(Update: Policy Scrapped) Evernote’s Updated Privacy Policy Raises some Concerns, But don’t Fret just Yet


New policy states employees can access your notes under limited circumstances

Update: Evernote has announced that they will scrap their plans to give some employees access to user data in the interest of improving their machine-learning algorithms.

With hundreds of millions of global installations on the Apple App Store and Google Play Store, Evernote ranks as one of the most popular note taking applications on the market. Thanks to the myriad of functions available to Evernote users – ranging from powerful note taking tools to searching and annotating all kinds of document formats – the popular service is relied upon by many to handle both routine and professional note keeping. But it’s one of Evernote’s biggest strengths that has resulted in a firestorm of controversy – synchronization.

Evernote and Cloud Storage

Part of Evernote’s draw is its ability to synchronize content across devices. While hardly a distinctive feature in today’s app landscape given the likes of Google Keep and other competitors, Evernote was able to attract customers during a time when most note taking applications were not offering cross-device compatibility. Of course, because the service offers the ability to synchronize your notes, the company must maintain servers to store your data.

It is in Evernote’s best interest to ensure the integrity, safety, and privacy of your data. As the company outlines in their security overview, they take many steps to make sure that your data cannot be leaked to outside parties from their servers or during the transmission of your data to their servers. Furthermore, the company offers strong password security measures – including two-factor authentication – to ensure that your account and its data cannot be compromised. However, the recent controversy surrounding Evernote does not revolve around a security breach. Instead, what some users are concerned about is the ability for some of its employees to read your notes.

Meet the new Evernote, Same as the old Evernote

Encrypting content within Evernote is indeed possible, but client-side encryption on text content is not enabled by default. After all, most users probably use the service for mundane note keeping tasks – such as shopping lists or reminder notes – so dealing with encryption passphrases would be a nuisance for most. But because of that, any content that you do not explicitly encrypt is accessible to the company on their servers.

This should not come as a surprise to any users familiar with encryption and cloud storage. But the question is not if Evernote can access your data, it’s whether or not Evernote will access your data. An update to the company’s privacy policy reveals that yes, the company may indeed access your data, but only under limited circumstances.

As uncovered by Droid-Life, Evernote recently updated their privacy policy, which will take effect on January 23, 2017, to include the following language:


Screenshots via Droid-Life


Under the new privacy policy, some Evernote employees who are specifically working on updating their machine-learning algorithm may view some users’ data. This is in addition to the short list of reasons the company states they may already justify viewing your data:


In other words, Evernote maintains that they may only access your data to enforce their terms of service, to comply with legal requests, or to improve their services. The company is categorizing the machine-learning algorithm updates as “maintain[ing] and improv[ing] the service”, but some users are concerned that this means Evernote employees may randomly access your data without your knowledge.

This is indeed true, but the accessing of your data for purposes of upgrading the service does not have to be without your consent. Evernote is allowing users to opt out of this data collection by unchecking “Allow Evernote to use my data to improve my experience” under Account Settings. Furthermore, if you no longer trust Evernote, you will always have the ability to destroy all of your data on its servers while deleting your account.

To Leave or Not to Leave Evernote

In a statement from the CEO, Evernote states that their new machine-learning algorithm will be used to automate some of the most common functions of the service, such as creating to-do lists or travel itineraries. I personally do not see a reason to distrust them on this matter, but I can see why some users are concerned due to the vague wording of the privacy policy. However, although their communication on these changes has been poor, Evernote has been fairly transparent about the existence of these changes.

Given the nature of how Evernote, and frankly any company this size and in this industry, does its business, it is not surprising that they may begin mining data from customers to improve their services. Every Google service operates like this. Engineers working on databases of all kinds have this kind of access – and there’s no real way for us to know that they aren’t viewing your data. They probably are – but that’s their job, and access is generally limited to a short list of people. What separates Evernote from the others, if the company is to be believed, is their insistence on avoiding big data collection and sales of said data.

If you wish to continue using Evernote and are concerned with the company potentially accessing your data, then you still have the option to encrypt your text before it reaches their servers. In this case, their database engineers will have no way of reading your content. Or, you can simply continue using Evernote to store unimportant notes and use other services to store more sensitive data. But just know that what Evernote is doing here is not at all uncommon in the industry, and as such there is not yet cause for any concern.

While I believe this interest in Evernote’s changing privacy policy is good for transparency, I do not believe that there is reason to condemn Evernote as some are doing. So long as the company does exactly what they say they are doing in their privacy policy, it is up to the individual user whether or not they want to entrust Evernote with their data. I, personally, will continue using KeePass to save my passwords and VeraCrypt to store important files on an encrypted volume.

Do you use Evernote? Are you concerned about these privacy changes? Voice your concerns below!