Going paperless: securing your digital file cabinet

When I started writing about my experience going paperless more than a year ago, I was frequently asked about my concerns for the safety of my paperless data. After all, much of that data is stored in the cloud, on servers over which I have no control. The questions fell into 2 general categories:

  1. Are you concerned that your data might be compromised?
  2. What if Evernote (or whatever cloud service you might be using) suddenly went away?

I’ve always followed some best practices for my online activity, such as using strong passwords, SSL (encrypted) connection, virus-scanning, a good spam filter, etc., but nothing is foolproof. That said, I developed some habits and practices that allow me to balance risk and reward to my own satisfaction. Here are some tips for protecting your digital file cabinet.

Ingredients

Creating a “local” digital filing cabinet

If I have sensitive data that I don’t want in the cloud, I keep it in a local notebook in Evernote. (I don’t have very much of this type of data, so that helps make this process easy for me.) Local notebooks are not stored on Evernote’s servers. They exist only on the machine on which they are created. Once you create a local notebook, you cannot switch it to a synced notebook. That said, premium users of Evernote still get the advantage of search data for their scanned documents even when the documents are stored in a local notebook. That makes the notebooks searchable on the local machine. For me, searchability is critical.

EvernoteSecure.png

Last week I wrote about my process for spending 10 minutes a day going paperless. There was a “Scan to Evernote” box in the middle of the process that acts as a kind of subprocess for me. Here is what goes on inside that box. For each document I scan in, I ask myself a question:

Does this document contain sensitive information that I don’t want online?

If the answer is no, it gets scanned into my main “paperless filing cabinet” in Evernote, which is a synced, online notebook.

If the answer is yes, it gets placed in a local notebook, a kind of “locked” filing cabinet that is only available on my local machine.

Local Notebook.png

Click to enlarge

 

By following this process, any documents or notes I consider “sensitive” are not stored on an Evernote server but they remain searchable from that machine on which they reside. This is a good balance for me.

Finding your security sweet-spot

Storing data in the cloud has many benefits. For someone trying to go paperless, it is almost essential because one big advantage of being paperless is being able to access your paperless documents from virtually anywhere. At the same time, you have to balance that reward with the risk you are willing to take with the data residing on a server outside of your control. In matters of information security, increased reward often comes with greater risk and vice versa. That can be illustrated1 as follows:

image.jpg

A good example of the risk-reward trade off is encryption.

Evernote allows you encrypt your text notes. You can also use third party software to encrypt documents you put into Evernote. The theory is, of course, is that if your account is compromised, your data would be encrypted and thus, useless. But there is a trade-off. Encrypted data is not searchable within Evernote because it is encrypted. So you lose the ability to search within your encrypted documents2. If you are using Evernote as cloud-based file storage, this is probably an acceptable trade-off for you. But for someone like me, who does multiple searches within Evernote every day, encrypted notes would not work because my notes would not be searchable3

A virtual briefcase when you are away from home

Sometimes, I do find it useful to have sensitive documents available to me when I am away from the house. In this case, I have a process that allows me to temporarily move sensitive documents from a local notebook to a synced notebook. The process looks something like this:

Secure Travel.png

Click to enlarge

Evernote makes it easy to bulk copy or move notes from one notebook to another. Simply select a set of notes, right-click, chose Copy or Move Notes and select the notebook you wish to move them to. The meta-data moves along with the notes, so if you have saved searches and they are based on things like tags and not the notebook in which the notes appear, your searches will continue to work regardless of the notebook that the notes appear in.

Once I no longer have a need for the documents online, I move them back to the local notebook.

Of course, since the documents are online for a period of time, they are exposed to the same kinds of risk of any online documents. But I am comfortable with my own online security practices. I’ve also been happy with Evernote’s Three Laws of Data Protection. And since these sensitive documents are only online for small windows relative to other documents, I feel like I am further reducing my overall exposure.

On the whole, I don’t lose sleep over my online data security. Indeed, I am more concerned about what would happen if I lost a device with my data or if my local machine decided to quit on me and take the data with it.

Protecting your data on mobile devices

I access my Evernote data frequently from my iPad and in the back of my mind, it has occurred to me that if I ever lost my iPad, my data might be exposed. There are several ways of protecting yourself from this kind of exposure, of course, such as requiring a password or passcode to log into your device. You can also erase all of the data from your device after a certain number of failed login attempts.

As an Evernote premium user, I can also require a passcode to get to my Evernote app on the iPad:

photo.PNG

This is a simple way for adding another layer of security on the off chance my iPad is lost or stolen.

Protecting your digital file cabinet

Data is an asset and like any asset, it requires protection. In the past, when I have lost data, it has almost always been my own stupid fault. But software and operating systems are sometime unpredictable. What happens if I lose Internet access? Or as some people have asked me, what happens if Evernote just “goes away”?

I don’t dwell over Evernote going away, but I do protect myself against that unlikely event. At the end of each month, I backup my Evernote data locally, and that backup eventually makes it way to my cloud backup service. Here is how I do it:

  1. Open the Evernote app on my computer (I use a Macintosh at home but a Windows machine at work).
  2. From the file menu, I select Export…
  3. From the Format menu, I select “Evernote XML Format”Screen Shot 2012-04-16 at 7.44.55 PM.png
  4. I provide a file name.
  5. I click Save.

All of my notes and everything they contain are exported to this XML file format. Binary files are embedded in the XML structure. Keep in mind, for someone with a lot of digital data (I am paperless, after all), this can be a huge file, gigabytes in size.

Once the export is complete, I place the file on an external drive. Generally I will compress it. It is also possible to encrypt this file using a variety of encryption software available online. In this case, encryption is fine because I am not actively searching the backup file.  Of course, I only do this backup once a month. It means that at worst I’d lose one month’s worth of data, but that is an acceptable risk for me. Your mileage may vary.

Summing it up

Protecting your digital filing cabinet is not difficult. With the right tools and a good process, I feel like I’ve done everything I can to provide a secure environment for my data, and give me the level of access to it that I need. Each person needs to determine their own comfort level with what kind of documents you decide to scan and keep online versus keep locally. But good data protection practices is like insurance, you hope you’ll never need it, but it’s there if you do.


Notes

  1. I know this is a rough sketch but I think it conveys the idea.
  2. Of course, you can provide some meta-data on those notes, such as tags, that would remain searchable, but this isn’t enough for my own purposes.
  3. For an interesting technical analysis of security with Evernote and the various layers involved, check out this post from ThoughtAsylym.

14 thoughts on “Going paperless: securing your digital file cabinet

  1. I’m enjoying reading your posts on going paperless, but did you know that your McAfee website safety rating is yellow? As in, watch out for this site.

    You might want to look into that.

    Best,

    Hugh

  2. I completely agree on that security piece. I recently had an iPad stolen. While it was password protected (and remotely locked), I was wishing I could have password protected Evernote. So, this time around, I did. At least I feel better. :)

  3. Really appreciate your columns on going paperless with Evernote. I’m trying to implement many of your ideas. On the local notebook point, you say above:

    “premium users of Evernote still get the advantage of search data for their scanned documents even when the documents are stored in a local notebook.”

    I am an Evernote Premium user, on a Mac. I’m putting some PDFs into a local-only notebook and not getting search results against them. Then, when I tried to move an existing note with PDFs from a cloud notebook to local, I see this warning from Evernote:

    “Local-only images will not have text and handwriting recognized. Text and handwriting recognition is performed on the Evernote servers. Since these images are going into a local-only notebook they will not have any recognition performed on them.”

    What am I missing? Is it that my original PDFs are basically just images, without OCR?

    Thank you,
    David

    1. David, I seem to recall someone else asking about this as well, but I can’t find the thread here, and I checked my email, too, and can’t find it there. Anyway…

      I think I was initially mistaken, but your last point gets to the crux of it. When I scanned a paper to PDF and put it in a local notebook, it seemed to me that the text of it was searchable. I assumed it was because the data was sent to Evernote’s servers for processing, but not retained there. It was stored in my local notebook. But as it turns out, back then, when I was scanning, I was configured to scan “searchable” PDFs by default, so the search data may have been coming from my scanning software and not Evernote.

      What isn’t clear to me is whether what you point out applies to just images or PDFs as well as images. Certainly the warning message you got implied the former. I’ll ask my Evernote contacts and see if I can get a better answer.

      1. I did just figure out how to make PDFs with OCR for the first time (no small feat with an HP all-in-one and Mac 10.7), and low and behold I am now getting search data in my local notebook. So I guess that answers that. Thanks again Jamie!

  4. As a new user to Evernote, I found this article to be extremely helpful. Especially the part about backing up once a month and instructions on how to do it.

  5. To back up Evernote on Windows, there’s an extra step involved between 1 and 2: click on “All Notes” and select them all. Otherwise, you just get a backup of the single that is at present selected.

Comments are closed.