Scheduled network maintenance

September 30th, 2014  |  Published in Status

Due to network maintenance there will be some periods of downtime on 2014-10-06, between 00:01 and 07:59 CET.

This maintenance will require rebooting routers, which will cause about 10 minutes of downtime for
each router.

We apologize for any inconvenience caused.

Why Runbox being in Norway is important

August 18th, 2014  |  Published in News  |  6 Comments

We are emphasizing Runbox’ location in Norway as something that is important to you as an email user, and you may wonder why. This article will explain it all.

Summary

  • Norwegian ShieldAll your Runbox email is privacy protected because our servers are located in Norway, and Runbox strictly adheres to the Norwegian privacy legislation.
  • Runbox protects your data against disclosure because the authorities must present a valid court order based on evidence of criminal activity to seize any data.
  • Any foreign nation requesting account information or contents have to send a formal request to Norwegian judicial authorities, and only with a Norwegian court order can any data be disclosed.
  • Norwegian authorities are not allowed to perform surveillance of data traffic without a court order.
  • Under Norwegian legislation, Runbox is not required to keep any traffic logs, and is permitted to delete your data if you ask us to.

Norwegian privacy legislation and regulations

First of all, Norway has enacted strong legislation regulating the collection, storage, and processing of personal data, mainly in The Personal Data Act (Lov om behandling av personopplysninger; Personopplysningsloven) and Regulations on the Processing of Personal Data (Forskrift om behandling av personopplysninger; Personopplysningsforskriften).

The first version of The Personal Data Act was implemented as early as 1978. This was a result of the pioneering work provided by the Department of Private Law at the University of Oslo, where one of the first academic teams within IT and privacy worldwide was established in 1970.

Additionally, the Norwegian Data Protection Authority (Datatilsynet), an independent authority, facilitates protection of individuals from violation of their right to privacy through processing of their personal data. It also verifies that statutes and regulations which apply to the processing of personal data are complied with, and that errors or deficiencies are rectified.

Any complaint against decisions made by The Data Protection Authority may be reported to The Privacy Tribunal (Personvernnemda), another independent authority, for decision.

The Norwegian Criminal Procedure Act (Lov om rettergangsmåten i straffesaker; Straffeloven, unofficial translation) is an important law governing the seizure of objects or data when a criminal act has been reported to the police. Section 211 states that mail may only be seized from an electronic communication service pursuant to a court order.

Another important law in this context is the Norwegian Penal Code (NPC, Almindelig borgelig straffelov; Straffeloven, unofficial translation) which states that it is illegal to access information systems or data unauthorized (NPC §145), and this includes all employees in the public sector (NPC §116).

We must also mention Norwegian Law on Electronic Communications (Lov om elektronisk kommunikasjon; Ekomloven), which regulates telecommunications in Norway. This law contains rules for the interception of electronic communications and for the duration of storage of personal data.

Because Runbox is similar to an Internet service provider and not a telecommunications company, Runbox is NOT affected by this law. This means that Runbox for instance is permitted to delete your email data upon your request at any time, and that we are not required to store any traffic logs.

The bottom line is that a request from Norwegian police authorities to disclose data from any Runbox account will be rejected by Runbox unless a Norwegian court has decided otherwise.

What does compliance with Norwegian privacy laws mean?

So what does Runbox’ compliance to Norwegian laws mean regarding your personal data when using Runbox, and the content of your emails stored on our servers?

Runbox does not collect any data about you except what is necessary to provide you with our services. This is in accordance with our Terms of Service and Privacy Policy, which is compliant to The Personal Data Act §8. This paragraph states that personal details can only be collected and processed with consent from the registrant.

Similarly important is §11, stating that personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.

Only if presented with a court ordered seizure pursuant to the Norwegian Criminal Procedure Act may Runbox be forced to disclose information to The Norwegian Police Service. It is therefore an absolute prerequisite that a crime has been committed.

What about requests from authorities outside Norway?

A request from foreign authorities or agencies regarding Runbox account details or user data has a long way to go before it reaches Runbox:

It will in general start with a legal request (letter rogatory) submitted through diplomatic channels to the Norwegian Ministry of Foreign Affairs, who sends it to the Attorney General at the Norwegian Office of the Prime Minister, who will, if appropriate, forward the request to the Ministry of Justice and Public Security who in turn sends it to the appropriate police unit, for example the National Criminal Investigation Service, Norway (Den nasjonale enhet for bekjempelse av organisert og annen alvorlig kriminalitet; Kripos) or The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST) for independent investigation. All requests will of course be evaluated with regards to Norwegian laws and regulations.

The Norwegian police authorities may then present Runbox with a subpoena, which will be rejected by Runbox as a matter of principle. The case may then be submitted to a Norwegian court, and an attorney will be appointed to represent the account owner. If the court finds that there is evidence or probable cause for suspicion of criminal activity on the part of the account owner, Runbox may be presented with a court order requesting us to disclose the requested information.

Norway has entered into agreements with some foreign nations to cooperation in criminal matters regarding disclosure of objects and data, that may simplify the procedure above:

Through the European Convention on Mutual Assistance in Criminal Matters requests go directly to the Ministry of Justice and Public Security, through the Schengen Agreement requests go to the public prosecutor in Norway, and between Nordic countries, requests go to central or local police (district chiefs of police). Requests from Canada and Thailand go directly to the Ministry of Justice and Public Security.

All other nations, the United States included, have to follow the general rule outlined above: Requests must be sent through diplomatic channels to the Norwegian Ministry of Foreign Affairs. The agreement between Norway and the United States (and Australia) is about extradition of criminals only, not about assistance in “ordinary” legal matters.

Since Runbox Solutions was founded in 2011 we have received 0 court orders for disclosure of account details or user data. We have received 3 requests directly from attorneys in the United States, all of which have been rejected outright.

What about surveillance…

According to the laws mentioned above, the Norwegian police authorities can not execute communication control, for instance surveillance of electronic messages, without a valid court order. An independent tribunal, the Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll) is established to control that the police’s use of wiretapping occurs within the framework of the law and that the use of such methods is as limited as possible.

This means that no surveillance of traffic to or from Runbox can occur unless a valid court order is presented. However, the regulation that governs wiretapping (Forskrift om kommunikasjonskontroll; Kommunikasjonskontrollforskriften) and the Control Committee for Wiretapping do not pertain to intelligence, which is the domain of The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), see below.

…and intelligence?

Let us examine the various Norwegian intelligence agencies and their mandates:

The Norwegian Intelligence Service (Etterretningstjenesten) is a body established in order to survey and monitor civil and military activities outside Norway. This body is not authorized to survey or collect information about Norwegian natural or legal persons, which includes companies. For that reason, Runbox is beyond the authority of this agency.

The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST) do NOT have any legal rights beyond The Norwegian Police Service, which is discussed above.

The Norwegian Defence Security Department (Forsvarets sikkerhetsavdeling, FSA) applies to military institutions only, and is not relevant for Runbox customers at all.

The National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) is established to control governmental and civil institutions regarding security, and because Runbox does not provide services to such institutions, this authority is not relevant to Runbox or our customers.

Joint Counter-terrorism Center (Felles kontraterrorsenter, FKTS), is a recently established department within PST staffed with people from PST and EtterretningstjenestenFKTS is a cooperation agency sharing information and analyzing terror threats against Norway. FKTS is subject to the laws and regulations governing the activities of The Norwegian Police Security Service and the Norwegian Intelligence Service.

In order to monitor these agencies and ensure they are acting in accordance with laws and regulations, the Norwegian Parliament has established The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), and Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll). Their mandate is to ensure that the police’s use of wiretapping is in accordance with the law and is as limited as possible.

What is the conclusion of all this?

All your Runbox email stored on our servers is safe because Runbox is located in Norway. Runbox strictly adheres to the Norwegian Personal Data Act and the Norwegian Criminal Procedure Act, which is the main legislation governing our operations. This fact, along with our ethics, prevent us from doing anything unauthorized with your data.

Specifically, Runbox protects your data against disclosure requested by the authorities because they must present a valid court order to seize any data. Such a court order is difficult to obtain, because it must be based on evidence of criminal activity related to the account owner.

Norwegian authorities are not allowed to perform surveillance of data traffic without a valid court order. Norway has established independent agencies to ensure that these agencies follow the laws and regulations under which they operate. In addition, Norway is an open democracy with a critical and investigative press which readily publicizes any suspicion of breached laws and regulations.

Any foreign nation asking for data have to send a formal request according to established protocols and strict rules. And any such legal request will be scrutinized by Norwegian judicial authorities, and only in cases where Norwegian law is breached could a request result in a court ordered seizure which is necessary to obtain data from Runbox.

In short, no authority or agency can monitor Runbox’ data or traffic without a court order, which can only be issued on evidence of criminal activity in violation of Norwegian penal code.

Additional protection

Runbox customers automatically have an advantage by storing their email in Norway, and you can add another layer of protection by encrypting your communication with Runbox.

To protect your privacy even further, Runbox does NOT use Google Analytics or any other third-party tracking of our customers’ usage. We never use data or traffic information for any other purpose than anonymous statistics in order to improve our services and our system’s performance. Our service is absolutely ad-free, and we do not share or sell your personal details to anyone.

The combination of the strict Norwegian legal environment, our solid IT infrastructure, Runbox’ ethics and Privacy Policy, and the technology Runbox provides, means that Runbox provides a service that is uniquely private and secure.

For more information about the privacy and security of Runbox’ services, please see the following links — and feel free to contact us with any questions or concerns.

Tags: ,

[Resolved] Email service network problems

July 24th, 2014  |  Published in Status

We are currently experiencing problems with either our network or our firewall, and all Runbox email services are currently unavailable.

Our system administrators are working to correct the problem. Meanwhile, any incoming email will be queued on other servers for later delivery.

Our web and domain hosting services are not affected by this problem.

UPDATE 23:50 CET: A power strip inside a server rack had died, causing the firewall server to go down. We expect this to be resolved shortly.

UPDATE 23:51 CET: Problem has been resolved and email services are back online.

Email Encryption with Runbox

July 18th, 2014  |  Published in Security  |  4 Comments

There has been much talk in the media recently about using email encryption to avoid surveillance and monitoring. In this article we help you understand what email encryption is, how it works, and the options that are available to you as a Runbox customer.

Summary of this Article

  • Email communication involves at least a sending email client, a sending email server, a receiving email server, and a receiving email client.
  • Email communication between client and server is typically encrypted using basic encryption methods such as TLS or SSL.
  • In addition to this, you can use end-to-end encryption with any email service — and we show you how to use encryption with Runbox.

First, the Basics

Email Communication

Email Communication
The client establishes a connection with the sending server, which passes the message on to the receiving server from which the recipient downloads the message.

In order to understand how email encryption works, we need to cover the basics of email communication. Don’t worry, we’ll keep it non-technical and it’s pretty simple.

To send an email to someone, 4 things are usually needed (in addition to the Internet itself):

  1. A sending email client such as Outlook, Apple Mail, and Thunderbird.
    An email client is a program or app, which is running on a computer, tablet, or smart phone. When you use a webmail service such as Runbox Webmail, your browser acts as the email client. Whatever it’s called, it’s the program you use to write your email messages.
  2. A sending email server such as Runbox.
    When you use Runbox your email client connects to our servers, which takes care of figuring out where on the Internet the recipient is located. More correctly, it looks up the domain name part of the recipient’s email address and connects to the servers responsible for that domain name.
  3. A receiving email server such as Gmail.
    The receiving email server accepts the message and stores it until the recipient downloads it to her email client.
  4. A receiving email client such as Outlook, Apple Mail, and Thunderbird.
    Similar to the sending email client, the recipient uses an email program to send and receive email. The email client regularly connects to the receiving email server to check for new email, and usually keeps a copy of the messages on the server so that they are available to other devices the recipient may be using.

Standard Email Encryption

Encrypted Communication

Encrypted Communication
The server presents a valid SSL/TLS certificate and the encrypted connection is indicated by a padlock and green bar in the browser.

The email communication between the client and server (#1 and #2 above) is already encrypted by default if you are using the recommended settings. When using Runbox Webmail encryption is always enabled, which you can tell by the padlock in the address bar and the web address starting with “https” (where the “s” stands for secure).

This type of encryption is called Transport Layer Security or TLS for short (which has succeeded Secure Sockets Layer, SSL) and protects your data from being eavesdropped on its way from your email client to our servers.

After accepting the message for relay, the Runbox outbound email server then looks up the email service responsible for the recipient’s domain name and connects to one of their servers. Runbox always attempts to establish an encrypted connection using TLS, but many services do not support such connections yet.

After connecting to the receiving server (#3 above), Runbox hands over the message for further processing.

The final step (#4 above) between the receiving email server and the recipient is usually encrypted, but it depends on the encryption support of the receiving email service’s servers and the settings in the recipient’s email client. More details: Secure Transfer of Email

Why this type of encryption isn’t sufficient

In other words, there is no way of knowing whether the communication is actually encrypted all the way from you to the recipient. Although some email services provide encrypted email storage, this doesn’t resolve the problem of unencrypted connections further down the message’s path.

In the event that someone was able to eavesdrop on communication encrypted using SSL/TLS, they would in principle not be able to decrypt the contents without somehow accessing the private encryption key which is only stored on the provider’s servers (unless Perfect Forward Secrecy was implemented, which is the case with Runbox).

However, this type of encryption is still theoretically vulnerable to surveillance because the encryption standards used have been developed in cooperation with US intelligence agencies, although any such weakening has been denied by NIST (National Institute of Standards and Technology).

End-to-end encryption of email

End-To-End Encryption

End-To-End Encryption
Sender and recipient have exchanged encryption keys and the communication is encrypted from end to end, in addition to the SSL/TLS encryption which is attempted established by the sending server.

The best solution available is to add another layer of encryption on the email communication all the way from sender to recipient. This is called end-to-end encryption and is already available for use with virtually any email service or provider.

When using end-to-end encryption, the contents of messages will be unreadable to a potential eavesdropper all the way from sender to recipient. It is of course always important that the two parties take great caution to secure their computers or devices to prevent them from being compromised.

Note that the metadata (sender and recipient addresses, subject line, timestamp, etc) of email messages is always unencrypted in order for the message to be routed to its recipient.

There are two main email encryption standards available: PGP and S/MIME. This may look cryptographic in itself, but we will explain both of them. Runbox supports both standards, which can be used with an email client or with Runbox Webmail.

See Encrypting Your Runbox Email for an overview of email clients and their encryption support.

PGP: Pretty Good Privacy

Despite the name, PGP is considered to be cryptographically very strong and is probably the most popular email encryption standard today.

PGP is the easiest encryption standard to get started with because it doesn’t involve anyone but the sender and recipient of a message. It is based on a “web of trust” because it only involves the sender and recipient and assumes that they trust each other.

  • Both parties must have a PGP enabled email client or webmail service.
  • The sender must have generated a private/public encryption key pair using software that is downloaded and installed locally.
  • The recipient must have downloaded the sender’s public key, because the recipient’s public key is used by the sender to encrypt the message. The recipient’s private key is used to decrypt the message.
  • Can be used with webmail services with a web browser.

To get started, see our Encrypting and Securing Email Using OpenPGP help page.

S/MIME: Secure/Multipurpose Internet Mail Extensions

S/MIME is a standard being adopted by the IETF (Internet Engineering Task Force) and requires some more preparation on the part of the email user.

  • S/MIME functionality is built into most major email client programs.
  • Both parties must have an S/MIME enabled email client.
  • A certificate must be obtained from a Certificate Authority and installed in the sender’s email client.
  • Is based on a “chain of trust” because the Certificate Authority validates the sender’s identity and makes the public key available to others.
  • Is not suitable for use with webmail services using a web browser.

We hope this article helped you understand how email encryption works and how to get started using it. And as always, please contact us if you have any questions.

Tags:

Email, Encryption and Data Surveillance

July 16th, 2014  |  Published in News

As each day goes by there seem to be new revelations about which countries are spying on each other, or have secret agreements to monitor traffic by putting “taps” on strategically important cables entering or leaving countries. It is hard to keep track of all this information, and even harder to verify what is fact and what is speculation.

Questions, questions!

If you care about your data or email and whether it is private or not, then all of this should bother you; in fact it should bother you quite a lot. But how do you make sense of it all, and what action can you take, assuming you can take action that is? Which countries will look after your data best? And who can actually read your email as it is delivered to and from your email provider?

At Runbox we get asked a lot of questions like the ones above, and we have come to the conclusion that often we are worrying about the wrong things.

Who are the players in this real-life James Bond story?

five-eyesThe United States National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) have featured heavily in the media, and along with three other countries (Canada, Australia and New Zealand) they make up the so called “Five Eyes” countries that are known to be monitoring communications.

These countries have an agreement to share data that they collect through their extensive networks. This is not speculation, this is hard fact in the public domain, and together they form the single biggest data sharing network ever conceived. The allegations that they spy on each others citizens and then share data with each other to get around domestic regulations relating to spying on your own citizens is one of the most controversial claims that have been made in the last few years.

There are other revelations that suggest many countries also have agreements with the NSA and GCHQ in return for various kind of technological assistance that might benefit the collaborating nation.

More recently, and closer to home for Runbox, we have seen allegations that Denmark is monitoring data entering and leaving Norway, and that Sweden is pretty much in league with the NSA about as much as the other “five eyes” countries. At a glance this can seem worrying given that Runbox is based in Norway.

But does it really matter?

Data everywhere, and no place to hide

surveillanceOn a political front it probably does matter, but on a practical level if you email someone who is outside of Norway the chances are the data passes through a number of countries and worrying about the ones geographically adjacent to Norway seems a little pointless. For example, if you email anyone on Gmail, Yahoo, Outlook, iCloud or any of the other major providers, the chance is your data is going to end up in the one country that is at the centre of the recent revelations – the USA.

The reason we get asked questions about security is because people want to take positive action to protect their data, so what can you actually do?

Stored email and data

The question about which email provider will protect your data best when it is on their servers is a separate issue to the one surrounding your data when it is being transferred from one place to another. In respect of your email provider, you are better to keep your email data in a country that has strong privacy laws, and with a provider that tries to encrypt the transfer of that data to and from your account. Runbox is based in a country that does have strong privacy laws, and we always try to encrypt your data when transferring it to and from your account.

So choosing an email provider isn’t too difficult once you know what to look for.

So what about data transfer?

Given that we know agencies are monitoring Internet communications (it doesn’t matter how much or little of this is going on) it is best to assume that anything that you do on the Internet, or anything you email can be monitored by someone. You can think of this as being like sending a private message on a postcard through the usual mail where everyone including the post office and your family can read the postcard.

Fundamentally the data that makes up your email can be read by any server it passes through on its way to its destination. Mail servers also write information to their hard drives and then use that data when sending your email on to the next destination. This means that temporary copies of your email are also made!

There is very little you can do about this, it’s how email works.

Email-EncryptionAn obvious solution to prevent prying eyes from reading your email is to use some sort of code that only the sender and recipient can decode, and that is exactly what encryption is. If you encrypt a message with a strong enough key then it is currently not possible for anyone to read it without having the private key and passphrase. For now we will ignore allegations that encryption has been subverted by governments as it is clear that strong encryption does still work adequately.

Regardless of whether you encrypt messages yourself, Runbox attempts to encrypt your email when it sends to and receives email from other providers on your behalf. This is an important security feature, but it isn’t universally used and even some major email providers do not offer this kind of encryption. Where it is not offered your email is delivered unencrypted and it is just as vulnerable to interception then as a postcard is.

End-to-end encryption

Email is about 40 years old, and it hasn’t changed much in all that time. For decades computer security experts have been aware of the insecure nature of email, which is why email encryption has been around for about half the time email has existed. Encrypting your enigmail_gnupg_thunderbirdemail is not a new idea at all, but as a proportion of email sent very little is encrypted by the sender.

The best overall solution is to encrypt the message before it leaves your computer and not rely on anyone else to protect the data for you. The data can then only be decrypted at the recipients end if the correct key is available and the passphrase for that key is known. This is called end-to-end encryption.

There are various ways in which you can encrypt your email, some involve email client (app/program) like Thunderbird, Outlook or Apple Mail and others are integrated in to the webmail service of email providers.

You don’t need to be an expert to encrypt your email

Encrypting your email is not as difficult as you might think, but you might need to make some changes to how you use email.

We are used to having a very wide variety of email providers at our fingertips, and encryption isn’t necessarily going to be compatible with all of those various interfaces. Elsewhere on this blog and on the Runbox help website we explain some of the easier ways to implement strong email encryption that can be used with most email providers.

Yes, you are going to have to give your friends, family and colleagues keys so they can decrypt email and also send encrypted email to you, but is that really much more difficult than having to give them a key to get in to your home (assuming you want them in your home that is)?

If you encrypt your email it won’t matter what revelations are in the news next week, only you and your recipients will be able to read your email. Unless of course the revelations are about encryption having been compromised…

For more information

[Completed] Email Alias Quota Increased to 100

July 1st, 2014  |  Published in News  |  2 Comments

In order to further simplify our price plans and improve our offering we have decided to increase the email alias quota of all account subscriptions to 100 (except the Max plan which already has it).

This change has already taken effect, which you can tell from the Alias Administration screen.

If you are wondering what an email alias is and what it can be used for, it’s basically an alternative email address pointing to your Runbox account. This is very useful in order to manage identities/profiles, especially if you host a domain with Runbox.

For more information and tips, head over to our help page on Aliases!

Tags:

[Completed] Adjustments to Bandwidth and Outgoing Message Quotas

May 9th, 2014  |  Published in News  |  1 Comment

In order to simplify our Price Plans and improve the reliability of messages sent from Runbox, we are introducing standard quotas on email bandwidth usage per week and on the daily outgoing message limit across all subscription plans (with a few important exceptions).

Please continue reading to find out what is being changed and how this may affect your account. We will also notify all our customers by email within the next few days.

What is being done

As of June 1, 2014 we will make the following changes to the Runbox subscription plans (with a few exceptions):

  • The bandwidth quota will be upgraded corresponding to the Max subscription plan’s 10 GB per week.
  • The outgoing message quota for all subscription plans will be set to 500 messages per day*.

*) Those who have purchased extra quotas will of course keep them, and we will accommodate those who do need to send a larger number of messages — please see below for details.

If you are unsure about which subscription plan you currently have, please see Account > Subscription Information.

Why we are making these changes

The recent revelations in the media of mass surveillance of online communication especially in the US has brought many new customers to Runbox over the past months. This has lead Runbox to garner international attention by publications such as Der Spiegel and The New York Times, and Runbox has gained a position as a leading provider of secure and private email services.

In accordance with our growth strategy we have invested heavily in new hardware to replace and modernize our server park, which will increase our capacity and further improve the reliability and security of our services.

While we continue to roll out these upgrades we have reviewed our subscription plans and decided to simplify and adapt the bandwidth and outgoing message quotas.

Bandwidth quota change

Our growing number of customers access their email on an increasing number of laptops, tablets, and smartphones. Additionally, people increasingly use email to share multimedia files such as images and videos.

The new hardware we have installed greatly improves our ability to support this “email-on-the-go” trend and we have therefore decided to upgrade the bandwidth quota to a level corresponding to the Max subscription plan for all existing and future accounts.

With many more people sending digital photographs and videos to friends, family, and colleagues, this new higher quota will allow you to make even better usage of our market leading 100MB attachment size.

Outgoing message quota change

There are two different reasons for the change of outgoing message quotas:

1) A few of our customers send a large amount of legitimate email. While our systems cope well with this, there is an ever increasing volume and therefore cost to processing this kind of email. There is also an increase in staff time dealing with any issues that arise as a result of recipients sometimes reporting such email as spam.

We see that those who send large amounts of bulk email don’t necessarily need large storage quotas, so we have decided to decouple the outgoing message quota from the subscription plans. You can then freely purchase outgoing message quota upgrades independently of your subscription plan.

Please note that this change need not affect your account as you can keep your current quota upon request.

2) Runbox enforces a strict policy on email sent from our service. Unfortunately, some of our customers still have poor password or computer hygiene, which in some cases can cause their Runbox account to be used by spammers to max out the currently very high outgoing message quotas.

This not only causes problems for the account owner, but sending large amounts of unsolicited email via our outgoing mail servers can potentially affect all our customers. If a receiving server detects that unsolicited email has been sent from one of our servers, Runbox may be blacklisted and in turn be prevented from reliably delivering email sent by our customers.

By lowering the outgoing message quota we protect all accounts from jeopardizing the reputation of Runbox’ mail servers. You as a Runbox customer will benefit directly because email sent from reputable mail servers are delivered promptly and reliably to their recipients’ Inboxes.

As part of our aforementioned server upgrades we will have the ability to implement new security features that will also help protect customers’ accounts.

How these changes may affect your account

The bandwidth quota change will only affect your subscription positively if at all, since all subscription plans will now have the maximum 10 GB bandwidth limit per week. With many more people sending digital photographs and videos to friends, family, and colleagues, this new higher quota will allow you to make better use of our market leading 100 MB attachment size.

The outgoing message quota adjustment will only affect customers who send more than 500 messages per day. Please note that the number of messages equals the total number of recipients, because e.g. 1 message with 20 recipients is 20 messages when delivered from our servers.

If you need a higher outgoing message volume we will restore the old quota upon request.

Customers who have paid specifically for increased outgoing message quotas will keep their full quotas as long as they are renewed.

If you are unsure about your current outgoing message quota, please refer to our subscription plans.

We hope you will understand that these changes are not only necessary but beneficial to Runbox and you as a Runbox customer.

And please let us know by contacting Support if you have any questions or concerns about these changes.

Tags: , ,

New Privacy Products Available

May 7th, 2014  |  Published in News  |  6 Comments

Runbox prioritizes security, reliability, and privacy above all else. As you probably know, Runbox’ email servers are hosted in Norway, and Runbox Solutions operates under Norwegian legislation which protects our customers’ data.

Our services are protected by Extended Validation SSL with Perfect Forward Secrecy, ensuring encrypted communications between client and server. We enforce a strong Privacy Policy and we do not share any account details or user data with any third party.

To complement our security and privacy features we are now launching the following products:

No Backup

Store your email and files on a separate, dedicated disk volume without backup. This means that when you delete an email it is immediately and permanently removed from our servers.

Read more about No Backup

Domain Registration in Norway

You can register any top-level domain (TLD) name with a Norwegian registrar via Runbox and operating under Norwegian jurisdiction.

By registering a domain name ending with for instance .no, .cc, or .co, your domain’s records are kept in Norway and in the country corresponding with the TLD of your choice.

Read more about Domain Registration in Norway

Domain Management

Runbox can register a domain name for your exclusive use. Runbox Solution’s company name, address, and contact information will be used and we will be the legal registrant. Your personal or business details will not be associated with the domain name, but you will be reserved the right to use it exclusively.

Read more about Domain Management

Tags: , ,

Warning About Insecure Email Apps

May 2nd, 2014  |  Published in News  |  2 Comments

We have become aware of at least one email app (application software) available for smartphones and tablets that undermines the security of email sent using your Runbox account.

The email app is very easy to set up with only your email address and password, and you can get it working within a few minutes at most. It was due to this ease of set-up that we became suspicious. There is always a push towards making things easier for users of technology, but we believe that this is one step too far.

We discovered that the email app was not sending email through the Runbox mail servers. There was no SSL encryption between the email client and the servers, and no onwards encryption to a destination that we know normally uses encryption when sent via our servers. Instead of using our servers in Norway, the app used a mail server in another European country!

If this wasn’t bad enough, there was no user notification that the app hadn’t used the correct servers and was instead using an alternative server.

We won’t mention this particular app by name here as that wouldn’t be fair, especially when there may be others that do the same. We do not recommend this type of email app for phones, tablets or computers in general, and we cannot be held responsible for the delivery of email not sent through our servers, but apparently coming from your Runbox email address.

We would urge all Runbox customers to consider the following:

If you are not asked to enter the secure server settings as detailed on our settings page, then you are not in control of how your email is received or sent.

If you have any further questions about this, or would like further advice, please contact Runbox Support.

U.S. judge rules search warrants extend to U.S. companies’ overseas email accounts

April 29th, 2014  |  Published in News  |  14 Comments

A U.S. federal judge has ruled that U.S. Internet Service Providers must hand over customer emails and other content sought by U.S. government search warrants, even when the data is stored overseas.

The ruling addressed a search warrant against Microsoft Inc. for one of its customers whose email is stored on a server in Ireland.

As a Norwegian company and email service operating under Norwegian jurisdiction, Runbox is not affected by this ruling.

Runbox will not disclose account information or email data to authorities unless presented with a Norwegian court order.

Find out more about Runbox’ privacy policies and Norwegian privacy regulations.

Read the full story at Reuters.

Tags: ,