Hackability of the data stored in One Drive when linked to Zotero
The institutional reticence in collaborative projects towards using unsafe/hackable software is paramount, amongst others, to avoid lack of security & data-protection compliance, financial fines, potential jail, etc.
I aim to propose my current research team Zotero as a bibliographical and data-retrieval interface linked-up to Microsoft's One Drive as the cloud-based storing place.
This, to me, would mean the most amazing referencing software, i.e. Zotero, lined-up with the safety of Microsoft's One Drive as the cloud storing system.
Hence, my question is:
What is the extent of hackability of the data stored in One Drive that/when is linked to Zotero?
The Zotero sync servers use industry-standard encryption methods to prevent unauthorized access (see https://www.zotero.org/support/terms/privacy_policy) and are hosted using Amazon Web Services, which is a highly secure platform. So, while it is not suitable for storing sensitive patient data, the Zotero sync servers are unlikely to be the target of hacking. The Zotero developers would be able to provide more details.
As bwiernik says, shared access to your Zotero database in OneDrive or similar isn't technically possible to begin with because of how the database access works, but as far as I know OneDrive doesn't offer client-side encryption anyway, so there's not really much difference in the security of your stored data. (Generally speaking, if you can access a file via a website, the website has access to the data. There are some JavaScript-based solutions, but those are complicated/controversial, since the JS you have to trust is still coming from the website.) Of course, you might trust Microsoft more than Zotero, which is fine, but fundamentally your data isn't secure unless you encrypt it client-side with your own key.
The real solution here would be a private Zotero server. That's currently quite difficult, but we're planning to provide more support for that in the future.
I think that's likely overkill for Zotero, though.
Has anyone used Zotero within/as part of a UK-specifically university project, and if so what is the experience in terms of data protection, security issues, university IT policy?
If you do plan on storing personal information in Zotero, that's almost certainly not allowed by UK regulations.
For regular bibliographic information and accompanying notes, data protection regulations do not apply. I know of a significant number of projects in the UK using Zotero at universities without any issues with IT and a good number of universities actively promoting it. Have you actually gotten any pushback?
A future "private Zotero server" though sounds great indeed;
@adamsmith, There is a lot of misinformation, and some good degree of ignorance among all of us, so rather than a pushback I have got reticence until corroboration-towards-confidence has been reached.
Otherwise, I/we are planning to store interviews (i.e. audio/video/transcriptions), some documentation (i.e. MoUs, meeting minutes, etc.), and the usual bibliographical entries Zotero is famous for too.
The idea is to get it all stored here for alignment among the team members (via, for instance, creating a group, so we can all access and manage it), and because Zotero has proven to me in 4 years to be an awesome way to do this, for example, due to the meta-tagging and its superbly easy interface and overall data-gathering, storing, curating.
I have always had my own bibliography-based Zotero linked-up to Dropbox to store entries and so be able to have all the space that I require from my Dropbox profile. Hence, I thought it may be wise to link Zotero with, for instance, One Drive to make it all 'safe' and compliant with uni's data privacy T&Cs.
Any further suggestions will be more than thanked-for & welcome.
Now: You, @adamsmith, state that "It's possible One Drive has a European cloud which does make a difference".
Does this then mean that if storing the data organised via/in Zotero into One Drive with a European cloud, though still connected to Zotero anyway as its interface, would then UK personal data-privacy comply with existing regulations, or there is still the issue of Zotero having access to it, hence data-privacy being still compromised because of the third-party install?
I just want you to acknowledge that we have both warned you that this is a _terrible_ idea and that, especially in a collaborative project, the chances of data loss or corruption are extremely high and possibly irreversible.
If you want to risk suddenly not being able to access any of your Zotero records after 2 years of project work, go ahead and place your data directory in OneDrive. But when that happens, don't blame Zotero.
@whuber, thanks to you also for the info/lead about Mendeley's alignment.
We shall be checking it all and likely informing over here for the future curious individuals/teams to come to have a better picture about the state of affairs nowadays.
Cheers guys :)