Jump to content
Billm

Are you sending our data to the NSA?

Recommended Posts

I don't want a boiler plate answer like "We comply with the law".  I want to know point blank, yes or no, have you sent any of our data to the NSA?

Share this post


Link to post

Yes, of course they are, just like all software providers.   :D

 

Sorry.  Hope you get the sarcasm.

 

There is a very old rule about security, that is often overlooked by the "smartest" people:

Don't put anything on a network, or in the Cloud that you don't want someone else to know.

  • Like 2

Share this post


Link to post

I don't want a boiler plate answer like "We comply with the law".  I want to know point blank, yes or no, have you sent any of our data to the NSA?

If they were, they couldn't tell you, because they would be legally obligated to keep the information confidential.

https://www.eff.org/deeplinks/2015/03/government-clarifies-its-stance-nsl-gag-orders

If they weren't, the NSA could probably still intercept the data and access it.

http://www.zdnet.com/article/how-the-nsa-and-your-boss-can-intercept-and-break-ssl/

We do know that the CEO is in favor of some points raised by the Apple CEO about policies. And, we know he was planning to roll out "sexy" encryption at one point. Both of these are great, but in practice, we are still in the same state of vulnerability as we were when the Snowden leaks occurred.

http://www.cnbc.com/id/102730801

You can use third-party apps to encrypt your Evernote data (Saferoom is the only one out there doing this).

https://discussion.evernote.com/topic/81336-saferoom-zero-knowledge-encryption-for-evernote-and-more/

You can use local notebooks.

http://www.christopher-mayo.com/?p=425

Or, you can use other apps that provide encryption.

www.christopher-mayo.com/?p=1605

There isn't much out there at the moment, though, that will make it completely convenient and reliable. DEVONthink is almost there with encryption for its databases (the password still needs to be encrypted, but we're edging closer). OneNote has encrypted sections, though Microsoft still holds the keys. Things are improving :) If Evernote ever decides to implement zero-knowledge encrypted notebooks, we'll finally be in secure (relatively speaking) territory.

  • Like 5

Share this post


Link to post

Please see the thread I've recently opened. There are issues that Evernote has not been held accountable for. It would help for many to gain interest in making Evernote comply. A formal complaint has been filed and they have two weeks to reply with a solution. If such solution has not been reached, further action will be taken. For now the interest of the general subscriber base will be largely helpful in seeking the solution. 

 

https://discussion.evernote.com/topic/86218-evernotes-violation-of-california-law/

Share this post


Link to post

Yawn.....

Seriously, the law is pretty clear, if you store your stuff in the cloud there is very little that the company that you choose can actually do if the evil government decide that they want to see it.

If you don't like this then don't use a cloud service.

  • Like 2

Share this post


Link to post

Yep... And then there's this: don't put any incriminating material into your Evernote account. Do you have any material that could put you behind bars? The NSA is most likely not interested in your web clippings nor your business plans.

It's like the student who asked Siri on his iPhone, "Where to hide body?". Not very smart.

Share this post


Link to post

the dead body / asking siri thing is an urban myth, i'm afraid, but a good point.

i'm concerned about more mundane things. when you deal with your confidential data, or third party data you are obligated to keep confidential, having anyone hack your account (nsa or otherwise) is bad. remember, once it's out, it doesn't matter what the nsa wanted with it, when (not if) they're hacked, everyone else has it as well (snowden or other hackers people suspect already got into top secret files). even innocuous data can be valuable when combined with other data that has been vacuumed up.

this is a long way of saying that if you put it on the cloud unencrypted, consider it public, and when you think of the potential problems that might ensue if it was made public, multiply that by ten or more. your dog's name? no problem, you think. your dog's name as the answer to a password prompt? big problem. remember, the nsa is also building a database of our passwords. sad, but true.

as for the legal thing about customer support, i'd like better support as well, but the protest / lawsuit thingy doesn't seem to have legs. i don't think evernote is doing anything wrong. they're fine. i wish they'd do more, of course, with encryption, but that's just another user request, not a question about the lawfulness of the service.

  • Like 1

Share this post


Link to post

the dead body / asking siri thing is an urban myth, i'm afraid, but a good point.

 

http://www.dailymail.co.uk/news/article-2723786/College-student-accused-murder-asked-Siri-hide-body.html

 

"'Siri, I need to hide my roommate': College student accused of killing his friend in love triangle 'asked his phone where to put the body' the day the man went missing"
 
1407928162027_wps_35_Siri.jpg?dl=1

Share this post


Link to post

the dead body / asking siri thing is an urban myth, i'm afraid, but a good point.

 

http://www.dailymail.co.uk/news/article-2723786/College-student-accused-murder-asked-Siri-hide-body.html

 

"'Siri, I need to hide my roommate': College student accused of killing his friend in love triangle 'asked his phone where to put the body' the day the man went missing"

 

1407928162027_wps_35_Siri.jpg?dl=1

urban myth.

http://gawker.com/prosecutors-murder-suspect-asked-siri-where-to-hide-ro-1620972731

Share this post


Link to post

And OJ is innocent.

Ouch! Poor guy, to get lumped in with OJ. I think it isn't about overall innocence or guilt here, but whether this evidence is accurate or not. It's a little different than the gloves.

Let's pretend that he did it, though, and asked his phone about how to commit a crime, something not too different than googling it in a browser (see the AOL data dump for some pretty egregious privacy violations in this regard). Here is my problem with it: why should a regular citizen's activity be under surveillance at all? Why shouldn't we expect our private information to stay safe? Those are rhetorical questions.

For some reason, when I do anything using dead tree products, I'm protected from illegal search and seizure under the fourth amendment, but when I use digital products, I am not. People who are clumsy in their use of electronic media are not stupid, but just assuming the rules are the same, as the rules ought to be. Of course, I'm not condoning murder or other criminal activity, but I also don't think we want to live in a Minority Report world, where we have lost all of our privacy, and our guilt is assumed by some algorithm somewhere. My data is dull for anyone not interested in sixteenth century japan, but the data is mine, and i am not willing to allow strangers to wander through it.

The best everyone can do is to encrypt their data before uploading it onto a third-party server, and hope that Evernote decides someday to introduce more robust protections.

  • Like 3

Share this post


Link to post

. . . why should a regular citizen's activity be under surveillance at all? Why shouldn't we expect our private information to stay safe? Those are rhetorical questions.

For some reason, when I do anything using dead tree products, I'm protected from illegal search and seizure under the fourth amendment, but when I use digital products, I am not. People who are clumsy in their use of electronic media are not stupid, but just assuming the rules are the same, as the rules ought to be. Of course, I'm not condoning murder or other criminal activity, but I also don't think we want to live in a Minority Report world, where we have lost all of our privacy, and our guilt is assumed by some algorithm somewhere. 

 

@GM, I couldn't agree with you more in the above statements.

 

This, plus the following make me very concerned about the U.S. being headed towards becoming a police state:

  1. A person, including U.S. citizens, suddenly looses all their constitutional rights as soon as some unknown person in one of the many U.S. police agencies declares that person a possible or potential "terrorist", all without the benefit of any court or judicial review.
  2. Although I understand the potential benefit of this, the "See something, say something" campaign is moving too close to similar tactics employed by, and I really hate to say this,  N a z i   Germany.
    1. Actual crimes that are observed should be reported
    2. Reporting of any suspicious (meaning the intent is unknown to the person making the report) behavior can quickly lead to devastation of innocent lives, maybe intentional (to punish one's enemies, or gain favor with the state).
    3. It has its benefits (preventing actual terrorist acts), but can easily be abused.
    4. All too quickly "suspicious behavior" can become anything that the state doesn't like.
  • Like 1

Share this post


Link to post

I don't know about comparisons with ***** (apparently, the nanny software thinks historical terms are naughty -- I have to write Drittes Reich?) Germany, but I think the combination of narcissistic nationalism ("[t]he U.S. is the greatest, best country God has ever given man on the face of the earth") and fear ("see something, say something") in America at the moment is making it difficult for us to come to a reasonable, and I think healthy, way of handling privacy.

 

Some people say that if you are not doing something wrong, you have nothing to worry about, but that assumes everyone in government is unlike the rest of humanity, and they never abuse their authority / power. It assumes everyone in companies are unlike the rest of humanity, and they never abuse their authority / power. And, it assumes that all laws are just, even when we know they clearly are not. It's a big topic where there is plenty of room for reasonable people to disagree.

 

But, one thing that I think would go a long way towards a solution is to encrypt everything. If Evernote gives us the tools to make our own decisions about the level of privacy we want to maintain, then everyone (except for the FBI) is happy. At the moment, there is no law stopping EN from encrypting everything and saying to the NSA or other hackers that they just don't have any idea what is inside their servers. No one can read it except the owners of the data and super hackers (the NSA and others who have the know-how and resources to spend on breaking encryption). This is how SpiderOak and other zero-knowledge cloud services work. It's not perfect, but it is a pretty good start. There are technical challenges, to be sure, but I think that (judging by the fact that others have succeeded) Evernote could overcome them. If they wanted to.

 

Perhaps a new CEO will give it a push in this direction. Apple is doing a fantastic job with its devices (sadly, though, iCloud only has 128-bit encryption and the keys are stored by Apple), and other Silicon Valley companies might find it easier now to follow suit.

  • Like 2

Share this post


Link to post

Some people say that if you are not doing something wrong, you have nothing to worry about, but that assumes everyone in government is unlike the rest of humanity, and they never abuse their authority / power. It assumes everyone in companies are unlike the rest of humanity, and they never abuse their authority / power. And, it assumes that all laws are just, even when we know they clearly are not. It's a big topic where there is plenty of room for reasonable people to disagree.

 

Having been around during the Nixon era (just graduated college), and then an avid reader of Nixon related books, the real potential for abuse of power has been permanently imprinted in me.  And then there is the case where the American people, and Congress, were grossly mislead into a war (Iraq) that has cost us over 4,500 U.S. lives, hundreds of thousands of Iraq lives, and over $2T (and growing) in U.S. costs.  It is hard to say how much of the misleading was intentional (and by whom), and how much was ignorance and poor evaluation/planning.  IAC, it has led to a large mistrust of the U.S. government, both in the U.S. and abroad.

 

In recent years, the number of people who were innocent but falsely incarcerated, and even put to death, found by the Innocence Project has reinforced this mistrust of authority.  And then, there was the finding that in my own cherished state and city, the Houston Police Crime lab was horribly biased and gave false testimony on DNA results.  This has really given rise to question the proclamations of all law enforcement.  Further, there have been too many cases exposed where the District Attorney is more interested in getting a conviction (any conviction) than in ensuring that justice is done and the real criminal is prosecuted.

 

The U.S. was founded to free us from the bonds of tyranny by the government.  We must never forget this.

 

As good ole Ben said:

 

“Those who surrender freedom for security will not have, nor do they deserve, either one.”

Share this post


Link to post

Good points, and just about everything is political in some way, but bringing the conversation back to Evernote and its policies, I think we also ought to be cognizant of the potential for abuse of our data by companies (not just governments), intentional or not.

I think encryption actually insulates Evernote from several problems. First, the next time they are hacked, the hackers will not get away with everything in plain text -- it will at least have some protections, even if encryption isn't 100% secure. Second, if they do get a request from a government agency, they can say (in all honesty) that they simply don't know what is on their servers, thereby alleviating the concerns of the security/privacy-conscious. Third, it is much less likely that an employee will be able to do anything unethical (a common problem at any company / institution dealing with customer data). Fourth, educators, doctors, lawyers, and businesses legally obligated to secure data that comes into their hands will be able to use Evernote without exposing themselves (or their clients/customers/students) to risks.

The only people who lose out in this are the developers, who have to rewrite each client. However, I think the extra effort would be worth it, and it would position Evernote ahead of its competitors in this space.

  • Like 1

Share this post


Link to post

Microsoft to hide European data from the NSA with new German datacenters

http://betanews.com/2015/11/11/microsoft-to-hide-european-data-from-the-nsa-with-new-german-datacenters/

 

A good reason to switch to OneNote?

not exactly. first of all, you will have to move to europe to take advantage of it. perhaps a vpn routed through germany might do the trick. then, you have to consider the fact that two companies would now be holding your data, so you've doubled the points of access. finally, the nsa and other security agencies routinely share data.

onenote does offer encryption (i think it is zero knowledge, but don't use it, so don't know for sure). this may be the most compelling reason to use it, because no matter what data center it ends up in, your data will probably be more difficult to access without your permission.

Share this post


Link to post

×
×
  • Create New...