How secure is Evernote?
I’ve been using Evernote for about six months now and have gradually graduated from “What is this for exactly?” to “How did I live without it?”… I became an Evernote Premium member in December and have never looked back.
Once I twigged that Evernote could do more for me than simply clipping interesting websites I have to confess I went a little bit crazy…over the course of a few weeks I uploaded as many documents as I could lay my hands on including birth certificates, passports, bank statements and the like. It wasn’t until I ran out of steam that I started to ask myself – Is it safe for me to store all this in the Cloud?
Being a curious creature I started to research the subject, and there doesn’t appear to be a definitive answer out there. Some people seem to put full faith in Evernote whilst others wouldn’t scan sensitive documents at all. I thought I’d outline some key considerations and options, based on how nervous you are about relinquishing control over your sensitive documents.
Q. Who can see my notes?
A. The official answer to this is “only you, except for shared notebooks.” Evernote’s Privacy statement states that:
“As a rule, Evernote employees do not monitor or view your personal information or Content stored in the Service, but it may be viewed if we believe our Terms of Service have been violated and confirmation is required, if we need to do so in order to respond to your requests for user support, or we otherwise determine that we have an obligation to review it as described in our Terms of Service.” Your Notes also may be viewed where necessary to protect the rights, property or personal safety of Evernote and its users, or in order to comply with our legal obligations, such as responding to warrants, court orders or other legal process.
I think it’s safe to assume that at some point your notebooks will be accessed by someone within Evernote and that if you were subject to a legal or criminal investigation your notes could be subpoenaed. How vigorously Evernote would challenge such a request is unclear. If you’re concerned about storing particular documents in the cloud, you may want to consider using offline notebooks for sensitive documents (a Premium member feature).
Recommendation – Do not store sensitive data in shared notebooks, and don’t log anything in Evernote you wouldn’t be happy for your mum to see on the evening news.
Q. How secure is my data?
A. An unscientific response would be “pretty secure”. Evernote points out that your password is encrypted and that various physical and electronic protections (they don’t specify the exact mechanisms, or the encryption standards used) are placed upon the servers used to store your data. One interesting point to note for non-US residents is that your data will be stored physically in the US and therefore subject to US data protection laws, which may be less stringent than those in your native country.
One consideration for users of the Evernote apps is that local copies of notes may not be as secure if you do not have adequate encryption. I would recommend using FileVault for your Mac and ensuring you have a PIN set up on your iPhone (which encrypts the phone contents by default) to ensure that the data stored locally by your apps is encrypted (sorry Windows users, you’re on your own for a solution).
There are ways to encrypt specific notes – see How to Encrypt Evernote on a Mac – but I prefer to stick with a global solution.
Recommendation – Ensure your local disks/phone have adequate encryption and set a PIN for your Evernote app(s) (Premium feature).
On the whole I think it’s sensible to take a moderate view on what you send to the cloud in Evernote, and for those documents that are more sensitive consider either keeping them in an offline notebook on an encrypted volume, or encrypting the document itself before you attach it to your note. For the time being I am keeping all my bank statements, tax documents etc. in an offline notebook called “private home documents” on my FileVault-encrypted MacBook.
N.B. If, like me, you are using a cloud-based backup like CrashPlan then you are already trusting any secure documents on your computer to a cloud-based service. You may feel that a company like CrashPlan will have more robust security protocols in place (I have no evidence to support or refute such an assumption).
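One way to do the "encrypt the document itself before you attach it" step, as an added example that is not part of the original post. It assumes the `openssl` command-line tool (1.1.1 or later) is installed; the function names and the `NOTE_PASSPHRASE` variable are names chosen for this example.

```shell
#!/bin/sh
# Added example: encrypt a document locally, then attach only the .enc file.
# The passphrase is read from the exported environment variable
# NOTE_PASSPHRASE (example name) so it never appears on the command line.

# Shared cipher settings: AES-256-CBC, key derived with PBKDF2-HMAC-SHA256.
# Note: `openssl enc` gives confidentiality only; it does not authenticate
# the ciphertext, so keep your own copy or checksum of the original.
CIPHER_OPTS="-aes-256-cbc -pbkdf2 -md sha256 -iter 600000"

# decrypt_download SRC DEST: recover the plaintext from an encrypted file.
decrypt_download() {
    openssl enc -d $CIPHER_OPTS -in "$1" -out "$2" -pass env:NOTE_PASSPHRASE
}

# encrypt_for_upload SRC DEST: encrypt SRC into DEST, then prove that DEST
# decrypts back to the same bytes before reporting success.
encrypt_for_upload() {
    local src="$1" dest="$2" check
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    [ -n "${NOTE_PASSPHRASE:-}" ] || { echo "NOTE_PASSPHRASE not set" >&2; return 1; }

    # -salt adds a random salt, so the same file encrypts differently each time.
    openssl enc $CIPHER_OPTS -salt -in "$src" -out "$dest" \
        -pass env:NOTE_PASSPHRASE || return 1

    # Round-trip check: never rely on an encrypted copy you have not decrypted.
    check=$(mktemp) || return 1
    if decrypt_download "$dest" "$check" && cmp -s "$src" "$check"; then
        rm -f "$check"
        return 0
    fi
    rm -f "$check" "$dest"   # a failed check leaves no half-written output
    return 1
}

# Stand-alone use: sh encrypt-note.sh statement.pdf statement.pdf.enc
if [ "$#" -eq 2 ]; then
    encrypt_for_upload "$1" "$2"
fi
```

Whoever holds the passphrase can read the file, so store it somewhere other than the note the encrypted file is attached to.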