Leaving Evernote

Update 12/19/2016

So I’ve decided to try out Ulysses for sensitive material only. They rely on encryption provided by iOS and Mac OS (iCloud in transit, FileVault at rest). 2FA is provided by Apple. Data is stored on Apple servers, so Ulysses folks also don’t have access to user data at all. Obviously, this isn’t perfect (Apple and iCloud involved, expensive, geeky) but it’s what feels most secure and balanced right now. Nothing is perfectly safe.

However, this diversified solution allows me to continue using tools like Evernote and Dropbox without compromising my privacy as much as I feel I would be otherwise. I’ll keep testing, and eventually transition to tools like this up-and-coming “Zero knowledge note-taking app” by SpiderOak.

Update 12/16/2016

Evernote withdrew their policy change last night, which was slated for January 23, 2017:

“Instead, in the coming months we will be revising our existing Privacy Policy to address our customers’ concerns…We’re sorry we disappointed our customers, and we are reviewing our entire privacy policy because of this.”

Some say too little, too late. And in many ways, that’s true. The realist in me says this is a fairly superficial move that will not result in meaningful or long-term shifts in how they build products. The idealist in me hopes it’s not all PR, that companies make mistakes, and perhaps this was a wake-up call for them. And if that’s the case, wonderful.

It was a wake-up call for me, too. I didn’t realize how much I rely on a single product to organize my life, private thoughts, business. And whether I end up leaving Evernote completely or not, I’m much more cautious now about investing so disproportionately. I’ve begun using Dropbox Paper for business and other documentation, and for now, will be wary of trusting sensitive information with any single product.

Also, SpiderOak seems interesting (and approved by Edward Snowden).


Original post:

Building empathetic, user-centered products is hard. Evernote disappoints yet again on this front, particularly in a general climate of fear and paranoia about personal security.

This week there was a public outcry about Evernote’s upcoming changes to its privacy policy. Beginning in January of 2017, some of Evernote’s employees would be able to view users’ notes to “make sure everything is working exactly as it should:”

The latest update to the Privacy Policy allows some Evernote employees to exercise oversight of machine learning technologies applied to account content, subject to the limits described…for the purposes of developing and improving the Evernote service.

Vague and confusing language about whether or not folks could opt out further inflamed the situation.

This morning Evernote amended their policy to clarify that opting out of machine learning technologies keeps your content free from related human oversight:

If you choose to participate, they’ll see random content, but they won’t know who it belongs to, and they’ll only see the snippet they’re checking. Not only that, but if a machine identifies any personal information, it will mask it from the employee. If you choose not to participate, your notes will not be included in this research.

The thing that actually bothered me most was not that Evernote was making changes to the service that are inconvenient for me, or even that my content would be less private.

Those of us who rely heavily on apps and technology in general are no strangers to privacy and security issues. We know that we’re being tracked, that nothing is truly exempt from human oversight, that there are tradeoffs for convenience, and that we make and live with our choices.

What disturbed me most is that Evernote prioritized business goals above its users (many of whom, like me, are loyal, paying long-timers), and how painfully apparent this was in how they handled opportunities for product innovation.

First of all, they note that they “strictly limit the number of Evernote employees who have access to user data” and that those employees “are subject to background checks and receive specific security and privacy training.” As if having only a few strangers privy to your journal, private thoughts, or medical information for the purposes of research somehow should make one feel better, secure, less exposed. See? It’s only one person! And he’s trained! No big whoop. Red flag number one.

Second, they seem surprised by how vehemently users reacted to news that strangers would be seeing our private notes. It’s all anonymized! And in snippets! What’s the big deal? It’s as if users feeling disrespected or violated were, at worst, of little importance. At best, puzzling. Plus, as a friend put it: “snippetized is long enough for someone to identify hella personal information.” Red flag number two.

Maybe I would have been OK with aspects of this shift if I felt more in control, if I felt treated like a human being rather than a tool and anonymized snippet by the people who made these decisions. Maybe they could have spent time and money on furthering research without engaging users en masse in this way. Perhaps they could have called on volunteers to improve algorithms for this project to a point where human scrutiny would not be as necessary. Perhaps they could have approached this change in a user-centered way. But they did not. They prioritized the product over the user.

I’ve been an avid user of Evernote since 2009. It’s probably one of the tools I use most, and aside from the search and reminder functionalities, I’ve loved it through thick, thin, and passive-aggressive customer service. I stuck by it after I discovered that they don’t encrypt data at rest (industry standard for similar services). I even stuck by it after they increased my subscription fee by 33% in Q3.

I feel this is the last straw and am saddened by it. Not only is full off-boarding going to require significant time and effort on my part, but there’s currently no service I know of that goes toe to toe with Evernote in terms of features and polish that I’ve come to take for granted:

  1. Tagging
  2. PDF search
  3. Inter-note linking
  4. Document scanning
  5. Web-clipping
  6. Integrations with third party services

Microsoft’s OneNote apparently comes close but it doesn’t feel more secure, empathetic, or user-centered. Still worth a look I guess.

So what to do? Like many in my position, I don’t immediately know. Evernote is a robust offering and people use it in wildly differing ways. The alternatives I outline below may fit the bill for some and that’ll be that.

As for me, I want to transition off of Evernote but it will likely be in a fragmented and incremental way over time. Here’s the loose plan:

  1. Change my settings to opt out of this new research.
  2. Remove or obfuscate all sensitive information.
  3. Investigate downgrading to Evernote free, disabling sync, using what I have on my devices as an offline archive, and begin anew elsewhere.
  4. Explore various alternatives.
  5. Maybe use different products for different tasks:
    - Dropbox Paper for documentation and brainstorming
    - Evernote Free for innocuous and impersonal stuff like recipes and clipped references
    - Dedicated apps for doc-scanning and searching PDFs

Here are the alternatives I’ve looked at so far, and how they fare in terms of privacy and security as far as I can tell:

“No human access” means access is impossible for anyone, including the user, without proper credentials.

Here are a few features that are important for me, and how contenders stack up as far as I can tell:

It looks like MS OneNote provides the features but the lack of transparency around privacy and security is weird. It actually feels even more dubious than the situation with Evernote.

:(

General resources

  1. Sticking with Evernote
  2. Bye, privacy
  3. How to jump ship
  4. How secure are top services?

Alternatives

  1. Ulysses
    Ulysses Is the Plain Text, Evernote-Style Writing App I’ve Always Wanted
    Ulysses, the Powerful Text Editor for iPad and Mac, Is Now on iPhone
    Ulysses is now a damn good WordPress editor for Mac and iOS
  2. iCloud Note
    Notes App: The Ultimate Guide
    Privacy overview
    Controversy FBI
    Letter to customers from Apple about privacy & Answers
    How to migrate from Evernote
  3. Bear
    Privacy
    Review
  4. MS OneNote
    Review
    Privacy
    Controversy
    Feature matching with Evernote
    Versus Evernote
    Confusion around encryption
    Encrypting sections: it’s a pain
  5. Dropbox Paper
    Dropbox security
    Security & privacy
    Is Dropbox safe to use forum
    Edward Snowden calls it “hostile to privacy.”
    Boxcryptor
  6. SpiderOak
    Approved by Edward Snowden
    Zero-knowledge note-taking

Good luck. 2016 is almost over, by the way. Thank god.