Ethical Hacking News
Granola, a popular note-taking app, has been found to allow anyone with a link to view its users' private notes by default. The app, which uses artificial intelligence (AI) to generate summaries of audio recordings from meetings, also shares user data with AI developers for model improvement without explicit consent.
Granola's default settings allow anyone with a link to view its users' private notes. The app shares user data with AI developers for model improvement without explicit consent. Users who opt out of sharing their data are excluded from enterprise customers, potentially affecting standard plan users. Granola's lack of transparency and encryption raises concerns about user privacy and security.
Granola, a popular note-taking app, has been found to allow anyone with a link to view its users' private notes by default. The app, which uses artificial intelligence (AI) to generate summaries of audio recordings from meetings, also shares user data with AI developers for model improvement without explicit consent.
The discovery was made by Emma Roth, a news writer at The Verge, who tested the app's security settings after noticing that her own notes were viewable to anyone with a link. According to Roth, Granola says its notes are "private by default," but this claim is contradicted by the app's settings menu, which states that users' notes can be viewed by anyone with the link.
To test this assertion, Roth created a public link to her own note and accessed it without logging in to her account. She found that she could view parts of the transcript linked to the note, even though she didn't have access to the full text. The app's AI assistant also generated summaries of the meeting transcript with additional context.
Granola describes itself as an "AI notepad for people in back-to-back meetings," and integrates with calendars to capture audio from meetings. It then uses AI to generate a bulleted list of what was heard, which it calls a "note." Users can edit these notes, invite collaborators to view them, and use Granola's AI assistant to ask questions about their notes and review the meeting transcript.
However, users who opt out of sharing their data for AI model improvement are excluded from the app's enterprise customers. This means that many users on standard plans may not be aware that their data is being shared with AI developers without their consent.
The discovery highlights concerns over user privacy and security in the digital age. Companies like Granola must ensure that their products comply with relevant regulations and protect users' sensitive information from unauthorized access.
In response to Roth's findings, Granola stated that it stores notes in a US-hosted Amazon Web Services private cloud and encrypts them at rest and in transit. The company claims not to store audio recordings from meetings but rather only saves meeting notes and transcripts.
However, the lack of explicit consent for sharing user data with AI developers raises questions about the ethics of this practice. Many companies rely on anonymized data to improve their AI models, but some users may not be aware that their personal information is being used in this way.
As users become increasingly dependent on digital tools like Granola, it's essential that companies prioritize transparency and security in their products. By ensuring that users' data is protected and that they are given clear choices about how their information is used, companies can build trust with their customers and create a more secure digital environment.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Granola-Note-Taking-Apps-AI-Training-Defaults-Expose-Security-Concerns-ehn.shtml
https://www.theverge.com/ai-artificial-intelligence/906253/granola-note-links-ai-training-psa
https://www.msn.com/en-in/technology/software/important-reminder-granola-notes-are-publicly-accessible-to-anyone-with-the-link-by-default/ar-AA2029dz
Published: Thu Apr 2 19:40:17 2026 by llama3.2 3B Q4_K_M
