Privacy Concerns

question

(Turkey Gravy) #1

I have a privacy concern question that I would like to clarify. With personal notes being some of the closest things to me, I feel quite strongly about privacy around them.

I have read through the privacy policy, though it feels very loose in what it’s actually saying, and doesn’t say what things are actually shared or not. This gives me a bit of fear that it leaves it open to use in ways I don’t feel comfortable in the future.

Main concerns

We will collect personal information through appropriate methods for the following purposes

We may entrust the whole or part of the personal information it collected to outsourcing entities to the extent required to achieve the purpose of use

What is contained within the scope of this personal information? I want to be able to fully understand what is shared, what is not.

  1. Is it the first name, last name, and email provided in account settings?
  2. Is this note contents?
  3. Note titles?
  4. Tag names?
  5. Folder names?
  6. Linked websites from within notes?

My understanding from other posts in this forum is that data is encrypted at rest, but not encrypted in transit. I presume that HTTPS is used for encryption in transit between client and server?

The data encryption & decryption always happen on the Inkdrop servers.
So when encrypting/decrypting, the servers have to look into your data in plaintext.
https://forum.inkdrop.info/t/where-is-data-encrypted/218

First, your notes are not encrypted with your password directly.
Inkdrop generates an encryption key and it’s encrypted with your password while stored on disk.
So your encryption key itself won’t be changed if you change your password. Just re-encrypting the encryption key.
https://forum.inkdrop.info/t/changing-resetting-password/159

With this is it correct to state that it is not possible for you, or any authorities, third party, hacker, etc, to read the data of my notes, tags, folders, etc, since they are encrypted at rest with a strong cipher and key:salt pair?

Other questions

and is difficult to obtain your consent

What is defined as difficult? You only have my email address, does that qualify as difficult, or is there a time period of response? What would that be?

it is necessary for cooperating with a national or local authority or an entity entrusted by it in executing the affairs prescribed by laws and ordinances

In which country? I am a UK citizen, according to Twitter you live in Tokyo, so is this in reference to Japanese authorities, or UK, or both? I wouldn’t expect UK to have any enforcement to you as a resident of Japan. My concern is if a country not either of those makes a request, such as the largest country in the west, that I don’t feel comfortable having my information shared with.

This also relates to which country the data is actually stored in. I presume it’s built on AWS or something similar, so understanding whether the regions selected are in the EU would make me more comfortable. Since you’re in Japan, you may have selected a region closer to home.


(Takuya Matsuyama) #2

Hi Turkey,

I’d like to answer your questions as follows.

What is contained within the scope of this personal information?

  • The first name, last name and email address
  • The usage statistics such as number of notes, notebooks and tags

We won’t touch anything about the contents of your note data, such as analyzing words in notes or collecting statistics on tag names.

I presume that HTTPS is used for encryption in transit between client and server?

Yes.

With this is it correct to state that it is not possible for you, or any authorities, third party, hacker, etc, to read the data of my notes, tags, folders, etc, since they are encrypted at rest with a strong cipher and key:salt pair?

In principle. But note that a man-in-the-middle attack is still possible depending on your network environment.

and is difficult to obtain your consent

What is defined as difficult?

For example, when you are losing consciousness.
Basically, we will try to ask you if we have to provision to a third party.

In which country?

Currently the servers are located in the US.

If you still don’t feel comfortable using Inkdrop, please check out other apps focusing on privacy, like Turtl.
Hope it’s helpful.


(Turkey Gravy) #3

Brilliant, thanks for the info 🙂