Evernote changes privacy policy: ‘We might look at your notes’

December 14th, 2016

The intertubes are lit up today with righteous indignation after popular note-saving app Evernote announced a change in its privacy policy that basically says, “One of our employees might take a look through the notes you trusted us with.” Here’s the official statement.

I have several thoughts on this, especially since I’ve been using the service for many years.

First. It might be that Evernote has received one or more National Security Letters or warrants from the secret US FISA court and this is their way of putting their users on notice that they are obligated to turn over user data. We’ve seen several high-profile companies (including Apple) kill off their warrant canaries in the past few years, but I think that at this point we can pretty much assume that these warrants and letters are being served across the board. There are simpler ways of telegraphing an NSL than changing a subscriber privacy policy. NSLs come with a gag order preventing the recipient from disclosing them, so it wouldn’t make sense to change a policy in response to this kind of order.

Second. Evernote provides a free tier that, while not as generous in terms of storage as others, is adequate for the casual user. There is no such thing as ‘free’ on the internet; if you aren’t paying for a service, your data is being mined out the wazoo. It is scanned, analyzed, stored, sold, and otherwise wrung out for every dime that the provider can make off of you. I would guess that even Evernote’s paid tiers are subject to some kind of meta-data analysis. As in the first case, this is assumed and wouldn’t require a policy change.

Third. One of Evernote’s marketing points is that it is a seamless way to store and reference your day-to-day information. They’re doing some heavy lifting on the back end in terms of indexing, predicting, and optimizing the way that they present information to their users. The communication from Evernote around their policy change hints at this being the reason to allow their employees to see stored notes, that they want to optimize their processes with human intuition, and to be honest it’s the most likely reason that I can think of.

I’m giving Evernote the benefit of the doubt. I think that they are being as upfront as they can about this policy shift, with the understanding that there will be a period of indignation, and that they will lose a small number of customers. When I read the news, the first thing that I did was to spend half an hour looking for alternatives to Evernote. My conclusion is that Evernote is unique in its feature set and that there just isn’t any service or software that is as convenient or comprehensive as Evernote.

There’s a however, however.

Any file that you store in the cloud is no longer under your control.

You absolutely have to keep this in mind every time you sign up for a service like Evernote, or Google Docs, or OneDrive, or Snapfish, or any of the other thousands of sites that want to feast on your data. If you aren’t paying for it (and sometimes even if you are), YOU are the product. Your information is being sold to third parties for a profit.

The bottom line is this: Do not use any cloud service to store private information. 

Even services that allow you to ‘password protect’ information (Evernote, OneNote, etc.) should not be trusted. If the file is on someone else’s server, you must assume that it has been compromised. There just isn’t any way to prove that it hasn’t been. If you don’t want anyone else to see your data, it should be stored on your personal computer and encrypted.

So, will I continue to use Evernote after this shift in their privacy policy? I will. I didn’t trust them with sensitive information before, and I don’t now. But I don’t think that the collection of risotto recipes that I’ve built up over the years is going to land me in jail. I maintain a very clear line between data that I know will be scanned and divulged and data that is private; the latter is never stored on a server or computer that I don’t control.
