Privacy and Security in Zotero

cfarnum
Hello - I've been reading bits here and there about Zotero re: privacy and security. My context is I'm working outside of the U.S., and researchers I work with are concerned about the security and privacy of the information in their annotations in Zotero, e.g., if they are making comments in the annotations in a PDF, is this information available on U.S. servers? And potentially accessible to the U.S. government? Folks working with vulnerable populations are particularly concerned about this, so if someone could clarify this, I'd appreciate this.
  • adamsmith
    https://www.zotero.org/support/privacy
    If you are syncing your data (which you don't have to for core functionality, but which is required for things like groups and the mobile app) it's on US Servers and yes, it would be subject to US legislation/subpoenas/FISA courts, etc..

    Generally speaking, Zotero is a privacy-first app and doesn't collect or store unnecessary information. It's also designed pretty securely. That said, even working within the US, though, I don't think Zotero is set up to hold anything like potentially identifying information about vulnerable populations: Data aren't encrypted on the server, there's currently no MFA, etc. Using it as sensitive data storage wouldn't pass ethics review here, either.
  • tim820
    edited January 25, 2024
    Has Zotero considered adding database and PDF encryption as an option ? And MFA. Some people are naturally going to be concerned about "US servers" ... or anyone else's servers for that matter. Encrypted or otherwise. But there are probably people already using Zotero for storing/annotating study data (eg interview transcripts) that as you say might not pass ethics review (if the local IRB knew).

    Short of more levels of Zotero security/encryption, I wonder if there are other encryption solutions that could be implemented by the user within existing Zotero, while still maintaining syncing of non-sensitive item metadata ? There are as many local security dangers as there are for data on someone's servers. For example off the top of my head, a linked PDF strategy using only an external PDF reader for annotation could be used, with password-protected PDFs (for what that's worth). The aim might be that (unencrypted) annotations would never enter the Zotero database. And then one could also use a cloud PDF file syncing solution that encrypts files (but one would have to work around the Groups limitation on linked files if sharing is required). One might exclude Google Drive and MS Onedrive for file syncing whether or not they are nominally encrypted. Dropbox "says" it's encrypted. WebDAV can be encrypted can it not ? But files and the database are usually unencrypted on the local machine, unless one uses a local encryption app.

Sign In or Register to comment.