synch with server and privacy / security

I would like to use Zotero to organize citations of confidential corporate documents as well as the usual public scientific documents. But first I need to know, if I synch my Zotero database with the Zotero server, is any of my information visible to or shared with other users? How is the info stored, and how much of it is stored?

Zotero is nice, but not so nice that I wish to get fired for breach of intellectual property rules. I'd be happy if you could clarify for me exactly what happens when a user synchs with the server.

  • if I synch my Zotero database with the Zotero server, is any of my information visible to or shared with other users?
    No, by default your information is private. All current and future sharing and collaboration features will operate on an opt-in basis. So, none of your data will become publicly visible without you making it so.

    For more information see the general privacy policy and the server privacy policy.
  • but still - depending on the level of confidentiality - I'd guess you can still get in trouble for uploading confidential data to an external server, to an account that's not designed for a lot of security features (e.g. sign-in without ssl etc.) etc.
    Really, that depends. I have off the record interviews in my database, but no one would come after me if someone uses criminal means (e.g. hacks into my account) to get a hold of them. But depending on the sensitivity of your data that might be different.
    E.g. when travelling with your laptop, are you required to encrypt the files? Are you allowed to store them on a laptop at all? If so, I wouldn't upload. If not, they are probably as safe with Zotero as they are with you.

    This is not the first time this comes up as an issue (it's not for me), I think it's worthwhile exploring solutions here.
  • Thanks for your feedback, and for your patience in providing an answer that was already on your website.

    I guess for my personal comfort level the best solution is to be paranoid, and not synch with the server at all.

    If it were possible I would synch the public data and keep the private data local. I don't suppose it's possible to maintain two databases simultaneously, or to tag some items as unsynchable? Perhaps a "to synch or not to synch" property of of each citation would be a solution to these issues. Has that been considered at all?
  • It's definitely something people have been talking about here in the forum - not sure if it's planned.
  • It is certainly possible to maintain separate databases, but it may be a bit tedious.

    Having different sync options for different collections or references has been discussed, but is not yet possible.
  • to an account that's not designed for a lot of security features (e.g. sign-in without ssl etc.)
    FYI, Zotero login requires SSL, and all metadata syncing operations are secure. We provide the option to sync attachments to unsecured WebDAV, but that's of course up to users.
  • I guess I should check these things before making such a statment - I just assumed since it keeps me logged in. But indeed, the login is ssl.

    (I would still say be careful with uploading confidential data to anywhere outside your firms network, but as I said - if you're allowed to transport the data on your laptop without encryption, the Zotero server is as safe (or maybe even safer) for your data than your hd.
  • edited March 17, 2009
    A related issue recently came up with some Canadian librarians--they were worried about storing researchers' databases on a server in the U.S. while the Patriot Act is still in effect. From their point of view, no SSL can protect Middle Eastern Studies scholars, for example, if the U.S. government decides that their records are vital for national security.
  • > I don't suppose it's possible to maintain two databases simultaneously

    One way to work with multiple databases is to use a separate Firefox profile for each. Straightforward enough, but the databases are completely isolated from one another.
  • Is it possible to set up one's own Zotero server? This would alleviate corporate security concerns. Another idea would be to allow the Zotero client to choose which Zotero server they wished to sync with.
  • That's a really interesting point, elena.
  • Is it possible to set up one's own Zotero server?
    Not at this time & it has been said that the server code will likely be released, but that it will still be unsupported.
  • >>>> Is it possible to set up one's own Zotero server?

    >> Not at this time & it has been said that the server code will likely be released, but that it will still be unsupported.

    I would appreciate this move, as I store a lot of sensitive data (interviews, analytical notes etc) and I am not really assured, whether all my information is fully secured (ie encrypted) in the databases where it is stored (ie in Z server). What happens if someone hacks into the Z server/databases and releases all the information...? I have big respect and trust towards the Z developers, and continue promoting this product in my academic circles, but nevertheless, I'm very careful with my records as well.

    At the moment I only know that "by default [my] information is private", but what does it really mean? Of course I know that the transfer is fully SSL secured, but after that - are there (going to be) any mechanisms of data encryption? Surely, opponents would say that in that case just don't sync your data via Zotero, but this is not really an argument - if one has already created a public and free software, and promotes and inspires people to use it, then it should be as secure as possible.

    From 'Zotero's server privacy policy':
    "Synchronizing your data to the Zotero server is optional, although synchronization is strongly recommended in order to provide backup, collaboration, and recommendation services"
  • Except that collaboration & recommendation can't be effective with data that is 100% private & you certainly have other options to backup.

    The group functionality is certainly a promising start for those that want to have different privacy restrictions for different portions of there data.
  • privacy != encryption
  • First, Zotero is a great product. I love it.

    Second, our IT group setup a corporate WebDAV server on our private network in a few minutes. However, for corporate security reasons, we need a corporate Sync Server on our private network. So, all we can do is play with Zotero Sync and wait until the Synch Server code is released.
  • Can I have an account with Zotero to sync my files? If so, what is the procedure? If not why?

  • We will have another File sync option for you very soon DenDen60, a matter of days.
  • Ok thanks. This is an important feature.

    IMHO of course
  • (repeat fo find out if there were any updates on the question)

    Can I have an account with Zotero to sync my files? If so, what is the procedure? If not why?

  • Currently our research group is a babel of reference managers. I use Zotero, others use various versions of Reference Manager. We need to standardize on a solution in which all of us can add to and edit the database and files concurrently. We would be more comfortable if both the reference database and downloaded files are on our own server. (Particularly after the Sidekick/Danger/Microsoft debacle.) Is there a way to do this on our Windows 2003 server?
  • not currently, no.
  • Does Zotero if used by students on a network, have a vulnerability to security e.g by using collboration & synching could any filters be circumvented?
  • The communication between Zotero clients and the server is encrypted and as secure as, say, traffic to bank websites.

    I'm not sure exactly what you are asking about. If this doesn't answer your question, please explain in more detail in a new thread -- this one is about something quite different.
  • Just my $.02, If Zotero was able to utilize locally stored private keys (say from GPG), the data could be encrypted prior to sync'ing without affecting the syncing process. i.e. any changes in the ciphertext would indicate a change in the plaintext...thus syncing is needed.

    This would allow the data to be kept confidential when not locally stored.

    WARNING: Regardless of methods, many corporate policies do not permit the *storage* of proprietary/confidential information in any fashion on non-corporate systems. So check your companies polices!
  • dag - but that would very much affect the way Zotero syncs, which is more intelligent then just checking if something has changed - see e.g. the conflict resolution dialogue during sync, online display of items, connection between items and pdfs etc. It also would mean that any change would require a complete up/downwnload of the mysql.

    If you require personalized pgp encryption of your files, close FF, encrypt your Zotero data folder and send it or transport it on a USB stick to the next machine.
    Zotero is about as safe as a well maintained e-mail account - i.e. the data is private and secure unless someone breaks into the Zotero server or hacks your password. If the type of data you have requires pgp for your e-mail, you probably shouldn't use Zotero sync with it.
  • An enterprising company / research group can run an independent instance of the Zotero dataserver, and distribute to its users modified versions of Zotero that sync with that server. For information, see the user-provided instructions here:

    There are apparently several groups out there doing just this. Just keep in mind that the Zotero team is not prepared to dedicate any support resources to helping out people using independent instances of the data server, so this is only for those confident mucking about in the code if necessary. If your company goes this route, post to the Zotero developers' listserv ( for help from others running the server.
  • edited November 3, 2011
    Hi. Just to weigh in on this conversation. One way that could be explored is to use my own phpZoteroWebDAV script as a VERY straightforward way to set up your own attachment sync server. This would enable you to ensure that sensitive attachments never leave your organisation or country if you use an internal computer to set this up.

    Note though that the library metadata is still synced to and that WebDAV is not in itself a particularly secure protocol for transmitting data and that the synced data will not be encrypted by default on the server. Having said that, if you keep the WebDAV server behind an institutional firewall that all shouldn't matter.

    also, just to be clear, allow me to quote adamsmith's reminder from a related thread.
    (to avoid misunderstandings with this old thread revived - the Zotero dataserver source code has since been released: . It's _much_ harder to implement locally than krueschan's ZoteroWebDAV, so if the latter is sufficient for you needs, I'd strongly recommend going with that. This is just to clarify where developments are on the issues raised in this thread).
  • Just by accident, I find that anyone can download a private personal file without the login credentials. For example, please try the following link, it is a sample file I uploaded into Zotero server under my account:

    I have double checked my privacy setting, and I am sure I have not check the "Publish entire library".

    So in this case, by brute force attack and try different ID and file name, all the files on the Zotero server is open to the public......

    I hope this is not true ...
  • edited April 2, 2016
    That returns a 404 error for me; I believe that those attachment pages only work when logged in to an account with access to the file.
Sign In or Register to comment.