Beyond pen and paper: Secure note-taking apps for journalists

Photo: Kevin Pham, digital security intern

Most major note-taking apps (e.g., Notion, Evernote) make your notes readable to the service provider. This makes them more vulnerable to hacking and legal requests that could expose your most sensitive private notes. Some even have a history of customer data loss and security breaches. End-to-end encryption resolves this issue by making the document unreadable by the company or any third party.

We examine five applications — Standard Notes, Obsidian, Joplin, Notesnook, and Signal’s Note to Self feature — that provide a reasonably private note-taking experience. Not all these solutions are perfect, but they incorporate end-to-end encryption and are available for most major phones and computers.

Here are the factors that we looked for:

  • Does the application support two-factor authentication to prevent unwanted access to your notes?
  • When connecting to the internet to sync notes, are they end-to-end encrypted?
  • If someone has physical access to your device, are the notes stored within it encrypted and protected with a password? (Some apps use the terms at-rest encryption or on-device encryption when referring to this feature.)
  • Is the application available on most major devices and operating systems?
  • Are there other features like password protection, web clipping, and extended document support?

Standard Notes

Screenshot of a Standard Notes desktop app.

Standard Notes lists privacy as one of its core principles, claiming that it presents “peer-reviewed and auditable policies that the entire world can see, touch, and debate.” It does not collect usage information on its website, desktop, or mobile applications, relying solely on a self-hosted analytics suite called Plausible that anonymizes IP addresses. Although registration requires an email, it could be anonymized at the cost of forgoing future customer support. Finally, all data is end-to-end encrypted before being stored on Amazon Web Services cloud servers.

When looking at user experience, Standard Notes offers a suite of productivity and security tools. Besides emailing an encrypted backup of your notes daily, it provides two-factor authentication support, on-device encryption, and password protection for individual notes. Standard Notes could even replace your two-factor authentication app entirely in its paid tiers.

Obsidian

Screenshot of the Obsidian desktop app.

Compared to most note-taking apps, Obsidian has a steeper learning curve. It acts as a self-hosted knowledge base, allowing users to create links to other notes like a personalized Wikipedia page.

The standard version of Obsidian has a simplified privacy policy for desktop and mobile apps. Obsidian claims, “All data is saved locally on your device and is never sent to our servers.” So, Obsidian does not require account registration or an email address. However, its paid sync feature requires a connection to its servers, offering end-to-end encryption on a personalized remote vault. These vaults are hosted by cloud servers powered by DigitalOcean.

Obsidian also has two-factor authentication but lacks password protection and on-device encryption. If this is a requirement, you might be interested in enabling full-disk encryption with VeraCrypt.

Joplin

Screenshot of the Joplin desktop app.

Although not marketed as a hardened or privacy-respecting notes application, Joplin can be configured to have two-factor authentication and end-to-end encryption through Joplin Cloud, but it lacks password protection and on-device encryption. There is no account registration requirement for its free, non-synced tier. Joplin’s privacy policy clarifies, “Any data that Joplin saves, such as notes or images, are saved to your own device and you are free to delete this data at any time.”

Screenshot showing where users can remove geolocation from notes within Joplin.

In addition to local storage, Joplin allows its users to upload their notes onto the Joplin Cloud, Dropbox, and Microsoft OneDrive. Regardless of what you choose, you should think about disabling geolocation in its settings page. Its privacy policy elaborates, “Joplin saves geo-location information in note properties when you create a note.” Joplin inscribes your location into the metadata of each note by default. After disabling this setting, your location would be less discoverable.
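A way to check whether notes in a Joplin export carry coordinates, as an added example that is not part of the original article or Joplin's own code. It assumes Joplin's RAW export layout (one `.md` file per item, ending in a block of `key: value` properties in which `type_: 1` marks a note); the sample notes are constructed.

```python
import sys
from pathlib import Path

# Assumption: each item in a Joplin RAW export is a .md file that ends with a
# block of "key: value" properties, separated from the body by a blank line.
# Constructed samples, not real notes:
SAMPLE_TAGGED = ("Source meeting\n\nCall back Tuesday.\n\n"
                 "id: 00000000000000000000000000000001\n"
                 "latitude: 48.85660000\nlongitude: 2.35220000\n"
                 "altitude: 0.0000\ntype_: 1")
SAMPLE_CLEAN = SAMPLE_TAGGED.replace("48.85660000", "0.00000000").replace(
    "2.35220000", "0.00000000")


def parse_properties(text):
    """Return the trailing property block of one exported item as a dict."""
    props = {}
    for line in reversed(text.rstrip("\n").split("\n")):
        key, sep, value = line.partition(":")
        if not sep or not key.replace("_", "").isalnum():
            break  # blank line or body text: the property block has ended
        props[key] = value.strip()
    return props


def has_location(props):
    """True if the item is a note (type_ 1) with a non-zero coordinate."""
    if props.get("type_") != "1":
        return False  # folders, tags and resources are not checked
    for key in ("latitude", "longitude"):
        try:
            if float(props.get(key) or "0") != 0.0:
                return True
        except ValueError:
            return True  # unparseable value: flag it for manual review
    return False


def audit_export(directory):
    """List (file name, latitude, longitude) for notes that carry a location."""
    hits = []
    for path in sorted(Path(directory).glob("*.md")):
        props = parse_properties(path.read_text(encoding="utf-8"))
        if has_location(props):
            hits.append((path.name, props.get("latitude"), props.get("longitude")))
    return hits


if __name__ == "__main__":
    for name, lat, lon in audit_export(sys.argv[1]):
        print(f"{name}: latitude={lat} longitude={lon}")
```

Run it against the folder produced by a RAW export; any file it lists is a note whose properties contain a location.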

Notesnook

Screenshot from the Notesnook desktop app.

Created in 2021, Notesnook is a Pakistan-based notes app that prioritizes customer privacy and security. Its founder, Abdullah Atta, says he created Notesnook to maximize user privacy without sacrificing functionality.

The app offers numerous security features like passcode-locking, end-to-end encryption, protected note-sharing, and on-device encryption. Unique to Notesnook, the monograph feature grants the ability to publish notes to the internet. The note is attached to a shareable website URL and has the option to be set for one-time viewing.

As for stored customer data, its privacy policy states, “We do not sell, collect, use, disclose, read, edit, modify or distribute any data that you create in our Service.” All customer data is encrypted on the device before being transmitted on the internet. Notesnook’s cloud servers are hosted by Wasabi and based in Germany.

Signal Note to Self

Screenshot of Signal's desktop app.

Unlike other apps in our short list, Signal is an end-to-end encrypted messaging service with an estimated 40 million active users in 2022.

Note to Self allows users to send encrypted messages — such as texts, voice memos, images, and videos — to themselves. They can be configured to disappear after an allotted time frame.

No messages are stored on third-party cloud servers; instead, they sync to linked devices that belong to the user. Its privacy policy clarifies that “Signal cannot decrypt or otherwise access the content of your messages or calls. Signal queues end-to-end encrypted messages on its servers for delivery to devices that are temporarily offline (e.g. a phone whose battery has died). Your message history is stored on your own devices.”

Note to Self cannot replace a word processor or a dedicated note-taking application, lacking basic features such as document exporting or text formatting. Most users should use this feature for casual note-taking. If you need an alternative to your phone’s Notes or Keep apps, consider adopting Signal. Read our guide on locking down Signal here.

Other potential alternatives

Based on their technical documentation and privacy policies, these five applications offer a much more secure and private experience for their users than their competitors do. There might be other note-taking applications that fit our recommended settings and features. However, they might not be available on every device and would sacrifice functionality for increased security. If your newsroom would like to further explore this, contact us for our training options.
