Structuring our GDPR project

March 21, 2019 Leave a comment

As mentioned in our previous blog post about our GDPR project plan, we structured our implementation plan in 14 sub-projects.

In this blog post we’ll take a look at the first of these sub-projects.

Mapping status compared to the Regulation

The foundation for the sub-projects was (of course) the requirements in the GDPR Regulation, which we had mapped in subproject # 1: Compliancy Status Tables mapping Runbox’ status compared to regulations.

In order to prepare ourselves, we did that before the final regulation was decided. We also did this for the requirements from the Norwegian Personal Data Regulation at that point in time.

Of course, the mapping had to be made compliant with the final version of the GDPR after the EU decision in 2016 – and so we did.

Controller and processor

At that point in time, we had our project nicely structured in the 14 sub-projects mentioned above. That was pretty easy, because of the mapping we had done. An important fact in this context, is that Runbox is a controller and a processor as well, depending on the circumstances, according to the GDPR definitions. It was important to be exact about where and when.

Subprojects definitions and delimitations

In the GDPR we found some important points that we had to consider:

  • Our agreement with our main processor, Copyleft Solutions – and what about the agreements with our affiliates, partners and the like? Are confidentiality clauses regarding protection of personal data adequate any longer?
  • Do our Terms of Service and Privacy Policy correspond to the new requirements?
  • What changes have to be done in our systems to fulfill GPDRs requirement regarding customers’ rights?
  • Do we have a systematic documentation of our systems, and what about access control?
  • Does our information security policy cover the necessary elements, and is our risk analysis up to date?
  • What about the processing of personal data we do for internal processing? Obviously it was necessary to take a look into the agreements we have with internal and external personnel.
  • What about the internal control mechanism we have – do they comply?

Those points (and some more) made the foundation for establishing delimitations between each sub-project, which we will continue blogging about in the weeks to come.

Continue Reading →

Runbox 7 Feature and Bug Bounty Program

February 6, 2019 1 Comment

The Runbox 7 project represents an ambitious plan to revolutionize the world of webmail services, and with the Runbox 7 open source launch on https://github.com/runbox/runbox7 we have invited skilled developers to join us in this quest.

Now we are excited to announce a bounty program to accelerate development further. The program is two-fold and introduces bounties for both features and bugs.


Feature bounties

We encourage you to contribute to Runbox 7 with your skill and talent by adding new functionality that all Runbox 7 users can enjoy.

All contributions must include tests and documentation in order to be accepted.

Gold – $1,000 reward

Gold bounties are rewarded for contributing major new features that involve substantial additions to the Runbox 7 code base.

Examples of such features can be found on the Runbox 7 Roadmap and include complete, new screens for Account, Files, or Manager with REST endpoint specifications.

Other examples are significant optimizations of the code that improve performance or substantially restructures or refactors the code base.

Silver – $500 reward

Silver bounties are given for contributions of medium-sized new features or additions of new functionality that improves existing features.

Examples of such features can be found on the Runbox 7 Roadmap and include new screens for sections under Account, Files, or Manager with REST endpoint specifications.

Bronze – $100 reward

Smaller features or functionality that extends or improves existing features.

Examples include those listed on Github as Runbox 7 enhancement issues (urgent and critical).

Iron – $10 reward

Minor features or functionality that extends or improves existing features.

Examples include those listed on Github as Runbox 7 enhancement issues (trivial, low, and medium).

Bug bounties

Integrity and reliability is paramount to our operations and although we take all reasonable precautions to prevent bugs, all open source software benefits from thorough reviews from the community.

Therefore we provide bug bounties with an emphasis on problems that could impact the integrity of our services.

High – $1,000 reward

Reporting severe errors that could lead to elevated privileges, significant data compromise, or service downtime.

To be eligible for this bounty:

  • You must not publicly disclose your finding.
  • You must never exploit any found vulnerability.
  • You must send a detailed explanation with steps to reproduce the bug.
  • You may submit a patch that fixes the issue for a double bounty!

Examples include issues listed on Github as Runbox 7 bug issues (critical).

Medium – $500 reward

Reporting vulnerabilities that provide limited access and that could result in denial of service, manipulation of individual accounts, or temporary problems that affect limited data sets.

To be eligible for this bounty:

  • You must not publicly disclose your finding.
  • You must never exploit any found vulnerability.
  • You must send a detailed explanation with steps to reproduce the bug.
  • You may submit a patch that fixes the issue for a double bounty!

Examples include issues listed on Github as Runbox 7 bug issues (critical).

Low – $100 reward

Vulnerabilities that have a low impact on our operations or that require significant knowledge about our systems.

Examples include issues listed on Github as Runbox 7 bug issues (urgent).

Trivial – $10 reward

Minor bugs that are annoyances rather than vulnerabilities, and that don’t affect the integrity or reliability of our services.

Examples include those listed on Github as Runbox 7 bug issues (trivial, low, and medium).

How to get started

To get started with our bounty program, have a look at our Runbox 7 GitHub repository at https://github.com/runbox/runbox7.

We are marking issues that are suitable for new contributors with “good first issue“.

Then review our contribution guidelines and follow the instructions there: https://github.com/runbox/runbox7/blob/master/CONTRIBUTING.md


Continue Reading →

Know where your email is, wherever you are!

February 5, 2019 Leave a comment

When you access web pages and other services such as email a whole range of things go on in the background to ensure that your request for a web page or accessing your email is achieved no matter where you are in the World, or which Internet Service Provider (ISP) you are using at the time. As part of that process, the companies that provide these services can do some useful things to ensure that your access is as fast and as reliable as possible.

Edge services

One thing service providers can do is make use of edge services that move data and processing closer to the location of the device you are using. This will mean that when you access the service the route that the data takes is shorter geographically, and that a central data centre is not having to handle all the network traffic and processing. This reduces the time it takes from when you perform some action on your device to when you get the response from the service. This is often referred to as latency.

As more and more devices become connected to the Internet, and 5G mobile services are rolled out fast responsiveness will become increasingly important for providing a good experience.

Runbox and edge services

Despite all the benefits of edge services and why they are used, we are pleased to say that Runbox doesn’t use any of them – and for good reason.

We understand that privacy and knowing who looks after you data is important to you as a Runbox customer, and to that end we are happy to say that we can offer you the confidence of knowing where your email is stored no matter where you access it from.

We only store your email on servers that are located in a data centre in Oslo, Norway. In addition to our own security features, it is protected by the highly regarded legislation of Norway which is very focused on the privacy of communications and data more generally.

All networks point to Norway

When you access your email with an email program or via our web interface data to and from your phone is routed between your location and Oslo, and the only place your data can be accessed from is the servers in Oslo.

Between you and our data centre the data can travel across many networks with your current ISP at one end and ours at the Oslo end. However, all our services encrypt your data between your device and our servers and this means the email content isn’t readable as it passes through the ISPs that provide your connection to us.

We believe that rather than distributing your data to data centres around the World, it is important for it to be treated as a valuable commodity and give it location specific protection. This means all access to your data is in accordance with Norwegian law.

Internet routing

Runbox doesn’t control the entire route of your data to our servers, and the further from Oslo you are the less influence our choice of ISPs has on the route your data takes.

The geographical distance between you and our servers can make a difference to how responsive our servers appear to be. This is because of the number of ISPs and routers involved in the network between you and us, as well as the quality and speed of the service those ISPs provide.

Usually this doesn’t cause any significant issues and we have happy customers in 170 countries including Australia and New Zealand, which is about a far as you can get from Oslo. However, sometimes it can cause an issue and we can help customers try to deal with this if they contact us.

Speeding up your email access

While we are pleased to offer the certainty of knowing where you data is stored, we are also keen to make sure that you have a good experience using Runbox.

Using an email program like Thunderbird, Outlook or Apple Mail and therefore having your mail stored on your device can improve access to your messages. Doing this means that instead of having to download details for all of your messages each time you access your account, mail that has already been downloaded to your device is already there and only new messages need to be fetched from the server.

Using an email program is a great idea for many reasons and not just because it helps solve potential network issues, but also because of the ability to manage more than one email account in the same interface, use the local search capabilities of the email program and access previous messages when you don’t have an Internet connection.

And now we can speed up your web access too

Recently we’ve introduced local storage to the Runbox webmail in the form of the Runbox 7 web app. When you log in to the new interface you will be given the choice to download an index of all your messages that will be stored in your web browser. This index will remain there and be updated as new mail arrives until you decide to delete it. We also pre-load the content of the messages that are shown in your message list so that when you open the message the content is already on your device ready to be shown to you. This makes Runbox 7 a very fast webmail client with excellent search capabilities.

Know where your email is, wherever you are

So not only do you have the peace of mind knowing where your email is stored when it arrives in your account, but you also have the option to store it securely on your own personal devices for even greater performance.

This means you don’t need to worry about what edge services are doing with your data, because with Runbox you know where your email is, wherever you are!

Continue Reading →

Runbox’ road to GDPR compliance

January 28, 2019 Leave a comment

How we did it and what we learned on the way

In our blog post May 25, 2018 we described the main areas of Runbox’ GDPR implementation.

On this Data Privacy Day we’d like to update you on our GDPR implementation, how we did it, and what we learned on the way.

There is an enormous amount of information out there describing GDPR content, simple copies of the regulation, some templates of varying quality – and a lot of warnings.

So first of all, let’s recap what the GDPR is.

What is the GDPR, and why did it come about?

In 2012, the European Union (EU) first proposed a set of rules for protection of data inside and outside the EU. An important reason for this decision was a desire to improve the ability for individuals to control data registered about themselves.

In 2016, the GDPR (General Data Protection Regulation) was formally adopted by the European Parliament and the Council of the European Union to take effect for all individuals within the EU and the European Economic Area (EEA).

Runbox’ approach to the GDPR

Runbox' GDPR Implementation

At Runbox, which is located in the privacy bastion Norway and within the EEA, we started the GDPR planning and implementation process as early as 2014.

At that point in time, we had followed the process in the EU about a comprehensive reform of the EU’s 1995 data protection rules. In the spring of 2014, the European Parliament demonstrated strong support for the GDPR proposal set forward by the Article 29 Working Party. (You can find more information about the history of the GDPR in the article The History of the General Data Protection Regulation.) Shortly thereafter, in September 2014, our GDPR Compliancy Project was launched.

We didn’t know at that time when the GDPR would take effect, but we knew the direction – that is: The GDPR was indicated to move in the direction of existing Norwegian privacy regulations, based on Article 29 Working Party documents.

Our GDPR project plan

We structured our implementation project in 14 partly parallel sub-projects, and after the decision by the European Parliament and of the Council by April 27, 2016, we updated our project plan towards the target date May 25, 2018.

We started out mapping exactly our position compared to Article 29 proposal, which in 2015 was replaced by The European Data Protection Board, and then we went ahead to work out our main planning document, Rules and Regulations for Information Security Management.

The groundwork was done, and we proceeded the project towards fulfillment of our obligations regarding privacy under the new legislation, implemented in Norwegian law by July 20, 2018.

We will share more information in forthcoming blog posts, so stay tuned!

Continue Reading →

Data Privacy Day

Leave a comment

January 28th is Data Privacy Day, and was initiated by the Council of Europe in 2007. Since then, many advances to protect individuals’ right to privacy have been made.

The most important of these is the European Union’s General Data Protection Regulation (GDPR) which was implemented on May 25, 2018. Runbox has promoted data privacy for many years, anchored in Norway’s strong privacy legislation.

At Runbox, which is located in the privacy bastion Norway, we believe that privacy is an intrinsic right and that data privacy should be promoted every day of the year.

Your data is safe in the privacy bastion of Norway

We’re pleased that Data Privacy Day highlights this important cause. Many who use the Internet and email services in particular may think they have nothing to hide, not realizing that their data may be analyzed and exploited by corporations and nation states in ways they aren’t aware of and can’t control.

While threats to online privacy around the world are real and must be addressed, we should not be overly alarmed or exaggerate the problem. Therefore we take the opportunity to calmly provide an overview of Norway’s and Runbox’ implementation of data privacy protection.

Norway enforces strong privacy legislation

First of all, Norway has enacted strong legislation regulating the collection, storage, and processing of personal data, mainly in The Personal Data Act.

The first version of Norway’s Personal Data Act was implemented as early as 1978. This was a result of the pioneering work provided by the Department of Private Law at the University of Oslo, where one of the first academic teams within IT and privacy worldwide was established in 1970.

Additionally, the Norwegian Data Protection Authority, an independent authority, facilitates protection of individuals from violation of their right to privacy through processing of their personal data.

For an overview of privacy related regulations in the US, in Europe, and in Norway, and describes how Runbox applies the strong Norwegian privacy regulations in our operations, see this article: Email Privacy Regulations

Runbox enforces a strong Privacy Policy

The Runbox Privacy Policy is the main policy document regulating the privacy protection of account information, account content, and other user data registered via our services.

If you haven’t reviewed our Privacy Policy yet we strongly encourage you to do so as it describes how data are collected and processed while using Runbox, explains what your rights are as a user, and helps you understand what your options are with regards to your privacy.

Runbox is transparent

Runbox believes in transparency and we provide an overview of requests for disclosure of individual customer data that we have received directly from authorities and others.

Our Transparency Report is available online to ensure that Runbox is fully transparent about any disclosure of user data.

Runbox is GDPR compliant

Runbox spent 4 years planning and implementing EU’s General Data Protection Regulation, starting the process as early as 2014.

We divided the activities implementing the GDPR in Runbox into 3 main areas:

  • Internal policies and procedures
  • Partners and contractors
  • Protection of users’ rights

This blog post describes how we did it: GDPR and Updates to our Terms and Policies

Runbox' GDPR Implementation

More information

For more information about Runbox’ commitment to data privacy, we recommend reviewing the Runbox Privacy Commitment.

Continue Reading →

The secret behind Runbox 7’s speed

January 26, 2019 Leave a comment

Runbox 7 SpeedRunbox 7 Webmail recently entered open beta, and if you haven’t tried it yet you are missing out!

When you log into Runbox 7 the first thing you’ll notice — aside from its beautiful design — is the speed.

Your folders and messages will load instantly, and no matter how many messages you have the message list will scroll without delay and without any limit.

Gone are the days of waiting for the next screen-full of messages to load, or having to click to navigate between pages. Switching between folders, sorting the message list, and moving messages — any action you perform is executed instantly.

Runbox 7 Speed from Runbox on Vimeo.

And the message search is lightning fast — results will show up immediately while you type into the search field. Combined with message threading and inline message previews, this makes email management extremely efficient with Runbox 7.

Under the hood

WebAssembly LogoWe have modified Xapian by porting Xapian to WebAssembly using the C to WebAssembly compiler from emscripten, which lets it run both in NodeJS on the server and in the browser. Our fork of Xapian will be merged into Xapian’s repository on Github so that it will become available for others to use.

Xapian logoThis is accomplished by utilizing a custom version of the open source Xapian email indexer. We have always been impressed with Xapian’s processing speed, reliability, and adaptability, and it’s ability to index large amounts of messages.

The Runbox 7 Webmail App is open source and is available in our main repo at https://github.com/runbox/runbox7. We encourage you to check out our code base, and invite you to join the Runbox revolution by getting involved in our growing community at https://community.runbox.com!

A separate repo at https://github.com/runbox/runbox-searchindex generates the xapian.wasm module in WebAssembly in C++.

The Xapian database is stored in the browser using IndexedDB, which is available through the IDBFS file system of emscripten.

Combined with a central message database and the use of websockets, this allows the indices to stay in sync when new email arrives on the server and when changes are made locally.

The user interface

The power of the WebAssembly Xapian port is matched by the message listing which is written in HTML5 Canvas. This makes it possible to handle large tables and quick re-rendering, and provides good control of the rendering process.

Ordinary HTML tables would suffer slowdown penalties on sorting, filtering, and resizing, and would require pagination, and would not be efficient enough for our needs.

The Canvas element is wrapped in a  user interface written in HTML/Typescript using Angular 2+, and is built using UI elements from https://material.angular.io/.

Mail parsing is done using the HTML parser from Andris Reinmann which is written for NodeJS and can be found here: https://github.com/andris9/mailparser.

Continue Reading →

Happy New Year from Runbox

January 1, 2019 5 Comments

As 2018 draws to a close and the sun returns in the northern hemisphere we can conclude that it’s been another dramatic year for the world, especially with regards to our environment and the climate.

From heatwaves in Europe to wildfires in California, flooding in Asia, and hurricanes in the eastern US, 2018 has continued the trend of increasing temperatures, increasing sea levels, and an increasing population, and the environmental crises are almost too numerous to count.

The ominous climate report from the IPCC summarizes our shared predicament, and undisputably illustrates that all of humanity, indeed all of the species on our planet, are in one and the same boat.

However, we are nowhere near on track to avoid dramatic warming of the climate, according to the recent IPPC report.

In Norway these changes are also noticeable, and although we are more fortunate than many other areas of the world with the majority of our electricity being generated by hydropower, both our personal convictions and our company values compel us to do more.

Among the strongest indicators that our planet’s ecosystems are collapsing is the increasing rate of species extinction, and in particular those at the top of the ecosystems.

In Norway, aside from the polar bear and the arctic fox, especially the seabirds along the Norwegian west coast are endangered. Among these the lomvi (thin-billed murre; Uria aalge aalge) in Norway has seen its population decrease 90% in the past 50 years due to climate change, food shortages, fisheries, and fishing gear and is now critically endangered here.

Lomvi
Lomvi
Credit: environment.no/NINA

In order to improve the condition of these birds it’s crucial that information about their condition is gathered through observations and reported through the media so that the authorities can make informed decisions.

Therefore, instead of a special holiday offer to improve our result for the year, we want to give back to the environment. We have decided to donate NOK 10,000 to Lista Bird Observatory, an organization on the southwestern coast of Norway whose purpose is “to document development of bird populations by monitoring bird migration over time”.

We encourage other small businesses around the world to do the same for their preferred non-profit environmental organization. We may be small, but if we all contribute according to our ability we can make a difference.

From all of us at Runbox, we wish everyone the very best for 2019.

Continue Reading →

Runbox 7 is going open source

December 12, 2018 4 Comments

We are very excited to announce that we are now making the Runbox 7 App available as open source software!

Runbox 7 is our new Webmail service currently in open beta, featuring unprecedented email indexing and search capabilities. It’s the first product whose source code we are making publicly available, and marks a major milestone for Runbox.

Open source software powers most of the Internet, and makes up a large part of the platform Runbox is running on. Now Runbox 7 will become part of this global collaboration, and you can join in by visiting the Runbox repository on Github: https://github.com/runbox.

Why we are going open source

GPLv3 LogoRunbox has utilized and promoted open source software since the very beginning, and we owe much of our success to the open source community.

Now we’re contributing back to the community with the front-end of Runbox 7, which will allow others to review our code and verify that it’s safe and secure.

It also allows others to copy and modify the codebase for their own use, and contribute back to Runbox and our community.

Additionally it means that we will automatically publish the Runbox 7 changelog and issues, and even let Runbox users create issues for bug reports or feature requests.

Why we chose GPLv3

It was important to Runbox that we ensure that any derivative work remains open source, which the GNU General Public License does.

Another reason for selecting the GPLv3 license is that Runbox 7 utilizes the open source Xapian search engine library which is licensed under GPLv2.

What’s new in Runbox 7

Runbox 7 isn’t merely an upgrade to our existing services, it’’s a bold step into a new world of synchronized Webmail apps that provide unprecedented speed and usability.

Our new app is the cornerstone of Runbox 7, and is the first of several development stages that will culminate in a completely new user interface.

Runbox 7 Webmail currently features superior speed, incremental search, infinite listing, inline message previews, threaded conversation views, web push notifications, and a Progressive Web App for mobile phones.

Contributing to Runbox 7

In the future we plan to publish the entire Runbox 7 codebase including the backend, but you can already develop the Runbox 7 App while using the Runbox servers as the backend.

More information about this can be found at https://github.com/runbox/Runbox7.

Ready to give it a test drive? Head to https://runbox.com/app !

Continue Reading →

New search function in Runbox 6

December 5, 2018 11 Comments

We have now replaced the search function in Runbox 6 with an improved version that is based on the groundbreaking search feature we have developed for Runbox 7.

You will find the new search area at the top of the message list when clicking Search in the Webmail menu.

The new search function will show results while you type into the search field, so there is no need to manually click on a Search button.

Note that in Runbox 7 the search function is dramatically faster and returns results instantaneously thanks to its innovative search index synchronization. Runbox 7 also introduces many new features such as infinite message listing, inline message previews, threaded conversation view, and a mobile app version. Give it a test drive!

Search options

By clicking on the wrench icon to the right, the following options will be shown:

  • to: Search by recipient address
  • from: Search by sender address
  • subject: Search by subject line
  • current folder: Limit search to the current folder
  • year/month/date: Shows a calendar where you can select a time frame

Selecting an option will insert an example into the search field which you can then modify.

You can also just type these operators directly into the the search field and you can can combine them with the AND operator, like: folder:Inbox AND subject:something

More information can be found on our Help pages.

Continue Reading →

Runbox 7 Webmail entering open beta phase

November 21, 2018 Leave a comment

Runbox 7 illustrationWe are excited to announce that the Runbox 7 Webmail beta test is now open to the public!

A large number of improvements and bug fixes have been made since our previous update, including an even faster Webmail, web push notifications on incoming email, and inline message previews.

There is now a Runbox 7 mobile app (Progressive Web App) available too, making Runbox a joy to use on your mobile phone!

We’d like to thank the hundreds of beta testers in our beta test community for all their contributions thus far, and helping us build the fastest webmail app on the planet!

What Runbox 7 Webmail is…

PWARunbox 7 isn’t merely an upgrade to our existing services, it’s a bold step into a new world of synchronized Webmail apps that provides unprecedented speed and usability.

Our new app is the cornerstone of Runbox 7, and is the first of several development stages that will culminate in a completely new user interface.

Runbox 7 Webmail features superior speed, incremental search, infinite listing, message previews, threaded views, a draft desk, as well as a mobile app version.

…and what it isn’t (just yet)

Note that we are initially focusing on the core Webmail service, and that the Runbox 7 Webmail therefore currently only includes this service.

Other areas such as Manager, Files, etc. will be added as we continue working on Runbox 7, so clicking on these menu items in Runbox 7 will currently take you back to Runbox 6.

Runbox 7 roadmap

We have an ambitious plan for the development of Runbox 7, with the following planned activities:

  • Open beta test phase
  • Open source Runbox 7 App
  • Profiles and Contacts integration
  • Files, Manager, and Settings
  • End-to-end encryption
  • Web calendar
  • Message/task management
  • Synchronous messaging

How to provide feedback

Our Runbox 7 team is working hard to make Runbox 7 the best webmail app on the planet, and your feedback will help decide what we develop next.

Tell us what you think about Runbox 7 Webmail in our dedicated forum at https://community.runbox.com/. Sign up to the forum using your Runbox email address so that there will be no issues gaining access to the forum.

Note that before you post requests or bug reports, it’s a good idea to review other posts to see if your issue has already been mentioned.

With that out of the way, please find the Runbox 7 Webmail app here:

https://runbox.com/app

We hope you’ll enjoy a modern, user-friendly, beautiful, and above all fast webmail experience!

Screenshots

Check out the screenshots below for a few highlights, and click on each one to bring up a hi-res version with more details.

Message list view

When you first log in to Runbox 7 Webmail you will find a beautiful interface with a design that is clean and efficient, yet packed with features. Its speed can’t be conveyed by a screenshot however, so try it out for yourself to get the real experience.

Two- or three-pane message preview

You can preview messages either in a horizontal pane beneath the message list, or to the right of the message list as shown below.

Draft Desk

The Draft Desk shows your current drafts in a convenient desk-like layout.

Ready for a test drive?

Just head to https://runbox.com/app and then join our community at community.runbox.com to take part in the Runbox revolution!

Continue Reading →