Starting Next Year, Evernote Employees Could Access Your Unencrypted Notes

Mark Wilson, reporting for BetaNews: Evernote has published an update to its Privacy Policy, revealing that as of 23 January 2017, employees will be able to access unencrypted notes. The change is being wheeled in because of the apparent failings of machine learning. Perhaps more worrying is the fact that Evernote says that it is not possible to opt out of having employees possibly accessing your unencrypted notes. The only way to fully protect your privacy is to delete all your notes and close your Evernote account. The update to the Privacy Policy starts off sounding fairly innocuous: "The latest update to the Privacy Policy allows some Evernote employees to exercise oversight of machine learning technologies applied to account content, subject to the limits described below, for the purposes of developing and improving the Evernote service."

Re:

[Z00L00K]

And then fill in a lot of notes with cryptic texts and obscure web addresses that don't lead anywhere.

Re:

[beastofburdon]

And the occasional RickRoll.

RIP

[Anonymous Coward]

RIP Evernote!

Re:

[pr0fessor]

as if anyone ever read privacy policies...

Re:RIP

[zopper]

The article is FUD. If any of you really read the change directly from Evernote... "If you want to opt out, you can do so in your account settings, and our engineers won't look at your data to improve the service." Evernote clearly states you CAN OPT OUT and the only thing you loose is the machine learning thing. So everything is going to be like now for you.

It still seems VERY abusive to me.

[Futurepower(R)]

They know most people won't understand that.

Re:

[Darinbob]

Why not encrypt the notes? People are suddenly amazed and shocked that when they put unecrypted data into the "cloud" that other people can look at it? This is not the 90s with noobs on AOL, we should all be assuming that the internet is a dangerous minefield and to tread slowly and carefully while there.

Cloud services should be renamed

[QuietLagoon]

Maybe a better name would be Looking Glass services.

Re:

[Anonymous Coward]

That's exactly right. As we see, any promises made in the terms of service and privacy policies aren't worth the electrons they're written on and we should have no expectation of privacy in our cloud accounts.

We, the consumer, are just cattle to be exploited.

Re:

[Anonymous Coward]

What you fail to understand is that YOU are not the actual customer.

If you are not paying for the service -- and I mean REALLY paying for it, as in "paying your full share of the actual cost of providing the service to you" -- then you are NOT the customer. You are the PRODUCT, which is being sold to whoever IS paying for the cost of providing the service. What, did you think Evernote, Twitter, Facebook, etc. were charitable non-profit organizations or something? You really think they're somehow obligate

Re:

[mlts]

I was paying for it, mainly so I can use multiple devices and upload larger documents. Keyword is "was". At least exporting your stuff isn't too hard (install their app, dump your notebooks, delete, flush trash can.)

Wish there is something for Android that would store notes locally and sync them to one's own Dropbox, GDrive, or other account, preferably encrypted... only thing it seems that does is Apple's Notes app.

Re:

[skegg]

I used to use MyPhoneExplorer [google.com] to sync my Android phone with my Windows desktop. There's a corresponding desktop client [fjsoft.at]. Worked very well.

You could then use something like Duplicati [duplicati.com] to sync with a cloud provider. I use it to backup to my own server over SSH.

Re:

[AmiMoJo]

dump your notebooks, delete, flush trash can

Dude... That's... That's not the trashcan. No wonder it's always blocked.

Re:

[QuietLagoon]

...You are the PRODUCT, which is being sold ...

That is the business model that was used by print magazines. Subscription costs did not cover the cost of publishing, ad costs did. The purchasers of ad space were buying access to the eyeballs of the subscribers, and paying for the publication of the magazine.

Re:

[Applehu Akbar]

No, you're a user who is trading off a known amount - the amount being what you put into unencrypted Evernote - of privacy in return for free use of software.

Machine learning?

[Anonymous Coward]

What possible legitimate use have a company that is in the business of storring small text files on behalf of their customers of machine learning? None! That's all, they are not providing any other service nor their customers are asking them to!

Re:

[Desler]

It's a easy way to bilk VCs of money.

Re:

[AmiMoJo]

They are trying to complete with other providers of similar services, like Google Keep. They offer automatic transcription, so for example if you take a photo of a document or object with text on it, that text will be OCRed and make searchable.

To improve those services it is vital to have a large amount of test data. When the automated system makes a mistake it will need to be examined and corrected by a human, hence the need for staff to see user's data. In fact many other companies already do this, with v

What note solution?

[cfalcon]

This is stupid, of course, but what's the replacement?

I'd love a solution that could work on an Apple phone or a Linux box, and sync via a method that isn't viewable to naughty employees, as evernote is quickly becoming. Even throwing away the hard part of that requirement (Linux), what solutions are there really in this space?

Re: What note solution?

[Anonymous Coward]

After Evernote failed to fix some other issues earlier this year I switched to One Note and have been happy with it. Much better text editing and solid cross-platform support.

There isn't one online

[Overzeetop]

There isn't a single cloud service provider with both open source software and zero knowledge servers, so right off the bat you're looking at rolling your own if you want any semblance of privacy/security. If you're not hosting it, or didn't write (or at least fully audit) the pre-uploading encryption, what ever you choose will be no more secure than pinning your notes to the wall of the local courthouse. You could pay someone like Rackspace to make something from scratch for you, but unless you can audit t

Re:

[Darinbob]

Why not encrypt the data?

Re:

[Anonymous Coward]

One Note

Re:What note solution?

[110010001000]

There is a note solution I use called "Sticky"

add more hype please.

[zlives]

Cloud... Disrupted

Re:

[OhPlz]

The search feature is abysmally slow, and don't even get me started on the weak handwriting recognition!

Re:

[thegarbz]

I lost all my sticky notes when my house burnt down*.

* It didn't really but you're an idiot for suggesting sticky notes to people who specifically moved away from them with a better solution.

Re:What note solution?

[Quince alPillan]

Google Keep?

Re:

[perlancar]

Keep is fine, except that there is only a single level of undo. I've managed to lose my edits a couple of times because of this.

Re:What note solution?

[kaustik]

There is this [turtlapp.com]. Open source, encrypted, similar to Evernote. My concern is that I would dump all my data here and the kind folks running the project would move on to something else.

Another nice one :)

[Idisagree]

https://github.com/Laverna/lav... [github.com]

Laverna is a JavaScript note taking application with Markdown editor and encryption support. Consider it like open source alternative to Evernote. https://laverna.cc/index.html [laverna.cc]

Re:

[tattood]

You could always rent a small AWS instance and run your own turtl server [turtlapp.com].

Re:

[kaustik]

Perhaps you weren't able to read the actual announcement from Evernote. They state that employees WILL be manually reading the notes, in order to improve their machine learning capabilities.

These are human beings reading confidential material. Abuse is incredibly likely.

From the FAQ [evernote.com]:
"This is primarily to make sure that our machine learning technologies are working correctly, in order to surface the most relevant content and features to you. While our computer systems do a pretty good job, sometimes

Re:

[Unknown User]

If I didn't already own a notebook and a pencil, I would probably use a single text file on a shared free Mega disk and access it with Emacs.

Re:

[Just Some Guy]

I self-host. There are a couple of good options that way:

• If you have a Synology NAS, you can install Note Station [synology.com] which is basically Evernote but stored on your own server. It has nice (and free) iOS apps, and an Android app that I haven't used. There's no desktop app yet but it does have a nice web interface. This is probably the easiest drop-in replacement for Evernote - if you have a Synology.
• If you're in the Apple ecosystem, I love DEVONthink Pro Office [devontechnologies.com] (DTPO). It's not so much a note app as a persona

Re:

[bobm]

It appears that QNAP NAS also support note station. I haven't installed it yet but since I just deactivated my Evernote account I guess it's my next step.

I stopped paying for evernote when I had to do a restore and all of my notes went into one folder.

Since then I use a combination of Pocket and email, note perfect and hopefully Note Station will be a decent solution.

Re:

[Just Some Guy]

Give a shot. Worst case: you decide it sucks and continue looking for a good replacement. I still prefer DTPO, but if you already have the ability to run Note Station it's definitely worth a close look.

Re:

[CrashNBrn]

I researched this the last time Evernote bumped their prices by 40%+

Pim Software [google.com]

1. EssentialPIM – Personal Information Manager for Windows, iOS and Android [essentialpim.com]
2. Efficcess - Free Personal Information Manager (PIM) Software [efficcess.com]

Notes Organizer - Google Search [google.com]

1. Notes Organizer - The Official Home of AlfaPad - PIM [notes-organizer.com]
2. TreeDBNotes Free PIM, Notes organizer, Document manager software [mytreedb.com]
3. TreeDBNotes Pro: Personal Information Manager, Notes Organizer, Contact Manager, Password manager, Task manager [mytreedb.com]
4. Tree [dextronet.com]

Re:

[0100010001010011]

If you only need to save text, Self hosted Etherpad behind NGINX for authentication.

Re:

[Applehu Akbar]

"I'd love a solution that could work on an Apple phone..."

The aforementioned Notes app. You can sync the phone app data, should you use the dreaded Cloud, with Notes on your other Apple devices and computers.

Re:

[AmiMoJo]

OneNote isn't bad, and you can make it use a local file that you think sync manually (I use encrypted cloud storage with my own key). There are apps for Android and I think iOS, maybe even Windows Phone.

The companion Office Lens app is pretty good too. Photograph a sheet of paper, a book, a label or whatever and it will automatically neaten it up into a nice, perspective free scan and OCR it. There are other apps which claim to do the same, but they are not as good.

Well they made my decision for me

[Colin Castro]

"The only way to fully protect your privacy is to delete all your notes and close your Evernote account." Easy enough, but I'm confused about the encryption part, can they read those or are they saying it's hackable or that they have a key?

Re:Well they made my decision for me

[Overzeetop]

If you believe them - and since you can't audit their code personally you shouldn't - then they cannot decrypt your encrypted notes without brute forcing it. They claim not to store you key: https://help.evernote.com/hc/e... [evernote.com] You have to decide whether or not to believe them.

Re:

[mlts]

If one can get access to the notes via some recovery mechanism like an E-mail to an account, a SMS, or other means, then it isn't really secure encryption. With services like Hushmail, if you lose your password, you can reset your account... but you will lose all the contents.

Sounds fine to me

[Grishnakh]

I don't have a problem with this. If you don't like it, don't use Evernote.

I don't use Evernote, so it's not a problem for me.

Re:

[Grishnakh]

Exactly. Screw them. No one is forcing you to be an Evernote user, or a user of any cloud service for that matter. There's not even any kind of monopoly effect going on here; no one really *needs* Evernote, and there's a ton of competitors anyway.

People who continue to give their support to shitty companies like this is the whole reason these companies get away with their shenanigans.

The only good thing here is that their actions are being publicized here, so that interested customers can leave. We'll s

Re:

[fisted]

Starting next year, they MAY access your data. Prior to 23 January 2017, they COULD [] access your data.

FTFY. It's delusional to assume the people who run the damn service were somehow magically unable to access their own damn files.

Migration path?

[layabout]

I've tried Google keep, Microsoft one note, personal wikis but nothing seems to function as well as Evernote. The ability to access the same data, without explicit synchronization steps on tablet, phone, and laptop is a core value of Evernote. What's the alternative?

Re:

[spire3661]

You are trading security for convenience. The alternative is to do it the traditional way with pen, paper and a scanner attached to an open source computer/network None of these programs respect your privacy, at all, for even one second. I see no point in using them for anything

Re:

[Wraithlyn]

Check out Simplenote [simplenote.com].

If you just want text, it's perfect.

Re:

[irrational_design]

This looks good. The two main problems I see are 1. There isn't a way that I can see to group notes into "folders" and 2. There isn't a way that I can see to export/backup all of my notes (that is, I want a zip file of all of my notes in a non-proprietary text format).

Re:

[Bourdain]

(1) you could use tags if you want which would function as well if not better than folders

(2) the api seemingly allows one to export your notes pretty easily at least with the windows client (resophnotes)

I've been using simplenote for years with resophnotes as my primary client and it automatically syncs with my iOS version on my phone so I can research things in a pinch

I use it as a sort of knowledgebase where any individual idea or thing I'd want to come back to gets its own note (plus I have some s

Re:

[Anonymous Coward]

Keep does everything you're calling out as important. It's not as robust a product for sure, but it syncs great.

Re:

[Anonymous Coward]

I moved to ColorNote. Works well on Android. Encrypts before syncing to the cloud. The only drawback is that the sync function uses gmail or facebook authentication. Works very well for notes and lists. Permissions required are minimal. Can be downloaded from 3rd party apk sites or google market or windows market for w8.

http://www.androiddrawer.com/24549/download-colornote-notepad-notes-app-apk/

This is not true!

[Tommy Carpenter]

The article says "The only way to fully protect your privacy is to delete all your notes and close your Evernote account." Evernote comes with built in encryption, you just have to use it: https://help.evernote.com/hc/e... [evernote.com] Moreover, evernote warns you "WARNING: We do not store a copy of your encryption key. If it is forgotten by you, your note is lost forever". So it is NOT true what this article says!

Re:

[ColdWetDog]

Enter a passphrase into the form. You will need to enter this passphrase whenever you attempt to decrypt this text. Do not forget this passphrase because Evernote does not store this information anywhere.

Sounds really user friendly. Typing in a passphrase every time I want to read a note.

No thanks.

I liked Evernote in the beginning but they've been getting more and more obnoxious as time rolls on. Interstitial ads? On a paid subscription?

Bye.

Re:

[OrangeTide]

If a note is not encrypted you might as well assume it is being read by someone you don't know.
So I fail to see the BFD.

Re:

[The MAZZTer]

Sooo how exactly do you log into your Slashdot account again?

Re:

[Hognoxious]

evernote warns you "WARNING: We do not store a copy of your encryption key. If it is forgotten by you, your note is lost forever"

Well if that's what they say it must be true!

Re:

[OhHellWithIt]

TFA also says, in the quotation from the Evernote privacy policy, that customers can turn off the machine learning that is the reason for the employee access by disabling it in the account settings. I just did that with no problem at all.

If one is serious about security, though, then why would he/she trust any cloud provider's encryption?

Privacy policies

[jgullstr]

No need to read privacy policies. Just check "I agree" and go about your day.

Goodbye Evernote

[Ziest]

Just deleted my account.

Sync to your own Server or OwnCloud?

[Zombie Ryushu]

Is there a way the application can be reconfigured to talk to your own Domain Controllers or OwnCloud server?

2 devices

[irrational_design]

Ever since the recent change to only allowing two devices to access a free account I have been meaning to switch my notes. This is just accelerating that need.

the consumer cloud kinda sucks

[anthony_greer]

"Cloud" services can be done very securely, look at any number of business/enterprise services from MS, Amazon, Oracle, SAP or any of a dozen other vendors. Its sad that the consumer end of the cloud is such a joke security wise. look at the past few months, this and the the yshoo FBI search thing are great examples of how piss poor the consumer cloud is. It doesnt have to be this way. We need a secure consumer cloud.

Article is FUD

[asvravi]

I use Evernote software extensively. I actually took the time out to read both old and new privacy policies and their FAQ closely as soon as I got the email from Evernote.

The article and the Slashdot summary are, as usual, best described as FUD. They make it seem as if Evernote is compromising privacy and making it impossible to opt out of. Nothing can be farther from the truth. The change being made now is to include an additional reason for Evernote employees to access my notes - and that is to verify that the machine learning is working as intended. This change can be entirely opted out of by unchecking an option in the client. The thing that is not possible to opt out of is, other circumstances and reasons for which Evernote employees access my data, which was already in the old policy and continues unchanged in the new policy. That relates to things like legal obligations, troubleshooting, TOS violations and protecting users against malware etc, which are the norm at any service provider.

See for yourself under "Do Evernote Employees Access or Review My Notes?"
Old policy [evernote.com]
New policy [evernote.com]

In fact, Evernote has some of the the most transparent and clear privacy and security policies I have ever seen among online service providers.
1. It is in the form of Q & A
2. The crux of it is in the form of clear tables with "We collect" and "Why we collect it" columns.
3. It is very comprehensive, dealing with all imaginable aspects of privacy and security

Not only did Evernote provide a very clear update on the upcoming changes, they also allowed a well advertised opt-out (although an opt-in would have been better). They also have an 800 word FAQ to specifically clarify the changes and my options here [evernote.com]. They are also clear about not using my data for other purposes. From their 3 laws of data protection -

Our business model is old-fashioned: we only make money when you decide to pay us for a great product. This means that trust is our biggest asset and keeping your data private is fundamental

.
I couldn't have asked for anything better.

Re:

[LordWabbit2]

Which is an option you can choose as well, AND they don't keep a copy of your key, so they definitely cannot access it.

I wonder ...

[Alain Williams]

if this is a warning by subterfuge ... maybe someone at evernote has got fed up with the FBI/... demanding that customer notes be secretly turned over to them and added this to show that anything unencrypted should not be assumed to be private. Maybe/maybe-not.