How does Zotero protect your data?

I know that Zotero's business model gives them no incentive to sell/exploit your personal data. That plus Zotero being open source is a huge draw for me.

I do wonder though - how else does Zotero protect your data? Is any sort of encryption implemented? (at rest, in transit, on their servers only, etc.). Are there measures in place to protect against database corruption? I've been reading that regularly backing up your database is the best way to protect against database corruption. Does Zotero have any built-in function to help with this? (Like how Firefox has an easy, built-in way to export your bookmarks as an HTML file).

I'm actually looking to use Zotero as my primary bookmark manager, potentially in lieu of Firefox Sync, so I've been really curious about this.
  • edited April 28, 2019
    See https://www.zotero.org/support/security and https://www.zotero.org/support/privacy

    For backups, the easiest approach is to include your Zotero data directory in your regular backup of your computer hard drive. It's best to back up the Zotero database itself, rather than exporting a separate file, because re-importing a file will treat these as new items, rather than existing items.
  • @bwiernik - Thanks! This clears up pretty much everything.
  • @dstillman -- when did you start encrypting data at rest? That's great!
  • Are existing accounts also going to transition to encryption at rest?
  • We've been enabling at-rest encryption for various services over the last year, but it's really just a compliance checkbox for some organizations. As with any service that provides web-based access to data, Zotero/Amazon servers by necessity have access to the decrypted data, so the threat model here is basically someone in an AWS data center walking off with a hard drive, which seems extraordinarily unlikely. Because of this, we have no plans to migrate existing data, since 1) there's no real security benefit and 2) anyone who this was an issue for wouldn't have been able to use Zotero syncing previously. (Also, technically "newly created accounts" is an oversimplification. It's new libraries — user or group — for library data, as well as new files and full-text content for all accounts.)

    High-quality transit encryption, which is far more important, has been in place for Zotero syncing from the start.

    @"Liv M": Note that Firefox Sync doesn't offer web-based access, so it's able to use end-to-end encryption. If that's important to you and web-based access isn't a requirement, that would certainly be a valid reason to choose Firefox Sync over Zotero (or to store your Zotero data directory on an external drive that you carry around instead of using syncing).
  • edited May 1, 2019
    I'm curious if the at-rest encryption affects access to the Zotero database by third party software. How is this different from Mendeley's implementation, something we have derided as taking control away from users? Is it only encrypted server-side?
  • edited May 1, 2019
    Yes, this is about data on our servers. It has nothing to do with local data, which is what the Mendeley issue is about. As I say, the only real effect of this is that if someone gets unauthorized access to a hard drive in an Amazon data center they won’t be able to read the data.
  • @dstillman - do you know if Zotero has any plans to implement end-to-end encryption at some point in the future?
  • Unless I'm misunderstanding, that would prevent a web library, which seems like an increasingly essential feature.
Sign In or Register to comment.