Is Evernote Secure Enough for Client Data?

evernote_ipad_wallpaper
computer-security-guide-cover-2nd-ed

4-Step Computer Security Upgrade

Learn to encrypt your files, secure your computer when using public Wi-Fi, enable two-factor authentication, and use good passwords.

I love Evernote and I use it every day, but I am uncomfortable with the idea of using it for client data.

Related“The Evernote Q&A, Tips & Tricks Thread”

The other day on the Macs in Law Offices (MILO) group, someone said they were exploring using Evernote to manage client files. I responded that I do not think it is a good idea. Here are my two reasons:

  1. As far as I can tell (Evernote’s security page does not actually have any information about its security practices), Evernote does not encrypt data at rest. Anything you put into Evernote is stored unencrypted on Evernote’s servers.
  2. After reading Jason Kincaid’s blog post1 about Evernote’s bugs, I share his concern that “Evernote seems to be playing fast and loose with the data entrusted to it.”

In response, Rocket Matter‘s Larry Port reached out to Evernote’s head of security for a response.

Encryption at Rest

Here is what Evernote’s security chief had to say about encryption at rest:

We are not encrypting data at rest unless you manually encrypt selected text inside a note (http://evernote.com/contact/support/kb/#!/article/23480996). Encryption at rest is an answer to a different question depending on who you talk to. Some people want us to encrypt their data on the client to protect against data loss when their phone is stolen. Some want us to use it to protect against a server being stolen. One of the main reasons a service provider looks at encryption as a control is to protect against unauthorized physical access. Because we operate our own infrastructure in our own physically secure data center cage, we’ve mitigated much of that risk. We haven’t dismissed implementing encryption at rest and will continue to consider it when looking at ways to protect Evernote users’ data.

Our computing infrastructure is physically located inside dedicated cages in multiple data centers. We rely on those data centers to manage physical access controls and each one has a third party auditor attest to their ability to do so securely.

Here’s what I glean from that. Evernote has its servers in third-party data centers, where they are protected by a cage like this one. It sounds like the data center has the key to the cage and the responsibility for ensuring that only authorized people can get through the gate. Third-party auditors have attested to each data center’s physical access controls.

This requires a lot of trust in procedures and the willingness of third-party server admins to comply with those procedures.

However, if Evernote encrypted the data on those servers, it would still have all those physical access controls in place, but encryption would render the data on the servers pretty much useless to anyone who did get unauthorized access to them. With data encrypted at rest, you don’t have to worry as much about who might have physical access to Evernote’s servers, or how Evernote disposes of old hard drives.

To be fair, Evernote does let you encrypt portions of your notes. Just highlight what you want to encrypt, right-click, and select Encrypt Selected Text…. This works fine for one thing at a time, but it is obviously impractical for securing your notes in bulk.

Related“It’s Time for Lawyers to Re-Think the Cloud”

To put this in context, cloud storage providers like Dropbox mostly encrypt data at rest. This makes Dropbox objectively more secure than Evernote, yet many are still debating whether Dropbox is secure enough to store sensitive data. With Dropbox, the concern is mostly that Dropbox keeps the encryption key, which means some Dropbox employees could decrypt your data. There are fewer people to trust than with Evernote and its third-party data centers, but there are still some people you have to trust, in addition to any spy agencies who might take an interest in your clients or scoop up your data on a whim.

If you aren’t comfortable storing sensitive information in Dropbox without an extra layer of encryption, you definitely won’t want to use Evernote. Even if you are comfortable storing sensitive information in Dropbox, you might not want to do it in Evernote.

Playing Fast and Loose with Data

evernote

Is Evernote “playing fast and loose with the data entrusted to it,” as Kincaid alleges? That may be overstating it, but I don’t think Evernote is living up to the spirit of its “Your Data Is Protected” promise. Reading that statement, Evernote seems to see the issue as one of privacy, not security.

Evernote’s actual security practices don’t seem to reflect the concerns of a company that makes security a top priority. I don’t think there is a sensible argument that it is somehow more secure not to encrypt data at rest. It is just more convenient (and probably cheaper) for Evernote.

It also refused to implement two-factor authentication because it would be inconvenient. Evernote finally implemented two-factor authentication only after it was hacked.

The useless security page doesn’t help, either. Evernote could certainly tell users more about its security practices without compromising security. Saying nothing feels evasive, as if Evernote isn’t comfortable telling users what it is doing to protect their data.

Adding it up, I don’t come away with the impression that the security of users’ data is a top priority at Evernote. While Evernote is obviously not ignoring security entirely, I don’t think it is taking it all that seriously. So I do not store sensitive information in Evernote. Instead, I use it for stuff like lists of books I want to read, cases or law-review articles I want to hold onto, cocktail recipes, pictures of restaurants’ take-out menus, and CLE notes. I would like to use it for things like receipts and deposit slips and notes on client meetings, but I just don’t think they would be well-enough protected.

It is certainly possible I have gotten the wrong impression by reading the wrong things into Evernote’s statements and drawing the wrong conclusions from a few errors and omissions. You might very well have read the above and come to the opposite conclusion. If you do, I would be interested in reading your thoughts in the comments.

Securing Evernote

If you do decide to store client data or other sensitive information in Evernote, definitely follow the security chief’s advice, at a minimum:

We recommend that you enable 2-step verification to protect your account from hackers that may try to guess your password or phish you for it. Because your data also lives on the devices you sync it to, we recommend you make use of the security features available on your devices to protect it.

Also, make a habit of selectively encrypting any especially-sensitive information within your notes by using the Encrypt Selected Text… option. (This does not seem to work with images and attachments, however.)


  1. Damage-control response from Evernote CEO here

Subscribe

Get Lawyerist in Your Inbox, Daily

Current Articles
Current Lab Discussions
  • Thanks for posting this. I had wondered about the issue of security. I started to use evernote and had even set up a tickler in it although I found it cumbersome to use. Now I am using it primarily for office admin and for articles I want to read, books places to go, etc.
    While some rave about it, I don’t see a need to go outside of Word to take substantive work notes for projects, etc.

    • I generally take notes by hand, so Evernote is great for capturing those notes, especially since it does a pretty good job recognizing my handwriting.

      Of course, I don’t use it for notes that have sensitive data on them. Those get scanned to my Viivo-encrypted folders in Dropbox.

  • doug

    Where are the servers that Evernote uses to keep their customer’s files? Evernote is headquartered in California but they have an international market. I don’t mean what is the physical address, but in what country? If I missed this detail please forgive. In the event of a compromise or loss of information legal remedies can be cumbersome, expensive, and often impossible to pursue outside the U.S.

    • That information is not in my post, but it is in the (actually pretty readable) terms:

      Where Does My Data Go?
      The Evernote Service is available worldwide, but our data processing operations take place in the United States. If you use the Service, you acknowledge that you may be sending electronic communications (including your personal account information and Content), through computer networks owned by Evernote and third parties located in California and other locations in the United States and other countries. As a result, your use of the Service will likely result in interstate and possibly international data transmissions, and your use of the Service shall constitute your consent to permit such transmissions.

  • Christopher Anderson

    I believe this fits into a bigger discussion about whether lawyers should be using consumer-oriented tools to accomplish goals that have requirements that go beyond the needs of most consumers, i.e. our obligations, pursuant to the Rules of Professional Conduct for Safekeeping of our clients property (including information), and Confidentiality. You have illustrated some shortcomings we should be aware of through the example of Evernote, but we should be similarly concerned about other consumer-oriented services like DropBox, Google Docs/Drive, and others.

    These services Terms and Conditions, and Privacy Policiies are enough to make me steer clear, despite the “encrypted at rest” that Dropbox espouses (but which hasn’t stopped them from exposing customers’ data twice in the past two years.)

    I agree with you that having the company hold the encryption keys is acceptable. I think the risk is much higher if lawyers hold the keys … as a loss would be irretrievable. Perhaps there is a business model in 3rd party key holders?

    Anyway, great article. Broad discussion.

    – C

  • In addition to what you quoted in your post, the Terms of Service, under “What Is The License I Have To Grant To Evernote?”, it specifically states you are granting Evernote the right to view and access your data.

    I do not store client/ confidential information in Evernote. I think lawyers need to have total control over access to their data unless they have received a client’s informed consent to use services such as Evernote, Dropbox, etc..

  • BEPearceLaw

    EverNote states that you should use local notebooks (i.e., notebooks that never leave your computer) for sensitive data. Anyone storing sensitive data on notebooks that are in the cloud never read EverNote’s literature. That said, EverNote is missing a market opportunity by not offering an encryption service (Premium Plus?).

    • If Evernote still does OCR on local notes, then the data is getting to the cloud at some point, isn’t it? I don’t think it does OCR locally.

      • BEPearceLaw

        I haven’t tried a search in my local notebooks. If there is an OCR on local notebook contents, it seems to me that your risk is limited to the time and mode of transmission and OCR’ing (yes, I just typed that).

        • If you are confident in Evernote’s security precautions. I’m not. Even if they have the best of intentions, they have had some unfortunate bugs.

  • Paul McGuire

    You are correct in that I would never store sensitive information as defined by the link in the article in my client notes in Evernote. However, I would not store that information in my files openly whether Evernote, Dropbox, Sugarsync, Gmail, or other service. There are extra precautions that should be taken when dealing with social security numbers, bank account numbers, and other information that I work to avoid having a copy of in regular unencrypted e-mail, or other cloud storage. Whenever I need to request this information from a client over an electronic means I use some sort of encryption whether an encrypted e-mail service or something else.

    On the other hand, I don’t consider my general notes to be sensitive enough that I am concerned beyond enabling two factor identification to ensure that my notes aren’t accessed by someone else.

  • Michael Romano

    Interesting post. What’s the best alternative to Evernote the for note-taking that can be shared on desktop, laptop, and mobile (cell/tablet) platforms?

    • Well you could use Microsoft OneNote. It is the main competitor to Evernote. I don’t know that the security is inherently better, however.

  • Hi,
    If you’re interested in Evernote security, please check our new application – Saferoom (link). This is an extension to Evernote and provides a way to store sensitive information in Evernote cloud using client-side encryption/decryption.

  • Leopold31

    Do lawyers keep written files encrypted in case someone breaks into their office?

    • No, which is why digital files are safer, if properly maintained.

  • CliffSpicer

    Thanks for the terrific article Sam. I see it was written on July 15th, 2014. I was wondering if you have revisited this topic and if so, do you feel Evernote has made any changes that would change your mind and make you feel that client’s data is more secure in Evernote in 2016 compared to 2014? The one thing I may add, is if you need an extra layer of protection for your PDFs, you could always password protect those before you put them into Evernote.

    • There haven’t been any changes that I’ve heard about. And yes, there are all kinds of workarounds, but they are all pretty clunky and generally make Evernote harder to use.

      Note: I’m not suggesting that nobody should use Evernote to store client data. The analysis is never that simple. I’m suggesting that it may not be secure enough for some client data, and whether or not that’s true for a particular client or a particular bit of data is what every lawyer needs to consider.

      • ScoobyDoo

        When you say “workarounds” do you mean ways to make Evernote more secure or alternatives? I am curious as to whether there is another company offering similar services as Evernote but without the blatant disregard for folks who don’t trust Evernote’s insistence that they will do a fine job of serving as the moral guardian of everyone’s data. I can’t see Evernote standing up in an Apple-esque situation where the US government is determined to get at user’s data.

        • I meant ways to make Evernote more secure, like making local notebooks (so they never leave your computer) or encrypting individual notes within Evernote. Local notebooks can be very secure, but half the point of Evernote is being able to access your notes from all your devices. Encrypting individual notes is helpful, too, but one-at-a-time encryption really only helps when you want to share a note. It’s totally impractical for securing all your notes.

          There are lots of alternatives. Here’s our list, but there are more coming out all the time.