Help w rebuttal to University security staff denying zotero

Ho guys,

I have been using zotero for a long time and want to continue using it.

My institution does not want me to use zotero and are favoring Endnote.

Below are excerpts from a recent conversation with our security team.

I wrote to zotero support and got a good reply. I was wondering if this community has any additional suggestions for cogent arguements I can include in my rebuttal

Thank you all.






Me: please clarify what risk you are talking about.

How is storing publicly available PDF files from journals related to security risk and how does using Endnote negates that risk.

Them: Files stored in Zotero are not stored encrypted. Further, I was unable to determine the Security features of Zotero. Security is most likely not a consideration in this software. Without a Contract, we are unable to conduct a Vendor Risk Assessment. It is uncertain whether Codes written for the Zotero software are checked for any vulnerabilities or Backdoors, or whether any of the MDACC Security requirements are met.



Me: Also, please provide supporting information how using zotero increases risk of malware intrusion and infections compared to Endnote.

Them: Zotero allows you to download files and bring back to your desktop on the MDA network. Unsecured Files downloaded are a perfect attack vector that a cyber attacker can use for inserting malware and infiltrating the MDA network via Backdoor, or Code Injection. MDA Research, Intellectual Property and Patient Health Information is at Risk, and is an attractive target for cyber attackers.



The Institution does not encourage additional software, if there is a suitable Application offered by the Institution for use, with similar functionalities.





Me: I would encourage you to please review and understand what zotero is and what purpose it is used for.

Them: I did review Zotero. I could not find security features offered.



Me: This is not about convenience, this is about accuracy.

Them: You mentioned that it is free software and it is easier to use àThat makes it Convenient

Me : Endnote makes more mistakes in generating bibliographic information while zotero is more accurate in this regard. Please see attached literature.





Them: Summary:

The software request for Zotero was sent to Information Security Department for Risk Review.

Zotero is free software - with no contract, no SLA, no Vendor Risk Assessment, no Vendor responsibilities to the Institution.

Free software is an attractive target for cyber attackers. Unencrypted, unsecured Files downloaded can serve as a backdoor for malware code injection, and create an attack vector for cyber criminals. With no Contracts, no SLA, no Vendor Risk Assessments, the inherent Risk to the Institution is High.



As such, Zotero is not Approved.
  • The Zotero developers may be able to say more. The security team rather clearly did not do much of a review. The security information about Zotero is linked on the first page of the Zotero documentation.
    https://www.zotero.org/support/security
  • dstillman Zotero Team
    edited February 13, 2021
    For others who might come across this, I'll share what I told @a.maiti via email:

    It doesn't sound like this person has any clue what they're talking about, and they don't sound open to evidence, so if possible I would try to escalate this to someone more knowledgeable and reasonable.

    This person is using technical jargon in meaningless ways — e.g., saying that "files stored in Zotero are not stored encrypted". File encryption has no connection to network security, and, regardless, file encryption is typically an OS-level task and isn't something individual programs do, which is why EndNote doesn't either. "Unencrypted, unsecured Files downloaded can serve as a backdoor for malware code injection" is nonsense here — Zotero "downloads files" from sites the same way that you would download a PDF manually in your browser, with the same transport encryption, and all of Zotero's communications with Zotero servers, including software updates, have always been encrypted. "Free software is an attractive target for cyber attackers" is an absurd, evidence-free statement — whether software costs money has no bearing on its security, and probably the largest hack in U.S. history was just perpetrated by targeting enterprise software installed across the federal government and private sector.

    Zotero is a leading research tool, recommended by most universities worldwide, created at a major U.S. research university and initially funded by several major philanthropic organizations. It's been around for 15 years, is built by a team of professional software developers, and is funded by a stable services business, with clients including major universities, multinational corporations, and governmental agencies. The code is open-source, allowing it to be publicly audited for security issues (which is not the case for proprietary software), and privacy and security are at the core of its design.

    Our security and privacy policies are here:

    https://www.zotero.org/support/security
    https://www.zotero.org/support/privacy

    In particular, the privacy policy documents every single type of network request Zotero makes, the reason for it, and how to turn it off, which is a level of transparency and user control that almost no other software provides. As documented there, Zotero is a local program that stores all data locally by default, and it can be used without syncing data to the cloud.

This is an old discussion that has not been active in a long time. Before commenting here, you should strongly consider starting a new discussion instead. If you think the content of this discussion is still relevant, you can link to it from your new discussion.

Sign In or Register to comment.