ArvindKanda

Evernote and security

I am a new user slowly getting hooked on to Evernote.  I have been reading about the concerns related to storing secured information on Evernote cloud. I guess the general recommendation is that if you consider some information should be secured, just do not store it in Evernote. Now my question is what documents should be considered secure.

 

1. Storing passwords in Evernote or any cloud service is a terrible idea. I get this.

2. Bank statements - some have said that the account no. in bank statements is secure information. Can someone explain why this is secure information? What happens when some hacker gets access to it?

3. Tax returns - Can this be kept in Evernote? This contains soc sec no etc.

What do you all do? What kind of information do you NOT keep in Evernote? Where do you store such information (e.g. another cloud service that supports encryption on storage)? How do you integrate that cloud service with your Evernote workflow?

 

 

Link to post

Hi. The more I think about this, the less I can put onto the cloud, until there is almost nothing left. The problem is that any information gathered on you can easily be put to nefarious ends, even web clippings.

 

One way to approach this problem is to step back and think of what scenarios are most likely to cause you trouble if all of your data was dumped on the Internet for everyone to see. I think I wouldn't be comfortable with my passwords, bank statements, and tax returns out there. Some people would be OK with it, and we simply have different privacy thresholds. I guess almost everyone would be OK with grocery lists and other seemingly innocuous data, right? Practically speaking, local notebooks for private things and regular notebooks for other stuff might be a good way to go.

 

Remember -- once it is uploaded to the cloud, you should consider it "public," because just about everything on the cloud is accessible to someone else (Evernote employees, law enforcement officials, hackers if there is a breach, etc.). As long as you keep that in mind, you shouldn't have any trouble.

  • Like 2

Link to post
Putting your sensitive data in a local non-synchronized notebook in Evernote is safer, but keep in mind that you will only be able to access it with your local client, not the web or your mobile devices. And it is important that you back up this info regularly.
 

Here are a couple perspectives from senior Evernote employees:

 

On the Evernote podcast (#18) the Evernote VP of Marketing, Andrew Sinkov, said he stores his tax returns on Evernote. He said it could be kept local, but he prefers to keep it sync'd via the server.
 
The Evernote CTO, Dave Engberg, offered this explanation on why Evernote would be crippled if it offered "meaningful" encryption.
"If a server has access to encrypted data, and access to the keys required to decrypt that data (for searching, display on the web, etc.), then anyone who successfully attacks that server has access to your data. If someone can gain control of that server, then the encryption has absolutely no value (other than making things slightly inconvenient). The attacker can make the server decrypt the data and read whatever she wants."
 
"Meaningless encryption offers the illusion of security, which is frequently more dangerous than intentionally and transparently omitting encryption."
 
"The only "meaningful" encryption would require that Evernote does not have a copy of the keys to decrypt the data at all. I.e. we just store a big blob of data that can only be decrypted by a client that has the keys. This would mean: no web interface, no "thin" mobile clients, no image processing/OCR, etc. If you lose/forget your personal encryption key/passphrase, then your data is basically unrecoverable (since Evernote doesn't keep a copy of the key)."
 
"This is actually what we do for the "encryption" feature within Evernote ... if you select some text in a note and encrypt it, that is encrypted with your passphrase, and Evernote does not have any secret "back door" to read your encrypted data. This is why you can't search for the contents of encrypted regions from the web ..."
 
"i.e. you're talking about an opaque file storage service, like one of the secure backup services. Not "Evernote." While these sorts of services have their place, that's not what Evernote's consumer service aims to be."
- Dave Engberg (Evernote)
  • Like 2

Link to post

The way I view and use Evernote is this:

  1. Don't put anything unencrypted into Evernote that I consider sensitive.
  2. For sensitive documents I want in Evernote, I encrypt them first (like PDFs)
    1. Many PDF tools offer 128-bit encryption
    2. Adobe Acrobat X (and later) and other tools also offer 256-bit encryption, but you won't be able to view the PDFs inline.

Finally, I am in the process of evaluating Wuala which provides highly encrypted Cloud storage that also can sync to your local files like DropBox.

  • Like 1

Link to post

Very good points all. It makes sense to keep the secure stuff in a local notebook. I can always remote into my local desktop if I have a need to search my local notebooks.

  • Like 2

Link to post

 

The way I view and use Evernote is this:

  1. Don't put anything unencrypted into Evernote that I consider sensitive.
  2. For sensitive documents I want in Evernote, I encrypt them first (like PDFs)
    1. Many PDF tools offer 128-bit encryption
    2. Adobe Acrobat X (and later) and other tools also offer 256-bit encryption, but you won't be able to view the PDFs inline.

Finally, I am in the process of evaluating Wuala which provides highly encrypted Cloud storage that also can sync to your local files like DropBox.

 

I use this approach too.

I don't have many documents I consider too sensitive to hold in my EN cloud. If I want a protection layer on some file I use the document's original built-in password protection (for MS Office documents or PDFs) or I compress it with encryption before uploading it to EN. I lose the possibility to find the note through search within the document but I can still find it by words in the description or tags etc.

To minimize the risk of unauthorized access I use 2 factor authentication on my account and password protect my mobile devices.

If someone wants to hack my EN and will invest enough effort I guess they could, but I don't have any top-secret information there as I usually keep the nuclear launch codes on a different system.

Link to post

Now that EN has a business subscription model, how does this fare with security? To run a business you need to put sensitive data online to share with other employees such as client information, payment methods, invoices.

 

If this is not secure is EN a viable business solution?

 

I'm in the UK. Am I right in believing that my data is stored in Switzerland not the US? Also, if my data is stored in the US not being a US citizen does the US government need a court order to access my data?

Link to post

Hi. If your business emails the information, then it is just as secure, if not more so. Whether Evernote is viable depends on the needs of your business. In my career (teaching and research), I avoid cloud services that lack zero-knowledge encryption, and I refrain from emailing anything with sensitive information. This means, of course, that I get very little use out of Evernote now (I used it a lot as a graduate student handling very little sensitive data). It lacks encryption and after I weed out all of the sensitive files (with information about me, my students, my institution, etc.), I am left with nothing but web clippings and some random jottings. It's unfortunate, but there isn't much that can be done about it at the moment. 

 

You are wrong about your data. It is stored in the US, which makes it accessible to the US government.

https://evernote.com/intl/jp/legal/privacy.php

 

You are not a US citizen, so I think the government has a lot more leeway, but as far as I know, it still must present a court order to see your data. While this is a valid concern and an especially important issue, it is probably more likely that the average user will have their privacy/security threatened by a rogue employee (no cases at Evernote yet, as far as I know, but it has regularly happened at other places) or a hacker. However, this is still a threat you would have with most email services as well.

 

Evernote does a lot of things right with security, and is ahead of many other companies I use, but it seems to me that they could do a lot better.

  • Like 1

Link to post
Quote by Evernote's CEO when Evernote Business was launched:

 

"I think companies that are not comfortable using the cloud aren't going to be Evernote customers," Libin said. While he estimated that may eliminate 50 percent of potential corporate business, he expects that more companies are going to get comfortable using cloud products in the future. Libin isn't expecting to sell to financial institutions since, he said, that is the industry least likely to purchase cloud products at the moment. However, the creative industry is already using a lot of cloud products, he added. "I think the opportunity is huge," Libin said.

 

  • Like 1

Link to post

 

Here are a couple perspectives from senior Evernote employees:

 

On the Evernote podcast (#18) the Evernote VP of Marketing, Andrew Sinkov, said he stores his tax returns on Evernote. He said it could be kept local, but he prefers to keep it sync'd via the server.

I would expect nothing less from the VP of Marketing.

 

Thankfully, Evernote has the local notebook option. It blows my mind that there are somewhat similar products that do not offer local storage - I think many users are oblivious to the risks. While it's true that Google doesn't offer local storage for just about any product they have, and many millions of people use Google products, Google has a much larger security budget than any personal information mgmt software company.

  • Like 1

Link to post

i'm perfectly comfortable using the cloud (someone else's server that i connect to through the internet), but not unencrypted. it's not about comfort. it's about security.

i think there'd be a larger opportunity for them if they used encryption, but i guess they've run the numbers and determined that it's more cost effective to leave it out of Evernote. i've never been able to figure out why. dave (cto) and phil (former ceo) have made it clear over the years that evernote isn't well-suited for people whose workspaces need encryption.

Link to post

Here are a couple perspectives from senior Evernote employees:

 

On the Evernote podcast (#18) the Evernote VP of Marketing, Andrew Sinkov, said he stores his tax returns on Evernote. He said it could be kept local, but he prefers to keep it sync'd via the server.

I would expect nothing less from the VP of Marketing.

 

Thankfully, Evernote has the local notebook option. It blows my mind that there are somewhat similar products that do not offer local storage - I think many users are oblivious to the risks. While it's true that Google doesn't offer local storage for just about any product they have, and many millions of people use Google products, Google has a much larger security budget than any personal information mgmt software company.

in my opinion, it's not a matter of budget, trustworthiness, or innovation. everyone is vulnerable to some degree, regardless of the money or resources companies throw at the problem. if anyone is thinking they haven't had their data scooped up yet, they have. they just don't know it.

when everything is encrypted and only we have the keys, then we'll be a lot better protected when (not if) our files are accessed without our permission.

  • Like 1

Link to post
Back in the good old days, when Evernote employees were more open with their comments, I grabbed the following info posted by Dave Engberg (in 2009). A lot has changed since then.  Edward Snowden did not hit the security headlines until 4 years later. I wish Evernote would still be this open and sharing with their information. But as they got bigger, I presume they had to start washing and filtering their public comments through a department of legal advisors first.

 

Excerpts from Dave Engberg - Chief Engineer at Evernote - 2009

 

* [Evernote] mitigates these risks through a layered set of security policies and technologies.

 

* Your login information is only transmitted to the servers in encrypted form over SSL, and your passwords are not directly stored on any of our systems.

 

* There's no uber-index of contents of accounts ... we maintain separate user search indices of each user on decentralized storage with no cross-access between individual servers.

 

* Like a secure banking site, we encrypt the connections via SSL so that someone on your network can't see your data go by. Your checking balance is not encrypted in your bank's databases, however, and your notes are not encrypted within Evernote.

 

* Our Privacy Policy and Terms of Service restrict what we can (and would) do with your data ... in particular, we have never (and will never) give your own data to other parties.

 

* When you add a note to the service, it is secured like your email would be at a high-end email provider. This means that your notes are stored in a private, locked cage at a guarded data center that can only be accessed by a small number of Evernote operations personnel.

 

* Physical access to all storage (online and offline-backup) requires multiple authentication factors in protected facilities, and is restricted to only the four full-time IT/Operations staff that maintain the servers.

 

* Even Phil, the CEO, doesn't have passcards and keys to the data center. Security policy says that the departure of any such staff will result in full rekey and change of all passwords, etc.

 

* Administrative maintenance on these servers can only be performed through secure, encrypted communications by the same set of people. All network access to these servers is similarly protected by a set of firewalls and hardened servers.

 

* If you have some notes that you only want to access from a single computer, you can place these into a "Local Notebook" on our Windows or Mac client. Notes in a Local Notebook are never transmitted to our service, so they aren't accessible from the web, or from your other computers.

 

and more comments from Dave Engberg - Chief Engineer at Evernote - in 2010

If a server has access to encrypted data, and access to the keys required to decrypt that data (for searching, display on the web, etc.), then anyone who successfully attacks that server has access to your data. If someone can gain control of that server, then the encryption has absolutely no value (other than making things slightly inconvenient). The attacker can make the server decrypt the data and read whatever she wants.

 

Meaningless encryption offers the illusion of security, which is frequently more dangerous than intentionally and transparently omitting encryption.

 

The only "meaningful" encryption would require that Evernote does not have a copy of the keys to decrypt the data at all. I.e. we just store a big blob of data that can only be decrypted by a client that has the keys. This would mean: no web interface, no "thin" mobile clients, no image processing/OCR, etc. If you lose/forget your personal encryption key/passphrase, then your data is basically unrecoverable (since Evernote doesn't keep a copy of the key).

 

This is actually what we do for the "encryption" feature within Evernote ... if you select some text in a note and encrypt it, that is encrypted with your passphrase, and Evernote does not have any secret "back door" to read your encrypted data. This is why you can't search for the contents of encrypted regions from the web ...

 

I.e. you're talking about an opaque file storage service, like one of the secure backup services. Not "Evernote." While these sorts of services have their place, that's not what Evernote's consumer service aims to be.

Link to post

Many thanks for the responses. It seems that if you want security, then forget the cloud!

 

I've tried various encryptions, from encrypting the text myself with gpg to using saferoom (easiest option) or Encrypto. However, I've come to realise that zero-knowledge encryption would remove the majority of EN features. If everything was encrypted in EN then you'd be able to find nothing. Especially if the content is what you're trying to search!

 

I've been using saferoom and think it's probably the best way to go. Saferoom encrypts the notes content, but not tags or title. If you have a descriptive title and tags, you should be able to find your content with ease.

 

I would imagine EN will never bring out proper zero knowledge encryption as it would stop them being able to search and index stuff. Any item that is encrypted would be removed from the index. Saferoom is probably as close as we're going to get.

 

It has made me ask the question whether I really need things in the cloud, but it is useful to have your data everywhere as more than once I've needed a particular document at the bank, at an airport or in a meeting and EN has been great. I do have Devonthink Pro office, but this really doesn't have proper mobile support as the iOS app hasn't been developed in a long time. I also like the fact that EN gives me an extra layer of backup offsite, being in the cloud. Encrypted documents in Dropbox are ok, but decrypting them on mobile is a problem.

 

I fear that with the rise of government snooping and global hacking, the cloud is on a long course for failure. Searching has become the de facto way of retrieving data and encryption closes that door. Apart from searching within an encrypted environment, I cannot see a way forward. It essentially means all our systems need to change. We need tools that provide an encrypted environment and all the other tool features need to run inside this environment.

Link to post

searching encrypted databases seems to be a challenge that folks are handling pretty well, from what i have seen on the web. if the encryption is done client-side, and unencrypted when the app is open, there's no problem. voodoopad, for example, seems to have managed it just fine. i think the evernote folks are pretty smart, and they "could" do it, but they don't want to for other reasons. in other words, it isn't the technical challenge (i guess -- i'm no expert). it's a design decision. if i had to guess, i'd say they are waiting to see how govt. regulations in the us are going to shake out, because there is an idea in some governments (the us and uk) that the government should be able to access anything on anyone's servers. this is obviously antithetical to zero-knowledge encryption.

 

[edit]: whoops. forgot about the elephant in the room. microsoft apparently has zero-knowledge encryption for onenote. if this is true (i haven't been able to confirm it with any microsoft literature, and i haven't tested it to see how the search works), then that would not only be clear evidence that zero-knowledge encryption is technically feasible, but it would also call into question my guess about evernote's reasoning for not adopting it. after all, if microsoft offers zero-knowledge encryption and the govt. is ok with that, what's to stop evernote from doing it?

  • Like 1

Link to post

However, I've come to realise that zero-knowledge encryption would remove the majority of EN features. If everything was encrypted in EN then you'd be able to find nothing. Especially if the content is what you're trying to search!

 

I've been using saferoom and think it's probably the best way to go. Saferoom encrypts the notes content, but not tags or title. If you have a descriptive title and tags, you should be able to find your content with ease.

 

I would imagine EN will never bring out proper zero knowledge encryption as it would stop them being able to search and index stuff. Any item that is encrypted would be removed from the index.

. . .

Searching has become the de facto way of retrieving data and encryption closes that door.

 

Sorry, but I have to disagree that encryption prevents searching.

 

As you stated with regards to SafeRoom, Evernote could just encrypt the Note contents and leave all of the metadata (Note Title, Tags, dates, etc) as clear text.

 

So if you plan to encrypt a Note, you would just make sure you had a good descriptive title (with keywords) and a good set of Tags to facilitate searching.

 

In fact I think this would work very well. Most of my Notes are of some type of reference material or of historical nature, neither of which is sensitive information. They don't need encryption. But a few of my Notes would be sensitive, and would need encryption.

 

In either case, I rely mostly on the Note Title and Tags to search/find my info.  It is a rare occasion that I need to do a full text search.

Link to post
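
The design discussed in this thread (note body encrypted on the client with a passphrase the service never sees, title and tags left in clear text so they stay searchable), as an added Python sketch that is not code from any poster, Evernote or Saferoom. The `Server` class, the function names and the sample note are hypothetical, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def derive_keys(passphrase, salt):
    """Client side: stretch the passphrase into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for a real cipher (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(passphrase, body):
    """Runs on the user's device. Only the returned blob is uploaded."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    data = body.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def client_decrypt(passphrase, blob):
    """Runs on the user's device. Verifies the tag before decrypting."""
    enc_key, mac_key = derive_keys(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong passphrase or tampered blob")
    stream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream)).decode()


class Server:
    """Hypothetical service: holds clear-text metadata and an opaque blob.

    It never receives the passphrase or the derived keys, so anyone who
    takes over the server sees exactly what search() can see.
    """

    def __init__(self):
        self.notes = []

    def store(self, title, tags, blob):
        self.notes.append({"title": title, "tags": list(tags), "blob": blob})

    def search(self, term):
        """Match on title/tags, and on the raw stored bytes of the body."""
        needle = term.lower()
        hits = []
        for note in self.notes:
            metadata = (note["title"] + " " + " ".join(note["tags"])).lower()
            if needle in metadata or needle.encode() in note["blob"]["ct"]:
                hits.append(note["title"])
        return hits


if __name__ == "__main__":
    # Constructed sample note; the account number is a placeholder.
    passphrase = "correct horse battery staple"
    body = "Refund routed to account 00000000"
    server = Server()
    server.store("2014 tax return", ["tax", "finance"],
                 client_encrypt(passphrase, body))

    print("search 'tax'    ->", server.search("tax"))      # found via metadata
    print("search 'refund' ->", server.search("refund"))   # body is opaque
    print("client reads    ->",
          client_decrypt(passphrase, server.notes[0]["blob"]))
    try:
        client_decrypt("guess", server.notes[0]["blob"])
    except ValueError as err:
        print("wrong passphrase ->", err)
```

The trade-off described in the thread shows up directly: whatever is placed in the title or tags is readable by the service, and a lost passphrase means the body cannot be recovered.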

Sorry, by talking about encryption preventing searching I meant the present EN setup. The content of an encrypted note is not searchable.

 

I'm leaning more and more towards saferoom. I have to spend some time thinking through the cloud issue. As how I go on now reflects the future. If I remove sensitive data to a mac only app, I see little point in retaining the use of evernote. The idea is to have everything in one place. I have Devonthink Pro Office, but never liked using it although it is powerful, plus its iOS app is woeful.

 

An EN alternative would be to place sensitive data on a local notebook only. Does anyone do this, and how is it working out practically? I'm assuming that local and synced notebooks are all searchable with the local EN app?

Link to post

local notebooks are a great security feature in evernote, and i thought they worked well for me when i had them (searching is fine), though the obvious drawback is the inability to sync. if you only work on one device, or if you can effectively separate private (local) and public (synced notebooks) stuff, then they are ideal.

 

i am pretty impressed with devonthink, myself, and i think if you only work on a mac, it really is the best way to go. evernote's selling point is its ubiquity, and while it could be called the best notetaking app found on every platform, i don't think many people would claim that it is the best personal information manager / notetaking app on the mac. or on windows (connectedtext?) for that matter.

 

the ios app for devonthink isn't that bad. it's kludgy and certainly not as polished as evernote's, but it gets the job done, and it can sync through wifi, which makes it possible to securely sync between devices without the cloud. this is a huge benefit for the security conscious and anyone traveling away from an internet connection.

Link to post

GrumpyMonkey, you sound like you're gradually going off EN?

 

The attraction to EN for me is the many ways of getting things in. I can add anything easily to EN from any device. That can't be said for Devonthink. Also the retrieval on mobile is also great.

 

The whole security and encryption has ruined the simplicity of the internet. I know it was never there, but tools that were great to use now need to be filtered with a whole bunch of security questions. At this rate I won't be using the cloud period. Especially if Cameron manages to push through his crazy anti-encryption legislation.

Link to post

So what's wrong with putting encrypted PDFs into Evernote Cloud?

 

All of the metadata of the Note where the PDF is attached would still be searchable.

Furthermore, one could if so desired, add keywords and even an abstract which are not sensitive info at the top of the Note.

This, of course, would be available for search.

Link to post

An EN alternative would be to place sensitive data on a local notebook only. Does anyone do this, and how is it working out practically? I'm assuming that local and synced notebooks are all searchable with the local EN app?

I use local and synced notebooks. It works fine, but of course you can only search/access the local notebook notes on one computer. It would be nice to have access to all notes from any device, but I find that from a practical perspective, this is rarely necessary, at least in my case. So I have no problem separating the sensitive stuff into a local notebook and everything else goes to synced notebooks.

 

If EN dropped local notebooks, I'd drop EN because it's only a matter of time before that growing treasure trove of data on EN's servers proves very attractive to very capable hackers.

  • Like 1

Link to post

Does anyone know if there is an update on this?

I've not been using EN for 6 months and am looking at my options. Secure encrypted data is now a must. I see no value of unencrypted data in the cloud. Even personal family data requires security. EN is becoming less and less viable unless this changes. What are the chances of that happening? People keep mentioning the local notebooks, but that defeats the purpose of EN for me especially as I also have Devonthink.

If EN added an ability to sync via wifi to mobile devices that would solve most problems.

Will EN find less and less people/organisations will use EN? I work for a charity in the UK and charity law forbids the use of EN as I must prove that I'm using reasonable precautions when dealing with personal data. Reasonable means encrypted, from email to online storage. At the rate things are going either everything will need to be encrypted or digital systems will be unviable.

Perhaps I need to start carrying my data on an Encrypted USB and forget the cloud. The only problem is that there doesn't appear to be access to encrypted USBs on mobile devices from apple. If I could just plug my USB into my iphone and search that would be great!

Link to post
23 minutes ago, why? said:

Does anyone know if there is an update on this?

Can you be more specific as to what you want updates on?

Yes, some (all?) of your data should be encrypted if it goes into the cloud.  
Or for the more paranoid, even if it goes into your computer.
Evernote offers an encryption tool, and there are external solutions.

Maybe I should be more paranoid but I feel some sense of security in using the native Evernote cloud services.
Of course I do encrypt sensitive data.
It's not like I'm posting on a public web page or forum.

>>I see no value of unencrypted data in the cloud

It would be very inconvenient to keep my shopping list encrypted.
Encrypting the data means it's not available for services like Evernote's image/pdf OCR
Sharing notebooks.
I've built up a reference database and want easy access to it - it's mostly public web clippings and scanning

Link to post

I'm asking if EN are becoming HIPAA and FERPA compliant or at least moving to a more secure information repository.

Although I agree that generally keeping your shopping list in the cloud doesn't need encryption that's exactly the kind of information Amazon, Google etc are interested in. It comes back to being able to accurately profile people. The more information you have on an individual the easier to sell them something or impersonate them. One shopping list may not be an issue, but if I had your shopping lists for the past 12 months that may begin to compromise your security. My mobile phone contract can be altered by telephone with only three pieces of information. DOB, zip code, and payment method. On their own these pieces of information may seem insignificant and not requiring encryption, but together they could be used to steal your identity. Imagine that you store 10 years of your life in Evernote. Little pieces of information that may seem to pose no security threat whatsoever, but add them together; your parking tickets, shop receipts, tweets, Facebook posts, emails, text messages, etc and someone could build enough of a profile to begin to hack your life. Why would folks want to do that? Usually money.

Sadly the internet isn't secure anymore, really it was never secure, but we're now in the position where people know that they can get information from unwitting folks and use it to extract money. The internet is not the same as it used to be. You've now got to look at possible scenarios. Most folks are often too lazy to store one set of data in an encrypted format because of effort. So they mix sensitive and less sensitive data. Many large corporations have been hacked. Just because EN hasn't doesn't mean it's secure. The real security is in how people can access the information once they're in.

I don't know what the answer is. The more security the less easy the software becomes to use. Increase the number of plugins that can access the service and you increase the possibility of holes. Even the great Apple corporation have not yet fully stopped jail breaking and they've been trying for 7 years. Is it unreasonable to expect EN to make sure that I can encrypt my data on my client? Now I know this is already possible, but it is piecemeal at best. I want to encrypt notebooks, I want a password entered when opening the app and another one when opening specific notebooks, I'd like data encrypted at rest. Ultimately it's a fight between ease of use and security. This will change when someone hacks EN and data is stolen, but that is putting up the fence after the event in my opinion.

Share this post


Link to post
9 minutes ago, why? said:

I'm asking if EN are becoming HIPAA and FERPA compliant or at least moving to a more secure information repository.

HIPAA and FERPA compliance - Now that is taking the discussion to a new level.
I haven't looked at that for a while, but I seriously doubt that EN fits in.

I'm not sure what you mean by "a more secure information repository."
Evernote has implemented a certain level of security; as a user you can supplement that.
What are you asking Evernote to implement?

Share this post


Link to post

As I mentioned in my earlier comment. Data secure at rest and encrypted. Not individual notes, but all data.

Share this post


Link to post
11 hours ago, why? said:

The more information you have on an individual the easier to sell them something or impersonate them. One shopping list may not be an issue, but if I had your shopping lists for the past 12 months that may begin to compromise your security.

Do you use any Google products, like GMail, Google Search, Google Maps, or Google Chrome browser?

If you do, then Google already has a tremendous amount of info about you.  In my case, far, far more than could be mined from my Evernote account, and I have over 16,000 notes.

Share this post


Link to post
11 hours ago, why? said:

Data secure at rest and encrypted. Not individual notes, but all data

Got it.

Evernote currently only offers encryption at the text level within a note.

So, the request would be for the option of encryption at the note/notebook/all levels.

Share this post


Link to post
6 hours ago, JMichaelTX said:

Do you use any Google products

Nope. For that very reason. Google are a massive concern as they do not respect anyone's privacy. I don't even use their search engine. Google are more like a virus that looks to get its tentacles into every area of your life. After not agreeing with Google's latest privacy policy (where they now store your browsing history on their servers not in cookies on your machine, so you can't delete it) I found I was locked out of using google as a search engine. In my opinion google is no longer a search engine but a classified ads service that ranks results according to payment and their opinion on how people should build their websites.

It seems that until something changes, the cloud is not a secure place bar those offering zero knowledge encryption. If only every cloud based organisation offered that facility. Pardon my paranoia, but I live in the UK and we're the worst. We're the most CCTV covered country in the world and our government's policies on privacy are rapidly removing our right to keep your information private. I'm beginning to understand why people are going offline.

Is there any way to run evernote off a USB?

Share this post


Link to post
4 hours ago, why? said:

Is there any way to run evernote off a USB?

Not that I know of.

>>Do you use any Google products Nope. For that very reason.
I acknowledge your concerns and it's good that you are aware of the compromise to your security/privacy.  I think many people are blind to this, however would still use the services even if they thought about it.

And given your concerns (as you say, paranoia) I understand your desire for complete encryption of your Evernote data. Since it's not currently an option, the only solution I see is a third party application to encrypt your data before adding it to Evernote.
 

Share this post


Link to post
1 hour ago, DTLow said:

And given your concerns (as you say, paranoia) I understand your desire for complete encryption of your Evernote data. Since it's not currently an option, the only solution I see is a third party application to encrypt your data before adding it to Evernote.
 

I think the real decision is to either separate clearly all sensitive from non-sensitive data and place the sensitive elsewhere. However, I don't think that there is any non-sensitive data, certainly not in terms of prolonged collection of data that EN encourages. Encrypted notes in EN are essentially the same as local notebooks as searching and reading them becomes impossible on mobile. Let's face it EN needs data unencrypted for it to be viable. Without that most of EN's features become irrelevant. Maybe the position I have arrived at is in setting my personal criteria for acceptable cloud storage. This has to be zero knowledge full encryption. So sadly EN is no longer suitable.

I do wonder if anyone else thinks this way and if EN are going to have to offer this at some point or lose custom?

What I don't understand is that if EN is not FERPA HIPAA compliant how can businesses be using EN to store sensitive client details? Do businesses have no legally required compliancy in storing customer data?

Share this post


Link to post

No matter how secure a site is, there is always someone who wants more.

Back in the good old days, when Evernote employees were permitted to discuss Evernote issues more openly, I captured some interesting security related comments:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

  • Dave Engberg - Evernote CTO

If a server has access to encrypted data, and access to the keys required to decrypt that data (for searching, display on the web, etc.), then anyone who successfully attacks that server has access to your data. If someone can gain control of that server, then the encryption has absolutely no value (other than making things slightly inconvenient). The attacker can make the server decrypt the data and read whatever she wants.

Meaningless encryption offers the illusion of security, which is frequently more dangerous than intentionally and transparently omitting encryption.

The only "meaningful" encryption would require that Evernote does not have a copy of the keys to decrypt the data at all. I.e. we just store a big blob of data that can only be decrypted by a client that has the keys. This would mean: no web interface, no "thin" mobile clients, no image processing/OCR, etc. If you lose/forget your personal encryption key/passphrase, then your data is basically unrecoverable (since Evernote doesn't keep a copy of the key).

This is actually what we do for the "encryption" feature within Evernote ... if you select some text in a note and encrypt it, that is encrypted with your passphrase, and Evernote does not have any secret "back door" to read your encrypted data. This is why you can't search for the contents of encrypted regions from the web.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

  • Heather Wilde - Evernote Support Maven said:

lots of people are asking us to do just that [total complete encryption]. And as I said way back in the early pages of this thread, it's kind of antithesis to the whole point of Evernote. We kind of don't understand why you would want to *use* Evernote if you can't use the major whiz-bang features of it. For example, if we introduced full notebook encryption, presumably we'd have to have a way to *decrypt* those notebooks on all the clients that we sync to as well, or your notes would be worthless everywhere except where they're decryptable.

Additionally, on the mobile clients, even if you could decrypt them, you'd be limited to scrolling through your notes in those notebooks to locate the one you want, because we don't index encrypted content. So, it just makes us a really unwieldy note program.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

  • Andrew Sinkov - Evernote VP of Marketing (prior position Corestreet - Identity & Access Management) 

On Evernote podcast #18, Andrew said he stores his tax returns on Evernote. He said it could be kept local, but he prefers to keep it sync'd via the server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Those comments were in the past. I don't know where Evernote security is going today.

 

  • Like 1

Share this post


Link to post
1 hour ago, why? said:

What I don't understand is that if EN is not FERPA HIPAA compliant how can businesses be using EN to store sensitive client details? Do businesses have no legally required compliancy in storing customer data?

To my limited knowledge FERPA and HIPAA would not affect all businesses, more health and education verticals. 

Good question on "standard" customer data, beyond credit card information, SSN and the like.

Net of it all, it does not sound like EN will meet your encryption requirements.  Quite a few other posts in these forums on this topic.  Look up a user name GrumpyMonkey, he has strong views and ideas as well.

Share this post


Link to post

Many thanks, I appreciate that HIPAA and FERPA are specific, but thought there must be some governing standard for businesses? Can they store their clients payments details in EN? I just seem not to understand how EN business works as I assumed that that would invariably include some sensitive data or personal information and would have to follow some government standards similar to FERPA. I know as a UK charity you cannot use EN for personal information from those in your charity data.

Share this post


Link to post

The UK has some serious data protection regulations which prevent any 'personal data' being stored electronically without suitable and sensible safeguards, and most specifically objects to data being moved outside the UK - with some very precise exceptions.  What you do with your own data though,  is (AFAIK) up to you. 

'Vanilla' Evernote wouldn't be suitable for any institution or charity to record such data about individuals,  although it's perfectly acceptable to use the app for products,  technical information and the like.  Personal data could be encrypted with Saferoom or something similar  (get professional advice before you design your complete system around encryption!) but that then makes it unsearchable which is kind of the point of getting your customer base into a searchable context like this one.  Better to use Evernote as an information distribution center on any relevant topics,  but keep your CRM running on your own local system.

The point here being that 'local' regulations around the world are more important to users than any general business or IT principles related to security.  There's a whole industry out there of catastrophe insurers who'll insure the business against losses from hacking or data loss,  but things start to get really expensive if you annoy the data protection authorities - I don't think you can insure against their monetary penalties,  and that ain't all they can do to you if you get it really wrong...

However Evernote is never the bad guy in the UK - if I keep things in my database that get me in trouble,  that's my lookout!

Share this post


Link to post

From my store base retail experience we encrypted the credit card number from the POS terminal to the approver, never saw the number or PIN if a debit card.  Other than that not a point of expertise for me.  Perhaps someone with more knowledge will chip in.  In any case, based upon the hacks in the news in the recent years, whatever standards and encryption that may be in place isn't working all that well.  So if you don't want it seen the cloud isn't the place for it.

Share this post


Link to post
13 minutes ago, gazumped said:

The UK has some serious data protection regulations which prevent any 'personal data' being stored electronically without suitable and sensible safeguards, and most specifically objects to data being moved outside the UK - with some very precise exceptions. 

Does that mean that Evernote keeps a room of computers on British soil for their cloud storage of UK customers?

I expect that is the case for Chinese customers, but has it expanded to each of the countries in the EU?

Share this post


Link to post

There's something called the Safe Harbor agreement under which personal data can be exported from the UK to the US - there was some excitement recently when it was challenged and (in theory) no US company could take personal data outside the UK.  Facebook,  Google and quite a few other companies were 'concerned',  and did talk about the possibilities and implications of server farms in different countries.

No surprise however,  the agreement was re-approved last year,  and is back in place.  (That's why I mentioned 'very precise exceptions'.)  I assume,  but don't know,  that Evernote meets the requirements of the agreement.  If someone complained to our data protection authority - called the Information Commissioner these days - the IC would investigate an alleged infraction and take any necessary action. 

I don't know what resources Evernote has in the UK,  but I'd bet they're as international as any big IT company.

Share this post


Link to post
7 hours ago, why? said:

Encrypted notes in EN are essentially the same as local notebooks as searching and reading them becomes impossible on mobile. Let's face it EN needs data unencrypted for it to be viable. Without that most of EN's features become irrelevant.

I have seen this statement made numerous times, but I believe there is an approach that provides encryption, and allows searching.

This is very simple:  encrypt ONLY the Note contents.  

  • Thus all of the Note metadata (Title, Tags, dates, etc) would still be available to search on.
  • Your sensitive data would be encrypted and protected
  • You could still search (find) text in a Note after you have decrypted it.
  • Perhaps there could be a feature/option to decrypt selected Notes (including all) on your desktop.

IMO, this encryption approach is a very viable solution, that still supports most of  Evernote's features.

Share this post


Link to post
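
The trade-off in the Dave Engberg comment quoted earlier (the server stores a blob it cannot decrypt) and the "encrypt ONLY the Note contents" proposal in the post above can be tried out directly. This is an added example, not Evernote's code and not code from any poster: it uses Node.js's built-in `crypto` module (scrypt and AES-256-GCM), and the record layout, sample notes and function names (`sealNote`, `openNote`, `serverSearch`, `clientSearch`, `buildStore`) are assumptions made for illustration.

```javascript
// Added example (not Evernote's code): passphrase-based, client-side
// encryption of note bodies while title and tags stay in plaintext.
const crypto = require('node:crypto');

// Constructed sample notes; every value below is made up for illustration.
const SAMPLE_NOTES = [
  { title: 'Shopping list', tags: ['home'], body: 'milk, eggs, coffee' },
  { title: 'Tax return 2015', tags: ['tax', 'finance'],
    body: 'Constructed reference number TESTREF-0042 for the 2015 filing.' },
  { title: 'Web clipping', tags: ['reference'], body: 'Article about OCR of scanned PDFs.' },
];

// scrypt turns the passphrase into a 256-bit key; the salt is per note.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, { N: 16384, r: 8, p: 1 });
}

// The metadata is authenticated (AAD) but not encrypted, so the server can
// index it, yet cannot alter it or move a body to another note unnoticed.
function metadataBytes(record) {
  return Buffer.from(JSON.stringify({ title: record.title, tags: record.tags }), 'utf8');
}

// Runs on the client. The returned record is all the server ever stores.
function sealNote(note, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv,
    { authTagLength: 16 });
  cipher.setAAD(metadataBytes(note));
  const body = Buffer.concat([cipher.update(note.body, 'utf8'), cipher.final()]);
  return {
    title: note.title, tags: [...note.tags],
    salt: salt.toString('base64'), iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'), body: body.toString('base64'),
  };
}

// Runs on the client. Returns null on a wrong passphrase or altered record.
function openNote(record, passphrase) {
  try {
    const key = deriveKey(passphrase, Buffer.from(record.salt, 'base64'));
    const decipher = crypto.createDecipheriv('aes-256-gcm', key,
      Buffer.from(record.iv, 'base64'), { authTagLength: 16 });
    decipher.setAAD(metadataBytes(record));
    decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
    return Buffer.concat([decipher.update(Buffer.from(record.body, 'base64')),
      decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed: wrong key or modified data
  }
}

// Server-side search: only title and tags are readable there.
function serverSearch(store, term) {
  const t = term.toLowerCase();
  return store
    .filter((r) => r.title.toLowerCase().includes(t) ||
      r.tags.some((tag) => tag.toLowerCase().includes(t)))
    .map((r) => r.title);
}

// Client-side search: decrypt with the passphrase first, then search bodies.
function clientSearch(store, term, passphrase) {
  const t = term.toLowerCase();
  return store
    .filter((r) => {
      const body = openNote(r, passphrase);
      return body !== null && body.toLowerCase().includes(t);
    })
    .map((r) => r.title);
}

// Seal the constructed sample notes, as a client would before syncing.
function buildStore(passphrase) {
  return SAMPLE_NOTES.map((n) => sealNote(n, passphrase));
}
```
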

The difficulty is that there seems to be no simple solution. Although I appreciate the "encrypt the note content" method this is not viable with large amounts of data. Essentially for EN to be secure it needs to create a secure environment to work in. Much in the same way 1password operates. You login and do your work and log out. Everything remains encrypted and secure.

In essence, encrypted environments do not seem to cover cloud or mobile well. Getting items encrypted is not an issue, there are many tools. Decrypting on the fly on any device is an issue. If this is not possible, then placing encrypted data in the cloud serves no purpose apart from backup.

I believe that as information hacks and theft increase companies like EN will have to create such environments or lose custom. I've been very happy with EN, but the internet is rapidly evolving and sadly hacking is here to stay. I'm finding my use of online services decreasing simply because they are not secure, from email to sending text messages. Am I prepared to store years worth of data on company servers in an unencrypted form with the possibility that at some point the company may be hacked? No I'm not.

Share this post


Link to post
On January 26, 2016 at 11:38 PM, why? said:

I'm asking if EN are becoming HIPAA and FERPA compliant or at least moving to a more secure information repository.

.... Ultimately it's a fight between ease of use and security. This will change when someone hacks EN and data is stolen, but that is putting up the fence after the event in my opinion.

I wish that Evernote had zero-knowledge encryption for everything, but it does not, and I doubt it ever will. Some people argue that Evernote would become unusable if it did have zero-knowledge encryption (things become inaccessible, unsearchable, etc.), but I believe they are incorrect (see link below) and, while it may be a fight between ease of use and security, the hurdles are not so high -- I think you'd be surprised to find out how convenient security can be. 

COMPLIANCE

Evernote is not HIPAA compliant and they don't intend to be (last time they talked about it). Evernote is (understandably) taking a hands-off approach to the thorny issue of "compliance" with other laws, saying in their TOS: "you agree that you are responsible for complying with the U.S. Children's Online Privacy Protection Act (“COPPA”) and, to the extent applicable, The Family Educational Rights and Privacy Act (“FERPA”)." As far as FERPA goes, I think that if you are an educator including unencrypted data on your students in your account (names, grades, papers, etc.) then you are exposing yourself to quite a bit of risk, and I would strongly urge you to avoid doing that. The University of Michigan, for example, prohibits faculty and staff from using their accounts for such things.

http://safecomputing.umich.edu/dataguide/?q=node/62

ALTERNATIVES

Encrypted alternatives to Evernote exist, beginning with the most obvious one -- OneNote. I'm still unclear about the details with it, especially when working on mobile, so I cannot say this is the best solution for your situation. Personally, I don't use it. I much prefer DEVONthink (OSX and iOS), which provides encrypted syncing through Dropbox (if you want) or syncing through wifi / bluetooth (avoiding the cloud entirely) for mobile devices.

http://www.christopher-mayo.com/?p=1605

EVERNOTE

You can still use Evernote for some things while using another app for others. Evernote has a ton of great features, amazing developers, and lots of potential. Certainly, the effortless syncing is an amazing feat that no one else has quite managed for notetaking / personal information manager apps. As my career has changed and I've had to deal with more and more sensitive information (my own and that of others), I've had to use Evernote less and less, but if I was still a student or had a job that didn't require me to take measures to protect data on the cloud, I'd definitely be using Evernote a lot more. I hope they change their position on encryption / security, but until then, you may want to try out the alternatives I mentioned.

 

 

  • Like 1

Share this post


Link to post
18 hours ago, why? said:

Although I appreciate the "encrypt the note content" method this is not viable with large amounts of data.

I disagree.  The note content is actually stored separate from the Note metadata.  I see no issues specific to storing large amounts of data.

Share this post


Link to post

EN's security seems somewhat behind Microsoft's. Whereas there may be benign data, I believe that to be minuscule. I can understand that a web designer's portfolio or coder's code, may be benign, or perhaps a class's teaching material or a company's standard documentation. My difficulty is that with each passing year there are more companies being hacked and security is becoming a big issue. It's all well and good for EN to say you, the user, are responsible, but then they should stop telling you to put everything in it, that in my opinion is irresponsible.

If you are offering a service for people to put everything in then you should jolly well make sure everything is going to be secure. If you cannot do that then there should be a prominent section in the documentation, website and purchase page, highlighting what you should not store in EN. EN has a far better handle on security issues than most users. That doesn't absolve them, but places a responsibility on EN to make sure they understand. And not in some policies hidden under piles of other policies.

I would love to see legislation change to make the companies responsible. Banks are responsible for my money. If it gets stolen they are held to account. This is why they have high levels of security. Information, it could be argued, is a lot more valuable than money and perhaps it's time companies like EN treated it as such. If they did, then perhaps their users would too?

By the way, Onenote is in front of EN in terms of security. The ability to protect whole sections is excellent. Also, EN only encrypts text, this is a massive short-coming. No attachments in EN can be encrypted. Onenote encrypts anything in the section you protect

Share this post


Link to post
2 hours ago, why? said:

EN's security seems somewhat behind Microsoft's. Whereas there may be benign data, I believe that to be minuscule. I can understand that a web designer's portfolio or coder's code, may be benign, or perhaps a class's teaching material or a company's standard documentation. My difficulty is that with each passing year there are more companies being hacked and security is becoming a big issue. It's all well and good for EN to say you, the user, are responsible, but then they should stop telling you to put everything in it, that in my opinion is irresponsible.

If you are offering a service for people to put everything in then you should jolly well make sure everything is going to be secure. If you cannot do that then there should be a prominent section in the documentation, website and purchase page, highlighting what you should not store in EN. EN has a far better handle on security issues than most users. That doesn't absolve them, but places a responsibility on EN to make sure they understand. And not in some policies hidden under piles of other policies.

I would love to see legislation change to make the companies responsible. Banks are responsible for my money. If it gets stolen they are held to account. This is why they have high levels of security. Information, it could be argued, is a lot more valuable than money and perhaps it's time companies like EN treated it as such. If they did, then perhaps their users would too?

By the way, Onenote is in front of EN in terms of security. The ability to protect whole sections is excellent. Also, EN only encrypts text, this is a massive short-coming. No attachments in EN can be encrypted. Onenote encrypts anything in the section you protect

i don't know about legislation (users who are interested might want to visit the eff site), but the app is what it is, and i doubt there is much incentive for evernote to spotlight its weak points, so i don't expect that will happen. the security situation is fairly easy to ascertain by googling a bit. 

 

as for microsoft, i am not convinced yet about how secure its products really are, especially after the snowden leaks revealed its complicity in giving out our data by opening up skype, bypassing encryption, etc. and, of course, they also spied on their own users in the past (hotmail). the news today is that democratic presidential candidates are even avoiding its free software offers because they don't trust it. i mentioned onenote as an option, but i can't recommend it to anyone who is concerned about security. it could just be my ignorance or paranoia, of course...

 

 

  • Like 1

Share this post


Link to post
2 hours ago, why? said:

Also, EN only encrypts text, this is a massive short-coming.

In all this discussion, that's the point that I strongly agree with.
I feel it's my choice/responsibility to encrypt my data, but it bothers me that Evernote only goes halfway on this.
I looked at external products (example Saferoom) but the result is less functional.
 

Share this post


Link to post
4 minutes ago, GrumpyMonkey said:

i don't know about legislation (users who are interested might want to visit the eff site), but the app is what it is, and i doubt there is much incentive for evernote to spotlight its weak points, so i don't expect that will happen. the security situation is fairly easy to ascertain by googling a bit. 

as for microsoft, i am not convinced yet about how secure its products really are, especially after the snowden leaks revealed its complicity in giving out our data by opening up skype, bypassing encryption, etc. and, of course, they also spied on their own users in the past (hotmail). the news today is that democratic presidential candidates are even avoiding its free software offers because they don't trust it. i mentioned onenote as an option, but i can't recommend it to anyone who is concerned about security. it could just be my ignorance or paranoia, of course...

 

 

But isn't that a slightly different issue? You're talking about Microsoft being duplicitous. Those accusations could be made against every large conglomerate from Apple to EN. They may well offer encryption that they have a back door to. However, should sensitive work data be stolen in such a manner, I would be absolved for having used reasonable precautions in securing my data. 'Reasonable precautions' does not include duplicitous companies, or no one would be able to store their data anywhere. At face value, Onenote can encrypt an entire section. This data is encrypted on their servers and I have the password. If MS has a backdoor, that cannot be catered for. If MS does have a backdoor then they have been deceptive. Their documentation in Onenote states:

Quote

WARNING   Choose and type your passwords carefully. If you forget your password, no one will be able to unlock your notes for you — not even Microsoft Technical Support. Write down your passwords and keep them in a safe place if you think you may not be able to remember them.

If MS is duplicitous, then I suspect so are the rest. The PRISM programme was connected with all the big companies.

My main concern is with the data on their servers and in Onenote it appears that it is encrypted with my password which is needed to access the data. Anyone hacking their servers still needs that password. This in my book is pretty good security. EN only offers this for text, whereas MS offers this for all information in the secured section.

Share this post


Link to post
4 minutes ago, GrumpyMonkey said:

i don't know about legislation (users who are interested might want to visit the eff site), but the app is what it is, and i doubt there is much incentive for evernote to spotlight its weak points, so i don't expect that will happen. the security situation is fairly easy to ascertain by googling a bit. 

as for microsoft, i am not convinced yet about how secure its products really are, especially after the snowden leaks revealed its complicity in giving out our data by opening up skype, bypassing encryption, etc. and, of course, they also spied on their own users in the past (hotmail). the news today is that democratic presidential candidates are even avoiding its free software offers because they don't trust it. i mentioned onenote as an option, but i can't recommend it to anyone who is concerned about security. it could just be my ignorance or paranoia, of course...

 

 

But isn't that a slightly different issue? You're talking about Microsoft being duplicitous. Those accusations could be made against every large conglomerate from Apple to EN. They may well offer encryption that they have a back door to. However, should sensitive work data be stolen in such a manner, I would be absolved for having used reasonable precautions in securing my data. 'Reasonable precautions' does not include duplicitous companies, or no one would be able to store their data anywhere. At face value, Onenote can encrypt an entire section. This data is encrypted on their servers and I have the password. If MS has a backdoor, that cannot be catered for. If MS does have a backdoor then they have been deceptive. Their documentation in Onenote states:

Quote

WARNING   Choose and type your passwords carefully. If you forget your password, no one will be able to unlock your notes for you — not even Microsoft Technical Support. Write down your passwords and keep them in a safe place if you think you may not be able to remember them.

If MS is duplicitous, then I suspect so are the rest. The PRISM programme was connected with all the big companies.

My main concern is with the data on their servers and in Onenote it appears that it is encrypted with my password which is needed to access the data. Anyone hacking their servers still needs that password. This in my book is pretty good security. EN only offers this for text, whereas MS offers this for all information in the secured section.

Share this post


Link to post

Sorry for the duplicate content, but this is not my doing. There is something seriously wrong with this forum. Constantly getting errors. I submitted once and an error message appeared. I then pressed back and found the post on twice. Cannot seem to delete the duplicate post either.

Share this post


Link to post

i figure that if data gets out, that's a failure, whatever the reason, though you are correct that i would probably not be exposing myself to risk of litigation or anything like that. it appears from the documentation mentioned that ms is using zero-knowledge encryption, which is great news. however, they do the same thing with the encryption of your hard drive while sending the encryption key to headquarters. bad news. they've got such a spotty record, it is difficult for me to trust them. it would be nice if this was the beginning of a new attitude towards security for ms. 

 

at any rate, it is pretty clear from evernote's competitors (devonthink, voodoopad, onenote, etc.) that encryption is technically feasible. this suggests that evernote has other reasons for not implementing it at the note or notebook level.

  • Like 1

Share this post


Link to post
3 hours ago, GrumpyMonkey said:

it appears from the documentation mentioned that ms is using zero-knowledge encryption, which is great news. however, they do the same thing with the encryption of your hard drive while sending the encryption key to headquarters. bad news.

Are you referring to Bitlocker? Microsoft has Bitlocker users' encryption keys? That's crazy! 

Share this post


Link to post
11 hours ago, tavor said:

Are you referring to Bitlocker? Microsoft has Bitlocker users' encryption keys? That's crazy! 

yeah. this is the kind of stuff microsoft does that makes me question their commitment to customer privacy / security.

http://arstechnica.com/information-technology/2015/12/microsoft-may-have-your-encryption-key-heres-how-to-take-it-back/

why they would do such a boneheaded thing is beyond me, but it might have something to do with fears about users losing their own keys or concerns about answering government demands to unlock devices. in contrast, apple gives you the option (in a popup) of sending your data if you want. otherwise, apple says it doesn't know how to unlock your devices, and it doesn't care what is in them, because it is your stuff. nice. if you are going to do encryption, then you ought to do it right like this.

my hope is that evernote will someday follow apple's lead, offer zero-knowledge encryption of notebooks, and just be done with it.

 

 

7 hours ago, GrumpyMonkey said:

yeah. this is the kind of stuff microsoft does that makes me question their commitment to customer privacy / security.

http://arstechnica.com/information-technology/2015/12/microsoft-may-have-your-encryption-key-heres-how-to-take-it-back/

why they would do such a boneheaded thing is beyond me, but it might have something to do with fears about users losing their own keys or concerns about answering government demands to unlock devices. in contrast, apple gives you the option (in a popup) of sending your data if you want. otherwise, apple says it doesn't know how to unlock your devices, and it doesn't care what is in them, because it is your stuff. nice. if you are going to do encryption, then you ought to do it right like this.

my hope is that evernote will someday follow apple's lead, offer zero-knowledge encryption of notebooks, and just be done with it.

Yeah, between stuff like this and the very limited opt outs of Windows 10's data collection on users, I think I'm done with Microsoft once Windows 7 is obsolete.


Voicing my support.

Just started using Evernote and have received a one year premium membership. It looks very nice in both OSX and iOS.

Had used Onenote for some weeks before and previously Simplenote, which is limited to text.

Would love to see Evernote getting end to end encryption, at least optional, so that I can store all my documents in it. I don't need a web interface. As it stands I'm not comfortable using Evernote to store all my documents.

On May 30, 2016 at 3:47 AM, dangerstranger said:

Voicing my support.

Just started using Evernote and have received a one year premium membership. It looks very nice in both OSX and iOS.

Had used Onenote for some weeks before and previously Simplenote, which is limited to text.

Would love to see Evernote getting end to end encryption, at least optional, so that I can store all my documents in it. I don't need a web interface. As it stands I'm not comfortable using Evernote to store all my documents.

Welcome to Evernote! It is a great service, in many regards, but security is not one of them, I am afraid. Without encryption, it has now fallen behind Apple Notes (one touch encryption), OneNote (notebook sections), VoodooPad (abandonware that still has better encryption), DEVONthink (encryption / secure wifi sync), and Dropbox (encrypted data at rest, but they have the key, so only for decorative purposes, but at least it is something). I used to say that Evernote had security comparable to that offered by other cloud products, but that cannot be said anymore. 

Evernote has a lot going for it in terms of security, with two-factor encryption and its own servers, but this last step of giving the user complete control over the security of their data has not yet been taken. Perhaps 2016 will be the year? It'd be nice to see.

Link to post

I would agree with GrumpyMonkey. EN is way behind in terms of security. For this reason I have now abandoned it, even though I still have a paid subscription. I keep checking back hoping they'll see the light. However, the longer they wait the more people will abandon ship; well, those who care about their data!

Voodoopad 5 is not yet Abandonware. An update was released Dec 2015. I'm hoping they'll release a version six soon.

I've been beta testing the new Devonthink Go 2 iOS app and it's fantastic. It securely syncs all your data to iOS. You can use their cloud, but I'm avoiding cloud storage without a clear zero-knowledge encryption.

If you're new to EN, then I would encourage you to think clearly about what you're using EN for. It's great for many things, but not personal or sensitive data. If you need secure data then GrumpyMonkey has listed some good alternatives.


For Mac and iPad Users:

If you want a PIM (Personal Information Manager) now that supports AES-256 encryption, check out Yojimbo:

Quote

Industrial Strength Encryption

Yojimbo helps you protect the privacy of your sensitive information, by providing easy to use encryption. This encryption is used automatically for Password items, and you may also choose to use it (on a per-item basis) for Notes, Images, PDFs, and Web Archives.

Yojimbo uses the Advanced Encryption Standard (US FIPS PUB 197) algorithm, with a 256-bit key (AES-256).

According to the Committee on National Security Systems:

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.

Download the complete report here.

You can encrypt any item other than a Bookmark or Serial Number with a single click on the Encrypt button. (Yojimbo encrypts Passwords by default.)

I am evaluating Yojimbo now.


Yojimbo is pretty cool. And, I am a huge fan of BareBones -- longtime user of BBEdit. However, I think DEVONthink is going to be the superior solution if you are looking for encryption on both OSX and iOS, because Yojimbo on iOS (last I checked) is read-only, so it is of limited value. It's nothing to sneeze at -- syncing effortlessly and securely on your home network instead of the cloud is a big deal. But, DEVONthink already does that, plus a lot more. I like both apps for different reasons, and I am glad they are both around -- hopefully Evernote will join the growing ranks of apps (many of their competitors) that support encryption.

VoodooPad's last update, if I recall correctly, was a fix to broken encryption. It may have involved a herculean effort on the back end, but the consumer experience remains unchanged, iOS remains stuck years in the past, and the Dropbox syncing is rather fickle -- last I used it I lost data. I don't think a maintenance update every year or two really counts as active support (take a look at the forums for a sense of how much talking is going on about it). I think it is abandonware, I am afraid, but I hope Plausible Labs proves me wrong. Still, it does kind of work, especially if you are just on OSX, and it still does a lot of stuff better than anyone else. I will note that DEVONthink has similar (better, in my opinion) linking capabilities.

DEVONthink To Go (the iOS version) is amazing, and it is great to see it nearing release to the general public. I think Evernote has a pretty strong lock on a huge swath of this market, and I doubt they are quaking in their Birkenstocks, but it would be very, very difficult to say that they are the industry leader anymore, certainly not in terms of security. I really think they dropped the ball (many years ago) on this, but it is still there, waiting to be picked up again if they are willing to make a real commitment to securing customer data.
