Previous posts on note-taking apps

For those of you who haven’t had a chance to read our previous contributions on the topic, we refer you to the following posts about some note-taking and note-writing apps:

It is worth pointing out, however, that in our opinion, it would be appropriate to keep “note-taking” and “note-writing” apps separate.

Among the apps we mentioned, in our opinion, Joplin is one of those for writing notes, i.e., short texts.

On the other hand, Obsidian should be considered a broader and more complete app that not only lets you write notes but also much longer texts. Obsidian is gaining acceptance as a full-fledged editor that is valid and helpful for writing in general.

Standard Notes

Today we present another note-writing app called “Standard Notes”.

Standard Notes is an open-source app (the source code is available in its repository on GitHub), developed and distributed by the American company of the same name, based in Chicago.

Standard Notes is multiplatform: it is available for Mac, Windows, Linux, iOS, Android, and the Web.

You can use Standard Notes in the free version or in a paid version by choosing the Plus or Pro plan.

As indicated on the official page about plans, with the free version you can:

  • choose between 3 themes;
  • choose the editor between:
    • plain text;
    • rich text;
    • markdown;
  • enable two-factor authentication (2FA).

The paid versions, of course, unlock additional features, including more editors, the ability to add code and tables, and more security options, all as indicated on the page mentioned above.

For example, in the Pro version, the following editors are available.


Encryption and security levels

One of the most relevant features of Standard Notes is its cryptography and the high level of security it provides.

In fact, the FAQ gives precise answers to the question “How does Standard Notes secure my notes?”.

The developers state that:

All your notes, tags, and other data generated using the Standard Notes applications are encrypted using XChaCha20-Poly1305, one of the strongest forms of encryption available (recommended by leading technology companies like Cloudflare and Google as a replacement to AES-256).

SN clarifies that data is encrypted using keys derived from the user’s password. In this regard, it states:

When you choose your account password during registration, we use a password-stretching algorithm called Argon2 to strengthen your password and generate the necessary keys.

When you make a change to a note, the note is encrypted using your secret keys. Your encrypted data is also automatically “signed”. Upon decryption, this signature is validated to ensure that no one, including us, has tampered with your data.

The entirety of the encryption and decryption process happens completely offline and in the safety of your own private device. Once it is encrypted, it is synced to your private notes account over a secure, encrypted connection.

The cryptography used by Standard Notes is therefore rooted in the password chosen by the user, so it is very important to choose a “strong” password.

SN also highlights that, as evidence of the high level of security adopted, the app’s code is open-source and therefore verifiable, including the security-related processes (the reports of the security audits carried out are published on the official website).

In addition, Standard Notes explains how data are encrypted on the device in its answer to the FAQ question “How does Standard Notes encrypt data on my device?”.

It states: “Our approach to security is on by default, so there are no settings you must proactively configure to attain the most secure experience possible.”
Essentially, the app is designed to be secure by default, meaning that the user does not have to configure any settings. This approach is admirable, also in light of the principle expressed by art. 25(2) of the GDPR.

Regarding security, we quote what Standard Notes specifies on its website:

  • Application Passcode: A passcode is a device-specific secret you can configure that increases the level of protection on your local device. When you add a passcode, a set of keys are generated using the same procedures used to generate your account keys from your account password. Your passcode keys are never saved to disk, either in encrypted or unencrypted form, and are generated each time you start the application, and reside in memory until you lock or quit the application. When you lock or quit the application, all working memory is deleted. When the application is re-opened, it will need to generate your passcode keys in order to decrypt and display your data. To generate your passcode keys, the application will prompt you for your passcode. Without your passcode entered on launch, it is not possible for the application to generate your passcode keys, and thus not possible for it to decrypt your account keys (if applicable) or notes data.

  • Mobile (iOS and Android) Specifics: The mobile application provides the ability to customize two additional options not found on desktop and web.

  • Biometrics: Biometrics allow you to configure face or finger scanning to access your locked application. Note that biometrics are a non-cryptographically backed form of protection. This means that adding or removing biometrics does not affect the cryptographic state of your data on disk.

  • Device Storage Encryption: For some older mobile devices, decryption performance on application launch can be short of instant, especially if your notes database is particularly large (thousands of notes). For these contexts, the mobile application provides the option to disable Device Storage Encryption (DSE), if it suits the user’s threat model. DSE is of course always enabled by default, so most users will not need to worry about this. If however you decide that local device access is not something you’re concerned about, and the application launch decryption performance is not acceptable, you may decide to disable this feature. Disabling this feature will store data in your device database in an unencrypted state. Data sent to the server however still (always) remains encrypted.

  • Web Browser Specifics: Unlike the desktop application, web browsers such as Chrome, Safari, and Firefox do not provide a safe keychain storage mechanism. Therefore, when using the web application with the configuration “With account but no passcode”, your account keys are stored in your application database in unencrypted form. We recommend adding a passcode to web-application usage to encrypt storage of your account keys. This would make the web application behave identically to the desktop application, in terms of secure storage.

Installing Standard Notes as a self-hosted solution

You can also install Standard Notes on your own server as a self-hosted solution; instructions are available at this page.

Conclusions and privacy

Standard Notes is a viable solution for writing notes, especially when the content is confidential.

SN has built its solution on security, with robust cryptographic choices that are the app’s strength, as illustrated above.

Regarding privacy, on the one hand, robust encryption is suitable for protecting information that may not be personal (imagine numbers or data that cannot be traced back to any individual).

On the other hand, the notes could contain personal information, with the consequent application of the current rules, which for Europe means EU Regulation 2016/679 (GDPR).

Standard Notes states that the servers on which data are saved are located in the United States.
Therefore, while the security measures guarantee the confidentiality of personal information, those in Europe cannot overlook the topic of “transfers of personal data to third countries or international organizations”, governed by Chapter V (Articles 44-50) of EU Regulation 2016/679 (GDPR).

The topic of personal data transfers to third countries or international organizations, moreover, was the subject of the Judgment of the Court (Grand Chamber) of 16 July 2020 (request for a preliminary ruling from the High Court (Ireland) — Ireland) — Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (Case C-311/18), by which the Commission’s Implementing Decision (EU) 2016/1250 of July 12, 2016, on the adequacy of the protection offered by the EU-US Privacy Shield regime was declared invalid.

The consequences it has entailed, and the repercussions still being felt in recent months (most recently the CNIL measure), are well known, especially to those who deal ex professo with this matter.

Therefore, one of the problems could concern the processing of personal data by subjects in the EEA in light of the existing legal framework.

However, in our humble opinion and without this constituting an endorsement of Standard Notes, if the data controller adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk (as provided for by Article 32 of the GDPR), such as the encryption of personal data (expressly referred to in Article 32 GDPR), the transfer could be considered admissible. Moreover, data subjected to robust cryptographic processing would be indecipherable, and therefore there would be no elements that would allow the data subject to be identified. Furthermore, the data controller, according to art. 32(1) - in addition to encryption - could ensure on a permanent basis the confidentiality, integrity, availability, and resilience of the processing systems and services, as well as the ability to promptly restore the availability of and access to personal data in the event of a physical or technical incident, and also a procedure to regularly test, verify and evaluate the effectiveness of technical and organizational measures to ensure the security of processing. These measures, which SN appears to have adopted according to what they state, together with a strong password chosen by the user, would allow them to be considered adequate to the risk of varying probability and severity for the rights and freedoms of individuals.

More specifically, Standard Contractual Clauses (SCCs) could be used, by agreement between the parties.

The topic is not straightforward, and we have succinctly expressed our views.

Stay tuned!