Hackability of the data stored in One Drive when linked to Zotero

The institutional reticence in collaborative projects towards using unsafe/hackable software is paramount, amongst others, to avoid lack of security & data-protection compliance, financial fines, potential jail, etc.

I aim to propose my current research team Zotero as a bibliographical and data-retrieval interface linked-up to Microsoft's One Drive as the cloud-based storing place.
This, to me, would mean the most amazing referencing software, i.e. Zotero, lined-up with the safety of Microsoft's One Drive as the cloud storing system.

Hence, my question is:
What is the extent of hackability of the data stored in One Drive that/when is linked to Zotero?
  • edited December 7, 2017
    You absolutely should not store your Zotero database in OneDrive or any other cloud-syncing folder. That will inevitably lead to corruption of your database and potentially data loss. You can set up your system to store attachment files in OneDrive, but your item metadata and notes will sync to the Zotero servers if you enable syncing. You can set up and host your own sync server, but this is quite technically involved.

    The Zotero sync servers use industry-standard encryption methods to prevent unauthorized access (see https://www.zotero.org/support/terms/privacy_policy) and are hosted using Amazon Web Services, which is a highly secure platform. So, while it is not suitable for storing sensitive patient data, the Zotero sync servers are unlikely to be the target of hacking. The Zotero developers would be able to provide more details.
  • "The Zotero sync servers use industry-standard encryption methods to prevent unauthorized access"
    That is actually not quite correct. It's true for personal information like e-mails, but data synced with Zotero are stored unencrypted at rest which is state-of-the-art for the type of data Zotero is designed for but neither suitable nor (in many countries) in legal compliance with requirements for storing sensitive data.
  • To clarify this, Zotero uses best-practice encryption for data in transit (e.g., A+ on the SSL Labs test), but as with any web service, Zotero web servers/staff have access to the data at rest. That access is tightly controlled to just the servers/people that need access to maintain the service.

    As bwiernik says, shared access to your Zotero database in OneDrive or similar isn't technically possible to begin with because of how the database access works, but as far as I know OneDrive doesn't offer client-side encryption anyway, so there's not really much difference in the security of your stored data. (Generally speaking, if you can access a file via a website, the website has access to the data. There are some JavaScript-based solutions, but those are complicated/controversial, since the JS you have to trust is still coming from the website.) Of course, you might trust Microsoft more than Zotero, which is fine, but fundamentally your data isn't secure unless you encrypt it client-side with your own key.

    The real solution here would be a private Zotero server. That's currently quite difficult, but we're planning to provide more support for that in the future.
  • This is getting quite technical so maybe not the best place, but I think what Dropbox Business is doing in running separate application & encryption services and storing files fragmented and with AES-256 is elegant (and seems to satisfy most regulators including for HIPAA and FERPA in the US): https://www.dropbox.com/business/trust/security/architecture
    I think that's likely overkill for Zotero, though.
  • Yeah, but fundamentally the web servers still need access to the key to show you the data. You can obviously gate/log/monitor access to those servers, but the data is still accessible to the company one way or another. In Zotero's case, the list of people who have access is extremely limited, so most of that sort of architecture is irrelevant.
  • Thanks to all for your kind and swift responses.
    Has anyone used Zotero within/as part of a UK-specifically university project, and if so what is the experience in terms of data protection, security issues, university IT policy?
  • What are you planning to store in Zotero? My understanding is that UK data protection policies (like most similar policies) are about personal data. That's not what you'd typically store in Zotero.
    If you do plan on storing personal information in Zotero, that's almost certainly not allowed by UK regulations.

    For regular bibliographic information and accompanying notes, data protection regulations do not apply. I know of a significant number of projects in the UK using Zotero at universities without any issues with IT and a good number of universities actively promoting it. Have you actually gotten any pushback?
  • @dstillman, "data is still accessible to the company one way or another" is the obvious reason that got me here;
    A future "private Zotero server" though sounds great indeed;

    @adamsmith, There is a lot of misinformation, and some good degree of ignorance among all of us, so rather than a pushback I have got reticence until corroboration-towards-confidence has been reached.

    Otherwise, I/we are planning to store interviews (i.e. audio/video/transcriptions), some documentation (i.e. MoUs, meeting minutes, etc.), and the usual bibliographical entries Zotero is famous for too.

    The idea is to get it all stored here for alignment among the team members (via, for instance, creating a group, so we can all access and manage it), and because Zotero has proven to me in 4 years to be an awesome way to do this, for example, due to the meta-tagging and its superbly easy interface and overall data-gathering, storing, curating.

    I have always had my own bibliography-based Zotero linked-up to Dropbox to store entries and so be able to have all the space that I require from my Dropbox profile. Hence, I thought it may be wise to link Zotero with, for instance, One Drive to make it all 'safe' and compliant with uni's data privacy T&Cs.

    Any further suggestions will be more than thanked-for & welcome.
  • "@dstillman, 'data is still accessible to the company one way or another' is the obvious reason that got me here"
    But my point was just that that applies equally to OneDrive or Dropbox if you're not encrypting data locally. There are compliance policies (of debatable merit) that those large companies can adhere to in various ways, and that may be sufficient for your purposes, but the fundamental third-party access to data is still there whether you use OneDrive or Zotero.
  • "I have always had my own bibliography-based Zotero linked-up to Dropbox to store entries and so be able to have all the space that I require from my Dropbox profile."
    Just to restate that that's a bad idea, whether it's OneDrive or Dropbox. There's a good chance it'll lead to data loss and/or corruption.
    "Otherwise, I/we are planning to store interviews (i.e. audio/video/transcriptions), some documentation (i.e. MoUs, meeting minutes, etc.),"
    I'd advise against that. My understanding is that by UK regulations you are not allowed to save information classified as personally identifiable (which is almost certainly the case for audio/video interviews and likely for transcripts) on US-based cloud servers at all. The UK Data Archive would be one place that would be able to give you reliable specifics on this, so you might want to contact them. I've co-taught data management workshops with them and they tell researchers to be very careful using cloud services for such data (much more so than we in the US). It's possible One Drive has a European cloud which does make a difference. Zotero uses AWS-US servers exclusively.
  • These are really valuable comments, and advice, for which I thank you both immensely!

    Now: You, @adamsmith, state that "It's possible One Drive has a European cloud which does make a difference".
    Does this then mean that if storing the data organised via/in Zotero into One Drive with a European cloud, though still connected to Zotero anyway as its interface, would then UK personal data-privacy comply with existing regulations, or there is still the issue of Zotero having access to it, hence data-privacy being still compromised because of the third-party install?
  • You'd have to talk to your data protection folks, but _legally_ it's probably fine if (!) they've signed off on OneDrive.

    I just want you to acknowledge that we have both warned you that this is a _terrible_ idea and that, especially in a collaborative project, the chances of data loss or corruption are extremely high and possibly irreversible.
    If you want to risk suddenly not being able to access any of your Zotero records after 2 years of project work, go ahead and place your data directory in OneDrive. But when that happens, don't blame Zotero.
  • This is one situation where you might be better served by Mendeley, which houses its data in the EU (well, in the UK...) and is registered as a data controller under the UK Data Protection Act.
  • @adamsmith, thanks very much indeed for your advice, and wise-warnings.
    @whuber, thanks to you also for the info/lead about Mendeley's alignment.
    We shall be checking it all and likely informing over here for the future curious individuals/teams to come to have a better picture about the state of affairs nowadays.
    Cheers guys :)