On marketing EssentialPIM
https://www.essentialpim.com as a private Personal
Information Manager alternative to Microsoft Outlook which remains offline
in an encrypted database and then synchronised with an Android phone, the
developers and, more importantly, the administrators who try to cope with
the constant barrage of various complaints about the program, put a lot of
emphasis on the user's ability to protect their personal information by
being able to hold it all in a password-protected database and synchronise it
with their Android device. Sounds promising. However, when synchronising the
opened database on your PC with the database on your phone a log file is
created elsewhere on their PC. In my case, I find it in
'C:\Users\*username*\AppData\Roaming\EssentialPIM Pro\Logs'
When unzipping this log file and opening it using a simple notepad, far down
the page of gobbledegook near the bottom I find every entry I've made in the
program's 'Calendar' module in plain text, every note in the 'Notes' module,
and everything I've entered into the program's separate modules that are
said to be safely encrypted from anyone who might gain access to my PC or
hard drive. All a bad agent needs to do is quickly copy this easy-to-find
log folder and peruse all your bank details, online passwords, and just
about everything you were led to believe is held in a tightly encrypted
database file. I mentioned this data breach on the user's forum
(tinyurl.com/26uk79) but because it was buried on the second page of many
replies a user suggested I make a new topic to warn others about this
dreadful security risk. I did and it was promptly removed, so I took my
concerns and my warning to Trustpilot. Again, it was removed from there,
too, but only after the developers admitted that, yes, a user's log file is
made up unencrypted on their hard drive, and when asked for any sensitive or
private information is "trimmed."
When appealing Trustpilot's decision to remove my review I wrote,
"The information I gave about the serious data concerns of this piece of
software is valid and true, and if the moderators of the 'help and support'
group had responded to my concerns, I would probably not have felt the
pressing need to warn customers who might come to Trustpilot to view
testimonies and reviews. Like I said in the review you removed, the
developers and those who form a team of moderators in the 'help and support'
team of this software, here,
https://bit.ly/4a7JPs8 , especially, market the
software on being a private Personal Information Manager alternative to
Microsoft Outlook which remains offline in an encrypted database and then
synchronised with an Android phone. The encrypted database on the PC works
fine, or so it seems, but each time that database is encrypted a log file of
all its contents is made and stored in
'C:\Users\*username*\AppData\Roaming\EssentialPIM Pro\Logs'.
These logs are written in plain text for anyone to read should your PC be
compromised, and, worse, on most occasions when a request for help by a user
having difficulties with synchronising the database between their PC and
their Android device is made the administrators there ask that user to send
along their logfile, ostensibly to help them resolve the issue. You can see
by the reply from EssentialPIM to my review that this is indeed the case,
and to salve anyone's concerns that their most private data isn't being held
or scrutinised by the staff at EssentialPIM they replied,
"the information contained in the log files will be carefully trimmed to
provide only the necessary details for troubleshooting purposes. This
proactive step can significantly expedite the resolution process and ensure
a smoother experience with EssentialPIM."
This simply isn't good enough. To hide the fact that a user's most private
banking details, passwords, diary entries and everything else considered
private to the extent that they would use this software to keep it offline
by removing those concerns on a help forum from other users is bad enough,
and to trust that this data is "carefully trimmed in the log files" is
ludicrous. As we can see by their response to the review I made about data
in the log files being written in plain text unencrypted and regularly asked
for by the developers, the developers admit that this is true by responding
with "the information contained in the log files will be carefully
trimmed". I wrote this honest review in good faith and, as we can see by the
response from the company, it is perfectly true that my concerns are
genuine. Users can not and should not hope that their most private data is
trimmed by the software company's developers. Also, users need to know that
though their database is encrypted to give them the assurance that their
data is safe from bad agents who might gain access to their PC, it is easily
available in plain text in the log files made up by default by the program
on each synchronisation."
I have my doubts that my review will be reinstated, so where do I go from
here to alert users and future users that, despite what this software
company says about the security of their user's data, it is anything but
safe? It's actually being asked for on a daily basis in the support forum
and possibly harvested by this small company in Tallinn, Estonia, ostensibly
to resolve bugs and errors while synchronising.
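
A way to check the behaviour described in the post on your own machine, as an added example that is not part of the original post and not EssentialPIM code: type a unique marker string into a note or calendar entry, synchronise, then scan the zipped logs for that marker. The `.zip` extension, the encodings tried and all sample data are assumptions; the post does not describe the log format.

```python
import tempfile
import zipfile
from pathlib import Path

# Encodings a Windows application may use when writing text to a log (assumption).
ENCODINGS = ("utf-8", "utf-16-le")


def find_canaries(log_dir, canaries):
    """Return sorted (archive, member, canary) tuples for canaries stored unencrypted."""
    hits = set()
    for archive in sorted(Path(log_dir).glob("*.zip")):
        try:
            with zipfile.ZipFile(archive) as zf:
                for member in zf.namelist():
                    data = zf.read(member)
                    for canary in canaries:
                        # A hit means the marker is readable without the database password.
                        if any(canary.encode(enc) in data for enc in ENCODINGS):
                            hits.add((archive.name, member, canary))
        except (zipfile.BadZipFile, RuntimeError):
            continue  # unreadable or password-protected archive: nothing to report
    return sorted(hits)


def demo():
    """Scan a constructed log folder (sample data, not real EssentialPIM output)."""
    with tempfile.TemporaryDirectory() as tmp:
        body = "sync start\nitem: CANARY-NOTE-7f3a dentist 14:00\nsync end\n"
        with zipfile.ZipFile(Path(tmp) / "sync_log.zip", "w") as zf:
            zf.writestr("sync.log", body.encode("utf-16-le"))
            zf.writestr("other.log", b"nothing sensitive here\n")
        return find_canaries(tmp, ["CANARY-NOTE-7f3a", "CANARY-CAL-0000"])


if __name__ == "__main__":
    for archive, member, canary in demo():
        print(f"{canary} readable in {archive}:{member}")
```

To scan real logs, call `find_canaries` with the Logs folder path given in the post and the marker strings you entered. The same scan is worth running on any log archive before sending it to a support forum.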