A few months ago, we hired an independent security research firm to conduct an audit on the encryption specification used by Standard Notes. In building out our product, we spent a lot of time making sure our encryption is as strong and fool-proof as possible. While it's easy for one to feel confident of their own work, a security audit is a must for any privacy-focused project to assure the developers and customers alike that data being encrypted and transferred is done safely and securely.
We're happy to announce the results of our first third-party security audit, and share in this milestone with you while we continue on our journey to build the most private notes app in the world.
The full report is attached below for the crypto-minded. Security is a moving target, but we're happy to report that this report does not find any major weaknesses in our data encryption flow, which is the largest part of our crypto implementation. Instead, it identified two main places in which security could be improved:
1. Verifying login parameters from the server. It's standard practice for a modern web app to trust that what the server has sent for a particular user is associated with that user. For Standard Notes, we distrust the server a little more, and instead place trust on the applications that are running on the machines our users control. We were happy to learn about this as it has allowed us to add an additional layer of protection from the out-of-sight server.
2. Ensuring that the ID of the data item is not exchanged with another item. This is an issue with little practical exploitability. But it is important to protect against nonetheless. Now, when your app decrypts an item, it makes sure that the data contents of the item match the ID of the item it was originally created with.
Both of these improvements, along with others, are now live in the latest versions of Standard Notes on all platforms. With this launch, we also release the latest version of our encryption specification. Any new data you create is automatically secured with the most powerful version of our encryption spec. For data created before this launch, read here for instructions on re-syncing.
We're proud to say that we're amongst the only private notes apps to have completed a third-party security audit. With our applications built for maximum longevity, we're confident we can continue protecting your data now and long into the future.
As always, thanks for your support. Please don't hesitate to reach out with any questions.
We're excited to announce the launch of four new powerful extensions that take your simple Standard Notes experience to a new level.
We decided early on that simplicity is the only way to achieve quality, stability, and longevity in software. Too often we see apps we depend on implode from their own complexity or become completely unusable from endless bloat. We knew that if we wanted to avoid this death trap, we had to design our system differently.
Extensions have been the perfect solution for us. We get to keep our core suite of applications as simple, fast, and reliable as possible. For the million and one other features users will want and invariably need, we created Standard Notes to be extensible.
Up until now, extensions have been limited to only certain parts of the app, like menu actions and custom editors. Today we're announcing a new class of extensions called components.
Components allow you to completely swap out sections of the app with custom modules. With components, you can build a custom tagging system, custom note list views, utility bars that allow pushing a note to WordPress and GitHub, and more.
Today we're announcing four new components:
Components use a special offline messaging system to deliver an extensible application even in the web browser. In fact, we make sure that our web application is always as powerful as our desktop applications. This is essential to our goal of longevity, because while desktop platforms may come and go, or be updated to oblivion, we're counting on the web to always be present no matter which platform you use. Powerful web access means as long as web browsers exist, Standard Notes exists.
Developers should check out our getting started guide to learn more about developing a component for Standard Notes.
We're beyond excited to get this in your hands and begin exploring the possibility of what a fully extensible notes app looks like.
If you have any questions, please don't hesitate to get in touch.
In a crime case, investigators don't have access to "the truth"—the data, if you will. All they have are clues which can be put together to make as perfect a guess as possible as to what the nature of the truth is. Metadata.
In the U.S, governments have played coy and attempted to talk down efforts of mass surveillance, particularly phone surveillance, by asserting that the actual contents of the call are not collected—only the metadata is:
In a crime investigation, having the answers to these kinds of questions could potentially make or break a case.
And that's precisely why governments collect this kind of information: it is powerful fodder in a legal setting. In an example most of us are probably familiar with, you can see that who Adnan Syed called and when were some of the most important deciding factors in placing him in a jail cell.
And as it can be used for legal justice in some cases, or the "good", it can also be used against you, like you're warned of in your Miranda rights.
So what do we do?
We protect ourselves and the people we care about, not against the government, but the possibility of government. We don't speak unless we have an attorney present. We plead the fifth.
We encrypt our data.
Smarter people before us have understood the unstoppable nature of government power, and have put in provisions such as separations of power and the Miranda rights precisely for this reason.
And today, smart people advocate endlessly for the encryption of your data as a form of self-protection. With anti-privacy legislation being signed today with a flick of a pen, it's more important than ever to understand that even metadata can and will be used against you. And, in the court of law, even if you have nothing to hide, or are fully innocent, you are still advised and even required to have a lawyer present before you can testify. Why? Because history.
Legal waters are not somewhere you want to swim in alone.
So the next time you hear that it's only "metadata" being collected, don't be fooled: metadata is the data.
This isn't to say that you shouldn't use apps that record metadata. Metadata is what allows a lot of your favorite apps to organize and keep your data in sync.
It's to instead say you should find no comfort in the fact that governments rely on the "metadata" crutch to make you feel ok with what they're doing.
The Bill of Rights of the United States constitution is about personal protections. These being such a fundamental part of our constitution is no coincidence: these were real dangers at some point.
In today's world, we are the forefathers of a new constitution, a new amendment:
The right to encrypt.
It won't come easy, but then again, nothing important ever does.
You can join the privacy movement by using and supporting software that encrypts your data. The go-to word here is "end-to-end encryption". You can learn more about what that means in our post "What is end-to-end encryption?"
It's the greatest love story of all: you find an app that you absolutely love. It solves all your problems. And it makes your life better. It's a fairytale and the both of you live happily ever-after.
Except, it never quite happens like that does it? The app you depend on to solve your life's problems begins wanting to "scale." The company who makes the app took out an investment to build it, and now those investors want to see bigger returns. How? By attracting more customers.
Attracting more customers in today's world is done by adding more features that cater to a wider audience. Month after month, your beloved app grows and grows in features and complexity. It takes a little longer to load now. You notice a lag here and a bug there. On some days, you find it completely unusable. There are so many moving parts now that the developers can't keep up, and when they fix one bug, five others pop up.
It's the dreaded software bloat. And unless you take very careful measures to prevent it, it is guaranteed to happen.
Let us take a moment of silence for all of our fallen apps.
We don't want to treat you this way. We don't want to grow by doing more things. We want to grow by doing one thing so well that the entire world knows it and entrusts us to do this one job for them.
For us, it's your notes. Notes are one of the most important byproducts of our existence. It's how we know ourselves. And it's how we know our past. While your favorite social networking app desires to entertain you and thus finds new ways of doing so every quarter, we're not here to entertain you. We're here to protect something that is important to you. And we're here to make sure it's the easiest thing you'll do all day.
You won't find fancy text recognition algorithms in our apps. No fancy machine learning, notebooks, real time collaboration and commenting. Not even close. But you will find an app that respects you as a long-term user. An app that won't degrade with time. An app you know will be there for you tomorrow, to protect and maintain your most valuable life assets: your notes.
That's our promise to you. In fact, we apologize whenever we release new features, and celebrate when we have the luxury of simplifying.
This is what we mean by being a long-lasting, sustainable notes app. Imagine you bought a notebook from a bookstore that said "this notebook will begin disintegrating from the day you buy it until it completely implodes and disappears one day." You wouldn't buy that notebook.
Think of us as a long lasting notebook. The kind of notebook you'd expect.
And now you know what "Standard Notes" means :)
Privacy is a topic with which you are either a) completely tired of chasing after or b) not exactly sure on. In most cases, we all feel a little of both.
But privacy doesn't have to be hard. Privacy is hard when you expect it from a company that really has no interest in giving it to you. Common web companies today make privacy hard because it's truly against their interests to make it easy.
For us, privacy is our core business. It starts by making sure nobody can read your information, especially us! And its important that we take a moment and explain to you exactly how we do that. The term to know here is End-To-End Encryption.
Here is why it matters.
Encryption is the act of turning information into gibberish using secret passwords. The opposite of encryption is decryption, and if you don't know the secret password used, even the largest intelligence agency in the world couldn't decrypt your data. Encryption makes your data private. And it makes it effectively yours.
Where privacy gets tricky is there are basically two families of encryption, and far too many companies will confuse what each family does for their own gain, usually so they can secretly read your information.
There is the family of "encrypted" data. And the much smaller family of "end-to-end encrypted" data.
Encrypted data means your information uses a password to turn your thoughts into a random hash. But it doesn't make any reference as to when that data is encrypted. In most cases, companies will claim to encrypt your information, but what they are actually doing is encrypting it after the data is received in their data center. There is plenty of opportunity for any Web weirdo to peer in at your height, weight and steamy messages to your friends.
It's sort of like locking the door with the intruder already in the room. When instead you want to lock the door before the intruder can get in.
We created Standard Notes was so we could have end-to-end encryption for our own notes. And we realized there was an awesome business in providing you end-to-end encyrption for your notes.
We're so proud that we can say that all of our apps, from mobile, to desktop, to web come with end-to-end encryption built-in.
When a company like us can't read your data, it forces us to instead rely on creating a great user experience to win your business. And that's exactly what we set out to do.
Some simple notes on simplicity: Engineering Standard Notes to be "un-elaborate" was anything but easy for us. In an era where software degrades by the day and the life expectancy of the apps we use is anything but ideal, getting our software simple took time. We were slow pokes on this idea. It took 3 years to realize simplicity was our only solution.
Why? It takes time to realize that less lines of code directly translate to a better experience. Simple means less bugs. It means less moving parts. Fewer things break. Simpler experiences ensure our users won't get frustrated. A simple app gets out of your way and lets you do your work. Simple forced us to focus on the functions that do exist, and to make them exist well. That's hard.
It also took those years to realize that simplicity makes a better business. Simple is honest. It lowers engineering costs and the fees to maintain applications. Simple code may be slower to build, but so much less of it exists that it's cheaper over all. We just sort of knew when we were done. We could sense that were clearly in the golden mean between a good user experience and a good business. We just decided to stop. And keep it simple.
There's also the ugly side to simplicity that takes time to accept. It forced us to admit how, well, unpleasant much of our previous work had been. Like everybody else, we poured our hearts and souls into apps that tried to do too much. We have all fought through the deep depressions when an app we depend on loses its way. We've all walked off development jobs after a few months, when the tool stopped serving users and instead obstructed them. We don't want to speak for you, but we're sure you've felt it: Ever notice how your favorite applications seem to get slower over time? That's no coincidence. They call that "growth". It happens because panicked teams were frantically trying to throw more functions at what was a good idea for some stupid business goal. And a good idea turns into something that isn't, real quick. That thing you loved metastasized into something you hate.
If simplicity keeps us from adding features, so be it. Standard Notes is officially an anti-growth company. We don't mind. We set out to do one thing well: Allow you to write your notes and thoughts privately without friction, on every device you own. And keep those thoughts for as long as your and your electronic devices exist. There are impressive technologies under the hood: sync, encryption, and clever development. But they're hidden. By choice. You simply never have to worry about them.
We're betting you'll sense the proper weight of that simplicity. And how that momentum will keep both you and us around for the long run.