[BreachExchange] Evernote Caught in Privacy Imbroglio

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 15 20:42:53 EST 2016


http://www.lightreading.com/enterprise-cloud/evernote-caught-in-privacy-imbroglio/d/d-id/729029

When you've lost Star Trek actor Wil Wheaton, you know you're in trouble.

Users including Wheaton are peeved at cloud note-taking service Evernote
following an update to its privacy policy giving employees the right to
read users' information in order to improve its machine learning algorithms.

The latest update to Evernote's privacy policy allows some of its employees
to "exercise oversight of machine learning technologies applied to account
content, subject to the limits described below, for the purposes of
developing and improving the Evernote service."

"This is primarily to make sure that our machine learning technologies are
working correctly, in order to surface the most relevant content and
features to you," Evernote says. "While our computer systems do a pretty
good job, sometimes a limited amount of human review is simply unavoidable
in order to make sure everything is working exactly as it should."

To protect users, Evernote "strictly limit[s] the number of Evernote
employees who have access to user data to those who need this access" to
perform functions it lists in its privacy policy. Those employees are
subject to background checks, and "specific security and privacy training
at least annually to ensure they are up to date on the latest privacy and
security requirements and standards," Evernote says.

Evernote's assurances weren't good enough for some users.

"Time to uninstall Evernote. Like, right now," says Wheaton on Twitter.

"Yeah, I love Evernote but this pretty much does it for me," says
"SurlyDave" on reddit.com/r/evernote. "The suggestion that if I don't
consent to someone reading my notes I won't have access to future upgrades
means I'll be looking elsewhere for a similar product. Shame, because I
really use Evernote a lot and moving my data across will be a big hassle."

"You are uploading stuff to the cloud, assume you have ZERO privacy," says
ryanmercer, who adds that users seeking privacy should look for a service
that complies with the US Health Insurance Portability and Accountability
Act.

We contacted Evernote about this, and a spokesman said the company is
working on a statement about the issue.

Evernote says users can use encryption on its desktop clients to protect
data. Users can also opt out of the machine learning feature, which will
also stop Evernote employees accessing data to improve machine learning.

Previously, Evernote's privacy policy provided for disclosure of
information for reasons including investigating potential terms of service
violations, preventing or taking action against illegal activities, and
compliance with court orders and subpoenas. This is standard for cloud
services.

Machine learning is strategic to Evernote. Part of the company's reason for
an ambitious migration to the Google Cloud Platform from Evernote's own
private cloud was to get access to Google's machine learning services. (See
Why the Evernote Elephant Packed Its Trunk for Google Cloud.)

Evernote has had a tumultuous history. In 2012, the company became one of Silicon
Valley's first so-called "unicorns" -- privately held companies with value
of more than $1 billion. The company cut 13% of its staff last year, or 47
employees, and longtime CEO Phil Libin resigned.

Evernote is looking to transition from a consumer service with a free plan
used by a big base of users, as well as some paid plans, to a paid
subscription service used by professionals. While it still offers a free
plan, Evernote has cut back on its capabilities and raised prices, angering
its users. This month, the company opened a new engineering office in San
Diego. The last thing Evernote needs is a black mark for failing to protect
customer data.

As for me: This new privacy policy from Evernote is a concern. I use
Evernote extensively for personal and professional business, including to
store article notes and research. I'm not much concerned about my private
data, but, as a business journalist, I have a responsibility to safeguard
the confidential information that's entrusted to me. I'll be watching
developments closely to see if Evernote is a service I want to stick with.