I love Evernote and I use it every day, but I am uncomfortable with the idea of using it for client data.
The other day on the Macs in Law Offices (MILO) group, someone said they were exploring using Evernote to manage client files. I responded that I do not think it is a good idea. Here are my two reasons:
- As far as I can tell (Evernote’s security page does not actually have any information about its security practices), Evernote does not encrypt data at rest. Anything you put into Evernote is stored unencrypted on Evernote’s servers.
- After reading Jason Kincaid’s blog post1 about Evernote’s bugs, I share his concern that “Evernote seems to be playing fast and loose with the data entrusted to it.”
In response, Rocket Matter‘s Larry Port reached out to Evernote’s head of security for a response.
Encryption at Rest
Here is what Evernote’s security chief had to say about encryption at rest:
We are not encrypting data at rest unless you manually encrypt selected text inside a note (http://evernote.com/contact/support/kb/#!/article/23480996). Encryption at rest is an answer to a different question depending on who you talk to. Some people want us to encrypt their data on the client to protect against data loss when their phone is stolen. Some want us to use it to protect against a server being stolen. One of the main reasons a service provider looks at encryption as a control is to protect against unauthorized physical access. Because we operate our own infrastructure in our own physically secure data center cage, we’ve mitigated much of that risk. We haven’t dismissed implementing encryption at rest and will continue to consider it when looking at ways to protect Evernote users’ data.
Our computing infrastructure is physically located inside dedicated cages in multiple data centers. We rely on those data centers to manage physical access controls and each one has a third party auditor attest to their ability to do so securely.
Here’s what I glean from that. Evernote has its servers in third-party data centers, where they are protected by a cage like this one. It sounds like the data center has the key to the cage and the responsibility for ensuring that only authorized people can get through the gate. Third-party auditors have attested to each data center’s physical access controls.
This requires a lot of trust in procedures and the willingness of third-party server admins to comply with those procedures.
However, if Evernote encrypted the data on those servers, it would still have all those physical access controls in place, but encryption would render the data on the servers pretty much useless to anyone who did get unauthorized access to them. With data encrypted at rest, you don’t have to worry as much about who might have physical access to Evernote’s servers, or how Evernote disposes of old hard drives.
To be fair, Evernote does let you encrypt portions of your notes. Just highlight what you want to encrypt, right-click, and select Encrypt Selected Text…. This works fine for one thing at a time, but it is obviously impractical for securing your notes in bulk.
To put this in context, cloud storage providers like Dropbox mostly encrypt data at rest. This makes Dropbox objectively more secure than Evernote, yet many are still debating whether Dropbox is secure enough to store sensitive data. With Dropbox, the concern is mostly that Dropbox keeps the encryption key, which means some Dropbox employees could decrypt your data. There are fewer people to trust than with Evernote and its third-party data centers, but there are still some people you have to trust, in addition to any spy agencies who might take an interest in your clients or scoop up your data on a whim.
If you aren’t comfortable storing sensitive information in Dropbox without an extra layer of encryption, you definitely won’t want to use Evernote. Even if you are comfortable storing sensitive information in Dropbox, you might not want to do it in Evernote.
Playing Fast and Loose with Data
Is Evernote “playing fast and loose with the data entrusted to it,” as Kincaid alleges? That may be overstating it, but I don’t think Evernote is living up to the spirit of its “Your Data Is Protected” promise. Reading that statement, Evernote seems to see the issue as one of privacy, not security.
Evernote’s actual security practices don’t seem to reflect the concerns of a company that makes security a top priority. I don’t think there is a sensible argument that it is somehow more secure not to encrypt data at rest. It is just more convenient (and probably cheaper) for Evernote.
It also refused to implement two-factor authentication because it would be inconvenient. Evernote finally implemented two-factor authentication only after it was hacked.
The useless security page doesn’t help, either. Evernote could certainly tell users more about its security practices without compromising security. Saying nothing feels evasive, as if Evernote isn’t comfortable telling users what it is doing to protect their data.
Adding it up, I don’t come away with the impression that the security of users’ data is a top priority at Evernote. While Evernote is obviously not ignoring security entirely, I don’t think it is taking it all that seriously. So I do not store sensitive information in Evernote. Instead, I use it for stuff like lists of books I want to read, cases or law-review articles I want to hold onto, cocktail recipes, pictures of restaurants’ take-out menus, and CLE notes. I would like to use it for things like receipts and deposit slips and notes on client meetings, but I just don’t think they would be well-enough protected.
It is certainly possible I have gotten the wrong impression by reading the wrong things into Evernote’s statements and drawing the wrong conclusions from a few errors and omissions. You might very well have read the above and come to the opposite conclusion. If you do, I would be interested in reading your thoughts in the comments.
If you do decide to store client data or other sensitive information in Evernote, definitely follow the security chief’s advice, at a minimum:
We recommend that you enable 2-step verification to protect your account from hackers that may try to guess your password or phish you for it. Because your data also lives on the devices you sync it to, we recommend you make use of the security features available on your devices to protect it.
Also, make a habit of selectively encrypting any especially-sensitive information within your notes by using the Encrypt Selected Text… option. (This does not seem to work with images and attachments, however.)