
(Archived) note privacy?


iface-patrick

Idea

17 replies to this idea


  • Level 5*

GM, your response is indicative of the problem.

You provided 7 sources. We need one single source.

Why? The more sources the better, in my opinion.

I see. So you are from the "why not use 1000 words when you only need 10" camp? :ph34r:

Burying the main facts among thousands of useless or unimportant words has long been the mainstay of lawyers who want to hide things from you.

Personally, I hate verboseness, and I think most people do. That's why most never read the many, many pages of fine print in the TOS.

On the other hand, I fully appreciate how hard it is to be complete and accurate while being succinct at the same time.

As Blaise Pascal wrote "I have written you a long letter because I did not have time to write a short one."

Link to comment
  • Level 5*

The TOS and Privacy Policy is at the bottom of every page . . .

I agree that if you really look hard for the TOS you can find it.

All I'm suggesting is that since Evernote strongly makes the point of saving ALL of your memories/information in Evernote, they have an opportunity to be the outstanding corporate citizen, and maybe help forge a new standard, if they would post a caution (in the feature section) for prospective new users about storing sensitive (medical, legal, financial, logins/passwords, personal IDs, etc) in Evernote.

BTW, a sale for $0 is still a sale.

Link to comment
  • Level 5*

The TOS and Privacy Policy is at the bottom of every page, the same as it is on most company sites. Go ahead, give it a try on your favorite good corporate citizen's site. I bet it will be there too, and probably not as clearly written.

Three words on the website one click away from the main page, in interviews, on podcasts, and on the forums. It seems pretty well-done to me. And, it's not about sales, is it? Evernote is free. It is about making a good website that gets people where they want to go.

Anyhow, I think I have made my point the best that I can. I see that you don't agree, and that is cool. Evernote staff read these posts and participate on the forums (so much for that evil corporate citizen thing), and maybe you have persuaded them, so we might see the changes you want.

Back to the topic: your notes are private unless you choose to make them public. Enjoy!

Link to comment
  • Level 5*

Why not do something? Because their goal probably isn't to educate netizens about the hazards of cloud computing. I think they probably want to move users from discovery to use as smoothly as possible.

This is probably the goal of every salesman on the planet.

Sure, just buy my product/service and don't worry about any limitations.

This is exactly what I mean by "buyer-beware", where the seller avoids clearly informing the potential buyer of limitations.

But, IMO, this is not the behavior of good corporate citizens who really care about their customers.

In fact it will help grow sales if you have a well-informed customer/buyer who will develop trust in you.

Evernote does not deny these limitations, they just don't make them easily available to new, potential users.

You didn't say where the "TOS" link could be found on the Home page, or product pages.

The effort for Evernote to provide a more visible statement about cautions/limitations of security is very small.

I don't see any downsides for Evernote to do this, but there are a number of upsides.

Link to comment
  • Level 5*

Why not do something? Because their goal probably isn't to educate netizens about the hazards of cloud computing. I think they probably want to move users from discovery to use as smoothly as possible.

After all, the site is there for both people who just want to download something, and for ones who want to wander around and explore more (users or not). I think there is a reason Amazon doesn't have a big warning banner on its front page telling you not to purchase books from disreputable sellers. Or, a warning to customers that the "purchase" of any Kindle book is actually a "rental", because they have no right to sell it or (for example) leave it for their wife and children if they pass away unexpectedly -- the only entity that "owns" the book is their account. Yet, people survive and find the site navigable nonetheless.

If people want to learn more about privacy and security from Evernote, they can scroll to the bottom of just about any page on any major site and find information there. It's not "hidden" as you claim. It's exactly where we are accustomed to seeing it.

Link to comment
  • Level 5*

As for the placement, I think it is fairly standard for people concerned with privacy to visit the TOS or privacy policies.

. . .

The three laws are boldly displayed at the very top of the TOS, and there is a link to a blogpost with a message from the CEO. What would you prefer instead?

Where do you see a link to the TOS?

Just because everyone else is doing something wrong (or poorly) is not justification for Evernote to do the same.

Let's put the question the other way around: Why shouldn't Evernote make the concern of storing sensitive data more obvious?

IMO, this would NOT significantly reduce sales (or adoption), but might save many users the painful experience of learning about this much later, maybe when it is too late. Anyone who finds this unacceptable will quit using Evernote later when they discover this issue.

If, in fact, Evernote really wants to have the policies of a 100-year company, they could go one further step and provide the user with easy to understand and use options for encrypting their data prior to storing in Evernote. I know this has been done in the Forum, but it's hard to find.

What I would like to see is a link to Security/Privacy displayed at the same level as features on the Home page.

Then, when a user chooses to subscribe, provide a caution notice that their data is NOT encrypted.

I don't really care, nor is it relevant, whether or not Dropbox or Google do the same.

Link to comment
  • Level 5*

JM. Are you serious in your criticism, or are you just playing around trying to make Evernote look bad in this regard?

GM, I am not playing around, or trying to make EN look bad.

I'm being practical.

Pretend you are a new user, and know nothing about Evernote.

Go to the EN home page.

After clicking around for a while, I see nothing about security or privacy.

I do see Evernote making these statements:

  • "Remember everything"
  • Video: "Life is full of experiences, and Evernote helps you capture them all"

OK, after taking yet another look on the home page, I finally discover a link "Privacy Policy" hidden in very small, low-contrast, hard-to-read text at the bottom of the page:

EN_Privacy_Link_Home_Page.png

This link goes to literally the "fine print" page of very small text in low-contrast, hard-to-read, text.

Finally on page 3 Evernote *does* issue a caution about *transmitting* your data to Evernote:

Evernote_Security.png

Nowhere do I see any cautions about storing sensitive information in Evernote.

As I mentioned above, I would like to see revisions done to the website as well. Sure, larger fonts, better contrast, mobile friendly, etc. would be nice.

As for the placement, I think it is fairly standard for people concerned with privacy to visit the TOS or privacy policies. In the general news, for example, not just the tech stuff, we regularly hear about Google's privacy policy or Facebook's. It's all available, but just like those two major sites, they don't throw it in your face when you visit. Wouldn't it be funny if Facebook warned you not to put sensitive data on their site? LOL :)

The three laws are boldly displayed at the very top of the TOS, and there is a link to a blogpost with a message from the CEO. What would you prefer instead?

Link to comment
  • Level 5*

JM. Are you serious in your criticism, or are you just playing around trying to make Evernote look bad in this regard?

GM, I am not playing around, or trying to make EN look bad.

I'm being practical.

Pretend you are a new user, and know nothing about Evernote.

Go to the EN home page.

After clicking around for a while, I see nothing about security or privacy.

I do see Evernote making these statements:

  • "Remember everything"
  • Video: "Life is full of experiences, and Evernote helps you capture them all"

OK, after taking yet another look on the home page, I finally discover a link "Privacy Policy" hidden in very small, low-contrast, hard-to-read text at the bottom of the page:

EN_Privacy_Link_Home_Page.png

This link goes to literally the "fine print" page of very small text in low-contrast, hard-to-read, text.

Finally on page 3 Evernote *does* issue a caution about *transmitting* your data to Evernote:

Evernote_Security.png

Nowhere do I see any cautions about storing sensitive information in Evernote.

Link to comment
  • Level 5*

JM. Are you serious in your criticism, or are you just playing around trying to make Evernote look bad in this regard?

The three laws are pretty succinct, they are spelled out clearly at the top of the TOS (http://evernote.com/tos/), they have a link to the laws from one of the ads in the Evernote app, they mention them in podcasts, they mention them in interviews, and bloggers frequently quote them. How much more succinct can you get than three words?

Your data is:

yours

protected

portable

http://blog.evernote.com/2011/03/24/evernote’s-three-laws-of-data-protection/

As for having multiple explanations, I don't think the issue is one of succinctness. It is one of addressing several audiences: the IT guys at a company who have to evaluate its security, third party developers wondering what the rules are, uber-paranoid users, etc. The three laws are enough for some, but too few for others.

Although I do want to see the home page at Evernote improved, and links to stuff like this made clearer, it is pretty good now: if you want to know about privacy, click the "Privacy Policy" link. I don't know of any company with such a clear, concise, and well-publicized policy like the three laws, so I am a little befuddled by your criticism.

Link to comment

Evernote employees in charge of security posting on the forums don't count as official?

IMO, no.

The forum is a place for discussion. As often stated, it is a "users forum"

Yes, this is a user's forum. But as you well know, many EN employees post here. There's no reason something posted by Dave (CTO of Evernote) or Heather would be any less "official" if it's posted in the forum. So, in addition to what GM already posted up, here you go (emphasis mine):

Yes, "can't search encrypted content" is an intentionally abbreviated reply. The longer version would be:

If a server has access to encrypted data, and access to the keys required to decrypt that data (for searching, display on the web, etc.), then anyone who successfully attacks that server has access to your data. If someone can gain control of that server, then the encryption has absolutely no value (other than making things slightly inconvenient). The attacker can make the server decrypt the data and read whatever she wants.

Meaningless encryption offers the illusion of security, which is frequently more dangerous than intentionally and transparently omitting encryption.

The only "meaningful" encryption would require that Evernote does not have a copy of the keys to decrypt the data at all. I.e. we just store a big blob of data that can only be decrypted by a client that has the keys. This would mean: no web interface, no "thin" mobile clients, no image processing/OCR, etc. If you lose/forget your personal encryption key/passphrase, then your data is basically unrecoverable (since Evernote doesn't keep a copy of the key).

This is actually what we do for the "encryption" feature within Evernote ... if you select some text in a note and encrypt it, that is encrypted with your passphrase, and Evernote does not have any secret "back door" to read your encrypted data. This is why you can't search for the contents of encrypted regions from the web ...

I.e. you're talking about an opaque file storage service, like one of the secure backup services. Not "Evernote." While these sorts of services have their place, that's not what Evernote's consumer service aims to be.

And as GM said, the more places it's posted the better. Otherwise, I'm sure uh, someone, would come along later & complain that it was only posted in one place & should be posted many places so people can easily find it. Just sayin'

Link to comment
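The client-held-key model described in the quoted Evernote reply above, as an added example that is not part of the original thread and not Evernote's code. The function names, the stored record layout, and the choice of scrypt with AES-256-GCM are assumptions made for illustration; it shows that the server can neither search nor recover a note sealed with a passphrase it never sees.

```javascript
// Added illustration; function names and the record layout are assumptions,
// not Evernote's actual format.
const nodeCrypto = require("crypto");

// Client side: derive a key from the passphrase and seal the note.
function clientEncrypt(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = nodeCrypto.scryptSync(passphrase, salt, 32);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, iv, tag: cipher.getAuthTag(), ct }; // all the server ever stores
}

// Client side: only someone holding the passphrase can open the record.
function clientDecrypt(passphrase, rec) {
  const key = nodeCrypto.scryptSync(passphrase, rec.salt, 32);
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, rec.iv);
  d.setAuthTag(rec.tag);
  try {
    return Buffer.concat([d.update(rec.ct), d.final()]).toString("utf8");
  } catch {
    return null; // wrong or lost passphrase: nothing to recover
  }
}

// Server side: it holds the stored bytes but no key, so search sees only ciphertext.
function serverSearch(store, term) {
  const needle = Buffer.from(term, "utf8");
  return store.filter((rec) =>
    [rec.salt, rec.iv, rec.tag, rec.ct].some((b) => b.includes(needle))
  ).length;
}

// Client side: search works only after local decryption.
function clientSearch(store, passphrase, term) {
  return store.filter((rec) => (clientDecrypt(passphrase, rec) || "").includes(term)).length;
}

// Constructed sample notes.
const PASS = "correct horse battery staple";
const store = [
  clientEncrypt(PASS, "Passport number is in the blue folder"),
  clientEncrypt(PASS, "Grocery list: eggs, flour"),
];
```
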
  • Level 5

Thanks for the links GumpyMonkey. I added them to my Evernote security notes.

The Evernote write up, that I preferred, gave me some understanding but did not bury me in overly technical details. Unfortunately it is severely out of date now. (dated 2008)

http://blog.evernote...y-and-security/

Ahh, the good old days with "Mr. Openness" Dave Engberg. Times have changed a lot at Evernote since Dave moved upstairs.

Phil Libin posted a more generic higher level write up 18 months ago

http://blog.evernote...ata-protection/

Documentation has never been Evernote's strong suit.

This forum and general word-of-mouth seems to be Evernote's marketing preference.

Link to comment
  • Level 5*

GM, your response is indicative of the problem.

You provided 7 sources. We need one single source.

Why? The more sources the better, in my opinion. People don't find it (I guess) because they are unfamiliar with the service, not because Evernote talks too much about it. I do agree that Evernote could make links to their security and privacy policies more prominent, but maybe that will come in the next update to the home page (I think we can all agree that it could use a lot of work). I suppose the most official sources would be the ones linked off of the main page, and the ones that Evernote asks you to read if you want to know about security and privacy:

http://evernote.com/privacy/

http://evernote.com/tos/

http://blog.evernote.com/2011/03/24/evernote%E2%80%99s-three-laws-of-data-protection/

Link to comment
  • Level 5*

Where is the official (outside of this forum) Evernote statement on security?

Evernote employees in charge of security posting on the forums don't count as official?

IMO, no.

The forum is a place for discussion. As often stated, it is a "users forum"

All of us need a *single*, official, clear source published by Evernote regarding what security is provided, and not provided.

The need of this is clear by the numbers of questions we get in these forums.

Forum threads tend to wander about, and are rarely complete, authoritative statements.

They are almost never succinct.

GM, your response is indicative of the problem.

You provided 7 sources. We need one single source.

Link to comment
  • Level 5*

Where is the official (outside of this forum) Evernote statement on security?

Evernote employees in charge of security posting on the forums don't count as official?

TOS

https://evernote.com/tos/

Evernote podcasts (1, 10, and others)

http://www.princeton.edu/~cmayo/evernote-multimedia.html

Evernote ETC (videos to be posted at some point)

http://www.youtube.com/user/EvernoteAndrew?feature=watch (here?)

Evernote tech blog

http://blog.evernote.com/tech/2012/04/24/security-enhancements-for-third-party-authentication/

http://blog.evernote.com/2008/04/15/evernote-privacy-and-security/

http://blog.evernote.com/tech/

http://blog.evernote.com/2011/08/22/the-big-evernote-for-ios-update/

There are also videos, interviews, etc. Did you have a specific question about security statements?

Link to comment

If you mean are they "public", no, unless you intentionally share them that way.

If you mean hackers or if your computer gets stolen, please search the board on security and/or encryption since this has been discussed a lot. Even as recently as this past week.

Link to comment

Archived

This topic is now archived and is closed to further replies.
