Zotero deemed security risk
Hi all,
I work for a state wildlife agency which recently deemed Zotero a security risk, so they are banning it and removing it from our machines. I use this software a lot and it has been a fantastic tool in my research so I am pretty upset to see it go. Here are their reasons:
Zotero attempts to access “Microsoft\Edge\User Data\Default\Login Data” which contains saved passwords. The browser plugin triggers a security alert for attempts to access the file containing stored browser passwords.
Zotero accesses internet servers that are used to serve ads such as “hxxps://securepubads.g.doubleclick.net”.
Zotero does not have any formal security certification and there is no formal secure coding process. Simply relying on encryption at rest and in transit is not enough. They lack any standard cybersecurity documentation such as a SOC2 report, SSP, or ISO27001 report.
They are recommending Mendeley and EndNote instead. Does anyone have any counterpoints to this? I’d love to get this info to the developers to see if they might be able to beef up security to meet the agency’s demands.
There are one or two situations where operations within Zotero could trigger a webpage load, but that's literally a standard webpage load as any browser would make (Zotero is based on Firefox), and it depends entirely on what you're saving. For example, if you add an item by DOI, Zotero might follow the DOI URL and load the associated article webpage in order to make a webpage snapshot, and if the publisher uses Google ads on their site, those ad resources would get loaded as they would if you loaded the article page in your browser. You can turn off snapshot saving in the General pane of the settings (though that will prevent snapshots from being saved from the Zotero Connector as well).
We're also looking into an issue where links in snapshots loaded in the Zotero 7 reader result in DNS (not HTTP) requests. That shouldn't happen, and we're going to try to fix that, but that generally wouldn't be ad servers, and again, it's solely making requests based on what you've saved.

Fixed in Zotero 7.0.14.

These are enterprise certifications that aren't realistic for an organization of our size. We can provide a HECVAT (an assessment tool used by higher-education institutions to evaluate security and privacy) on request.

This is a meaningless claim. Zotero has been developed by a professional team of software developers for almost two decades. We consider privacy and security in everything we do, starting with Zotero's very design as an offline-first, open-source tool. They're welcome to review our codebase — literally every commit — if they have concerns about our "coding process", which they certainly can't do for our competitors.

If they want to recommend tools produced by companies literally in the business of selling their users' data, that's a choice, but it's certainly not the one we would make.
If they have specific technical questions, they can post here or email us at support@zotero.org.
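The reply above attributes the doubleclick connections to resources embedded in the saved publisher page rather than to Zotero itself. As an added example (not Zotero's code, not from anyone in this thread), here is a small auditor a reviewer can run over a saved snapshot file to list the cross-origin hosts the page would fetch on render; the sample HTML and the `*.example` host names are constructed for the demo, while `securepubads.g.doubleclick.net` is the host named in the original post.

```python
"""List third-party hosts a saved webpage snapshot auto-loads when rendered."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample snapshot of a "publisher" article page that embeds a
# Google ad tag, an analytics iframe, a CDN stylesheet and a same-origin image.
SAMPLE_SNAPSHOT = """
<html><head>
<script src="https://securepubads.g.doubleclick.net/tag/js/gpt.js"></script>
<link rel="stylesheet" href="https://cdn.publisher.example/site.css">
</head><body>
<img src="/figures/fig1.png">
<iframe src="https://analytics.example/pixel"></iframe>
<a href="https://doi.org/10.1000/xyz123">DOI</a>
</body></html>
"""

# Attributes the browser fetches automatically on render. Plain <a href>
# links are deliberately excluded: they load only when the user clicks them.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceHostParser(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hosts = {}  # host -> set of tag names that reference it

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if not attr:
            return
        host = urlparse(dict(attrs).get(attr, "")).hostname
        # Relative URLs have no hostname and resolve to the page's own origin.
        if host and host != self.page_host:
            self.hosts.setdefault(host, set()).add(tag)


def third_party_hosts(snapshot_html, page_host):
    """Return {host: sorted tag names} for every auto-loaded cross-origin resource."""
    parser = ResourceHostParser(page_host)
    parser.feed(snapshot_html)
    return {host: sorted(tags) for host, tags in parser.hosts.items()}


if __name__ == "__main__":
    for host, tags in sorted(third_party_hosts(SAMPLE_SNAPSHOT, "www.publisher.example").items()):
        print(f"{host:40s} via {', '.join(tags)}")
```

To audit a real snapshot, read the saved HTML file into `snapshot_html` and pass the host of the page it was captured from.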
I can provide emails and phone numbers for our information security manager and/or network service section leader and/or chief information officer.
When I noticed the initial block, I immediately reached out and requested OIT contact Zotero's support team to make them aware of the security risks (per the security statement on Zotero's site).
I plan to forward this information along to our OIT and strongly encourage them, once again, to reach out to support@zotero.org to discuss the concerns in more detail.
I'm already experiencing hours of wasted productivity related to transferring my substantial library over to EndNote...
I will be replying again reiterating the HECVAT, though I won’t be holding my breath. I do hope you still reach out to them; I’ve talked a few other people at my office into doing so as well. My hope is that with enough pushback and reiteration of how valuable this tool is to us, they will reconsider. And frankly, I tried EndNote first and it sucked. Maybe the paid version is better but… boo.
I kindly asked whether it would be permissible to continue communicating with Zotero rep(s) to see whether a solution could be found, and was basically told to cease any further engagement on behalf of the agency.
That doesn't mean I won't still pursue solutions and see if something can be done, but it won't be on behalf of the agency (as it never was in the first place).
In any case, the dismissive tone of the response and check-box nature of the security protocols is infuriating, at best. I was also rather put off that despite being told to contact a specific individual, that individual never responded and instead forwarded it up the chain to a section lead.
On a final, personal note, I agree that EndNote is a garbage program. I have used Papers (port to PC was rubbish), Mendeley (before Wiley purchased and ruined it), and then EndNote. I liked EndNote for a brief moment, but I wanted to embrace more open-science tools and products. I subsequently switched to Zotero a couple of years ago, which took a solid day of arguing with EndNote to fully export and reestablish my 15+ year literature library in Zotero. The forced transition back to EN now has me maintaining two separate reference management programs - such an incredible waste of time and resources. One would think a state agency would embrace the opportunity to reduce costs by switching to an open-source, free platform.