Just How Secure is that Note-Taking App Holding Your Sensitive Data?

You may have technology that stops users emailing sensitive information and prevents them from copying data to USB drives, but what are you doing to protect their notes? Research released by privacy-focused search engine DuckDuckGo showed that people are storing their most sensitive secrets in note-taking apps that don’t encrypt that data by default.

The company surveyed 1029 American adults to assess their note-taking habits. They found that 45.3% had saved sensitive information in note-taking apps, such as login credentials, social security numbers, credit card information, and security or PIN codes.

The problem with storing information like this in digital note-taking software is that many of the programs and services don’t encrypt information by default, the company warned. Most note-taking software worth its salt has some form of password protection. Microsoft’s OneNote lets you password protect files, for example, securing them with strong AES-128 encryption. The problem is that you have to turn that on yourself – the software won’t do it for you automatically.

According to the DuckDuckGo research, 58.2% of people didn’t realize that many notes apps don't encrypt notes by default, which implies that they're not seeking out these manual options.

What does this mean for all that sensitive data sitting in your note-taking software? It doesn't mean that you can’t protect it. Check the manual measures available for encrypting data inside the app and apply them retrospectively where possible. Beware, though, because some note-taking programs offer limited functionality. Evernote lets you encrypt the text content of a note, but only if you’re using the desktop client. You can't encrypt an entire note or notebook, though, meaning that if you're storing sensitive documents like PDFs or Word files there, the service won't protect them.

In those cases, you can often still manually password protect your files using the appropriate editor before you store them in a note-taking app. Adobe Acrobat lets you encrypt PDFs. Or you can protect them using third-party encryption software like VeraCrypt or BitLocker (the latter is built into Windows). These offer encryption at the file level but can also encrypt entire volumes for blanket protection, providing a useful option if you're only storing your files and notes locally. Just don't lose your password.

Another alternative is to switch entirely to a program that offers default encryption out of the box. Password managers like LastPass feature default encryption and let you store notes and files. Or you can use a local tool like Standard Notes, which is cross-platform and uses AES-256 encryption by default.

Aside from the lack of awareness about encryption, this research raises other questions around data hygiene. There are plenty of note-taking apps available, and the chances are that you'll use different software and services as your needs change over time. It's important to manage your data footprint, ensuring that you delete, transfer, or at the very least encrypt notes in software and services that you no longer use. Otherwise, just like other kinds of waste, that discarded data could become toxic.
