From: Arthur
Newsgroups: comp.mobile.android
Subject: EssentialPIM could very well be archiving users' most private data
Date: Sat, 16 Mar 2024 16:58:03 +0000

On marketing EssentialPIM https://www.essentialpim.com as a private Personal Information Manager alternative to Microsoft Outlook which remains offline in an encrypted database and then synchronised with an Android phone, the developers and, more importantly, the administrators who try to cope with the constant barrage of various complaints about the program, put a lot of emphasis on the user's ability to protect their personal information by being able to hold it all in a password-protected database and synchronise it with their Android device.

Sounds promising.

However, when synchronising the opened database on your PC with the database on your phone a log file is created elsewhere on their PC. In my case, I find it in 'C:\Users\*username*\AppData\Roaming\EssentialPIM Pro\Logs'

When unzipping this log file and opening it using a simple notepad, far down the page of gobbledegook near the bottom I find every entry I've made in the program's 'Calendar' module in plain text, every note in the 'Notes' module, and everything I've entered into the program's separate modules that are said to be safely encrypted from anyone who might gain access to my PC or hard drive.
All a bad agent needs to do is quickly copy this easy-to-find log folder and peruse all your bank details, online passwords, and just about everything you were led to believe is held in a tightly encrypted database file.

I mentioned this data breach on the user's forum (tinyurl.com/26uk79) but because it was buried on the second page of many replies a user suggested I make a new topic to warn others about this dreadful security risk. I did and it was promptly removed, so I took my concerns and my warning to Trustpilot. Again, it was removed from there, too, but only after the developers admitted that, yes, a user's log file is made up unencrypted on their hard drive, and when asked for any sensitive or private information is "trimmed."

When appealing Trustpilot's decision to remove my review I wrote,

"The information I gave about the serious data concerns of this piece of software is valid and true, and if the moderators of the 'help and support' group had responded to my concerns, I would probably not have felt the pressing need to warn customers who might come to Trustpilot to view testimonies and reviews.

Like I said in the review you removed, the developers and those who form a team of moderators in the 'help and support' team of this software, here, https://bit.ly/4a7JPs8 , especially, market the software on being a private Personal Information Manager alternative to Microsoft Outlook which remains offline in an encrypted database and then synchronised with an Android phone.

The encrypted database on the PC works fine, or so it seems, but each time that database is encrypted a log file of all its contents is made and stored in 'C:\Users\*username*\AppData\Roaming\EssentialPIM Pro\Logs'.
These logs are written in plain text for anyone to read should your PC be compromised, and, worse, on most occasions when a request for help by a user having difficulties with synchronising the database between their PC and their Android device is made the administrators there ask that user to send along their logfile, ostensibly to help them resolve the issue.

You can see by the reply from EssentialPIM to my review that this is indeed the case, and to salve anyone's concerns that their most private data isn't being held or scrutinised by the staff at EssentialPIM they replied, "… the information contained in the log files will be carefully trimmed to provide only the necessary details for troubleshooting purposes. This proactive step can significantly expedite the resolution process and ensure a smoother experience with EssentialPIM."

This simply isn't good enough. To hide the fact that a user's most private banking details, passwords, diary entries and everything else considered private to the extent that they would use this software to keep it offline by removing those concerns on a help forum from other users is bad enough, and to trust that this data is "carefully trimmed in the log files" is ludicrous.

As we can see by their response to the review I made about data in the log files being written in plain text unencrypted and regularly asked for by the developers, the developers admit that this is true by responding with "… the information contained in the log files will be carefully trimmed…"

I wrote this honest review in good faith and, as we can see by the response from the company, it is perfectly true that my concerns are genuine. Users cannot and should not hope that their most private data is trimmed by the software company's developers.
Also, users need to know that though their database is encrypted to give them the assurance that their data is safe from bad agents who might gain access to their PC, it is easily available in plain text in the log files made up by default by the program on each synchronisation."

I have my doubts that my review will be reinstated, so where do I go from here to alert users and future users that, despite what this software company says about the security of their users' data, it is anything but safe? It's actually being asked for on a daily basis in the support forum and possibly harvested by this small company in Tallinn, Estonia, ostensibly to resolve bugs and errors while synchronising.
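
A way to check this on your own machine, as an added example that is not part of the original post: type a unique marker string into a Calendar entry or note, synchronise, then scan the log folder named above (zipped logs included) for that marker in both UTF-8 and UTF-16LE. The marker value, file names and function names here are constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

def scan_bytes(data: bytes, canary: str) -> list[str]:
    """Encodings in which the canary appears unencrypted in data."""
    # Windows programs commonly write text as UTF-8 or UTF-16LE, so check both.
    return [enc for enc in ("utf-8", "utf-16-le") if canary.encode(enc) in data]

def scan_log_dir(log_dir, canary: str) -> list[tuple[str, str, list[str]]]:
    """Return (file, zip member or '', encodings) for every plain-text hit."""
    hits = []
    for path in sorted(Path(log_dir).rglob("*")):
        if not path.is_file():
            continue
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for info in zf.infolist():
                    try:
                        found = scan_bytes(zf.read(info), canary)
                    except (RuntimeError, zipfile.BadZipFile):
                        continue  # password-protected or corrupt member: unreadable
                    if found:
                        hits.append((path.name, info.filename, found))
        else:
            found = scan_bytes(path.read_bytes(), canary)
            if found:
                hits.append((path.name, "", found))
    return hits

def demo() -> list[tuple[str, str, list[str]]]:
    """Constructed sample: one zipped log leaking the canary, one clean log."""
    canary = "CANARY-7f3a-dentist-appointment"  # constructed marker value
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical file names; the real log names are not given in the post.
        with zipfile.ZipFile(Path(tmp) / "sync_0001.zip", "w") as zf:
            zf.writestr("sync.log", ("[sync] item=" + canary).encode("utf-16-le"))
        Path(tmp, "clean.log").write_bytes(b"[sync] 3 items transferred")
        return scan_log_dir(tmp, canary)

if __name__ == "__main__":
    import sys
    # Usage: python scan_logs.py <log folder> <canary>; with no arguments, run the demo.
    result = scan_log_dir(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for name, member, encodings in result:
        print(f"PLAINTEXT HIT {name} {member} ({', '.join(encodings)})")
    print(f"{len(result)} hit(s)")
```

Any hit means the marker reached disk outside the encrypted database; a log bundle should be inspected this way before it is sent to anyone.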