Four things you probably don’t want to keep on Evernote

evernoteTrue fact: I have mad love for Evernote. It is without question one of my absolute favorite apps, replacing a longtime history of carrying a book & pen wherever I travel, while providing greater power over notes through information control, collection, sharing, access and safekeeping. I see an article on the web I want to read later? Evernote. I come up with a solution to a thorny problem? Evernote. I have a hot new blog topic, want to pull up a favourite recipe, need to polish product knowledge before a meeting? Evernote, Evernote and more Evernote. Since its release it has been lauded as a “must-have” app by many online software reviewers and productivity experts, and while competition is steep with Microsoft’s OneNote and Apple’s new iCloud note sync, upgrades continue and new fans continue to get on board.

Yet as powerful and flexible as the Evernote app is, there are some things that are best saved elsewhere. It’s an excellent tool for a lot of information types, but it’s not the solution for all types of information. While this may change in future releases as the application is upgraded to meet needs and market demand, for now here are the top four things that you should think twice before placing in the elephant’s trunk, and why.

4. Manipulable Data

Popular spreadsheet standard Excel and I have a love-hate working relationship: it provides me with a significantly flexible tool for data analysis, transformation, movement and processing that’s set the spreadsheet standard. In exchange, I try to look over little idiosyncrasies that result in heavy formula checking, further data cleanup and other time involvements. As I shifted more document draft work into Evernote for easy access and retrieval, using a table in Evernote appeared a natural choice: capture the data accordingly, update it from convenient remote locations as things progressed, and have it all under the same umbrella as other files of related subject matter.

After trying to work with 50 entered data points, I formally apologized to Excel: it was not my best move.

The key difference is that Evernote is an information & record system, not a data system: you can follow the information lifecycle of collection, use, disclosure, retention and destruction, but not the key attribute of data: processing. A table in Evernote, while giving a formatting that appears data-friendly, simply isn’t made to rearrange or analyze what’s entered. You can’t, for example, limit the table view to only show records of particular criteria, or sort by date. Capture and export is likewise best left alone: copying from Evernote to spreadsheet format is not without challenges, and for the amount of data cleanup required in the process not worth it. If you really need to keep your information and data together, you may consider adding spreadsheet attachments, which are then opened in their native program, but otherwise data, Evernote is not for you.

3. Video clips

Audio is not a problem for Evernote: although not a music service, for voice memos the application offers in-house recording, storage and playback that come in handy. Video clips however such as those captured online as part of a web page, are a different matter. Can Evernote capture video files, such as those from YouTube, Vimeo or DailyMotion?

The answer here is “it depends”. Certainly, Evernote can capture the URL or text of the page with an active link, providing quick recall for those videos you wish to watch again & share. However, Evernote itself has no flash player, HTML5 or video download capabilities, meaning an Evernote notebook with a list of videos is a list of links to files, found online or offline. If you wish to play the videos or share, you still need an online connection and the file must remain in its original location. If you’re trying to watch offline, or if the video is moved, taken down, etc. you’re out of luck.

2. Personally Identifiable Information, esp. from Customers & Clients

Before I get into more details, I want to be clear: Evernote is secure. For users it offers protected password access, optional two-step verification, firewalls, transport encryption (protecting information as it moves through the network), and other safeguards to prevent unauthorized access by anyone save the original account holder. Deleted information is deleted from all devices, good and gone, and the security team performs active assessments to keep the application clean. For full details, take a look at their security overview here, which is pleasantly straightforward.  Bottom line: we can trust Evernote with most of our stuff. The application is designed so that only you can access the information in your account unless you choose to share it, and when you save information it moves from a secure channel to a protected vault.

The problem is, the protection stops when information is at that vault: in order to make it searchable and compatible with different devices, information saved on Evernote’s servers is not encrypted. If someone breaks the vault code, either by gaining your password or a sophisticated hack, they can read all of the information you’ve saved, to be copied, sold or do whatever. An equivalent would be an armoured car transporting credit cards and cash: if thieves took down the car, they’d still need to know the account PIN numbers to take money from the cards; the cash however, can be spent right away. For most of us, knowing our information is in an armoured car with security is protection enough. In some circumstances however, extra caution should be considered.

Personally Identifiable Information (PII) is a case where extra caution should be considered: this is information about our customers and clients that we have agreed to safeguard, and may want to take extra precautions. The challenge of course, is that not all ‘personal' information is created equal, and “private information” means different things to different people. When considering PII, ask yourself: what if a leak were to occur? What would be the damage to my clientele? Would they be uncomfortable? Impaired? Could the leak expose personal details that could be used to damage their interests, or cause psychological or physical harm?  Like most applications, talk with your risk assessment expert or champion and determine the potential for threats. What is the nature of your business? What is the nature of your customers? Aside from released information itself, what is the likely reaction from a perceived affiliation between you and them? A printer ink company storing the names and office numbers of local sales reps is likely to find less risk if the information is released than, say, a psychologist storing confidential intel on their client based on personal conversations. A veterinary hospital, while wise to observe confidentiality of patent records, is not at the same level of HIPAA legal compliance requirements that are mandatory for your local doctor’s office.

1. Highly Confidential or Sensitive Data

Much like 2#, but taking it a step further: if you have information that your business regards as top secret or highly confidential, you may want to reconsider Evernote storage altogether. While proper risk assessment and information classification schemes vary depending on the organization, as a general rule if the information within Evernote once leaked could cause significant damage or security risk to your business, it should never be in Evernote in the first place. Although single-note Encryption is available, it removes functionality from the app: you cannot encrypt on mobile devices, features including indexing are lost for the note, and encryption cannot be applied to full notebooks or non-textual information such as pictures or scanned documents. This also doesn’t account for confidential information that is heavily regulated for privacy and security; depending on the details, storage via Evernote may or may not be compliant. Credit card information, for example, is protected under the PCI Data Security Standard twelve requirements for compliance. For these reasons Evernote is not wise key chain application for the storage of passwords, payment details, sensitive documentation or license numbers.

While it may seem like I’m critiquing Evernote here, it’s worth pointing out that for most users, the critique is minor: for the few things the application can’t do, there are far more uses for information collection, storage and retrieval that it can do, and do them well. If we take out highly personal & sensitive information from the mix, Evernote is very secure than our own PC operations: they have the team, resources and knowledge base to cover leaks we can’t. From an information perspective however, we need to be able to evaluate software strengths and weaknesses based on how it handles the information itself, so that we can recommend the right tool for the right user and the jobs they have in mind. Personal and professional users should  feel confident when they use Evernote, knowing there’s much they can get out of it; but also when their needs suggest they best look elsewhere. 

Additional information resources:

Posted in Applications & Software, Protect and tagged , , .

Leave a Reply

Your email address will not be published. Required fields are marked *