When I started writing about my experience going paperless more than a year ago, I was frequently asked about my concerns for the safety of my paperless data. After all, much of that data is stored in the cloud, on servers over which I have no control. The questions fell into 2 general categories:
- Are you concerned that your data might be compromised?
- What if Evernote (or whatever cloud service you might be using) suddenly went away?
I’ve always followed some best practices for my online activity, such as using strong passwords, SSL (encrypted) connections, virus-scanning, a good spam filter, etc., but nothing is foolproof. That said, I developed some habits and practices that allow me to balance risk and reward to my own satisfaction. Here are some tips for protecting your digital file cabinet.
- Tools of the trade
- A good paperless process
- A “local” notebook in Evernote (I call mine “Local filing cabinet”)
Creating a “local” digital filing cabinet
If I have sensitive data that I don’t want in the cloud, I keep it in a local notebook in Evernote. (I don’t have very much of this type of data, so that helps make this process easy for me.) Local notebooks are not stored on Evernote’s servers. They exist only on the machine on which they are created. Once you create a local notebook, you cannot switch it to a synced notebook. That said, premium users of Evernote still get the advantage of search data for their scanned documents even when the documents are stored in a local notebook. That makes the notebooks searchable on the local machine. For me, searchability is critical.
Last week I wrote about my process for spending 10 minutes a day going paperless. There was a “Scan to Evernote” box in the middle of the process that acts as a kind of subprocess for me. Here is what goes on inside that box. For each document I scan in, I ask myself a question:
Does this document contain sensitive information that I don’t want online?
If the answer is no, it gets scanned into my main “paperless filing cabinet” in Evernote, which is a synced, online notebook.
If the answer is yes, it gets placed in a local notebook, a kind of “locked” filing cabinet that is only available on my local machine.
By following this process, any documents or notes I consider “sensitive” are not stored on an Evernote server, but they remain searchable from the machine on which they reside. This is a good balance for me.
Finding your security sweet-spot
Storing data in the cloud has many benefits. For someone trying to go paperless, it is almost essential because one big advantage of being paperless is being able to access your paperless documents from virtually anywhere. At the same time, you have to balance that reward with the risk you are willing to take with the data residing on a server outside of your control. In matters of information security, increased reward often comes with greater risk and vice versa. That can be illustrated[1] as follows:
A good example of the risk-reward trade-off is encryption.
Evernote allows you to encrypt your text notes. You can also use third-party software to encrypt documents you put into Evernote. The theory, of course, is that if your account is compromised, your data would be encrypted and thus useless. But there is a trade-off. Encrypted data is not searchable within Evernote because it is encrypted. So you lose the ability to search within your encrypted documents[2]. If you are using Evernote as cloud-based file storage, this is probably an acceptable trade-off for you. But for someone like me, who does multiple searches within Evernote every day, encrypted notes would not work because my notes would not be searchable.[3]
A virtual briefcase when you are away from home
Sometimes, I do find it useful to have sensitive documents available to me when I am away from the house. In this case, I have a process that allows me to temporarily move sensitive documents from a local notebook to a synced notebook. The process looks something like this:
Evernote makes it easy to bulk copy or move notes from one notebook to another. Simply select a set of notes, right-click, choose Copy or Move Notes and select the notebook you wish to move them to. The meta-data moves along with the notes, so if you have saved searches and they are based on things like tags and not the notebook in which the notes appear, your searches will continue to work regardless of the notebook that the notes appear in.
Once I no longer have a need for the documents online, I move them back to the local notebook.
Of course, since the documents are online for a period of time, they are exposed to the same kinds of risk as any online documents. But I am comfortable with my own online security practices. I’ve also been happy with Evernote’s Three Laws of Data Protection. And since these sensitive documents are only online for small windows relative to other documents, I feel like I am further reducing my overall exposure.
On the whole, I don’t lose sleep over my online data security. Indeed, I am more concerned about what would happen if I lost a device with my data or if my local machine decided to quit on me and take the data with it.
Protecting your data on mobile devices
I access my Evernote data frequently from my iPad and in the back of my mind, it has occurred to me that if I ever lost my iPad, my data might be exposed. There are several ways of protecting yourself from this kind of exposure, of course, such as requiring a password or passcode to log into your device. You can also erase all of the data from your device after a certain number of failed login attempts.
As an Evernote premium user, I can also require a passcode to get to my Evernote app on the iPad:
This is a simple way of adding another layer of security on the off chance my iPad is lost or stolen.
Protecting your digital file cabinet
Data is an asset and like any asset, it requires protection. In the past, when I have lost data, it has almost always been my own stupid fault. But software and operating systems are sometimes unpredictable. What happens if I lose Internet access? Or as some people have asked me, what happens if Evernote just “goes away”?
I don’t dwell on Evernote going away, but I do protect myself against that unlikely event. At the end of each month, I back up my Evernote data locally, and that backup eventually makes its way to my cloud backup service. Here is how I do it:
- Open the Evernote app on my computer (I use a Macintosh at home but a Windows machine at work).
- From the file menu, I select Export…
- From the Format menu, I select “Evernote XML Format”
- I provide a file name.
- I click Save.
All of my notes and everything they contain are exported to this XML file format. Binary files are embedded in the XML structure. Keep in mind, for someone with a lot of digital data (I am paperless, after all), this can be a huge file, gigabytes in size.
Once the export is complete, I place the file on an external drive. Generally I will compress it. It is also possible to encrypt this file using a variety of encryption software available online. In this case, encryption is fine because I am not actively searching the backup file. Of course, I only do this backup once a month. It means that at worst I’d lose one month’s worth of data, but that is an acceptable risk for me. Your mileage may vary.
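An added example, not part of the original post: before relying on a monthly export as a backup, a short Python check can confirm that the file parses to the end and that every embedded attachment decodes, and can record a SHA-256 digest to keep beside the file. It assumes the ENEX layout of `<note>` elements holding `<resource><data encoding="base64">` children; the sample export and the function names are constructed for illustration.

```python
import base64
import hashlib
import io
import xml.etree.ElementTree as ET

# Constructed sample export: two notes, one with a base64-embedded attachment.
SAMPLE_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<en-export export-date="20130101T000000Z" application="Evernote">
  <note><title>Utility bill</title><content>scanned</content>
    <resource><data encoding="base64">aGVsbG8gd29ybGQ=</data></resource>
  </note>
  <note><title>Shopping list</title><content>milk</content></note>
</en-export>"""


def inventory_enex(stream):
    """Stream an export note by note; return (summary, problems)."""
    summary = {"notes": 0, "attachments": 0, "attachment_bytes": 0}
    problems = []
    try:
        for _, elem in ET.iterparse(stream):  # yields each element as it closes
            if elem.tag != "note":
                continue
            summary["notes"] += 1
            title = elem.findtext("title", default="(untitled)")
            for res in elem.iter("resource"):
                raw = "".join((res.findtext("data") or "").split())
                try:
                    size = len(base64.b64decode(raw, validate=True))
                except ValueError:  # binascii.Error is a ValueError subclass
                    problems.append(f"{title}: attachment is not valid base64")
                    continue
                summary["attachments"] += 1
                summary["attachment_bytes"] += size
            elem.clear()  # drop the note's embedded binaries from memory
    except ET.ParseError as exc:  # e.g. an interrupted copy to the drive
        problems.append(f"export is truncated or malformed: {exc}")
    return summary, problems


def sha256_of(stream, chunk=1 << 20):
    """Digest to store beside the backup so later corruption is detectable."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


if __name__ == "__main__":
    print(inventory_enex(io.BytesIO(SAMPLE_ENEX)))
```

For a real export, open the file in binary mode and pass the file object to both functions; run the check before compressing or encrypting the file.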
Summing it up
Protecting your digital filing cabinet is not difficult. With the right tools and a good process, I feel like I’ve done everything I can to provide a secure environment for my data, and give me the level of access to it that I need. Each person needs to determine their own comfort level with what kinds of documents to scan and keep online versus keep locally. But good data protection practices are like insurance: you hope you’ll never need them, but they’re there if you do.
[1] I know this is a rough sketch but I think it conveys the idea.
[2] Of course, you can provide some meta-data on those notes, such as tags, that would remain searchable, but this isn’t enough for my own purposes.
[3] For an interesting technical analysis of security with Evernote and the various layers involved, check out this post from ThoughtAsylum.