synch with server and privacy / security

fbennett · April 2, 2016

https://forums.zotero.org/discussion/57875/a-very-serious-security-and-privacy-bug-of-zotero/#Item_5

Whateverr · March 10, 2017

I read the ttps://www.zotero.org/support/terms/privacy and https://www.zotero.org/support/terms/zotero_server_privacy_policy but I did not find a satisfying answer of these questions concerning a private database (which seems to be the default mode):

Can you guys (Zotero administrators) read a note written by a user (inside his private database)?

And more globally can you see (for a reason or another, such as debugging) all entries of the database?

My question does not concern the moral aspect ("it's immoral so we don't do it") but the technical aspect : can you technically access the users’ private data? And if so (if you can for instance read a private note), is there a kind of administrative procedures created to protect the users from (a hypothetical) abuse of a dishonest administrator? If so, which one?

Thanks in advance for your reply

adamsmith · March 10, 2017

Since items aren't encrypted server-side (only in transfer), I'm pretty sure someone with root access to the server could read them, yes.

Dan would have to speak about their internal policies, though I'm not sure how much you can do beyond monitoring such access. That's facilitated by the fact that there just aren't very many people with such access. My guess would be that there are 2.

dstillman · March 11, 2017

the technical aspect : can you technically access the users’ private data?

The answer to this is yes for any service that provides web-based access to your data, as Zotero does. If you can access your data on a website, the site's administrators can also access it. So the same applies to, say, files you store in Dropbox — since you can access those files on the Dropbox website, some Dropbox employees inherently also have access to them. (Note that inverse is not the case: a service's not offering web-based access doesn't guarantee that the provider can't access your data, unless the service was specifically designed with end-to-end encryption.)

At Zotero, access to private data is restricted to the (very few) people who need access to maintain the service, and we have tools to deal with most issues — e.g., answering support questions involving library size or sync activity — without examining library contents. The majority of the Zotero staff does not have any access to user data.

Whateverr · March 11, 2017

@adamsmith & @dstillman thanks for your answer.

Since it's a critical security point, it would be interesting to know the detail of these access permission. How many have access? Who are those people? And the most important question: are those critical access monitored? (A 2 level system, with admin able to access user datas, but not being able to modify the access log that will be sent to lower level admin would help)

Trust is important, but relying the whole privacy on that might sound quite risky for (some) users, but also for zotero (a privacy issue would probably greatly damage zotero reputation).

The detailed protocol would add more detailed risk probability to the answer given above: "they are probably as safe with Zotero as they are with you[r laptop]". It's an interesting answer but it does not take into account these admin access (users with this concern don't allow foreign access to their laptop. Yes intrusions are still possible, but they would be treated as threat.)

ps. I know that I could use other server to sync the db. It's just difficult to assess the risk probability without these informations.

ps: Concerning Dropbox I found that:
"we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that's the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances." https://www.dropbox.com/en/help/27

"Just because you're paranoid doesn't mean they aren't after you"

dstillman · March 12, 2017

Since it's a critical security point, it would be interesting to know the detail of these access permission. How many have access? Who are those people?

We're not going to disclose who has what access, clearly.

Dropbox's statement sounds fairly close to what I said above. But Dropbox is a multi-billion-dollar company with over a thousand employees. Zotero isn't. Our needs are much simpler — as adamsmith said, there simply aren't that many people who need access.

Fundamentally, with an organization the size of Zotero's, it does come down to trust: you need to trust the Zotero team — the people who have been running the project for the last decade, helping people in the forums every day, making sure zotero.org gets an A+ on the SSL Labs test — to make responsible decisions about all aspects of security, including internal access and monitoring. Or not, in which case you can of course use Zotero without syncing any data to zotero.org.

Whateverr · March 14, 2017

I apologize if my direct questions did hurt anyone's feeling. I understand your point. I was just curious to know how it work to assess the risk, I would have tried to know all I could.

I'm very grateful (and it's really nothing to say) for all the work and the talent you offer us ― for free, which I find unbelievable, since you beat in quality and constant improvement easily most service I pay for. So, I trust you and I warmly thank you for having answered my question.

kdb_research · July 8, 2017

Can I ask a bit more about the security of sync-ed data? I have some colleagues working on sensitive data and they are [very] concerned not to expose documents and informants. Can you say a bit more about how the sync-ed files are secured? Is there a limit on password attempts? Are IPs logged? Can the owners receive emails when people log into the libraries?

Many thanks, k

adamsmith · July 8, 2017

As someone who both loves Zotero and works at a data repository, it would never occur to me to store sensitive research data in Zotero; why would you ever do that?

kdb_research · July 8, 2017

Well there are many good reasons relating to Zotero as a research tool. One additional reason is that laptops and hard-drives have a tendency to go missing. If there's a thread on securing this kind of research data please point me to it. Thanks.

adamsmith · July 8, 2017

There's really no blanket advice as both legal factors and locally available infrastructure play into this (e.g. lots of universities provide secure storage and some require that their researchers use it) but at a minimum, sensitive data should be encrypted on the server (in addition to locally) which is not the case for Zotero.

Beyond that, if you're actually handling sensitive data in particular about 3rd parties (informants?) you should consult a specialist. That's way beyond the scope of this forum.