We are emphasizing Runbox’ location in Norway as something that is important to you as an email user, and you may wonder why. This article will explain it all.
Summary
All your Runbox email is privacy protected because our servers are located in Norway, and Runbox strictly adheres to the Norwegian privacy legislation.- Runbox protects your data against disclosure because the authorities must present a valid court order based on evidence of criminal activity to seize any data.
- Any foreign nation requesting account information or contents have to send a formal request to Norwegian judicial authorities, and only with a Norwegian court order can any data be disclosed.
- Norwegian authorities are not allowed to perform surveillance of data traffic without a court order.
- Under Norwegian legislation, Runbox is not required to keep any traffic logs, and is permitted to delete your data if you ask us to.
Norwegian privacy legislation and regulations
First of all, Norway has enacted strong legislation regulating the collection, storage, and processing of personal data, mainly in The Personal Data Act (Lov om behandling av personopplysninger; Personopplysningsloven) and Regulations on the Processing of Personal Data (Forskrift om behandling av personopplysninger; Personopplysningsforskriften).
The first version of The Personal Data Act was implemented as early as 1978. This was a result of the pioneering work provided by the Department of Private Law at the University of Oslo, where one of the first academic teams within IT and privacy worldwide was established in 1970.
Additionally, the Norwegian Data Protection Authority (Datatilsynet), an independent authority, facilitates protection of individuals from violation of their right to privacy through processing of their personal data. It also verifies that statutes and regulations which apply to the processing of personal data are complied with, and that errors or deficiencies are rectified.
Any complaint against decisions made by The Data Protection Authority may be reported to The Privacy Tribunal (Personvernnemda), another independent authority, for decision.
The Norwegian Criminal Procedure Act (Lov om rettergangsmåten i straffesaker; Straffeloven, unofficial translation) is an important law governing the seizure of objects or data when a criminal act has been reported to the police. Section 211 states that mail may only be seized from an electronic communication service pursuant to a court order.
Another important law in this context is the Norwegian Penal Code (NPC, Almindelig borgelig straffelov; Straffeloven, unofficial translation) which states that it is illegal to access information systems or data unauthorized (NPC §145), and this includes all employees in the public sector (NPC §116).
We must also mention Norwegian Law on Electronic Communications (Lov om elektronisk kommunikasjon; Ekomloven), which regulates telecommunications in Norway. This law contains rules for the interception of electronic communications and for the duration of storage of personal data.
Because Runbox is similar to an Internet service provider and not a telecommunications company, Runbox is NOT affected by this law. This means that Runbox for instance is permitted to delete your email data upon your request at any time, and that we are not required to store any traffic logs.
The bottom line is that a request from Norwegian police authorities to disclose data from any Runbox account will be rejected by Runbox unless a Norwegian court has decided otherwise.
What does compliance with Norwegian privacy laws mean?
So what does Runbox’ compliance to Norwegian laws mean regarding your personal data when using Runbox, and the content of your emails stored on our servers?
Runbox does not collect any data about you except what is necessary to provide you with our services. This is in accordance with our Terms of Service and Privacy Policy, which is compliant to The Personal Data Act §8. This paragraph states that personal details can only be collected and processed with consent from the registrant.
Similarly important is §11, stating that personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.
Only if presented with a court ordered seizure pursuant to the Norwegian Criminal Procedure Act may Runbox be forced to disclose information to The Norwegian Police Service. It is therefore an absolute prerequisite that a crime has been committed.
What about requests from authorities outside Norway?
A request from foreign authorities or agencies regarding Runbox account details or user data has a long way to go before it reaches Runbox:
It will in general start with a legal request (letter rogatory) submitted through diplomatic channels to the Norwegian Ministry of Foreign Affairs, who sends it to the Attorney General at the Norwegian Office of the Prime Minister, who will, if appropriate, forward the request to the Ministry of Justice and Public Security who in turn sends it to the appropriate police unit, for example the National Criminal Investigation Service, Norway (Den nasjonale enhet for bekjempelse av organisert og annen alvorlig kriminalitet; Kripos) or The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST) for independent investigation. All requests will of course be evaluated with regards to Norwegian laws and regulations.
The Norwegian police authorities may then present Runbox with a subpoena, which will be rejected by Runbox as a matter of principle. The case may then be submitted to a Norwegian court, and an attorney will be appointed to represent the account owner. If the court finds that there is evidence or probable cause for suspicion of criminal activity on the part of the account owner, Runbox may be presented with a court order requesting us to disclose the requested information.
Norway has entered into agreements with some foreign nations to cooperation in criminal matters regarding disclosure of objects and data, that may simplify the procedure above:
Through the European Convention on Mutual Assistance in Criminal Matters requests go directly to the Ministry of Justice and Public Security, through the Schengen Agreement requests go to the public prosecutor in Norway, and between Nordic countries, requests go to central or local police (district chiefs of police). Requests from Canada and Thailand go directly to the Ministry of Justice and Public Security.
All other nations, the United States included, have to follow the general rule outlined above: Requests must be sent through diplomatic channels to the Norwegian Ministry of Foreign Affairs. The agreement between Norway and the United States (and Australia) is about extradition of criminals only, not about assistance in “ordinary” legal matters.
Since Runbox Solutions was founded in 2011 we have received 0 court orders for disclosure of account details or user data. We have received 3 requests directly from attorneys in the United States, all of which have been rejected outright.
What about surveillance…
According to the laws mentioned above, the Norwegian police authorities can not execute communication control, for instance surveillance of electronic messages, without a valid court order. An independent tribunal, the Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll) is established to control that the police’s use of wiretapping occurs within the framework of the law and that the use of such methods is as limited as possible.
This means that no surveillance of traffic to or from Runbox can occur unless a valid court order is presented. However, the regulation that governs wiretapping (Forskrift om kommunikasjonskontroll; Kommunikasjonskontrollforskriften) and the Control Committee for Wiretapping do not pertain to intelligence, which is the domain of The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), see below.
…and intelligence?
Let us examine the various Norwegian intelligence agencies and their mandates:
The Norwegian Intelligence Service (Etterretningstjenesten) is a body established in order to survey and monitor civil and military activities outside Norway. This body is not authorized to survey or collect information about Norwegian natural or legal persons, which includes companies. For that reason, Runbox is beyond the authority of this agency.
The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST) do NOT have any legal rights beyond The Norwegian Police Service, which is discussed above.
The Norwegian Defence Security Department (Forsvarets sikkerhetsavdeling, FSA) applies to military institutions only, and is not relevant for Runbox customers at all.
The National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) is established to control governmental and civil institutions regarding security, and because Runbox does not provide services to such institutions, this authority is not relevant to Runbox or our customers.
Joint Counter-terrorism Center (Felles kontraterrorsenter, FKTS), is a recently established department within PST staffed with people from PST and Etterretningstjenesten. FKTS is a cooperation agency sharing information and analyzing terror threats against Norway. FKTS is subject to the laws and regulations governing the activities of The Norwegian Police Security Service and the Norwegian Intelligence Service.
In order to monitor these agencies and ensure they are acting in accordance with laws and regulations, the Norwegian Parliament has established The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), and Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll). Their mandate is to ensure that the police’s use of wiretapping is in accordance with the law and is as limited as possible.
What is the conclusion of all this?
All your Runbox email stored on our servers is safe because Runbox is located in Norway. Runbox strictly adheres to the Norwegian Personal Data Act and the Norwegian Criminal Procedure Act, which is the main legislation governing our operations. This fact, along with our ethics, prevent us from doing anything unauthorized with your data.
Specifically, Runbox protects your data against disclosure requested by the authorities because they must present a valid court order to seize any data. Such a court order is difficult to obtain, because it must be based on evidence of criminal activity related to the account owner.
Norwegian authorities are not allowed to perform surveillance of data traffic without a valid court order. Norway has established independent agencies to ensure that these agencies follow the laws and regulations under which they operate. In addition, Norway is an open democracy with a critical and investigative press which readily publicizes any suspicion of breached laws and regulations.
Any foreign nation asking for data have to send a formal request according to established protocols and strict rules. And any such legal request will be scrutinized by Norwegian judicial authorities, and only in cases where Norwegian law is breached could a request result in a court ordered seizure which is necessary to obtain data from Runbox.
In short, no authority or agency can monitor Runbox’ data or traffic without a court order, which can only be issued on evidence of criminal activity in violation of Norwegian penal code.
Additional protection
Runbox customers automatically have an advantage by storing their email in Norway, and you can add another layer of protection by encrypting your communication with Runbox.
To protect your privacy even further, Runbox does NOT use Google Analytics or any other third-party tracking of our customers’ usage. We never use data or traffic information for any other purpose than anonymous statistics in order to improve our services and our system’s performance. Our service is absolutely ad-free, and we do not share or sell your personal details to anyone.
The combination of the strict Norwegian legal environment, our solid IT infrastructure, Runbox’ ethics and Privacy Policy, and the technology Runbox provides, means that Runbox provides a service that is uniquely private and secure.
For more information about the privacy and security of Runbox’ services, please see the following links — and feel free to contact us with any questions or concerns.
I notice that if I were to create a new account with you, I would be obligated to retrieve my email messages from a .com domain, not a .no domain. Although my email addresses would reside in the .no domain, apparently access to my messages would necessarily go through the .com domain. Why is this? Doesn’t this defeat the purpose of using Norway as a legal jurisdiction for my offshore email service?
Hi John. Thanks for your comment and question; it’s an important question to ask.
Email does not “go through the .com domain” as you say. Domains are just pointers on the Internet that tell servers which other servers they need to contact to transfer information. In the case of email that information would be email messages.
We have a help article about this here: http://help.runbox.com/how-do-internet-domains-work-for-email/
If you have any further questions about this, please just let us know.
Hi Dave,
Thanks for your reply, but I’m not sure it really answers my question. The link you provide gives technical details about the routing and DNS resolution issues associated with sending/receiving email, but it doesn’t address the issue of legal jurisdiction. It’s my understanding that the entire purpose for anyone other than Norwegians to use a Norway-domained email service provider like Runbox is because of the jurisdictional protections provided by the laws of Norway. The .com domain is apparently governed by the laws of the USA, which implies that the USA can legally make a request for data which is resident on (or perhaps having passed through) any server which participates in the .com domain. Can you address this issue for me?
Hi John,
Any request for disclosure of data have to go through the authorities of the country where the data is stored, as explained in the section “What about requests from authorities outside Norway?” above.
It doesn’t matter which top-level domain the service is provided on. Runbox provides services on both the .com and the .no domains, and we offer a growing list of synonymous top-level domains for email routing (runbox.eu, runbox.us, runbox.me, etc) — but all email data is stored in Norway under Norwegian jurisdiction.
Hope that helps!
Thanks for that. You indicate that Runbox offers services on both the .com and the .no domains, and I would prefer to establish my Runbox account using only the .no domain name. However, any effort I make to establish a new account forces me to use the .com domain. Can you please explain how I might establish a new account using only the .no domain?
Hi John,
When you set up an account, it is just a generic username in our system (i.e. with no specific domain attached) and works with all our domains. The fact it looks like a .com address is just the default setting in your preferences. You can choose to change your address preferences once the account is set up and only use and tell people about your @runbox.no address.
I hope that helps.
Hm. I find this elaboration rather naive.
Yes, your privacy protection is very strong (as strong as can be, legally, I guess). And I like your service for precisely that reason.
However: what you have’t discussed is a) clandestine attacks against your service(s); they may be more relevant than the legalistic procedures you rule out.
b) also, if the US really really want my data, they will get it from you. They will find a way. Even legal if need be. And that has nothing to do with the US per se. I could also say Germany or Austria.
Joe,
Naturally no service or system can be guaranteed to be 100% secure, but the combination of Runbox’ location in Norway and the hardening put in place to protect our systems against attacks, along with the encryption methods we recommend, make it a safer choice than most alternatives.
As outlined in the article, Norway has established a strict hierarchy of authorities to process legal requests for information whether they originate within Norway or not. The rest is of course up to us as administrators of the service and the secure technologies and procedures we employ, and the encryption methods you as an end-user utilize.
As you are probably aware, there are a number of choices available to add layers of encryption to your Runbox communication: https://help.runbox.com/encrypting-your-runbox-email/
Hello, I have a quesion regarding the existence of multiple domains (runbox.com, runbox.eu etc): if I have for example the email address dali@nullrunbox.com do i also receive emails sent to dali@nullrunbox.eu ?
Dali: Correct! We currently offer the following Runbox domains, which are all synonymous:
runbox.com, runbox.us, runbox.no, runbox.co.in, runbox.co, runbox.eu, runbox.is, runbox.me, runbox.it, runbox.at, runbox.email, rnbx.uk, xobnur.uk, rbox.co, and rbox.me.
You can find an updated list of domains on the Aliases and Sub-Account screens in your account.
THIS STATEMENT IS MAYBE NOT TRUE as of Aug 2014 because:
“Since Runbox Solutions was founded in 2011 we have received 0 court orders for disclosure of account details or user data. We have received 3 requests directly from attorneys in the United States, all of which have been rejected outright.”
BUT YOU DATA REQUESTED BY FBI and NCIS
According to this article you did disclose information concerning NCIS and FBI and a tax case:
https://drittlei.wordpress.com/tag/runbox/
Here is part of the english translation:
Hans Lysglimt, tells of a disclosure order he received from the FBI via NCIS and Norwegian law in an American tax case. The petition concerned emails that were thought concerned the matter, and by order of the court handed Lysglimt this. He claims that the content was neither very extensive nor particularly controversial.
Please clear this for us.
The case you refer to related to the company that ran the Runbox email service until May 2011 when it was bought out by staff and key personnel, who started a new company (Runbox Solutions AS).
In short, the Runbox services have been under new ownership, management, and policy since May 2011, and the case you mention has nothing to do with our company.