Jump to content

Idea

Recommended Posts

  • 0

I am just going to +1 this topic.  

 

Given how awesome Evernote is otherwise and given that it is my defacto cloud-based-brain, I really need to be able to encrypt entire notes or notebooks.  Encrypting just the text is not enough, there's too much sensitive information stored in non-text formats these days.

 

I hope when they do release it that it's a standard feature, but if it was a premium feature, it would probably be a tipping point for me to go premium.

 

Any word on their progress with launching this feature?

  • Like 3

Share this post


Link to post
  • 0

I am just going to +1 this topic.  

 

Given how awesome Evernote is otherwise and given that it is my defacto cloud-based-brain, I really need to be able to encrypt entire notes or notebooks.  Encrypting just the text is not enough, there's too much sensitive information stored in non-text formats these days.

 

I hope when they do release it that it's a standard feature, but if it was a premium feature, it would probably be a tipping point for me to go premium.

 

Any word on their progress with launching this feature?

No word, yet. My opinion is that this ought to be standard (it is with other note-taking apps on the Mac like DevonThink, nvALT, and VoodooPad). However, if it was a Premium feature, that would be fine with me as well.

Share this post


Link to post
  • 0

No word, yet. My opinion is that this ought to be standard (it is with other note-taking apps on the Mac like DevonThink, nvALT, and VoodooPad). However, if it was a Premium feature, that would be fine with me as well.

It's not for me to say. But I'd guess if it were premium, it would spawn a whole 'nuther rant theme similar to the one(s) that offline notebooks should not be a premium feature.

Share this post


Link to post
  • 0

No word, yet. My opinion is that this ought to be standard (it is with other note-taking apps on the Mac like DevonThink, nvALT, and VoodooPad). However, if it was a Premium feature, that would be fine with me as well.

It's not for me to say. But I'd guess if it were premium, it would spawn a whole 'nuther rant theme similar to the one(s) that offline notebooks should not be a premium feature.

True. I don't envy Evernote's task of deciding what goes with Premium and what doesn't. Their notebook sharing policy might give a clue, though. Free=encrypt one notebook. Premium=encrypt up to 250?

  • Like 1

Share this post


Link to post
  • 0

EN needs to give the option of encryption for notebook level at least.  If not people are not going to be able to trust the integrity of their notes.  I really don't want to start using another tool but the reasons for encryption seem to be growing.

Share this post


Link to post
  • 0

EN needs to give the option of encryption for notebook level at least.  If not people are not going to be able to trust the integrity of their notes.  I really don't want to start using another tool but the reasons for encryption seem to be growing.

 

I agree. At the moment, I've split my notes up into confidential (VoodooPad) / non-confidential (Evernote) because I need secure access to my notes on iOS. It works pretty smoothly, and it isn't a big deal (especially with my workflow), but I think the more options the better for everyone.

http://www.christopher-mayo.com/?p=1605

 

If you are only using a single desktop, of course, Evernote's local notebooks are a secure solution, because they do not sync to the cloud. I used this solution for a long time and accessed these notes through a remote login, but (as I talk about on the post above), this is no longer an appealing option for me. 

 

Looking forward to Evernote's "sexy" encryption solution :)

  • Like 1

Share this post


Link to post
  • 0

+1 for encrypting entire notebooks. This feature would be so useful, especially when considering EverNote for business. I'm currently not a paying customer. I would consider becoming one for this feature alone, if it was done right (i.e. encrypted on the client side, and no, I don't want you to be able to recover my content if I forget the key). With this feature, I'm sure more business user would consider paying for this product.

  • Like 1

Share this post


Link to post
  • 0

+1 for encrypting entire notebooks. This feature would be so useful, especially when considering EverNote for business. I'm currently not a paying customer. I would consider becoming one for this feature alone, if it was done right (i.e. encrypted on the client side, and no, I don't want you to be able to recover my content if I forget the key). With this feature, I'm sure more business user would consider paying for this product.

 

I agree. Encryption on the client side, zero-knowledge (only I have the key and can un-encrypt it), and at the notebook level (one text passage at a time won't cut it) would be perfect for my needs. I think it is a pretty critical feature to have these days -- it's been a year since the Snowden leaks and I am sure some people are wondering why Evernote hasn't done it yet. Then again, hardly anyone else has either! My guess is that this is easier said than done. Still, it is worth the effort, and I sure hope we get the encryption soon.

  • Like 2

Share this post


Link to post
  • 0

+1

Evernote, please add full-notebook encryption. 

 

I'm a lawyer.  The law on attorney-client and work product privilege requires me to keep client information confidential.  If there's no encryption, and my notes are in plaintext, I can't guarantee that doesn't break privilege.  This is the case for every lawyer in the US, so until you add full-notebook encryption, using your product for serious work puts us and our clients at risk.  The limited encryption you do offer is cumbersome and it breaks search--sufficiently crippled so as to make the whole product not worth it.

 

More broadly, the lack of practical encryption also calls into question whether stuff saved to evernote qualifies for trade secret protection. That's because trade secret law requires you keep your trade secrets, well, secret.  No encryption = no confidentiality = good bye trade secret.

 

I suppose you could have Chris Dahl issue an opinion letter stating that your product doesn't break privilege or waive trade secret protection, with an offer to indemnify your users in the event that turns out to not be true.  But I suspect he wouldn't be ok with that...

Share this post


Link to post
  • 0

+1

Evernote, please add full-notebook encryption. 

 

I'm a lawyer.  The law on attorney-client and work product privilege requires me to keep client information confidential.  If there's no encryption, and my notes are in plaintext, I can't guarantee that doesn't break privilege.  This is the case for every lawyer in the US, so until you add full-notebook encryption, using your product for serious work puts us and our clients at risk.  The limited encryption you do offer is cumbersome and it breaks search--sufficiently crippled so as to make the whole product not worth it.

 

While I agree with and support your request as a fellow user who also handles confidential data, it is not Evernote that is putting your clients at risk, it is you who is putting your clients at risk by using Evernote. For data that is this sensitive, there are other alternatives. 

  • Like 1

Share this post


Link to post
  • 0

+1

Evernote, please add full-notebook encryption. 

 

I'm a lawyer.  The law on attorney-client and work product privilege requires me to keep client information confidential.  If there's no encryption, and my notes are in plaintext, I can't guarantee that doesn't break privilege.  This is the case for every lawyer in the US, so until you add full-notebook encryption, using your product for serious work puts us and our clients at risk.  The limited encryption you do offer is cumbersome and it breaks search--sufficiently crippled so as to make the whole product not worth it.

 

More broadly, the lack of practical encryption also calls into question whether stuff saved to evernote qualifies for trade secret protection. That's because trade secret law requires you keep your trade secrets, well, secret.  No encryption = no confidentiality = good bye trade secret.

 

I suppose you could have Chris Dahl issue an opinion letter stating that your product doesn't break privilege or waive trade secret protection, with an offer to indemnify your users in the event that turns out to not be true.  But I suspect he wouldn't be ok with that...

 

Hi. Welcome to the forums!

 

To follow up on what Scott said, I recommend you consider some of the powerful tools you have available at the moment to ensure you are fulfilling your obligations.

 

1. Local notebooks in Evernote

http://www.christopher-mayo.com/?p=425

 

2. Alternative apps for sensitive information on mobile

http://www.christopher-mayo.com/?p=1605

 

I very much want to see Evernote implement encryption (zero-knowledge at the notebook level), but they don't right now, and they make it clear in their terms of service what the current limits are for the service. As users, we have to make sure we have chosen the best app for our use cases. 

Share this post


Link to post
  • 0

 

To follow up on what Scott said, I recommend you consider some of the powerful tools you have available at the moment to ensure you are fulfilling your obligations.

 

1. Local notebooks in Evernote

http://www.christopher-mayo.com/?p=425

 

2. Alternative apps for sensitive information on mobile

http://www.christopher-mayo.com/?p=1605

 

I very much want to see Evernote implement encryption (zero-knowledge at the notebook level), but they don't right now, and they make it clear in their terms of service what the current limits are for the service. As users, we have to make sure we have chosen the best app for our use cases. 

 

 

Thanks Christopher, this is very helpful!

Share this post


Link to post
  • 0

 

 

To follow up on what Scott said, I recommend you consider some of the powerful tools you have available at the moment to ensure you are fulfilling your obligations.

 

1. Local notebooks in Evernote

http://www.christopher-mayo.com/?p=425

 

2. Alternative apps for sensitive information on mobile

http://www.christopher-mayo.com/?p=1605

 

I very much want to see Evernote implement encryption (zero-knowledge at the notebook level), but they don't right now, and they make it clear in their terms of service what the current limits are for the service. As users, we have to make sure we have chosen the best app for our use cases. 

 

 

Thanks Christopher, this is very helpful!

 

 

Thanks for these tips!  Local notebooks are ok, but I really want it on my phone too... Looks like both Voodoo and Devon are iOS only, any recommendations for Android?  Maybe local notebooks + BoxCryptor?

 

Scott--your point is well taken, and for that reason I *can't* use evernote for any sensitive material, despite all indications being that the efficiency boost might be life-changing.  But having lurked on the sidelines for years over this issue, I thought I'd speak up with a couple of specific user stories on why full-notebook encryption should be moved up in EN's development backlog.  In the meantime, I will continue watching and waiting...

  • Like 2

Share this post


Link to post
  • 0

To follow up on what Scott said, I recommend you consider some of the powerful tools you have available at the moment to ensure you are fulfilling your obligations.

1. Local notebooks in Evernote

http://www.christopher-mayo.com/?p=425

2. Alternative apps for sensitive information on mobile

http://www.christopher-mayo.com/?p=1605

I very much want to see Evernote implement encryption (zero-knowledge at the notebook level), but they don't right now, and they make it clear in their terms of service what the current limits are for the service. As users, we have to make sure we have chosen the best app for our use cases.

Thanks Christopher, this is very helpful!

Thanks for these tips! Local notebooks are ok, but I really want it on my phone too... Looks like both Voodoo and Devon are iOS only, any recommendations for Android? Maybe local notebooks + BoxCryptor?

Scott--your point is well taken, and for that reason I *can't* use evernote for any sensitive material, despite all indications being that the efficiency boost might be life-changing. But having lurked on the sidelines for years over this issue, I thought I'd speak up with a couple of specific user stories on why full-notebook encryption should be moved up in EN's development backlog. In the meantime, I will continue watching and waiting...

Thanks for speaking up! I have no answers for Android. Sorry. My Samsung phone is not getting a whole lot of note-taking use because there doesn't appear to be anything wih convenient encryption (I assume a handful of notes is doable on an app somewhere, but I see nothing remotely able of handling hundreds or thousands of notes,). It's too bad, but it looks like this market (note-taking across platforms with encryption) is extremely under-developed at the moment. Even if I had an iPhone, the options are shockingly limited with hundreds of thousands of apps in the stores :(

If Evernote can nail this, I think it will be a huge mark in their favor when people are comparing apps and considering which one they want to use.

  • Like 1

Share this post


Link to post
  • 0

Evernote IS the best at what it does.  Nothing else comes close...trust me, I have searched.

 

Third party app integration is excellent.  Sync works great.  It's available for almost every platform.

 

So instead of waiting on the encryption, I have started using Local Notebooks more...and not sending docs to EN via File This Fetch. (Use the Mac instead.)

 

Still hoping...

  • Like 1

Share this post


Link to post
  • 0

I suggest that Evernote add a new feature, lockable notebooks.  A locked notebook is one that cannot be opened without a password.  This way all notes in the notebook cannot be viewed.  If you want a note to be hidden from view, then simply move it into the notebook.  There is only one password to remember for all the notes in the notebook.  Locking individual notes is a pain and cannot be done on an iPad.  With this feature you can keep a private diary that is not easily viewed. 

 

I know that you can have a passcode lock for evernote for the iPad, but this would just be for one or a few notebooks.  The passcode would only be needed when working with those notebooks.

 

A search should not show a note that is in a locked notebook, but it could optionally indicate that a search result is in a locked notebook.  Or a search will only find a note that is in an unlocked notebook.

 

A notebook would stay unlocked for 5 minutes after the last viewing/ editing of a note in a locked notebook.  Or it could stay unlocked until the user switches to a new app (iOS) or closes the window (web) or quits the program (desktop).

  • Like 1

Share this post


Link to post
  • 0

I'll +1 that - it has been suggested before, with variations;  and I'm not sure how Evernote would engineer that (please don't tell me how they could..) but I can see it would be a bit of added protection for public use when a user might click the wrong notebook and open up something unexpected.

 

Against that there's the fact that you can lock your screen when you are away from your desk / keep a separate free account for private stuff and switch to/from it easily from Premium / or password protect note contents in a word-processor file to prevent accidental display.

 

Still,  the devs do read these posts...

Share this post


Link to post
  • 0

+1 For encryption on notebook level with zero knowledge

 

I'm surprised that a company like EN has such week security levels.

 

After reading a lot about NSA, Encryption, Heartbleed,... I think if your data is in the cloud and the government wants it, they will get it. Even if you use the best encryption methode. So my conclusion: If you want your data really safe, don't send it to the cloud.

  • Like 1

Share this post


Link to post
  • 0

+1 for notebook encryption!  Absolutely needed feature for being able to store sensitive info!

 

Share this post


Link to post
  • 0

Evernote, please add full-notebook encryption. 


 


I'm a psychologist and use my iPad for therapy session notes.  The law on psychologist-client and HIPAA requires me to keep client information confidential.  If there's no encryption, and my notes are in plaintext, I cannot send them to Evernote which is one of three options for exporting notes that my note-taking program allows.  This is the case for every medical professional in the US, so until you add full-notebook encryption, using your product for serious work is unacceptable. I realize that many users do not need this option and agree with others that I would be glad to pay an additional fee for encryption at the notebook level. Ideally I would be able to transfer the file to Evernote locally and then add it to an encrypted in Evernote to allow access wherever I am.


 


Hoping this will be a new feature soon!


  • Like 1

Share this post


Link to post
  • 0

Only allowing encryption on local notebook is not a viable option, I left NeatReceipts to go to the cloud and now that I am thinking about putting confidential information into Evernote, encryption would be key. I understand why EverNote doesn't want to give us this ability, but we should still keep pushing for it.

 

Maybe they will throw us a bone and allow us to encrypt and protect specific notes/documents via an encryption password that would be only known to the user.....we all understand that encryption can be broken, but a targeted attack would be unlikely......an attack that grabs unencrypted data will happen, it is only a matter of time.

 

EverNote, give us some level of protection for our sensitive data

Share this post


Link to post
  • 0

Only allowing encryption on local notebook is not a viable option, I left NeatReceipts to go to the cloud and now that I am thinking about putting confidential information into Evernote, encryption would be key. I understand why EverNote doesn't want to give us this ability, but we should still keep pushing for it.

 

Maybe they will throw us a bone and allow us to encrypt and protect specific notes/documents via an encryption password that would be only known to the user.....we all understand that encryption can be broken, but a targeted attack would be unlikely......an attack that grabs unencrypted data will happen, it is only a matter of time.

 

EverNote, give us some level of protection for our sensitive data

 

1) It is not clear to me that DOESN'T want us to encrypt our data. Granted, encrypting our data with no serverside knowledge of the encryption would prevent any server side services like OCR.... but again I don't think Evernote is against the possibility of users encrypting. 

 

2) Evernote does give us some level of protection for our sensitive data. In the desktop clients users can select any amount of text and encrypt it. Web and mobile apps can decrypt any encrypted text. So, they do give SOME protection.

 

3) I imagine increasing security is on Evernote's radar, especially with their push into business, but offering the server side processing and cross-platform features they do will be hard to juggle with intensification of encryption, so it is not something that they can just jump into willy nilly. 

Share this post


Link to post
  • 0

I will be clear as to what I want:

 

I want my data synchronized with the online (cloud) version in a way that only I can access while logged in. I want the data to be encrypted on your server in a way that no one can access the data without the encryption key. You can use an encryption algorithm that uses the login password to create the encryption key.

 

I want the data at rest on your servers to be encrypted and secure so that if there is an EverNote security breech, I will know that my data is safe. If that means that EverNote can't use data mining against my data, so be it, but that might limit EverNote's revenue if they are monetizing our data in ways similar to the way Google does....i.e. targeted Ads

Share this post


Link to post
  • 0

I don't believe Evernote does much in the way of data mining. They aren't an ad company like google. Most of their need to access your information is so that it can be processed by their OCR system and any indexin it does on the server. These aren't really revenue generators for them.

Your concern about a breach is valid, and Evernote isn't trailing too far behind any other mainstream cloud service provider. Definitely there is room for Evernote and many others to improve, but I really don't think we'll see zero-knowledge encryption, at least not any time soon.

Anything that is really that sensitive should perhaps not be out in ANYBODY'S cloud. Even the best of companies have proven to be vulnerable.

In the mean time, documents that are sensitive could be encrypted by you before adding to Evernote, that will keep those contents reasonably safe.

I am curious thoug, what is it that makes you think Evernote is generating money off users' Evernote contents? Is there something in their terms of service or their privacy policy? Have they started an ad agency a la google that I haven't heard about?

Share this post


Link to post
  • 0
The post about data mining is not mine. I wrote:
 

Evernote, please add full-notebook encryption. 

 

I'm a psychologist and use my iPad for therapy session notes.  The law on psychologist-client and HIPAA requires me to keep client information confidential.  If there's no encryption, and my notes are in plain text, I cannot send them to Evernote which is one of three options for exporting notes that my note-taking program allows.  

 

This is the case for every medical professional in the US, so until you add full-notebook encryption, using your product for serious work is unacceptable. I realize that many users do not need this option and agree with others that I would be glad to pay an additional fee for encryption at the notebook level. Ideally I would be able to transfer the file to Evernote locally and then add it to an encrypted in Evernote to allow access wherever I am.

 

  • Thanks 1

Share this post


Link to post
  • 0

I will be clear as to what I want:

 

I want my data synchronized with the online (cloud) version in a way that only I can access while logged in. I want the data to be encrypted on your server in a way that no one can access the data without the encryption key. You can use an encryption algorithm that uses the login password to create the encryption key.

 

I want the data at rest on your servers to be encrypted and secure so that if there is an EverNote security breech, I will know that my data is safe. If that means that EverNote can't use data mining against my data, so be it, but that might limit EverNote's revenue if they are monetizing our data in ways similar to the way Google does....i.e. targeted Ads

Evernote does not data mine.

If your data is encrypted on the EN servers, it cannot be indexed, which is a big part of Evernote's appeal. If you say to use your logon password as part of the encryption password, then that's not much more secure than no encryption. You may find this old thread informative.

Share this post


Link to post
  • 0

BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?

 

I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?

 

If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?

 

These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.

 

We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.

Share this post


Link to post
  • 0

BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?

I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?

If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?

These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.

We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.

Please read the thread I linked to above. It's thorough & I'm not inclined to rewrite what I've already written. If you want a simple yes/no answer, then it's really simple...if you don't want a hacker getting your data, then don't put it in any cloud unless it is encrypted with an encryption key that is not known to the hosting company. I use Amazon S3 servers for this. But Evernote is not a backup app...it indexes your data & cannot do this if the data is truly & securely encrypted.

Share this post


Link to post
  • 0

BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?

 

I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?

 

If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?

 

These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.

 

We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.

 

Hi. The data is not encrypted on Evernote's servers. It would be nice if they did encrypt it, but I don't want Evernote (or anyone else) to have the key, so I am hoping that if/when they implement a more powerful encryption method that it is "zero knowledge."

Share this post


Link to post
  • 0

The post about data mining is not mine. I wrote:

 

Evernote, please add full-notebook encryption. 

 

I'm a psychologist and use my iPad for therapy session notes.  The law on psychologist-client and HIPAA requires me to keep client information confidential.  If there's no encryption, and my notes are in plain text, I cannot send them to Evernote which is one of three options for exporting notes that my note-taking program allows.  

 

This is the case for every medical professional in the US, so until you add full-notebook encryption, using your product for serious work is unacceptable. I realize that many users do not need this option and agree with others that I would be glad to pay an additional fee for encryption at the notebook level. Ideally I would be able to transfer the file to Evernote locally and then add it to an encrypted in Evernote to allow access wherever I am.

I don't believe anyone said you wrote about data mining...???

Evernote is not & I doubt they ever will be HIPAA compliant, which I believe is a requirement for the medical industry.

Share this post


Link to post
  • 0

 

The post about data mining is not mine. I wrote:
 

Evernote, please add full-notebook encryption. 

 

I'm a psychologist and use my iPad for therapy session notes.  The law on psychologist-client and HIPAA requires me to keep client information confidential.  If there's no encryption, and my notes are in plain text, I cannot send them to Evernote which is one of three options for exporting notes that my note-taking program allows.  

 

This is the case for every medical professional in the US, so until you add full-notebook encryption, using your product for serious work is unacceptable. I realize that many users do not need this option and agree with others that I would be glad to pay an additional fee for encryption at the notebook level. Ideally I would be able to transfer the file to Evernote locally and then add it to an encrypted in Evernote to allow access wherever I am.

 

Yes, to be absolutely clear, my post was not directed toward you, and I never claimed it was you writing about data mining. I was responding to EvernoteUser78 whose post is directly above mine. 

 

 

And, as BnF suggested, if you are keeping medical notes, I would absolutely NOT put that data in the cloud if it could be avoided.

 

You might consider DEVONThink, which has some facilities for LAN sync, so you can keep several devices in sync via your local network rather than transmitting your data over the internet. Now, you'd have to ensure you have a very secure (hopefully offsite) backup as well, since there is no centralized storage like with Evernote. But, you'd also have to make sure you are complying with whatever regulatory requirements you are bound by with respect to storing patients' data. 

 

Share this post


Link to post
  • 0

BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?

 

I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?

 

If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?

 

These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.

 

We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.

 

As we have seen in the last few years, even some of the most robustly secured cloud services are vulnerable when hacking occurs. This is not to excuse Evernote's current state of security, which is not terribly different than a lot of mainstream cloud providers, and could be improved. Rather what I am saying is that ANY cloud is vulnerable when hacking occurs. In most cases, even highly secured cloud storage services will be compromised, it just takes longer. 

 

EDIT (OOPS this time I really did get my posts mixed up!) 

 

Keep in mind that data mining and being hacked are two very different types of events. 

 

You (and others in this thread) might also be interested in this blog post from several years ago:

Evernote's three laws of data protection

Share this post


Link to post
  • 0

So are we saying that "zero knowledge" encryption is too much to ask from a Premium EverNote offering?

 

Zero Knowledge would mean that EverNote would need a password that only the user knows to decrypt and access the data......essentially the data would be encrypted on the local computer or device before syncing to the cloud......emailing in notes may not be encrypted until later or never at all in this scenerio as the EN servers would handle the processing via email.

Share this post


Link to post
  • 0

So are we saying that "zero knowledge" encryption is too much to ask from a Premium EverNote offering?

 

Zero Knowledge would mean that EverNote would need a password that only the user knows to decrypt and access the data......essentially the data would be encrypted on the local computer or device before syncing to the cloud......emailing in notes may not be encrypted until later or never at all in this scenerio as the EN servers would handle the processing via email.

 

To re-reiterate & be extremely clear..."zero knowledge" encryption is mutually exclusive from one of Evernote's main draws which is indexing your data.  So although they may add this in the future, it's not their main focus.  If you want total zero knowledge encryption, you should seek out a backup program.  There are several very good ones out there.  Evernote is not a backup program, nor are they striving to be.

 

There really is nothing more I have to add.

Share this post


Link to post
  • 0

So are we saying that "zero knowledge" encryption is too much to ask from a Premium EverNote offering?

 

Zero Knowledge would mean that EverNote would need a password that only the user knows to decrypt and access the data......essentially the data would be encrypted on the local computer or device before syncing to the cloud......emailing in notes may not be encrypted until later or never at all in this scenerio as the EN servers would handle the processing via email.

I don't think it is too much to ask. I think this could be very useful. There are a few things to consider though.

1) This would mean any data encrypted this way could not benefit from any server-side processing like OCR, or any of the features that require the server-side indexing. 

2) This would mean, as you have already noted, that data could be relatively easily lost, which could increase support load and require additional support resources. This isn't a reason not to do it, but it is a reason to be careful about how and when it is implimented.

3) I am not terribly knowledgeable about this kind of stuff, but I wonder if de/encrypting might be difficult to implement on all of the mobile platforms that Evernote supports? As such there would have to be careful consideration about how to negotiate this sort of thing and make sure users are aware that, for example, they might not be able to access their encrypted data on the BB10 devices, or whatever. (AGAIN this is my ignorant speculation!).

4) I suspect decrypting would require that the entire note(book) content be downloaded and (temporarily) stored locally on mobile devices in order to be de/encrypted since this cannot be done server-side. This could be challenging for devices with limited space. It also means that anything encrypted would not be searchable on a mobile device unless it was downloaded in its entirety and then decrypted

 

Again, none of these are reasons NOT to do it, but the do suggest that there could be some significant complications associated with such a feature, and that less savvy users (and even some savvy users) might encounter some frustrating situations. 

Share this post


Link to post
  • 0

 

BurgersNFries - Are you saying that my data on the EN servers is only accessible to me? Are you saying that if someone hacked an EN server and grabbed data they would not be able to access the data without first breaking the encryption?

 

I want some level of comfort that the data is safe from all prying eyes but properly authenticated access via username/password. I use complex passwords and am willing to take the risk of someone hacking that password......I just don't know if the data is encrypted "at rest" on the servers, data in transit is encrypted, but what about at rest?

 

If someone grabbed the database from an EN server, would that database require years of computing power to decrypt?

 

These should be simple questions to answer yes or no.....there are many cloud backup providers, some provide users with the ability to use personal encryption password keys to ensure that the data is encrypted at rest......of course if the users forget these passwords, the data is not accessible by the user or the vendor.....this is the type of security we are asking for and willing to pay for.

 

We all love EN and want to put more and more data there, but we need to be sure that the data is properly secured.

 

As we have seen in the last few years, even some of the most robustly secured cloud services are vulnerable when hacking occurs. This is not to excuse Evernote's current state of security, which is not terribly different than a lot of mainstream cloud providers, and could be improved. Rather what I am saying is that ANY cloud is vulnerable when hacking occurs. In most cases, even highly secured cloud storage services will be compromised, it just takes longer. 

 

EDIT (OOPS this time I really did get my posts mixed up!) 

 

Keep in mind that data mining and being hacked are two very different types of events. 

 

You (and others in this thread) might also be interested in this blog post from several years ago:

Evernote's three laws of data protection

 

The three laws of data protection is a great post, I'm not sure if the comment about not knowing or asking for our passwords bring us to a state of "zero knowledge", but it helps bring a bit more comfort.

 

EverNote is not HIPPA compliant, and as you stated, may never be.

 

Clouds are all vulnerable, but when proper security protocols are in place it can be deemed safe, there are plenty of HIPPA compliant SaaS (Cloud) offerings. Hospitals and other medical operators use them, so having a roadmap or strategy to get there would be nice.

 

When organizations look at their tens of thousands of pages (if not hundreds of thousands or even millions), having a premium service like EverNote there to help with cloud storage and  indexing would be fantastic. If it is technical hurdle to allow for "zero knowledge" and still provide indexing, that shouldn't be a hurdle that the brilliant minds at EverNote can't figure out.

 

I have faith, there will be a service like this in the near future. 

Share this post


Link to post
  • 0

 

So are we saying that "zero knowledge" encryption is too much to ask from a Premium EverNote offering?

 

Zero Knowledge would mean that EverNote would need a password that only the user knows to decrypt and access the data......essentially the data would be encrypted on the local computer or device before syncing to the cloud......emailing in notes may not be encrypted until later or never at all in this scenerio as the EN servers would handle the processing via email.

I don't think it is too much to ask. I think this could be very useful. There are a few things to consider though.

1) This would mean any data encrypted this way could not benefit from any server-side processing like OCR, or any of the features that require the server-side indexing. 

2) This would mean, as you have already noted, that data could be relatively easily lost, which could increase support load and require additional support resources. This isn't a reason not to do it, but it is a reason to be careful about how and when it is implimented.

3) I am not terribly knowledgeable about this kind of stuff, but I wonder if de/encrypting might be difficult to implement on all of the mobile platforms that Evernote supports? As such there would have to be careful consideration about how to negotiate this sort of thing and make sure users are aware that, for example, they might not be able to access their encrypted data on the BB10 devices, or whatever. (AGAIN this is my ignorant speculation!).

4) I suspect decrypting would require that the entire note(book) content be downloaded and (temporarily) stored locally on mobile devices in order to be de/encrypted since this cannot be done server-side. This could be challenging for devices with limited space. It also means that anything encrypted would not be searchable on a mobile device unless it was downloaded in its entirety and then decrypted

 

Again, none of these are reasons NOT to do it, but the do suggest that there could be some significant complications associated with such a feature, and that less savvy users (and even some savvy users) might encounter some frustrating situations. 

 

 

In the technology world that we live in, very little is not possible......all of these issues can be worked out if it is an area of interest of the vendor.

 

Encrypted data may have to wait for a local sync to the user's computer before indexed and synced back. Users would have to accept the fact that maybe the data processing would have to take place locally as a 2nd stage encryption password may be envied to provide true "zero knowledge".

 

I think we have beaten this topic up enough. I am not sure who reads these blogs at EverNote, but I may reach out to the CTO and make the suggestion.

Share this post


Link to post
  • 0

 

 

So are we saying that "zero knowledge" encryption is too much to ask from a Premium EverNote offering?

 

Zero Knowledge would mean that EverNote would need a password that only the user knows to decrypt and access the data......essentially the data would be encrypted on the local computer or device before syncing to the cloud......emailing in notes may not be encrypted until later or never at all in this scenerio as the EN servers would handle the processing via email.

I don't think it is too much to ask. I think this could be very useful. There are a few things to consider though.

1) This would mean any data encrypted this way could not benefit from any server-side processing like OCR, or any of the features that require the server-side indexing. 

2) This would mean, as you have already noted, that data could be relatively easily lost, which could increase support load and require additional support resources. This isn't a reason not to do it, but it is a reason to be careful about how and when it is implimented.

3) I am not terribly knowledgeable about this kind of stuff, but I wonder if de/encrypting might be difficult to implement on all of the mobile platforms that Evernote supports? As such there would have to be careful consideration about how to negotiate this sort of thing and make sure users are aware that, for example, they might not be able to access their encrypted data on the BB10 devices, or whatever. (AGAIN this is my ignorant speculation!).

4) I suspect decrypting would require that the entire note(book) content be downloaded and (temporarily) stored locally on mobile devices in order to be de/encrypted since this cannot be done server-side. This could be challenging for devices with limited space. It also means that anything encrypted would not be searchable on a mobile device unless it was downloaded in its entirety and then decrypted

 

Again, none of these are reasons NOT to do it, but the do suggest that there could be some significant complications associated with such a feature, and that less savvy users (and even some savvy users) might encounter some frustrating situations. 

 

 

In the technology world that we live in, very little is not possible......all of these issues can be worked out if it is an area of interest of the vendor.

 

Encrypted data may have to wait for a local sync to the user's computer before indexed and synced back. Users would have to accept the fact that maybe the data processing would have to take place locally as a 2nd stage encryption password may be envied to provide true "zero knowledge".

 

I think we have beaten this topic up enough. I am not sure who reads these blogs at EverNote, but I may reach out to the CTO and make the suggestion.

 

You are right, on a computer, you can rely on local processing (however, Evernote would have to write this into their desktop client, as currently this is all done server side, so this would be a bit of an undertaking).

 

Getting this to work at all on a mobile device will be considerably more challenging. 

 

Yes it can be done, perhaps it should be done, but if it is going to happen, it isn't going to happen tomorrow. 

Share this post


Link to post
  • 0

Sorry, but if I thought for even a second that *any* of my medical (or legal) data was stored on an app like Evernote, I would blow a gasket. If my records were hacked, it would be the doctor (lawyer) I went after.

Stopping here, before I explode.

Evernote, please add full-notebook encryption.

I'm a psychologist and use my iPad for therapy session notes. The law on psychologist-client and HIPAA requires me to keep client information confidential. If there's no encryption, and my notes are in plaintext, I cannot send them to Evernote which is one of three options for exporting notes that my note-taking program allows. This is the case for every medical professional in the US, so until you add full-notebook encryption, using your product for serious work is unacceptable. I realize that many users do not need this option and agree with others that I would be glad to pay an additional fee for encryption at the notebook level. Ideally I would be able to transfer the file to Evernote locally and then add it to an encrypted in Evernote to allow access wherever I am.

Hoping this will be a new feature soon!

  • Like 2

Share this post


Link to post
  • 0

It's not for me to say. But I'd guess if it were premium, it would spawn a whole 'nuther rant theme similar to the one(s) that offline notebooks should not be a premium feature.

 

As someone who really wants to see this feature, and having had interactions with others who are "freebie" Evernote users and feel like the free product is so good they have no need to upgrade, it's important that Evernote continue to add powerful and useful premium features to make it worth the money for people to upgrade.

 

As paying customers, it's not unreasonable for us to ask for features we'd like to see. If the leadership at Evernote wants to outright say "No!" to certain requests, they certainly can, but until they decline the feature request, people are going to keep asking. And I don't think there's anything wrong with that. :-)

Share this post


Link to post
  • 0

Paying or not, we all have a voice, and we're free to make suggestions here (or elsewhere). That's what the discussion boards are here for, and Evernote staff read all of it.

Personally, I think that encrypted notebooks are critical for Evernote to develop, because even the "average" user has significant needs for encryption (tax stuff, work stuff, bank statements, health records, your kid's report cards, and anything else that isn't anyone else's business). When you deal with other people's confidential information, it is even more important.

Yes, you can encrypt each file or text passage one by one (something I've recommended up until recently), but it is quite a pain when you are talking about hundreds or thousands of instances, and I'd sure like to see something more user friendly. My guess is that Evernote recognizes the necessity and is working hard on providing an elegant solution ("sexy" in their words) to the problem. I just hope that we see it sooner rather than later.

  • Like 3

Share this post


Link to post
  • 0

Hasn't soon left the barn long ago?

It was a year ago Phil put out the super sexy encryption quote with a tentative rollout years end (half a year ago now).

Something that slips it's timeline by 6 months with a 6 month pre-announcement before that, would seem to be in serious trouble and doubt.

Smaller teams have done a complete ground up product re-write (sometimes a whole OS re-write) in that amount of time.

I stopped holding my breath and expecting it at all the end of February.

In keeping my Evernote expectations lower than the permafrost layer, it's hard for them to do anything but delight...

http://fortune.com/2013/07/02/evernote-is-interested-in-more-than-your-notes/

Share this post


Link to post
  • 0

Hasn't soon left the barn long ago?

It was a year ago Phil put out the super sexy encryption quote with a tentative rollout years end (half a year ago now).

Something that slips it's timeline by 6 months with a 6 month pre-announcement before that, would seem to be in serious trouble and doubt.

Smaller teams have done a complete ground up product re-write (sometimes a whole OS re-write) in that amount of time.

I stopped holding my breath and expecting it at all the end of February.

In keeping my Evernote expectations lower than the permafrost layer, it's hard for them to do anything but delight... http://fortune.com/2013/07/02/evernote-is-interested-in-more-than-your-notes/

True. "Soon" would have been sometime in 2010 or so for me :)

We don't know why it hasn't happened yet. Trouble behind the scenes? Maybe. A push to get it right? Probably. A lack of interest? I doubt it. But, we don't know, so the best we can do is to keep pushing for it.

In the meantime, as I often say, adapt to the app that is rather than the one you want it to be. Local notebooks work pretty well for some use cases, using different apps for sensitive materials works for others.

  • Like 2

Share this post


Link to post
  • 0

Looks like a nice opportunity for their competitors. As EN takes their eye off the ball and starts wasting time selling ridiculous backpacks, someone will come in and snatch this untapped market of folks willing to pay for software. Twenty-somethings, I'm talking to you- get busy. You could bang this out in AngularJS, Bootstrap and Firebase by the end of the year.

 

Share this post


Link to post
  • 0

Looks like a nice opportunity for their competitors. As EN takes their eye off the ball and starts wasting time selling ridiculous backpacks, someone will come in and snatch this untapped market of folks willing to pay for software. Twenty-somethings, I'm talking to you- get busy. You could bang this out in AngularJS, Bootstrap and Firebase by the end of the year.

Fortunately, I doubt the software developers are tasked to design backpacks. In fact, a lot of the work is clearly being done by other companies who are designing and manufacturing the products.

Also, Evernote's competitors are already doing this. Devonthink has wifi sync for its iOS app through iTunes (avoiding the cloud entirely) and it encrypts is database when synced through Dropbox (sync through Dropbox + iOS isn't here yet). Voodoopad also has a fully encrypted database synced through Dropbox. The problem is that neither app on iOS is anywhere near the sophistication of Evernote's. Moreover, they only work on iOS / Mac. I get a lot of use out of them for sensitive materials, because I am primarily in an Apple environment, but I think very few people will be willing to accept the tradeoffs. What Evernote is doing on every platform is pushing into new territory. Rolling out encryption that works, assuming they are trying to do it, is no small task.

This isn't to excuse the delay, which is also extremely frustrating for me (I cannot tell you how many hours I have spent trying to deal with this deficiency), but it might help to explain why there might be one and why no one else has managed (or likely will in the near future) to challenge them in this tech space. The only product I can imagine that is even close would be OneNote, but that app is so anemic on iOS and Mac that even it is unlikely to be a serious contender.

  • Like 1

Share this post


Link to post
  • 0

Let me just say, the backpacks are "cute"....well, sorta...

 

I don't think EN can conitue to expand in this environment without encryption.

 

Google, Apple, Yahoo, and others are adding encryption services in light of new revalations and hacking attempts.

 

Evernote will have to, also.

Share this post


Link to post
  • 0

Let me just say, the backpacks are "cute"....well, sorta...

I don't think EN can conitue to expand in this environment without encryption.

Google, Apple, Yahoo, and others are adding encryption services in light of new revalations and hacking attempts.

Evernote will have to, also.

They are and they aren't. Google Drive (last I checked) is still unencrypted and mined for data by Google. When there is encryption, who has the encryption keys? In most cases, the service provider, so you still cannot guarantee the security of your data. What's the point of encryption if everyone can still look at it?

If Evernote does encryption, then it ought to get it right with zero-knowledge encryption, and (as far as I can tell) very few competing services are anywhere close to having it. The best ones I know of are relatively small operations restricted to OSX (Voodoopad and DevonThink). If Evernote manages it, then it will be a pioneer -- the first among the major companies to offer cross-platform support.

  • Like 2

Share this post


Link to post
  • 0

I'm still hoping some form of encryption is still in the works by the developers.

A zero-knowledge type would be great so I'm adding another post to keep this thread alive and let the powers see that many users find this an important issue.

  • Like 1

Share this post


Link to post
  • 0

I'm still hoping some form of encryption is still in the works by the developers.

A zero-knowledge type would be great so I'm adding another post to keep this thread alive and let the powers see that many users find this an important issue.

Thanks for keeping the thread alive with more than a +1 or a bump.

I'm also crossing my fingers and hoping something is on the way. Strangely, I don't see a whole lot of movement anywhere for zero-knowledge encryption in the marketplace. Sure, there are services like SpiderOak, but it's been around for a while. Where are the newcomers in the note-taking realm? I don't see any multi-platform competitors (devonthink and voodoopad are solid apps with great security features, but lack Windows support). Maybe people are apathetic after all, there just isn't enough demand, and people think the current situation is good enough.

It is true that Evernote has rather strong security features now, but they aren't mining my data, so they have so much less than other companies to lose by offering more encryption options.

  • Like 1

Share this post


Link to post
  • 0

I would add my hearty support for this request.  I use evernote because of it's "all in one" idea.  I have one place to put all sorts of stuff, rather than some email, some folders, some etc.  However, I also have things that I don't want anyone else to see when my laptop is displaying on the projector or with co-workers on my desk.  It's not just the note contents, it's also titles and the related notes that show in the different views. 

Even something as simple as a 4 digit PIN to open a notebook, or display it in the related notes, or have the search results show it.  My android phone copy of Evernote offers this in order to open the program, it should be easy on Windows to have that function for a designated notebook.

 

Thanks.

  • Like 1

Share this post


Link to post
  • 0

I would add my hearty support for this request.  I use evernote because of it's "all in one" idea.  I have one place to put all sorts of stuff, rather than some email, some folders, some etc.  However, I also have things that I don't want anyone else to see when my laptop is displaying on the projector or with co-workers on my desk.  It's not just the note contents, it's also titles and the related notes that show in the different views. 

Even something as simple as a 4 digit PIN to open a notebook, or display it in the related notes, or have the search results show it.  My android phone copy of Evernote offers this in order to open the program, it should be easy on Windows to have that function for a designated notebook.

 

Thanks.

 

You'll note we're not expecting anything soon..  meantime the suggestions above may help.

Share this post


Link to post
  • 0

My android phone copy of Evernote offers this in order to open the program, it should be easy on Windows to have that function for a designated notebook.

Apples and oranges. Your Android does not offer the functionality that you're actually asking for; PIN-protecting the application is not the same. For one thing, it's not clear that the PIN is anything but local to the Android client, and if not, it's not part handled by the Evernote API. On the other hand, would you expect PINs set in one place to be honored by other clients that you use? If so, then that's got to be handled by the API: the data needs to be stored and synced. And then all of the clients should be updated; otherwise you might set a PIN on a notebook on one device, but if the client on another device doesn't have the changes, then it's probably not going to need a PIN to open a protected notebook. At a guess, this is not so easy as it may seem...

 

If you have really private stuff, you could look into opening up a separate account, and really keeping it private.

Share this post


Link to post
  • 0

I made an account specifically just to add one more vote for the lockable notebook proposal. I've been using Evernote for at least two years now and I have one or two notebooks that I'd like to have a lock. Information leakage isn't really a worry for me as I don't share a laptop or tablet with anyone but I'd like the feeling of added security for having a different passcode for notebooks with more confidential information.

Share this post


Link to post
  • 0

I have been an EN user since Beta, and became a Premium user as soon as it was offered. I, too, would like the ability to encrypt an entire notebook. This really should be as easy as a Right-Click or selection in properties for a Notebook. 

 

I saw above where it says a user can already encrypt an entire note. The only was I can see to do that is to select all of the text/images in the note and then encrypt. IS there a simple one step alternative?

 

As with others above, I would be willing to pay a few bucks extra a year for this additional encryption ability. Seems this should be a no-brainier for EN, both as a tech matter and as a business/profit matter.

  • Like 1

Share this post


Link to post
  • 0

This really should be as easy as a Right-Click or selection in properties for a Notebook.

 

With all due respect you are confusing the effort to add a UI control with the effort in creating the underlying code required to carry out the function.  Changes would be required for each client that EN supports as well as server side changes to the service.  Notebook encryption would also require some user behavior education since encrypted notebooks would no longer be indexed by the service and users would need to understand how this may change their search behavior.

 

Long story short, this is nontrivial but would be a welcome addition to the EN service.

  • Like 1

Share this post


Link to post
  • 0

I, too, would like the ability to encrypt an entire notebook. This really should be as easy as a Right-Click or selection in properties for a Notebook.

You have GOT to be kidding?!?!?!! As s2sailor said, you are confusing UI with actual "programming".  It's kind of like me telling the guy at Discount Tire to change my tires vs the work actually involved in changing my tires.

 

 

@gazumped, but EN does provide encryption. It's just cumbersome in that one needs to select the text in a note and then right-click to encrypt. So it seems that making it easier to encrypt an entire note or notebook would not add to any issues as re cross-platform use. IMHO

It's pretty easy to arm chair quarterback. Yes, EN currently provides encryption...for text only. Simply b/c text encryption exists doesn't mean that can easily be applied to an entire notebook (or even just a note) that may contain images, PDFs, MP4s, etc. and sync & work well across multiple platforms.

 

Share this post


Link to post
  • 0

With all due respect you are confusing the effort to add a UI control with the effort in creating the underlying code required to carry out the function.  Changes would be required for each client that EN supports as well as server side changes to the service.  Notebook encryption would also require some user behavior education since encrypted notebooks would no longer be indexed by the service and users would need to understand how this may change their search behavior.

 

And you're confusing his request for how he'd like it to be used with a statement about how easy it would be to implement. I mean, come on...you can't honestly think that's what he meant, do you? You and BurgersNFries immediately pounce on people asking for this feature and defend Evernote's programmers as if they are gentle flowers that can't possibly cope with customer requests.

 

I've been involved in enough communities to know that you both see yourselves as being helpful (and I'm sure you answer a lot of questions elsewhere here), but honestly, from an outsider's perspective, you both come across as kind of hostile here to anyone who's raising their hand and asking for this feature. This thread is a bit painful to read. :-(

 

It's not your job to tell other Evernote customers why we shouldn't be asking for this feature. There's clearly a good number of people that really would like to have it.

Share this post


Link to post
  • 0

Perhaps @mapjr could clear the air as to the intent of his statement? Problem with the written word is that" I would like to see..." and "It should be as easy as..." don't mean the same thing to all people. Might be best to question the intent before jumping as well, I suppose.

  • Like 1

Share this post


Link to post
  • 0

Am I confusing his request?  Maybe.  I don't know mapjr and can only respond to how he worded his comment and yes (surprisingly) some people do think it is that easy.

 

If you read the last line in my post I was agreeing that it would be a welcome addition.  I wasn't discouraging the request at all.  Encrypted notebooks is high on my want list too.

  • Like 2

Share this post


Link to post
  • 0

 

With all due respect you are confusing the effort to add a UI control with the effort in creating the underlying code required to carry out the function.  Changes would be required for each client that EN supports as well as server side changes to the service.  Notebook encryption would also require some user behavior education since encrypted notebooks would no longer be indexed by the service and users would need to understand how this may change their search behavior.

 

And you're confusing his request for how he'd like it to be used with a statement about how easy it would be to implement. I mean, come on...you can't honestly think that's what he meant, do you? You and BurgersNFries immediately pounce on people asking for this feature and defend Evernote's programmers as if they are gentle flowers that can't possibly cope with customer requests.

 

I've been involved in enough communities to know that you both see yourselves as being helpful (and I'm sure you answer a lot of questions elsewhere here), but honestly, from an outsider's perspective, you both come across as pretty hostile here to anyone who's raising their hand and asking for this feature.

 

It's not your job to tell other Evernote customers why we shouldn't be asking for this feature.

 

 

Ok, please point out where ANYONE has said people should not ask for this feature.  I'm pretty sure you can't b/c I'm pretty sure no one has said that. 

 

You say we are "confusing his request".  Well, all we have to go on is his words.   And yeah, from his words, it seems he thinks this is simple. 

  • Like 1

Share this post


Link to post
  • 0

i think it is safe to say that implementing this change is a significant challenge. all things being equal, why not have encryption, right? the fact that only one or two services are able to make this work on mobile (voodoopad and filemaker?) suggests that it's not easy, but it is possible. microsoft onenote and google keep certainly haven't managed it, so i wouldn't say evernote is behind. yet.

i hope they burn the midnight oil and get this thing done sooner rather than later. a simple ui (as suggested) and powerful features sounds like evernote's mo to me!

Share this post


Link to post
  • 0

the fact that only one or two services are able to make this work on mobile (voodoopad and filemaker?) suggests that it's not easy, but it is possible. microsoft onenote and google keep certainly haven't managed it, so i wouldn't say evernote is behind. yet.

i hope they burn the midnight oil and get this thing done sooner rather than later. a simple ui (as suggested) and powerful features sounds like evernote's mo to me!

 

Wuala has mobile apps.

 

I'm with you on the midnight (and noon) oil !

Share this post


Link to post
  • 0

i think it is safe to say that implementing this change is a significant challenge. all things being equal, why not have encryption, right? the fact that only one or two services are able to make this work on mobile (voodoopad and filemaker?) suggests that it's not easy, but it is possible. microsoft onenote and google keep certainly haven't managed it, so i wouldn't say evernote is behind. yet. i hope they burn the midnight oil and get this thing done sooner rather than later. a simple ui (as suggested) and powerful features sounds like evernote's mo to me!

 

Absolutely, I get that it's not easy - and there would be some sacrifices (like encrypted notebooks not being searchable, or maybe they're only searchable after the passphrase is entered) - but it would be worth it. I'm truly a little scared of how much critical data I've put into Evernote and I'm relying solely on their security to keep it safe vs. real encryption. The benefits outweigh the risks for me right now though because it's so tremendously useful to have that data everywhere I go...I just hope I don't regret it. :-)

Share this post


Link to post
  • 0

I don't know mapjr and can only respond to how he worded his comment and yes (surprisingly) some people do think it is that easy.

With you 100%.

To go off topic, if it were me, I'd ask for note level encryption. Better personal use case and I can only imagine the hair on notebook level encryption when you start moving and sharing notes.

  • Like 1

Share this post


Link to post
  • 0

@ jm

wuala is neither an information manager nor a notetaking app. spideroak has a mobile app, too. heck, we could also include lastpass, etc. if we are just talking about a bit of encrypted text. the trick is to have a notetaking app that handles lots of notes, is secure, and is available everywhere.

on ios and osx (certainly, this is not everywhere), i think that comes down to voodoopad, devonthink, and filemaker. if there are more, let me know. the first two are ancient by ios standards and unreliable. filemaker? it is a beast, in my opinion, and i haven't been able to work efficiently with it yet on mobile.

@ csihilling

why not both? i see no headaches with notebook level encryption. just have sharing removed if it goes into an encrypted notebook, just as it's removed when it goes into a local one. you could make it more complicated by keeping the sharing, but that seems unnecessary for me, and there is already a model of behavior for evernote to work with here (local notebooks).

Share this post


Link to post
  • 0

@ jm

wuala is neither an information manager nor a notetaking app. spideroak has a mobile app, too. heck, we could also include lastpass, etc. if we are just talking about a bit of encrypted text. the trick is to have a notetaking app that handles lots of notes, is secure, and is available everywhere.

 

As I think you know, I'm fully aware that Wuala is not a PIM.  My only point is that their mobile app is an example of implementing high security using zero knowledge keys.  The point is that it can be done.  Whether it is encrypting Note text or a file, the principle is the same.

 

Evernote could encrypt the Note body while leaving the Note metadata unencrypted.  This would permit good searching.

Share this post


Link to post
  • 0

@ jm

wuala is neither an information manager nor a notetaking app. spideroak has a mobile app, too. heck, we could also include lastpass, etc. if we are just talking about a bit of encrypted text. the trick is to have a notetaking app that handles lots of notes, is secure, and is available everywhere.

 

As I think you know, I'm fully aware that Wuala is not a PIM.  My only point is that their mobile app is an example of implementing high security using zero knowledge keys.  The point is that it can be done.  Whether it is encrypting Note text or a file, the principle is the same.

 

evernote could encrypt the Note body while leaving the Note metadata unencrypted.  This would permit good searching.

i see where you are headed. i don't think the challenge is encryption itself, which has been done by several apps. gus (maker of voodoopad) is an indie developer and he managed it years ago. getting it to work with existing functionality, the api, and the sync might be more of a challenge, i guess. honestly, i am completely out of my league here, and have no firsthand knowledge of encryption, but if an indie developer can do it, then why can't ms, google, and en do it? it's kind of weird, as if they don't see encryption as a critical feature. maybe they don't get the guardian or other newspapers there and they are living in a pre-snowden bubble :)

just kidding, they know more about encryption than most of us. however, they do seem strangely uninterested, despite their security backgrounds. maybe their former work was traumatizing or something, because en's encryption has never been ahead of the curve, and they always seem loathe to stick their hands into improving it.

Share this post


Link to post
  • 0

@GM

Both would not only be fine, but maybe required, IMO. Theoretically, what do you do when you take a note out of an encrypted notebook? Wouldn't that note have been encrypted while in the encrypted notebook?

I'm just saying if it is easier to implement note level encryption (relative term and I would guess it is) then a Ctrl-A and a right click menu as a part of the process gets you there, with note level integrity. FWIW.

Full disclosure - I don't use a lot of notebooks which influences my view of the universe.

Share this post


Link to post
  • 0

...but if an indie developer can do it, then why can't ms, google, and en do it? it's kind of weird, as if they don't see encryption as a critical feature. maybe they don't get the guardian or other newspapers there and they are living in a pre-snowden bubble

 

A lot of "the big guys" don't implement security until they're forced to - most big companies are not proactive. Look how long it took Facebook, Yahoo, Google, etc. to make SSL the default experience on some of their services. To a certain degree, you can understand it because it adds cost and complication on a massive scale. That's why smaller companies can usually take the lead on features and do things the "right" way. Then the big guys catch up eventually.

  • Like 1

Share this post


Link to post
  • 0

@GM

Both would not only be fine, but maybe required, IMO. Theoretically, what do you do when you take a note out of an encrypted notebook? Wouldn't that note have been encrypted while in the encrypted notebook?

I'm just saying if it is easier to implement note level encryption (relative term and I would guess it is) then a Ctrl-A and a right click menu as a part of the process gets you there, with note level integrity. FWIW.

Full disclosure - I don't use a lot of notebooks which influences my view of the universe.

 

i don't want to get technical (because i can't!), but the model for it can be found with local notebooks. when you move a note from a local to a regular notebook, it gets a guid (i believe) and goes over without any problems. perhaps the developers are banging their heads on their desks reading this. frankly, i don't design encryption software, so i can't say exactly how it is done. however, other apps manage to do it just fine, so i think evernote can call those guys up and ask if they have questions :)

Share this post


Link to post
  • 0

Random thoughts in the notion of encrypted notebooks:

 

Notes exist on their own as atomic objects, not as part of a notebook. In other words, notebooks don't really contain notes except in a metaphorical way; instead, notes refer to their notebook via its GUID, so a notebook is really the collection of notes that have the notebook's GUID in their notebookGUID field (see https://dev.evernote.com/doc/reference/Types.html#Struct_Notebook). An encrypted notebook would require some rule such that all notes in the notebook were stored as encrypted.

 

An encrypted note would presumably have the following parts of its content encrypted:

* The note contents itself

* The note's resources (attachments)

* At least some of its attributes (tags? location? sourceURL? date fields?) There's a pretty good gang of them.

* Its recognition text (text produced via OCR)

 

Anything else? Refer to https://dev.evernote.com/doc/reference/Types.html#Struct_Note for more candidates...

 

So what happens when you move a note into an encrypted notebook? OK, so the note becomes encrypted, whatever that means. How about the backups that Evernote stores? Presumably they are not encrypted, so would Evernote then be required to seek them out and encrypt them? It's one thing to preserve old edited versions of a note, but if it's an encrypted note, you don't want those old versions laying around in plain text, right? Then once it's encrypted on the server, it splays out to any syncing device.

 

Presumably, when you move a note out of an encrypted notebook, the reverse happens.

 

You might also what happens if you change a shared notebook to encrypted. Good times.

 

Oh, OK, so you have your encrypted notebook, and now you want to work with it. So you unlock it on your device, and now the local device needs to run around and decrypt every part of it that gets encrypted, so you can search, filter, and all of the normal stuff. Of course, if you make changes, you have to encrypt everything before syncing up to Big Brother the Evernote servers in the sky...

 

What did I miss?

Share this post


Link to post
  • 0

 

An encrypted note would presumably have the following parts of its content encrypted:

* The note contents itself

* The note's resources (attachments)

* At least some of its attributes (tags? location? sourceURL? date fields?) There's a pretty good gang of them.

* Its recognition text (text produced via OCR)

 

 

 

I wouldn't want to encrypt the metadata, what you call "attributes".  That way they could still be used in searches.

 

My thought is that it would work just like the current text encryption.  Everything is always encrypted on the Evernote Cloud.

When you select a Notebook you would have an option to unencrypt -- perhaps by a button or right-click.

You would enter the password for that Notebook, and when you select a Note in that NB, EN would unencrypt it, and it would stay unencrypted as long as your have EN open, or until you press a button.  Could be the same button that acts like a toggle switch.

 

When you sync, the EN client would encrypt the changed Notes before sending to the Cloud.

 

The UI for this is clearly something that needs to be carefully thought through, tested internally, and tested with users for feedback before it is locked down.

Share this post


Link to post
  • 0

 

 

An encrypted note would presumably have the following parts of its content encrypted:

* The note contents itself

* The note's resources (attachments)

* At least some of its attributes (tags? location? sourceURL? date fields?) There's a pretty good gang of them.

* Its recognition text (text produced via OCR)

 

 

This is a tricky one. Technically any note encrypted from the get-go could never be OCR'd because that's completed server-side. A properly (effectively) encrypted note should not be accessible to the servers. 

What this means is that some notes will be created without encryption, OCR'd, then encrypted.... which means you'd have OCR data to potentially encrypt. But then you'd have a new class of notes, those which were encrypted upon creation which could never be OCR'd and would have no OCR data to encrypt. 

Maybe this isn't a big deal at all but it does add to the complexity, and of course, may be infuriating to users as they try and figure out why text in some images don't return results while others do.

 

Again, I'm all for this. I have a lot of data I do not store in Evernote because of the limited encryption. I'd welcome great, note- or notebook-level encryption with open arms. I think Evernote should work VERY hard to make this happen. That being said, on the face of it it seems immensely challenging. 

Share this post


Link to post
  • 0

I would definitely support a feature that gave you the option of creating password-protected notebooks in Evernote.  It might even persuade me to upgrade to Premium.

  • Like 1

Share this post


Link to post
  • 0

+1

 

I have similar situation with my private journal. I tried using some other journal apps, but using already established tag system and linking journal's articles to notes makes me consider Evernote as my journal app again.

 

I don't understand why Evernote team doesn't consider implementing two levels of notebook password protection:

1. Protection from unathorized access in already open Evernote app, with possibity to search in protected notebooks

2. Encryption without possiblity to search in encrypted notebooks/notes.

 

I believe these features will make happy a big number of already existing Evernote users, and make Evernote more attractive for potential users. 

 

Regards

Share this post


Link to post
  • 0

+1 for zero knowledge notebook level bla bla bla...

 

obviously there is more than adequate demand for this feature to be supported, since it's not implemented yet we have to look for reasons why... 

 

1. it's hard... well yeah... it is, but time+available resources bla bla bla... it would have be done by now anyhow... so it's not that

2. they don't want to, because it would compromise the indexing... not a real reason... they are not indexing any data which is not on servers now, are they?

3. outside pressure... this one seems the only realistic one to me, if legally they are given only the option to implement inherently compromised encryption solution they face the hard choice... either do it the way they don't want to either not to do it at all... if this is the case it becomes apparent why this matter still is not addressed. 

 

P.S.

it's clear that many people have expressed their urge, and it has been heard, and little has been done... there is an obvious business potential and as soon as (and if) adequate means will be available the service will be provided, as to what can be done... I think to average user it remains only to wait... maybe occasional cry on the forum so the issue is not forgotten...

 

all this obviously is fan fiction... I in no way am involved in the matter, I'm a mere user who wandered in here from google investigating if notes can be encrypted. 

  • Like 1

Share this post


Link to post
  • 0

since it's not implemented yet we have to look for reasons why...

Um, no we don't.  We don't because it doesn't matter why.  The bottom line is it is not.  So what the user needs to do is decide what they need to do.  Use EN for non sensitive info?  Use local notebooks for sensitive into?  Use another app? 

  • Like 1

Share this post


Link to post
  • 0

+1 for zero knowledge notebook level bla bla bla...

 

obviously there is more than adequate demand for this feature to be supported, since it's not implemented yet we have to look for reasons why... 

 

P.S.

it's clear that many people have expressed their urge, and it has been heard, and little has been done... there is an obvious business potential and as soon as (and if) adequate means will be available the service will be provided, as to what can be done... I think to average user it remains only to wait... maybe occasional cry on the forum so the issue is not forgotten...

 

all this obviously is fan fiction... I in no way am involved in the matter, I'm a mere user who wandered in here from google investigating if notes can be encrypted. 

 

Good point FineArt.

 

While we may not ever be able to truly understand why Evernote makes certain decision, a lot can be gleamed from their public statements and interviews.

 

If the "why" means that Evernote is moving away from its core service, and no longer sees a need to support and/or improve on it, then we may need to look for other options.

Share this post


Link to post
  • 0

My impression is that, for some reason, Evernote isn't terribly interested in encryption and doesn't think the privacy / security issues raised over the last few years are ones they need to try and tackle.

I think Phil Libin (Evernote CEO) recognizes the problems that exist. He has said: "I think the Internet has come a ridiculously long way given the fact that it’s insecure and broken.... but the recent loss of trust has been exponential and is really threatening to undermine a lot of the progress that we have made.... [some company is going to end up making the Internet more secure, and that company is going to ultimately] be worth a billion dollars and rule the world.”

However, I don't think he wants to step into that space. For example, Phil recently said: "We don’t own anyone’s data and are one of the few companies that explicitly says that. Everything you put into Evernote is private by default. I am a believer that the issue of government surveillance is a completely solvable problem. We as a society just need to get together and decide how do we want our governments to act." I'm glad that he is so optimistic, but I think I'd rather be given tools to protect my data from unauthorized access (private or state-sponsored).

Anyhow, with the new emphasis on collaboration, surfacing your data, and presentations I don't think encryption is going to figure prominently in this new vision of Evernote either.

  • Like 1

Share this post


Link to post
  • 0

Anyhow, with the new emphasis on collaboration, surfacing your data, and presentations I don't think encryption is going to figure prominently in this new vision of Evernote either.

 

I'm not so sure.  Corporate owners/users are probably more concerned about security than individuals, not just from hackers and the government, but also from crusaders and competitors.

Share this post


Link to post
  • 0

Anyhow, with the new emphasis on collaboration, surfacing your data, and presentations I don't think encryption is going to figure prominently in this new vision of Evernote either.

 

I'm not so sure.  Corporate owners/users are probably more concerned about security than individuals, not just from hackers and the government, but also from crusaders and competitors.

How long has Business been around? How much has encryption improved? I think the comments we have seen from Phil on encryption in recent years don't suggest much interest in encryption for Evernote beyond the sexy thing that was promised more than a year ago. Perhaps they are working on something behind the scenes. I don't know, but I don't think pressure from business clients is likely to sway them. In my experience, many businesses, especially the smaller ones that Evernote Business targets, don't have much interest in encryption, so Phil might well be making a wise choice by deferring development on encryption.

  • Like 1

Share this post


Link to post
  • 0

+1 for this. I'm transitioning to a paperless system and feel this would be great to individually lock out the notebook(s) I would use to keep scanned documents.

Share this post


Link to post
  • 0

+1

 

Is there any workaround / best practice to try to implement something like this now?

Share this post


Link to post
  • 0

+1

I need this feature. When I leave my app open on my iPad, and on my Windows pc, I want to access some notebooks frictionless. But I also want to access some "private" or "protected" notebooks, via typing a password.

Share this post


Link to post
  • 0

+1 

I've gradually been increasing my Evernote usage, and recently started using it for a journal. Please!

  • Like 1

Share this post


Link to post
  • 0

+1

 

 

I also love Evernote and use it for everything just as it says on the tin. "Everything" includes some stuff that really shouldn't be read by someone else. People have been asking for this for YEARS and to STILL not having implemented this seemingly simple feature is a MAJOR fail and could very well be a deal breaker for me.

 

Anyone has a solid tip for another app that can do this?

Share this post


Link to post
  • 0

It's not a fail, it's a clearly thought out business decision.

 

It's pretty clear that Evernote's vision is try to become more than just a dumb space that users add data to. Context, Related Notes, the AI investment and Libin's recent comments all point towards an idea that Evernote will help to make you better at doing things.

 

Siloing data into encrypted containers would break this paradigm.

 

So it's nothing to do with being simple or not and it's obviously not a major fail. It's probably just not the app that you need in order to prevent your deal from breaking.

  • Like 1

Share this post


Link to post
  • 0

You make really good points and I understand that is the thinking behind this. You are right.

 

However I can't help thinking that the fact that it is a conscious decision doesn't automatically mean that it is not a fail. Plenty of fails are badly made decisions rather than mistakes... My point is that for all the clever ai in the world I still cannot use Evernote as the business tool it is claiming to be if I cannot store sensitive data.

 

I am open to the possibility that I am doing something wrong here and just don't understand how to use the product properly, If so, please enlighten me. Is there a good way of, for example, hiding notebooks? :)

Share this post


Link to post
  • 0

No, you are simply using the wrong tool for your requirements and that's fine.

 

I'm often amazed at how people are trying to squeeze their whole business and private lives into one application. Evernote is a pretty decent general application that allows lots of people to do lots of useful things. But, it's not particularly good at anything and it's never going to be because if they concentrate on a smaller subset of use cases they will undoubtably reduce the general usefulness.

 

I use Evernote I don't know how many times a day, on different devices and in different places, I find it incredibly useful. I also use a bunch of other apps that are far better  at doing specific tasks than Evernote will ever be.

 

It sounds like you have a requirement to encrypt the data you store in the cloud. My first thought would be to find an app that does this immediately, rather than finding one that doesn't and then deciding that not having a function that it's never had, never promised to have and might never have is a 'deal-breaker' for you.

Share this post


Link to post
  • 0

I am not really talking about a specialist solution or a way to encrypt anything. All I want is a checkbox on the notebook settings that requires me to enter my password again for example.

  • Like 1

Share this post


Link to post
  • 0

This is not a niche use case. Anyone using Evernote a lot could benefit from keeping the kids out of the Gift Ideas notebook or nosey clients out of other client's presentation notebooks...

Share this post


Link to post
  • 0

If that's all you want, well why not just password protect your machine? It's easy and available on every operating system already.

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...