The one thing that bothers me about Notion (and Slack and other "everything in one place" tools) is the lack of encryption. I might have FAANGophobia, but whenever there is a free tier without a form of end-to-end encryption in place, it feels like a data puddle waiting to become a lake.
That being said, having clear-text data would allow features like an API on publicly shared pages/blocks, to use Notion as a CMS. I have seen some attempts [1] at reverse-engineering their internal API, but an official one on a paid plan could be a nice addition.
this is the only thing that stops me from using Notion, too. just downloaded it and it looks like it would change my life... except i don't own the data.
right now i'm trying out Outline [1] which has an option for self hosting.
I just checked outline out and went to try the hosted version, but looks like they don't let me sign up with my own email. I generate emails for each service I use, and am much too lazy to generate a Slack account just to use it to sign into this. I suppose I could spin up an instance and self-host, but don't want to dedicate 30 mins to just setting this up to test it out.
I can tell you that a large majority of in-production API docs use Stripe's docs as a template. I did it for my company, and I've seen a ton of other API services do it. Stripe leads in API docs, so it's easier to not reinvent the wheel and just do what works. I know this instance isn't even for a production product, but meh.
i've only been using it for a little bit, but here goes:
* unlike Notion, it's one workspace per instance. makes sense, but worth noting as using workspaces for organisational purposes won't work so well here.
* for personal instances, Slack doesn't make all that much sense. i see a PR for LDAP support on GitHub, so i will play around with that
* supports embeds just like Notion - paste the link and it just works. supports codepen, figma, gsuite, youtube and others. this was the feature that made me take notice of notion, so it's good to see it here.
* even better, the embed API seems pretty easily extensible, so the sky's the limit here. i can't wait to make some sweet dashboards based on entirely self-hosted data!
* no mobile app is a bit of a bummer, but the PWA experience works pretty well. considering i'll be authoring predominantly on desktop and only reading on iPhone, this isn't so much of a big deal for my use case
* no auto-save :(
* you can share a read-only, fully public link of any page you want. pretty damn cool.
all in all i'm pretty impressed. it seems pretty robust! i mean, it's definitely not as full-fat as Notion, but perhaps that's a good thing - and OSS means it's easily extensible for whatever you need to use it for. who knows which way my opinion will change after some more extensive use, but this definitely shows promise.
There is no easy way to implement client side encryption. You will have a private key or long password that you will keep safe. You lose that, all your data is gone. Plus it's difficult to securely move that password to a new platform.
People rightfully get skittish when there's no "forgot password" mechanism to get their account and data back.
I certainly agree that that's the point, but such a system needs some potential usability affordances. For instance, a key stored in the browser rather than a password the user has to remember, and ideally a key synced between multiple devices controlled by the user so that the loss or failure of one device does not mean loss of the account.
For example, imagine having the browser generate an asymmetric key for the user, and making sure browsers store such keys (encrypted) in Firefox Sync or equivalent, so that the keys are safe even if the user moves to a new device or an existing device fails or gets lost.
Keeping an unencrypted local mirror on your own device(s) would solve that problem, as well as potentially the "my data is stuck on their servers" problem. On devices with space for it, I mean, so maybe laptop but not phone by default.
You derive a master key from a password, and use that to encrypt other keys, or a more complex key chain if needed. You then only sync encrypted keys with the server.
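The scheme described in the comment above (a password-derived master key that wraps a random data key, with only wrapped material synced), as an added example that is not part of the original thread. scrypt, AES-256-GCM, the record layout and every function name are assumptions chosen for illustration.

```javascript
// Added illustration (not from the thread): password -> master key -> wrapped data key.
// scrypt and AES-256-GCM are assumed choices; all names here are hypothetical.
const crypto = require('node:crypto');

// Master key (KEK) derived from the password. The salt is not secret and is
// synced with the record so another device can re-derive the same KEK.
function deriveMasterKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

function seal(key, plaintext, label) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(label)); // binds the ciphertext to its role
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box, label) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(label));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on wrong key or tampering
}

// Client side: everything in the returned record is safe to sync to the server.
// The password, the KEK and the raw data key never leave the device.
function createAccount(password, note) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32);
  const wrappedKey = seal(deriveMasterKey(password, salt), dataKey, 'key-wrap');
  return { salt, wrappedKey, note: seal(dataKey, Buffer.from(note, 'utf8'), 'note') };
}

function readNote(password, record) {
  const dataKey = open(deriveMasterKey(password, record.salt), record.wrappedKey, 'key-wrap');
  return open(dataKey, record.note, 'note').toString('utf8');
}

// A password change re-wraps the 32-byte data key only; stored notes are untouched.
function changePassword(oldPassword, newPassword, record) {
  const dataKey = open(deriveMasterKey(oldPassword, record.salt), record.wrappedKey, 'key-wrap');
  const salt = crypto.randomBytes(16);
  const wrappedKey = seal(deriveMasterKey(newPassword, salt), dataKey, 'key-wrap');
  return { ...record, salt, wrappedKey };
}
```

Losing the password still means losing the data key, which is the recovery problem raised elsewhere in the thread; this layout only makes password changes and multi-device sync cheap.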
1Password figured it out, and even wrote a paper about it. So it's a solvable problem. They even figured out a good model for helping recover lost passwords when my family members forget it.
Much more critical (imo) software such as Backblaze offers full encryption, it’s the user's choice and responsibility. That’s what privacy is also about.
The idea is not to move the password, or any derived key, but the clear-text data. GDPR and other laws enforce that you give customers the right to access their data (in clear text), if possible in an interoperable form. Notion does so in CSV and Markdown, which is good enough to transfer to another service.
We've been working on Portabella (https://portabella.io) for the last four weeks in an effort to bring end-to-end encryption to everyday tasks. Currently we support basic kanban boards and lists. Like other comments have highlighted, there is no reason for data not to be encrypted in this day and age.
Currently everything happens client side, however we believe homomorphic encryption is at a level of sophistication that should support most users and their needs.
Made me puke when Evernote introduced the "Context" feature, a disgusting data grab. It's a much worse option than just searching for whatever I want by myself, with the added anti-feature of losing all privacy to Evernote staff (and whoever hacks/has already hacked them).
My guess is that all these apps are salivating over the data to be able to train their NLP models which they can sell to an acquirer. I can't wait for Obsidian or some other app to reach feature parity (including wide, stable platform support). Would happily pay $$$ per year for it.
Hi there. I'm a co-founder of Emvi [1] and we have an API on our paid plan (free as we are in beta right now) that you can use as a headless CMS. Our blog is an example of it. We have (incomplete) client libraries on GitHub [2].
I'm assuming you are talking about end-to-end encryption, which in case of tools like Slack doesn't really make sense because it's the company that owns and has total control of the data, not you the end user. What happens when they need to hand over records for discovery, for example?
It's a legal term - https://en.wikipedia.org/wiki/Discovery_(law). Most countries/industries have some kind of regulation around data storage and retention for exactly this purpose.
The entire point of end-to-end encryption is to prevent this from being automated and abused by either the legal system or the company. Requiring a warrant to access the secret key on the user device reduces the risk of mass surveillance. Metadata (access logs) remain in clear text and can still be used to help authorities identify nefarious activity.
[1] https://github.com/splitbee/notion-api-worker