if I synch my Zotero database with the Zotero server, is any of my information visible to or shared with other users?

No, by default your information is private. All current and future sharing and collaboration features will operate on an opt-in basis. So, none of your data will become publicly visible without you making it so.

For more information see the general privacy policy and the server privacy policy.

Thanks for your feedback, and for your patience in providing an answer that was already on your website.

I guess for my personal comfort level the best solution is to be paranoid, and not synch with the server at all.

If it were possible I would synch the public data and keep the private data local. I don't suppose it's possible to maintain two databases simultaneously, or to tag some items as unsynchable? Perhaps a "to synch or not to synch" property of of each citation would be a solution to these issues. Has that been considered at all?

It is certainly possible to maintain separate databases, but it may be a bit tedious.

Having different sync options for different collections or references has been discussed, but is not yet possible.

I guess I should check these things before making such a statment - I just assumed since it keeps me logged in. But indeed, the login is ssl.

(I would still say be careful with uploading confidential data to anywhere outside your firms network, but as I said - if you're allowed to transport the data on your laptop without encryption, the Zotero server is as safe (or maybe even safer) for your data than your hd.

> I don't suppose it's possible to maintain two databases simultaneously

One way to work with multiple databases is to use a separate Firefox profile for each. Straightforward enough, but the databases are completely isolated from one another.

That's a really interesting point, elena.

>>>> Is it possible to set up one's own Zotero server?

>> Not at this time & it has been said that the server code will likely be released, but that it will still be unsupported.


I would appreciate this move, as I store a lot of sensitive data (interviews, analytical notes etc) and I am not really assured, whether all my information is fully secured (ie encrypted) in the databases where it is stored (ie in Z server). What happens if someone hacks into the Z server/databases and releases all the information...? I have big respect and trust towards the Z developers, and continue promoting this product in my academic circles, but nevertheless, I'm very careful with my records as well.

At the moment I only know that "by default [my] information is private", but what does it really mean? Of course I know that the transfer is fully SSL secured, but after that - are there (going to be) any mechanisms of data encryption? Surely, opponents would say that in that case just don't sync your data via Zotero, but this is not really an argument - if one has already created a public and free software, and promotes and inspires people to use it, then it should be as secure as possible.

From 'Zotero's server privacy policy':
"Synchronizing your data to the Zotero server is optional, although synchronization is strongly recommended in order to provide backup, collaboration, and recommendation services"

privacy != encryption

Can I have an account with Zotero to sync my files? If so, what is the procedure? If not why?

Thanks

Ok thanks. This is an important feature.

IMHO of course

Currently our research group is a babel of reference managers. I use Zotero, others use various versions of Reference Manager. We need to standardize on a solution in which all of us can add to and edit the database and files concurrently. We would be more comfortable if both the reference database and downloaded files are on our own server. (Particularly after the Sidekick/Danger/Microsoft debacle.) Is there a way to do this on our Windows 2003 server?

Does Zotero if used by students on a network, have a vulnerability to security e.g by using collboration & synching could any filters be circumvented?

Just my $.02, If Zotero was able to utilize locally stored private keys (say from GPG), the data could be encrypted prior to sync'ing without affecting the syncing process. i.e. any changes in the ciphertext would indicate a change in the plaintext...thus syncing is needed.

This would allow the data to be kept confidential when not locally stored.

WARNING: Regardless of methods, many corporate policies do not permit the *storage* of proprietary/confidential information in any fashion on non-corporate systems. So check your companies polices!

An enterprising company / research group can run an independent instance of the Zotero dataserver, and distribute to its users modified versions of Zotero that sync with that server. For information, see the user-provided instructions here: http://www.zotero.org/support/dev/dataserver_setup

There are apparently several groups out there doing just this. Just keep in mind that the Zotero team is not prepared to dedicate any support resources to helping out people using independent instances of the data server, so this is only for those confident mucking about in the code if necessary. If your company goes this route, post to the Zotero developers' listserv (http://groups.google.com/group/zotero-dev) for help from others running the server.

Just by accident, I find that anyone can download a private personal file without the login credentials. For example, please try the following link, it is a sample file I uploaded into Zotero server under my account:

https://files.zotero.net/11350724611/pdf.pdf

I have double checked my privacy setting, and I am sure I have not check the "Publish entire library".

So in this case, by brute force attack and try different ID and file name, all the files on the Zotero server is open to the public......

I hope this is not true ...