Jamie Todd Rubin

paperless Data security and protecting your paperless data

56 posts in this topic

The two questions I get more than any others when it comes to going paperless are as follows:

  1. What about backups (if for some reason, Evernote was not accessible)?
  2. Aren't you worried about security/identity theft/etc.?

I was tempted to write a separate blog post for this but thought a post here in the forum would be good to better allow full discussion of these important questions. What follows is my personal take. Everyone has to gauge these issues for themselves. And let me be clear from the start: no one at Evernote asked me to write this post. This is based entirely on my own experience because I do get asked these questions a lot. Just look at the comment threads to the posts I've written.

Backing up paperless data

In all the time I've been using Evernote (well over a year) there has never been a time when I couldn't access my data. Evernote seems to have better uptime than a lot of other cloud-services I've used. In my day job, I'm a software developer and I know how difficult it can be to keep servers up and running. I give Evernote high marks for this so far. When they do have an outage, they announce it through several channels, among them:

That said, having worked in IT for 20 years, I've learned to plan for the unexpected. Here is how I ensure that I have backups of my data and access to my most important documents, even if Evernote is down.

  1. My data is not stored directly on my computer. At home, my data is not stored directly on my laptop but on a 1 TB external hard disk. If something happens to my computer, the data on the external disk is still safe and sound.
  2. My data is also backed up to the cloud. I use a product called IDrive which allows me to back up up to 5 machines and my WordPress website. The software works on Windows, Macintosh, etc. It runs nightly and I get an email when the backup is complete for each machine. I pay for a premium service that allows me to back up 500 GB of data. I think it costs me $150/year.
  3. Included in that cloud backup is the /user/[username]/Application Support/Evernote folder on my Mac. This is a bunch of local meta-data for Evernote that I can easily restore if I ever need to.
  4. Twice a year (usually 4th of July weekend and New Years) I use the "Export Notes From [Notebook]..." function to export all my notes (and related attachments) to an XML file that I store in a folder on the external hard disk (and which in turn is backed up to the cloud.)
  5. On my iPad, I have enabled the "Offline Notebook" feature for what I call my "Paperless Filing Cabinet" notebook, which is where most of my documents go. This allows me to access the notes and attachments in the Evernote app, even if I have no Internet connection.

These five things provide me with all of the backup security I feel I need. Sure, there are things that can slip through the cracks here, but with the exception of item #4, the above provides me with good, reliable backups with almost no labor on my end.

Data Security, Identity Theft, etc.

I get asked a lot about this. The truth is I don't worry about this much. That might be naive on my part, but I have learned over the years that a few simple practices go a very long way to protecting data and preventing things like identity theft. Here are some of the practices that I use. I understand that some people feel more strongly about this than I do and again, you have to do what makes you most comfortable.

  1. I always use SSL when transferring data. Evernote uses SSL when data is transferred over the Internet to their servers. That means the data is encrypted over the wire.
  2. I always use strong passwords. A strong password is one that uses a combination of upper and lowercase letters, numbers and symbols and does not contain an English word. It is also long, more than 12 characters at least.
  3. I change my password frequently.
  4. If I feel like I need additional security, I can encrypt documents using some other encryption application before loading them into Evernote.

Of course, even the best practices can't always prevent a security breach. When I think about this eventuality, I liken it to the risk of someone breaking into my house and going through my (now non-existent) file cabinet. How can you protect against this? They've gotten through your physical security, they've breached your alarm system? What else can you do?

Not much. I do have a rider on my homeowners insurance that protects me against identity theft and I've made sure that rider is adequate to cover any possible losses. But the truth is I'm not worried that it will come to that, just as I don't worry that someone will break into my house.

So there you have it! How I back up my paperless data and how I protect myself against unwanted intrusions. Have at it! Discuss! How do you handle backups? How do you protect your data? Are there better practices than what I've got here? I'm always interested in learning better practices and techniques.


Regarding security, I don't put anything sensitive in the EN cloud without password encrypting it. And since I have local notebooks that may have unencrypted, sensitive data, my EN database is stored in a Truecrypted container.

Regarding backups, I regularly back up my data to USB drives. And for many years, I've used Amazon S3 via Jungle Disk. The backup runs nightly. (I leave my computers on 24/7.) And I password encrypt my Jungle Disk "buckets". I don't like relying wholly on one backup, so that's why I use both. Plus, in the event of a hard drive crash, it's faster (and cheaper, if you pay for bandwidth to your cloud service) to restore from a USB drive that may not be totally current & then sync down the new files/changes from the cloud. (At least if you have very much data.)


That's a nice summary. Thanks

My system involves:

  • Carbonite for off-site backup. It runs 24 hours a day and kicks in to find any changes whenever I am away from the computer for a few minutes. Cost is $50 a year.

  • For important documents, I store them in a local non-sync'd Evernote notebook. They do not get pushed up to the Evernote cloud.

  • Create manual backups of the .exb folder and local non-sync'd notebook at least once a week and always before installing an upgrade to Evernote.

  • LastPass manages my 80 passwords. There is no way I could possibly remember my 14 character passwords (example: nY9X*21TqSs&6$).

  • Importance of frequent password changes is subject to discussion. Pro for work related passwords. Con for personal passwords. I favor the side that does not believe it offers much benefit.


My backup scheme:

1st layer: Time Machine (backs up the entire machine hourly)

2nd layer: SugarSync (documents and Evernote as they are changed)

Super-critical items: Dropbox (which is also backed up by SugarSync and Time Machine). I use it in addition to SugarSync for a few files that change and need to be backed up quickly, since SugarSync can have a lag as it runs through the upload queue.

Evernote: web, iPhone, iPad, plus all the above.

It's overkill but it's all automatic and requires no administration time other than the hassle of reminding iPhone and iPad to sync. A choice to do that by cable within iTunes would be really nice but I think the idea has been flogged to death on the forums and soundly rejected by management, for what is certainly a good reason.

Security: Strong passwords, not using dictionary words, and long. Roboform. Change occasionally.

Identity theft: Quicken checks bank account and credit cards every day, so I'll see any unusual activity.

Use SSL whenever possible.

Quit worrying about it.

Edit 12/30/11 : Roboform changed its subscription system without notice once too often, so I'm using 1Password (Mac, iPad, iPhone). Where has it been all my life?

Edited by jmpsfs

How do you encrypt documents using some other encryption application before loading them into Evernote?


Using whatever encryption program you prefer. There are many. IE WinRAR or use a PDF viewer to password encrypt a PDF.


Regarding security, I don't put anything sensitive in the EN cloud without password encrypting it.

You mentioned this elsewhere and I felt stupid for not thinking of this sooner. All of a sudden I realized that I've been backing up to SugarSync (even before EN) and don't know what their encryption is (if any) to protect my data. Then the idea of knowingly sending all of my scanned docs to EN as well just raised my concern way too high. I've got medical docs, loan docs, financial statements, etc. Is it crazy to store all of that in the cloud without encryption? But the idea of using a 3rd party solution and also losing some search functionality brings me right back to where I'm at today. The whole reason I wanted to use EN for my scanned docs was for the search and tagging functionality (I suspect tagging would still work.)

2nd layer: SugarSync (documents and Evernote as they are changed)

Hummm.... I'm using SugarSync too (and loving it) for all personal files. I have NOT specifically included any EN folders and they don't appear to reside in "My Documents" in Win 7. Where is the local data stored?

Security: Strong passwords, not using dictionary words, and long. Roboform. Change occasionally.

I've been using Roboform for several years and absolutely love it. I've migrated all of my important credentials to completely random, complex passwords and don't have to remember a thing. Plus it syncs all that data between machines and stores the backup (Encrypted!!!!) in the cloud.


Is it crazy to store all of that in the cloud without encryption? But the idea of using a 3rd party solution and also losing some search functionality brings me right back to where I'm at today. The whole reason I wanted to use EN for my scanned docs was for the search and tagging functionality (I suspect tagging would still work.)

EN will not OCR/index any attachments like Word/Excel docs. It will also not OCR/index any encrypted data. (See this thread.) BUT...IMO, that's NBD b/c I rely primarily upon accurate titles/tags & keywords to find my docs. IDK if it's crazy or not to store sensitive info unencrypted. My husband & I have Lifelock but I still prefer to be cautious b/c I'd rather not have to live through the hassle, even with Lifelock. OTOH, one of the EN employees (Heather?) stores all her info in EN w/o encrypting it.

I've been using Roboform for several years and absolutely love it. I've migrated all of my important credentials to completely random, complex passwords and don't have to remember a thing. Plus it syncs all that data between machines and stores the backup (Encrypted!!!!) in the cloud.

I've also been using Roboform for several years & also love it. Whenever I need a new password, I let it gen one - so nice!


My current major concern as a relatively recent adopter of EN (in addition to the above re backup security) is reliability of local storage of mission-critical notes. This is based on a recent experience of having lost 2 hours' worth of key data in a meeting when my Android smartphone crashed & rebooted. On re-opening the note it only had the stuff I had saved before the meeting, not the 2 hours' worth I had taken during it! Don't worry, I did a within-file search of all the files from that day in the EN folder, just to be sure it wasn't there somewhere. It wasn't.

Why is there not the option to autosave a user-definable number of local backup copy versions every so often as you go along? Without this facility, I cannot commit to Evernote, which seems really great in other respects. I need my note-managing software to be bomb-proof for my mission-critical notes; as it stands, I'm afraid EN isn't. Unless I'm missing something somewhere...


Dude. If you need something bomb-proof, good luck with that. Every system is fallible. Every system. Even paper & pen which can be lost, stolen, damaged (spill a coke on your notebook), etc. The key is to find the most reliable system (hopefully a couple) & use it (them) with care. Then, if you still encounter data loss, you just have to accept that as part of life. (shrug). Keep in mind the reliability of note taking may involve several factors. Anything computer oriented has a host of them. If the hardware malfunctions, that can cause data loss, even with the best/most reliable software. ***** happens.

Having said all that, if I were taking "mission-critical notes" & wanted them as "bomb-proof" as possible, I would:

1. Investigate & use a process for a while to run it through its paces to make sure the hardware/software works as I think it should & to acclimate myself with the hardware/software.

2. Have at least two "systems" in play. IOW, not rely upon one app or device.

IME, with "mission-critical" stuff I want to be as "bomb-proof" as possible, I use a Livescribe pen along with a low tech Olympus voice recorder. But this is an entirely different thread. In a nutshell, with the LS pen, I get audio/handwriting & with the Olympus, I get more audio. IOW, I have three "inputs".

BTW, this is seriously OT for this thread...you should have created a different thread.


I'm new to EN and concerned about security of my data going up into the EN cloud. Do you think keeping a Notebook of sensitive notes/documents local is a better way to secure the data? I'm not exactly sure how local notebooks work. I've done some looking around the forum here and correct me on this. With the premium EN account I could have a local notebook on one main home computer that I could add sensitive notes and documents (insurance policy, wills, real estate mortgage info etc.) This notebook would only live local. Besides not being able to sync this notebook with the web and other devices is there any other disadvantage of working this way? Can I still search and tag this local notebook?

Thanks


You don't need to be a premium user to have local notebooks. Local notebooks can be searched and the notes in them can have tags. As you correctly point out, they will not be synced with EN or your other devices, so you must back them up yourself.

Many users keep sensitive data in local notebooks. Others encrypt these notes and then sync them. And some sync everything, unencrypted. It comes down to your level of comfort (and how sensitive your data is).


I posted a similar thread under Windows and I've been reading all the links people posted on threads here.

It would be beneficial if Evernote had a bit more security than it apparently has today. I wanted to store bank statements and medical records using Evernote, but I will put that off for a while.

I know it's impossible to have bombproof protection. I know even paper is never safe. If someone REALLY wants your stuff, they can break into your house and get it. But that requires someone to know who you are and know what to get. In the cloud, it's easy for some punk @ass teenager to go fishing for any type of information without knowing who I am or what he has gotten a hold of.

1. Evernote should encrypt any information stored locally, like cache.

2. Evernote should require a password every time you start it. After some time unused, password should be required again.

3. Information should be encrypted on the server and this should be clearly stated. I haven't found anything official, other than SSL encryption of the data stream.

4. You should be able to put passwords on certain folders and encrypt these without using any external apps.

5. You should be able to turn off any security measures if you so wish to do so.

I need to investigate this a bit further....for the moment, I think Evernote is best for recipes and pictures of stuff I don't want to forget ;)

S


In a nutshell, Evernote's focus is to ocr/index your notes so they are easily retrieved. That cannot be done if the notes are encrypted, since true encryption means EN would not have access to your encryption password. So it's highly unlikely more advanced encryption will be added any time soon, if ever.

As far as password protecting the app on your computer(s), as stated in the various threads, Evernote pretty much leaves that up to the user. Doubtful that will change other than maybe to have a PIN just to get into the app.


I found this (here: http://michaelhyatt.com/is-your-data-safe-in-evernote.html)

"Evernote can encrypt sensitive data within a note. If you have something within a note that you want to keep private—passwords, financial information, counseling notes, etc.—you can do so by highlighting the data, right-clicking, and selecting “Encrypt selected text.” You will then be prompted to enter a password. In order to view that information in the future, you (or anyone else) will have to enter the password to do so."

Problem is, most sensitive documents are PDF's, not plain text (at least mine). So you can't encrypt it with this method. I don't really care for indexing these types of documents, it's more for backup/easy retrieval than fast indexing. I know what my 2009 tax return says, I just need it up in the sky.

That's why a way to create a folder within Evernote, that is encrypted as standard and you need a password (not a pin) to open. It's that easy...


I'm not sure what point you're trying to make here. Nothing new here. Yes, as has been noted before, Evernote provides TEXT encryption. However, that is not indexed. And yes, you can password encrypt PDFs with most PDF viewers. (As I posted earlier in this thread.) I do it quite often before putting the PDF into Evernote. Again, the encrypted PDF will not be ocr'd/indexed. My point is that EN will most likely never (or at least any time soon) add any more encryption than it has (with the text encryption) because it does not coincide with its focus of ocr'ing/indexing your notes to make them easily retrieved and since files can be encrypted using the third party app of your choice. It's that easy...


Asking a question here: Sounds like if you don't care about OCR/Index of the file and you can lock the PDF with a password or encrypt the file then loading the file on the EN cloud should be fine. If you have good title descriptions or tags then you should be able to find the file easily. Seems like most of the files you don't need access to very often. How many times do you need to pull up your closing docs from a refinance on your iPhone? My feeling is that I will keep these files on a local notebook and just back them up to several drives as part of my backup routine. Right now I have paper tax returns in files in my house. I plan on converting them to EN local notebook. But the fact is if I need to look something up from them I'd need to look up the paper files at home now anyway. I like the idea of paperless but do I need all those files up in the cloud to access at any moment? Not really.


I agree with everything you said. Really, any time you may need to fork over sensitive data (tax returns, bank statements), any reliable company understands & you don't have to do it in 10 seconds or less. I still don't put bank/investment/credit card statements in the Evernote cloud. But I do have some tax returns & a few other docs with sensitive info in sync'd notebooks. Those I do encrypt. I think the only reason I put them in Evernote to begin with is just because I can and b/c there are some docs/info I'd like to have "at the ready" if I were out of town or I was having computer problems.


Interesting... http://antivirus.about.com/od/securitytips/a/evernotetip.htm

Bottom line: storing unencrypted data on an Internet-facing server is not a great idea. With that in mind, following are seven of the worst Evernote (or any cloud-based storage) tips:

  1. I'm a teacher. I use @evernote to create individual portfolio files for each student, documenting everything.
    Why it's bad: Compromise of the teacher's Evernote credentials potentially exposes sensitive details on students, who also likely happen to be minors. This tip is not only a security risk to those students, it potentially has legal ramifications for the teacher (and the school at which they teach).
  2. Store credit card statements.
    Why it's bad: Credit card statements often include the account number. Exposure could lead to increased risk of credit card fraud.
  3. Store login names and passwords for websites (tag with Login to see them all together)
    Why it's bad: Attackers who gain entry to your Evernote account now potentially have access to all your online accounts.
  4. Build family medical portfolios including medical history, allergies, pictures of medications, receipts.
    Why it's bad: In the past, cybercriminals who have stolen medical information have sometimes blackmailed the victims. Unless this is information you would feel comfortable sharing with friends, neighbors or even strangers, it is best not stored in-the-cloud.
  5. Keep family social security numbers (and other info) in an encrypted note for easy, secure access.
    Why it's bad: Exposure leaves your entire family at risk of identity theft. This type of sensitive information is best kept in a locked file cabinet, not in-the-cloud.
  6. Keep router/firewall settings (addresses, passwords, open/closed ports, etc.) handy and nearby.
    Why it's bad: Attackers who gain access can use this information to reconfigure DNS settings on your router or enable their own access to your network.
  7. Take a photo of your passport and send it to Evernote. If it's lost or stolen, you can still show the embassy your info.
    Why it's bad: A photo of your passport makes it that much easier for counterfeiting. A safer bet would be storing only the passport number (in encrypted form).

I've done 5 of those and I AM concerned, because none of my questions/worries really have been answered satisfactorily. All those things above, that's what Evernote would be insanely great...


Nothing new here. Security has been discussed ad nauseam on the board. Please search the board for the "wide open databases" thread, if you want more information.

Bottom line:

- EN allows text encryption. Doubtful they will add anything more, any time soon, since their focus is to collect & easily retrieve info. Indexing cannot be done on encrypted info.

- Anything else you want in the EN cloud can be encrypted via the third party app of your choice.

- EN is not a password manager. However you can add your logins & passwords in text format & encrypt them using EN's built in text encryption, if you wish.

- you can store sensitive data locally only (non-cloud), via either a Mac or Windows desktop, if you choose to.


Hmmm, I hear you I hear you.

But if this is "old" news and the forum has quite of similar topics, it appears to me as this is an area where Evernote could/should get better? If there's a market for it, you make it. If Evernote leaves this area as is, then it either must be a) design philosophy or b) lack of funds?


There are always people who want Evernote to do something else - ranging from bullet points, to outlines, to photo manipulation to more security.

It's hard to argue with Evernote's success (and their decisions).

In less than 4 years, they have a customer base of over 20 million users.

They were named Company of the Year by Inc. Magazine last month.

It's not a "lack of funds". Read up on the amount of venture capital they've landed.

They've increased their staff and are moving to a new 5-story office.

I've seen over 40 upgrades in the product over the past couple years.

Seems like their "design philosophy" is working quite nicely for them.


Based on the many concerns raised by users, security is a big issue, in fact it is one of the biggest issues when using cloud based systems and it should not be played down, regardless how successful the service is. A reputation of any cloud based service could very easily be destroyed if security related problems emerge. Also, concerns about security would stop many users from using the software to the full extent.

Personally I'm using Evernote because I want to go paperless and this involves storing critical information. Having said that, I'm following each Evernote update with lots of interest hoping that the issue around encryption would be addressed (encrypting notes or OCR search indexes). So far there hasn't been much news lately.

Providing the best security would probably help Evernote immensely as it could strengthen its user base. This is more about retention and strengthening its position rather than just growth.

Security is not being downplayed at all. Evernote is not a backup system. If you want a secure, encrypted cloud backup system, you should use one. (Jungle Disk, Crashplan, Carbonite, etc.)

Evernote's focus is to collect, organize & retrieve bits of information from a variety of sources. Organization & retrieval is facilitated due to their indexing system. Indexing cannot be done if the data is securely encrypted because the cloud service does not have the ability to know your encryption password.

Security exists in at least two places...sending data and the data as it resides on the "cloud" server.

This particular post is addressing how the data is stored on a cloud server...

People tend to think Dropbox is more secure than EN. Dropbox tends (IMO) to propagate this fallacy. I've seen their blurb on security.

"All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password"

Any time a cloud service can tell you your password (click "forgot password") and/or can help you restore your data, your data is NOT secure from hackers. Do you think hackers are smart enough to be able to hack into a cloud server but not smart enough to figure out where the encryption passwords are located??? Although there is no 100% security from hackers, unless the data is encrypted using a password the "host" does not have access to, then your data is not very secure from hackers. IOW, if you do not provide a second, encryption password & you are warned that if you forget it, you will not be able to recover your data, then the "host" is storing the encryption password somewhere. And hackers can get to it. That's what they do.

Jungle Disk (a TRUE backup/encryption cloud) says, if you encrypt your "bucket" & forget your password, you are SOL. They cannot help you recover your data.

Truecrypt, another TRUE encryption app, also says, if you forget your encryption password, kiss that baby goodbye. They cannot help you.

Evernote states any text you encrypt in Evernote notes is not indexed...same reason as above. And if you forget the password, they cannot help you recover it.

So...if you feel comfortable putting something into Dropbox (without using a WINRAR'd file or Truecrypt container or some such), then you should feel equally comfortable putting that info into Evernote.

And from Dave Engberg, CTO of Evernote (emphasis mine):

Yes, "can't search encrypted content" is an intentionally abbreviated reply. The longer version would be:

If a server has access to encrypted data, and access to the keys required to decrypt that data (for searching, display on the web, etc.), then anyone who successfully attacks that server has access to your data. If someone can gain control of that server, then the encryption has absolutely no value (other than making things slightly inconvenient). The attacker can make the server decrypt the data and read whatever she wants.

Meaningless encryption offers the illusion of security, which is frequently more dangerous than intentionally and transparently omitting encryption.

The only "meaningful" encryption would require that Evernote does not have a copy of the keys to decrypt the data at all. I.e. we just store a big blob of data that can only be decrypted by a client that has the keys. This would mean: no web interface, no "thin" mobile clients, no image processing/OCR, etc. If you lose/forget your personal encryption key/passphrase, then your data is basically unrecoverable (since Evernote doesn't keep a copy of the key).

This is actually what we do for the "encryption" feature within Evernote ... if you select some text in a note and encrypt it, that is encrypted with your passphrase, and Evernote does not have any secret "back door" to read your encrypted data. This is why you can't search for the contents of encrypted regions from the web ...

I.e. you're talking about an opaque file storage service, like one of the secure backup services. Not "Evernote." While these sorts of services have their place, that's not what Evernote's consumer service aims to be.

Evernote's focus is to collect, organize & retrieve bits of information from a variety of sources.

BurgersNFries is spot on here. I use Evernote as part of an active and ongoing process to be paperless. I don't use it as a backup system. The stuff that I maintain in the cloud in Evernote is stuff that I think I'll have a good chance of needing or working with in the near future. When I don't think I'll be needing to access things online, I move them to a local notebook. This requires some work and management of documents, but that's my point: I use the software as part of an active and ongoing process.

Evernote is not to my knowledge a backup system. A backup system is like an insurance policy. It's not part of an active process, but it's there if you need it. I back up my Evernote data quarterly by exporting all of the notes to an XML file using Evernote's native export functionality. This file is then backed up to the cloud using my cloud backup software, but the key difference is that I can compress and encrypt the file before sending it off to the cloud because I won't be actively searching it. It's there as insurance, in the event that my local systems fail.

Distinguishing between tasks that are part of an active process (e.g. managing documents in real time) and a backup is important to understand why security is implemented as it has been in Evernote.
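An added sketch (not code from the thread or from Evernote) of the client-side approach discussed above: the export is compressed and encrypted with a passphrase-derived key before upload, so the storage host holds only an opaque blob it can neither search nor recover. Python's standard library has no AES, so an HMAC-SHA256 counter-mode keystream stands in for it as an assumption of this example; the function names, iteration count and sample export are likewise constructed for illustration.

```python
import hashlib, hmac, os, zlib

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this sketch)

def _keys(passphrase: str, salt: bytes):
    """Derive separate encryption and MAC keys from the user's passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for AES-CTR, which the stdlib lacks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(export: bytes, passphrase: str) -> bytes:
    """Compress, encrypt, then MAC. Runs on the client; the result is what gets uploaded."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    data = zlib.compress(export)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    body = salt + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(blob: bytes, passphrase: str) -> bytes:
    """Verify the MAC before decrypting; a wrong passphrase fails here, with no recovery path."""
    if len(blob) < 64:  # 16-byte salt + 16-byte nonce + 32-byte tag
        raise ValueError("blob too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or corrupted blob")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return zlib.decompress(plain)

def server_search(stored: bytes, term: bytes) -> bool:
    """All a storage host can do without the key: scan the bytes it was given."""
    return term in stored

# Constructed sample standing in for an exported notes file.
SAMPLE_EXPORT = b"<en-export><note><title>Tax return 2011</title></note></en-export>"
```

The host can index `SAMPLE_EXPORT` when it is uploaded as-is, but a search over the output of `seal()` finds nothing, which is the trade-off between searchability and meaningful encryption that the thread describes.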
