A little about the history: I've always been really methodical at dealing with the stuff that turns up in the house - which is probably an inherited trait: My Dad, in later life, purchased a number of decent filing cabinets in his desire to maintain some kind of order, rejecting the (by then) 30 odd alphabetical ring-binders that represented the house filing system. I've been doing much the same - which means chucking all the paper in the filing tray, periodically having a mass holepunch and filing session and, increasingly, having to reorder the ringbinders and boxfiles, prune old material and buy more storage. As time goes on, the system becomes harder to maintain: ringbinders and boxfiles don't lend themselves to easy re-organisation, the older stuff starts to attract 'memorabilia' value and it becomes harder to find anything.
Moving to digitising the paper that turns up was never going to happen, unless the process to scan and file is no more time-consuming than the 'collect the paper into one place and periodically have a mass filing session' process (notwithstanding the regular re-org overhead). The time potentially saved in finding stuff doesn't feel real, even though you know it is. Getting it into the right place electronically has to take no longer than getting it to it's end-filed state physically always has done. And I'm pleased to report that, against my early expectation, it doesn't. The main reason for this is the Canon P-215, which has exceeded my expectations in so many ways.
Some of the data in here is relatively sensitive, from an identity-theft perspective. There's nothing really confidential, save for a few credit card details, passwords etc - but Evernote allows you to encrypt text within a note with a separate password, so I'm confident that those details are well protected. But collecting all this data in one place - particularly in the cloud - lends it some significance it doesn't have when scattered over paper filed in my house: Identity thieves don't target the physical theft of people's ringbinders.
There are three main areas of concern:
- The storage of the data in the Evernote cloud.
- The transmission of the data between here and their datacentre.
- The local Evernote databases associated with each full client installation, particularly on Window's machines, where everything is held in one database file that's entirely open - the Evernote password only enables synchronisation or web access to your database.
I've come to the conclusion that I'm not that bothered about the first. These guys are not idiots and their architecture is well-considered, their kit very physically secure. Even were a hack successful, my data - if they could connect it all up to me and my account - is a drop in a planet's worth of oceans. Someone might try and plunder it with technology, assuming they could get access, but no-one is ever going to do anything more than look for interesting patterns that might be worth exploring, in amongst the petabytes of everyone else's stuff. I'm confident that I have nothing interesting enough, apart from the already encrypted stuff. I'm choosing to cloud-sync all of this data, even though I could keep some of it local - the benefits and automatic resilience outweigh any security concern for me.
Data transmission is a much more interesting potential vulnerability. The transmission itself is encrypted, so eavesdropping isn't a worry. The fact that access to the cloud data is a matter of one password is: I use a unique, well considered one and change it regularly. I don't share the most sensitive notebooks with Al's login, because I can retain better control of it that way. (Sorry sweetie, nothing personal!)
The thing that most worries me from a security point of view, perhaps surprisingly given the cloud nature of the service, are the local databases. Two Windows machines have the client - and hence a copy of the whole database. No-one steals an attic full of paper, but they do steal laptops - and the local database is easily plundered by mounting the disks in a different machine. But scanning direct to Evernote will only work with the full client and much of the advanced capability is only really available with it. Moreover, two iPhones and two iPads also have access and may have some locally synced date.
So, after much thought: I have applied a password to the Evernote app on the iDevices, as well as the devices themselves. If one gets lost it can be remote wiped in any case and further access stopped by changing the Evernote password. I've moved the two Windows copies of the database to a separate Bitlocker encrypted partition on each machine. Even if the machines get left on when we leave - just before the house is burgled - they will have locked out after 5 minutes, so the data is untouchable. I'm also taking a separate, offsite, encrypted copy of the database periodically: Call me anal, I won't be insulted.
Which leaves me thinking there's more than one recommendation out of all this:
- I wholeheartedly recommend pursuing the paperless route - it's a much better way to organise your life, on so many counts
- Don't do it if you're paranoid about your data. Don't do it with anything really confidential, at least not with this approach
- Be conscious that, if you choose to maintain the most confidential data solely at home, it becomes a risk because of its digital collation - and it needs an offsite backup strategy.
- Don't do it at all if you're not prepared to think long and hard about these issues. You could well regret it. Cloud services are changing our lives - but throwing your life into them without thinking about it is probably foolhardy...