirement, it does require due diligence. And, just as a popular site may be considered a target rich environment and encourage unwanted attention, one can hope that a reputation for strong security measures might tend to discourage such attention.

Would data encryption be a smart feature for Evernote to add? Yes, I strongly believe it would be.

Is there a reason for Evernote not to offer it? Two that I can think of. The first is that it can chew up a lot of processing power (but so can OCR). The second, which has little merit in my thinking, is some sort of misplaced fear of being held liable if the encryption fails to protect something. Personally, I would much rather be in court saying "your honor, we tried everything to secure the data and failed", than saying "your honor, we did very little to protect the data and failed".

So what about taking responsibility for encrypting our own data? The problem is, as a practical matter, we can't. How can I encrypt my data on my Mac, using something like PGP, and then read it on my iPhone, iPad, Blackberry, etc., when no consistent method is available for implementing this? And frankly, being human, if the solution is not reasonably transparent, I'm not likely to use it consistently. So, we really need a server side solution, or, a client that provides a consistent crypto function across platforms, and manages to do so without bogging down the processor in a cell phone.

While I realize it is all the rage, I am personally very skeptical about the wisdom of cloud computing, and the idea of trusting third parties to watch over sensitive data. Especially when that data is unencrypted, and the vendor is saying "Trust me". I am told that "Trust me" is sometimes best translated as "F___ You". I guess I just know more about the black hat side of things than is really good for my peace of mind. Anyway, I am still considering ways to simply keep our systems in sync without involving third parties in the storage of our data.

I must admit, however, that Evernote is interesting, and I am doing some serious experimentation with it. I'm just not convinced that any cloud solution is worthy of our trust if we are storing anything remotely sensitive. That is especially so when that data is stored unencrypted.

So, I would like to encourage Evernote to provide encrypted storage. I think it makes them a much more interesting (and to me viable) cloud service provider. Hopefully the processing requirements and any other downsides would not be overwhelming barriers. I hope they are monitoring this thread, and will, at some point, respond.

Regards to all, and offense meant to no one, especially the folks at Evernote.

Link to comment
Oh boy, here we go again!

Doesn't anyone use the forum search feature?

Of course we use the forum search feature. But I didn't come here with a question, I was responding to a thread I came across while browsing the forum. I simply wanted to let En know that there was a continuing interest in this.

You know, I've been active on the Internet since the days when there was no such thing as http and the www, but in all that time I can't remember seeing the RFC or FAQ that said you should search the forum before responding to an ongoing thread, and a thread with fairly recent posting dates at that. So, asking a question, yes, search first. Responding to a reasonably current thread, not so much.

In any case, if you can't be civil, please just go back under the USENET bridge with the other trolls.

To everyone else, sorry for the discord folks.

Link to comment

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...