Separating Work and Personal libraries : setup, and privacy concerns

prbt
I have been a long time user of Zotero. To simplify my workflow significantly, I'm considering becoming a paying customer so that I can sync my work devices and my personal ones.

I do however have concerns about data privacy, as well as separation of work/private life, and would like to put these to rest.

The situation is fairly simple:
- I'd like to sync only a part of my Zotero library (the work-related documents), while keeping personal documents exclusively local, as I don't want them on a work machine, nor I do not even want the Zotero team to have access to them (or, in the worst-case scenario, have them leaked to an unknown third party were the encryption compromised in any way).
- I do not want to rely on a personal WebDAV server, as I am not competent in maintaining a server and do not wish to get lost in that rabbit hole.

I know there have been many threads along these lines over the years, and from what I've gathered, the way to set up this kind of separation between work and personal stuff is as follows :

- Create 2 private groups, let's say one "Personal", one "Work". At creation, in the "File editing" options, select "No group file storage" for the "Personal" group, and "Only group admins" for the "Work" group.
It can also be modified after the group's creation in the Library settings of the group.
- For good measure, on your personal device's Zotero, go into Edit > Settings > Sync and uncheck "Sync attachment files in My Library using Zotero".


Here are my questions :

1. Is the setup I described above correct?

2. In particular, does it mean that the files in the "Personal" group will remain exclusively local, unless someone with access to my account changes the group's "File editing" option?
I realize that if the Zotero team were compromised/subpoenaed they could technically force the sync of my "Private" group by toggling this option, but I see no better alternative so far.

3. From what I've read in the [security policy](https://www.zotero.org/support/security) the data I chose to sync is both encrypted in transit, and encrypted on the AWS US servers it's stored on, meaning that, unless the US government decides to subpoena Zotero for some reason, nobody outside of a handful of Zotero employees can access my synced data. Is that correct?

4. Is the privacy policy for documents in private groups the exact same as those that would be in a standard synced library, i.e. encrypted in transit then encrypted on the AWS US servers?

Thanks for your help!

  • dstillman Zotero Team
    edited 18 days ago
    If your concern is solely files and not the associated library data, you can use linked files for some files, either with the built-in options or via plugins that automate that. Linked files don't sync, so they would never be on Zotero servers.

    If the goal is to avoid syncing some data as well, there's no supported way to not sync part of a given Zotero library. The point of syncing is to make all your data and stored files available online and on all devices where you choose to download them. There are options not to download files to a given device until you open them, but not to avoid uploading them.

    What you describe above about group settings would not work. Groups without file editing can't have files in them at all.

    Your only option would be to maintain a local profile that wasn't tied to a Zotero account, and then have another that syncs, but note that that's an advanced configuration that we don't recommend for most people.
    3. From what I've read in the security policy the data I chose to sync is both encrypted in transit, and encrypted on the AWS US servers it's stored on, meaning that, unless the US government decides to subpoena Zotero for some reason, nobody outside of a handful of Zotero employees can access my synced data.
    Yes.
    4. Is the privacy policy for documents in private groups the exact same as those that would be in a standard synced library, i.e. encrypted in transit then encrypted on the AWS US servers?
    Yes.
  • prbt
    Thanks a lot for your thorough reply!
    If your concern is solely files and not the associated library data, you can use linked files for some files, either with the built-in options or via plugins that automate that. Linked files don't sync, so they would never be on Zotero servers.
    The library data that would be synced in that case would be my Collections names, as well as the names of the Collections' items (generally matching the names of the files), but not the contents of the files themselves, is that correct?
    If the goal is to avoid syncing some data as well, there's no supported way to not sync part of a given Zotero library. The point of syncing is to make all your data and stored files available online and on all devices where you choose to download them. There are options not to download files to a given device until you open them, but not to avoid uploading them.

    What you describe above about group settings would not work. Groups without file editing can't have files in them at all.
    I've set up the following test :
    - On my personal laptop, I created 2 groups, one named "Personal", the other "Work", and set them up the way I described in my initial message.
    - In "Personal", I have a ShouldNotSync.pdf file, and in "Work" a ShouldSync.pdf file.
    - In my online library, both these groups appear, though "Personal" is empty, and "Work" contains, as planned, the ShouldSync.pdf file. It is the same on what serves as my work device for the sake of this test.

    As I'm typing this, I realized that ShouldNotSync.pdf, while not appearing in the "Personal" group online, does appear in my online library, defeating the purpose of this whole thing.

    I have however found a fix that seems to work: in Settings > Sync > Choose Libraries, I unchecked "My Library & Feeds", as well as "Personal", leaving only the "Work" group selected.

    When checking my online library, a file named ShouldNotSync_2.pdf, newly added to the "Personal" group on my personal device, does not appear anywhere.


    I have several questions then:

    - Is my fix still flawed in ways I don't perceive at the moment?

    - Could you clarify how the different options in Settings > Sync, both in the "Data Syncing > Choose libraries" submenu, and in the "File Syncing" submenu (i.e. the two checkboxes "Sync attachment files in [My Library/group libraries]") are supposed to behave ?

    I have read through the Syncing part of the documentation of course, but don't understand why unchecking the Data syncing for my library as described above accomplished what I wanted to do, while unchecking "Sync attachment files in My Library with Zotero" did not. Is the latter only supposed to prevent download, not upload?

    - On the online side of things, you wrote that groups without file editing can't have files in them at all; what is the purpose of selecting that option then, and why was I able to put ShouldNotSync.pdf in such a group locally?


    Thanks again in advance!
  • prbt
    edited 14 days ago
    Sorry for the double post, but I'm very eager to get the sync set up.

    I'll try to rephrase the central question I asked above in a more direct manner:

    - I have created 2 groups, one named "Work", the other named "Personal".
    - On my personal laptop, in Settings > Sync > Choose Libraries, I unchecked "My Library & Feeds", as well as "Personal", leaving only the "Work" group selected.
    - I also unchecked "Sync attachment files in My Library using Zotero" in Edit > Settings > Sync.

    This setup seems to work as intended: documents I put in the "Personal" group don't show up in my online library, nor on my synced work laptop, whereas documents I put in the "Work" group do.

    As per @dstillman previous reply, this should not work:
    Your only option would be to maintain a local profile that wasn't tied to a Zotero account, and then have another that syncs, but note that that's an advanced configuration that we don't recommend for most people.
    Am I missing something here, or heading for trouble down the line? Are the documents I put in the "Personal" group still being uploaded onto Zotero's servers, despite them not appearing in my online library nor on my work laptop?
  • dstillman Zotero Team
    edited 13 days ago
    This isn't a supported way to do what you want. That option is to avoid constantly downloading items and files in group libraries that aren't relevant on a given computer, not for avoiding uploading them. If the setting got reset for some reason, Zotero would upload the items that you don't want to upload, and there would be no way to remove them from the online library without deleting them permanently across all devices.

    In a future version, unchecking a library there will cause the local copy of the library to be removed locally, which is how most people expect the feature to work. Zotero will prompt you if you have unsynced local changes before removing the local library, and if you canceled, you would just keep getting that prompt until you allowed the local library to be removed.

    Again, if you're using syncing at all, there is currently no supported way to not upload a given local library or part of a given local library. We could consider the ability to create multiple local personal libraries, including some designated as non-syncing libraries, but that does not exist now. Profiles are the only way to do that now.
  • prbt
    Thanks again for the clarifications. I've tried the profile-based solution, it's actually very simple.
    We could consider the ability to create multiple local personal libraries, including some designated as non-syncing libraries, but that does not exist now. Profiles are the only way to do that now.
    A quality of life improvement that might be easier to implement would be to allow switching profiles within Zotero, as well as switching on the fly which profile Zotero Connector should use, regardless of the one opened in the background.

    As far as I'm concerned, for my use case, these are the only minor hang-ups I have with the use of profiles.
    In a future version, unchecking a library there will cause the local copy of the library to be removed locally, which is how most people expect the feature to work. Zotero will prompt you if you have unsynced local changes before removing the local library, and if you canceled, you would just keep getting that prompt until you allowed the local library to be removed.
    It would definitely make the design intent clearer to the users, which, if I'm getting it correctly, is to have one's entire library uploaded on your servers, then pick and choose which parts of it get downloaded locally on a given device.

    I do still maintain the position that, for the privacy-conscious amongst us, having a more seamless way to keep some files exclusively local (though again, profiles are 70% of the way there) would really cement Zotero as a great personal knowledge/archive system, rather than just one made specifically for academics.
    Your snapshot feature is perfect, the only one that's ever worked for me, but I really don't want, e.g., any politics-related article uploaded on servers, for fear it might be one day interpreted as an endorsement rather than simple intellectual curiosity/a basis for informed disagreement.

    Another option would be to have an encryption policy where noone can ever have access to synced files except the end user.

    Your current policy is a bit confusing while I'm at it, with the Security section mentioning data being encrypted at rest with AES-256 with only a few Zotero employees potentially having access to it, while the Privacy section mentions that you collect the library data and attachments (in other words, everything).
    I feel that this latter part defeats the purpose of the at-rest encryption: what is the point if you have all my data available by default, not just when under e.g. a subpoena?
  • dstillman Zotero Team
    edited 10 days ago
    A quality of life improvement that might be easier to implement would be to allow switching profiles within Zotero, as well as switching on the fly which profile Zotero Connector should use, regardless of the one opened in the background.
    As I say, we would just allow creating local libraries that didn't sync. Profiles use entirely separate data directories, which limits their utility (e.g., no easy way to copy data between them) and creates confusing mix-ups with Zotero accounts.
    Your current policy is a bit confusing while I'm at it, with the Security section mentioning data being encrypted at rest with AES-256 with only a few Zotero employees potentially having access to it, while the Privacy section mentions that you collect the library data and attachments (in other words, everything).
    This is just standard security practice. The at-rest encryption prevents data from being read by, like, some rogue employee in an Amazon datacenter. Zotero servers still need access to the data in order to display it in the web library, serve it to you, share it between group members, etc.
    I feel that this latter part defeats the purpose of the at-rest encryption: what is the point if you have all my data available by default, not just when under e.g. a subpoena?
    Whether a company has access to user data is a technical question — whether they're ever legally compelled to produce it is irrelevant. (Zotero has never received a request for user data.)

    Encrypting data in transit and at rest, with tightly controlled access from company servers, is just how nearly every web service works, except for the very few that use end-to-end encryption (e.g., Signal). The idea that this somehow limits use to academics is silly — this is just how the web mostly works.

    We've talked about supporting E2EE libraries — with no web access — but our sense is that E2EE wouldn't actually address most organizational policies that have blanket prohibitions on data leaving the internal network. Not necessarily a reason not to do it, but it would be a major investment, and it's not clear how broadly useful it would be.
  • prbt
    edited 2 days ago
    As I say, we would just allow creating local libraries that didn't sync. Profiles use entirely separate data directories, which limits their utility (e.g., no easy way to copy data between them) and creates confusing mix-ups with Zotero accounts.
    I understand that this is the proper way to do it, I was simply making a (unasked-for, my apologies) passing comment from a user perspective about a stopgap measure that would be, I assume, way easier to implement.
    This is just standard security practice. The at-rest encryption prevents data from being read by, like, some rogue employee in an Amazon datacenter. Zotero servers still need access to the data in order to display it in the web library, serve it to you, share it between group members, etc.
    To be a bit clearer: my confusion comes from the term "collect", which doesn't define the scope of use of data collected this way. I understand this is somewhat necessary for the web library and other services, but there's no explicit commitment about never selling that data for instance, except for the mention at the top of the privacy policy ("We are an independent, nonprofit organization and have no financial interest in your private information."), which is vague enough to allow anything.
    This is - in my opinion - a bit different, at least in spirit, than saying that "access is tightly restricted to the small number of Zotero staff members who need access to maintain the service".
    Encrypting data in transit and at rest, with tightly controlled access from company servers, is just how nearly every web service works, except for the very few that use end-to-end encryption (e.g., Signal). The idea that this somehow limits use to academics is silly — this is just how the web mostly works.
    (emphasis mine)

    Let me try to once again develop: as an academic, my work is ultimately not private and not particularly controversial, so potentially having it exploited by an unknown third party is not that important, though of course the idea that someone could wade through my thought process, my intermediate notes and my mistakes makes my skin scrawl.

    In this context, given the time investment/risk balance, I am OK with putting my trust in the Zotero team to not misuse my data, though I'd rather rely on E2EE than trust.

    It would be an entirely different beast if I were to use sync to manage and archive all my personal interests, whether it be political readings, hobbies, medical stuff, etc. This is something that I want to maintain full control over (meaning E2EE, or keeping it exclusively local), because it would draw a picture of my entire being, with the exception of my interpersonal relationships.

    I acknowledge that this is unfortunately a position that most people do not maintain (whether they have given up, don't actually care, or aren't informed enough I don't know), and thus this kind of concern ranks pretty low in your priorities, especially given what you explained in your last paragraph.


    Regardless, thanks for your willingness to elaborate and thanks for the great work!
  • dstillman Zotero Team
    edited 2 days ago
    there's no explicit commitment about never selling that data for instance, except for the mention at the top of the privacy policy ("We are an independent, nonprofit organization and have no financial interest in your private information."), which is vague enough to allow anything
    Literally the next sentence:

    "We fund further development by offering additional online storage space to people who find the software useful, not by selling data."
Sign In or Register to comment.