Evernote changes its privacy policy -- and once again alarms its users

Once considered a friendly and conscientious service, Evernote has caused consternation among its users twice this year -- once with a price hike and now with the suggestion that its employees could read your content.

evernote logo 4c
Credit: Evernote

Let me start by saying that I've been a happy and consistent user of Evernote for as long as it's been around. In fact, the first entry that I made in Evernote dates from late May, 2008, and contains notes for a review of the application, which was just about to go into open beta.

I honestly don't remember what I wrote about it at the time; however, I can tell you that since then, Evernote has been my go-to application for almost any kind of text record I needed. I've used it for taking notes at press events, tracking websites that I found useful, storing the copious information I needed one year when I was dealing with a couple of real estate transactions, keeping copies of PowerPoint presentations, storing copies of receipts and travel expenses, working on short stories -- and many, many other things. At the moment, I have 5,647 notes in Evernote -- and I understand that there are other users out there who have over twice as many.

Until recently, I had no reason to doubt that I would stick with the company, and that my notes -- and my privacy -- were safe. Oh, I'm quite aware that anything that's in the cloud is hackable and therefore not absolutely tamper-proof. But the company seemed strong, and conscientious, and concerned with its users' needs, so I continued to use what I considered a highly valuable product.

Stormy seas

The first hint of trouble emerged last June, when Evernote changed its pricing plan, raising its prices and putting several new limits on its free accounts. There was an outcry and some users threatened to desert -- and may have done so. I considered it, looked at some alternatives -- and finally shrugged, ponied over the cash, and made a note to reconsider the matter in a year's time.

Until this morning when, in the middle of the hellacious process of trying to put together my CES schedule, I got an email from a colleague asking, "Have you seen the news around Evernote's new privacy policy?"

Apparently, Evernote has decided to update its privacy policy to allow "some Evernote employees to exercise oversight of machine learning technologies applied to account content, subject to the limits described below, for the purposes of developing and improving the Evernote service." The notice goes on to say, "While our computer systems do a pretty good job, sometimes a limited amount of human review is simply unavoidable in order to make sure everything is working exactly as it should."

In other words, there's a strong possibility that an Evernote employee will have access to some fairly personal and sensitive information. Evernote tries to reassure its users by saying that only a limited number of Evernote employees will be able to access your data, and those who do will be subject to background checks and "receive specific security and privacy training at least annually." I don't find that reassuring at all. I know how unseriously some employees take security and privacy training.

What can you do?

There are some things users can do. They can go into their account settings and uncheck a box that says "Allow Evernote to user my data to improve my experience." Presumably, that means that our notes will not be used as a learning experience for the folks on Evernote's development team.

But wait, there's a catch -- the Privacy Policy lists other reasons that employees may look at content, even if you uncheck that box. Most of these are fairly standard: If the Terms of Service have been violated, if the company has received a warrant or court order, or if there are malware concerns. All well and good. The fourth reason, however, says that they might look at content if they "need to do so for troubleshooting purposes or to maintain and improve the Service." Which could be interpreted in a variety of different ways.

Evernote also suggests that users can encrypt text within their notes. However, when you have several thousand notes -- and several hundred that you'd rather not expose to the curious gaze -- single-note encryption doesn't seem practical.

UPDATE: On December 15th, Evernote CEO Chris O'Neill sent out an email explaining their new policy in more detail. He reiterated that the reason for the changes were important for the new machine learning features and that users can opt out (by unchecking that "Allow Evernote to improve my experience..." box); he also stated that the data will be anonymized and any personal information will be automatically masked from the employee -- and that the company FAQ will be updated in a few days to reflect this. The letter does not address the issue of employees reading the material for troubleshooting purposes.

How different is this?

So has Evernote become so intent on being competitive that it has adopted an unusually intrusive policy? It's hard to say. There are few other note-taking products with the scope and features that this one has. 

Microsoft's OneNote is the closest I could think of. Its privacy statement was last updated October 2012, and mentions, as far as I could see from a quick read, most of the usual caveats you get in one of these statements, including the use of metadata, use of cookies, collection of data on its servers, etc. Nothing about employees reading the content.

Google Keep (which isn't as complex as Evernote, but has its share of fans) seems to come under Google's general Privacy Policy, and whether you trust that policy probably depends on how you feel about Google.

So what's the upshot?

As I write this, there is an upsurge of discussion on Twitter and other social media outlets about Evernote's new privacy policy, and it seems like many users are threatening to pull their accounts. Of course, many made the same threat when the service's prices went up, but this new policy may be a different thing altogether.

There are a number of alternative applications being suggested as well, which I hope to look into -- and report on -- over the next couple of months.

Last time I looked, I couldn't find anything that adequately replaced it. This time, I'll probably look harder.

UPDATE: In response to all the above, Evernote announced that it was reversing its policy and and would not “implement the previously announced Privacy Policy changes that were scheduled to go into effect January 23, 2017.” Its machine learning technologies will still be made available to users, but as an opt-in rather than an opt-out feature. The response of users (as reflected in Evernote’s forum) seems to be modified rapture -- glad that their content will remain completely private, but still cautious about what the company may do in the future.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon