The Norwegian Consumer Council’s voice is heard worldwide

The Norwegian Consumer Council (NCC) has taken a strong position against commercial surveillance online, and has made it very visible how the Ad-Tech industry is exploiting personal data for business purposes.

“Big data” has since the entry of social platforms on the Internet, been accumulated and used unscrupulously by some companies for profit. Some of the players in the field are sharing information they collect on users with third party advertisers without their users’ knowledge or consent. The driver is all the money connected to targeted advertising. However, sharing of personal data in this way is prohibited according to the EU’s General Data Protection Regulation (GDPR).

The NCC has no authority to enforce personal data legislation, but the Norwegian Data Protection Authority (NDPA) does. And so, the NCC can freely report findings of breaches of the GDPR and Norwegian data protection regulations to the NDPA.

NCC and NDPA at the forefront

A good illustration of this interaction is the case against Grindr. Earlier this year the NCC, based on the report “Out of Control” (2020), raised the case against Grindr and five Ad-Tech companies that were receiving personal data through the app: Twitter`s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato.

All the complaints were filed (in cooperation with the European Center for Digital Rights, noyb.eu), at the NDPA because of violations of the GDPR. The complaints concern Grindr transmitting sensitive personal data as for example group affiliation, sexual orientation, and geographic location, with several other parties without encrypting the traffic.

Even if data is anonymised, such as when third parties operate with their own proprietary identification numbers, it is possible to combine data from various sources with openly available information to produce a picture that can identify an individual.

In January, the NDPA announced a fine of 100 mill NOK (€ 9.63 M or $ 11.69 M) on Grindr. The NCC has also in May this year acted against 8 companies and asked for details of their surveillance through the services Perfect365 and MyDays.

The Norwegian urge to protect personal data was also illustrated in May 2021. Then the NDPA submitted an advance notification of an administrative fine of NOK 25 mio to Disqus Inc. The company does widget tracking, analysing and profiling, and disclosing personal data to third party advertisers, and in doing so violates multiple articles (i.e. Article 6 and Article 7) of the GDPR.

The privacy movement grows stronger

All of these cases illustrate the NCC mission, but the NCC is working from a broader perspective: To establish a broad, international movement towards surveillance-based advertising.

This movement got a push with NCC’s seminal report Out of Control (2020), which has received media coverage in more than 70 countries, included the US and Japan (see our previous blog post).

Recently (June 2021), the NCC released another report: Time to ban surveillance-based advertising, with the subtitle The case against commercial surveillance online.

On page 4 there is quite a good summary of what the driving force is:

…today’s dominant model of online advertising is a threat to consumers, democratic societies, the media, and even to advertisers themselves. These issues are significant and serious enough that we believe that it is time to ban these detrimental practices.

In a coalition with more than 60 organizations from Europe and the US, including some 10 consumer organisations and the umbrella organisation BEUC – the European Consumer Organisation – the NCC on June 23 2021 sent an open letter to EU and US policymakers. The letter urges the policymakers to “…take a stand and consider a ban of surveillance-based advertising as part of the Digital Services Act in the EU, and for the U.S. to enact a long overdue federal privacy law.” The coalition is backing up its call with the reports by NCC.

On behalf of NCC, the consumer research company YouGov conducted a survey among a representative selection (internet population) 18 years+ about their attitude to surveillance-based advertising. The result was unambiguous: Only 10% responded positively to the idea of commercial actors collecting information about them online, and only one in five think that ads based on personal information is OK

Runbox has a clear standing against the collection of consumer data and surveillance-based advertising: Our service is ad-free, and we never expose our customers’ data for commercial purposes. We are very strict when law enforcement authorities in Norway or foreign countries request that we disclose data about our customers.

At Runbox we are proud to reside in a country that puts privacy first, and we wholeheartedly support the appeal to ban surveillance-based advertising. Therefore Runbox will annually donate to support noyb.eu, and we have joined the list of individuals supporting the appeal.

Continue Reading →

Annual Message 2021 from the Board of Directors

Dear customers, business partners, and shareholders,

Upon the completion of the Annual General Meeting in Runbox Solutions for the fiscal year 2020 we take the opportunity to review our company’s status in accordance with our commitment to transparency.

Although 2020 was in general a difficult and challenging year due to the corona pandemic and the worsening climate change, we celebrated the 20th anniversary of the Runbox email service in October with special subscription offers to our loyal customers. This, together with continued growth in our customer base and favorable currency exchange rates, resulted in a record year for Runbox financially.

Through the year we made significant progress on Runbox 7 development, and reinforced our commitment to privacy, security, and the environment.

Runbox 7 Developments

During 2020 we continued to improve and expand the groundbreaking Runbox 7 webmail application, which features search capabilities in the browser that provides immediate searching and listing of email. Runbox 7 combines the unique database-accelerated Runbox architecture with cutting-edge technologies such as WebAssembly, HTML 5 Canvas, and Progressive Web Apps to create an immediate email experience.

Developments have focused on expanding Runbox 7 toward a complete web application, and numerous enhancements have been made to Mail, Contacts, and Calendar. Additionally we have added innovative new features such as the Mail Overview and Popular Recipients, which provide a new level of message overviews based on sender and recipient data.

Runbox 7 development can be followed on our Runbox 7 Roadmap in the Runbox Forum and aims to solve the growing challenges of email interfaces and bringing forth the future of email.

The project is partially funded by the Research Council of Norway as a research and development (R&D) project in support of the innovative aspects of the solution.

Environmental Engagement

The operation of all business continues to depend on the foundation of our natural environment, which is under increasing pressure from human activity. In 2020 the world has seen a continued growth in greenhouse gas emissions with subsequent increases in extreme weather, wildfires, and droughts around the globe.

As inhabitants of Earth we all share the responsibility to decrease our negative impact on our environment. Runbox is built with a strong ethical foundation and we are dedicated to decreasing our ecological footprint and other environmental impacts that result from our operations.

The environment is a primary consideration when developing our services, and in 2020 we continued strengthening our commitment to having a positive ecological impact.

The data center where our email servers are located is 100% hydro-powered, and the electricity powering our email architecture is utilized exclusively by the Runbox email service.

In 2020 we achieved CO2 double negative operations by implementing our Environmental Policy and supporting the organization World Land Trust. In 2021 we have extended our commitment by partnering with the Norwegian tree-planting organization Trefadder, which creates and nurtures climate forests in Norway.

Renewed Commitment to Privacy and Security

Through the year we renewed our commitment to privacy and security, and the GDPR in particular. Our GDPR implementation has continued with reinforced policies, procedures, and technologies, and as a company located in Norway our service can rely on the strong Norwegian privacy protections.

All user data processed through the Runbox email service is stored on our own physical servers in Norway, and last year we completed the transition to encrypted SSD storage for all email account data.

We have continued our blog post series outlining our road towards GDPR compliance, and made further progress with privacy and security improvements to our services.

Growing our operations

We are working closely with our system management partner Copyleft Solutions to scale our email service infrastructure with a distributed system architecture to support the continued growth of our customer base.

Together with our development partners Shadowcat Systems and Peregrine Computer Consultants Corporation, our diverse team includes members from Norway, the UK, Poland, Brazil, and the US. The background, geographical location, and diversity of our team combined with a steadfast commitment to the ethics and policies of our company forms the core of our organization.

The contributions from our open source community on Github increase the security and speed of Runbox 7 development further, and we are excited to continue the race to revolutionize email in 2021.

Continue Reading →

Out of Control: Apps that share personal data revealed by the Norwegian Consumer Council

If you are not paying for the product, then you are the product”.

This is a common saying when referring to online services that are offered for no financial payment (“free”).

The reason is that they often collect some personal data about you or your use of the service that the provider then can sell to the online advertising and marketing industry for payment. The payment they get for this covers the cost of providing the service to you and also allows for a profit to be made.

And so, they earn their money, and the app users are their product.

Apps as a source for big personal data

At Runbox we collect only the data that is required in order for us to provide our services to you, and that data is never shared with anyone for marketing or financial purposes.

However, it is common knowledge that companies like Google and Facebook use our personal data for targeted advertising. The personal data collected is anonymized and often aggregated to produce larger data sets, which enable them to target individuals or groups based on common preferences — for instance that they live in a certain location or like to drink coffee.

The idea that your data is anonymized might provide some comfort. But because of smartphones and the smartphone software applications (“apps”) many people use, companies can collect a large range of types of data and so trace individuals without asking for personal details such as your name. An example of this type of data is your smartphone unique identifier (IMEI-number1), and IP-address (when connected via WiFi).

Combined with your email address, GPS data, app usage etc., it is possible to identify specific individuals -– namely you!

Exposing the AdTech industry

To investigate this issue, The Norwegian Consumer Council (NCC), a government funded organization representing consumer interests in Norway, published a groundbreaking report last year about how the online marketing and AdTech (Advertising Technology) industry operates.

The report’s title immediately raised the flag: “Out of Control” (OuC)2. And the subtitle outlines the findings: “How consumers are exploited by the online advertising industry”.

The report tested and analyzed 10 popular “apps” under the umbrella “social networking apps”, and the findings were concerning. Most users of such apps know that registering your personal data is optional, and after the introduction of the GDPR every app is careful to ask for your consent and encourages you to click OK to accept their Privacy Policy.

What many users will not know is how much and how far the personal data is distributed. Only a few users will be aware that clicking OK implies that your data is fed into the huge AdTech and MarTech industry, which is predicted to grow to USD 8.3 billion in annual revenues by 20213.

The players in this industry are giants such as Amazon, Facebook, Google and Twitter. If that was not enough, both iOS (Apple) and Android (Google) have their ways to track consumers across different services.

Apple being more privacy minded than some others have recently developed options to allow the user to reset the “unique” advertising identifier in devices and also stop tracking across WiFi networks to break the identification chain and make it harder to target a specific user.

But the industry also has a large number of third-party data and marketing companies, operating quietly behind the scenes.

The far-reaching consequences of AdTech

This is what the NCC’s report is about, and the findings are concerning:

The ten apps that were tested transmit “user data to at least 135 different third parties involved in advertising and/or behavioral profiling” (OuC, page 5).

A summary of the findings is presented on OuC page 7, and here we find social networking apps, dating apps and apps that are adapted to other very personal issues (for instance makeup and period tracking). The data that is gathered can include IP address, GPS data, WiFi access points, gender, age, sexual orientation, religious beliefs, political view, and data about various activities the users are involved in.

This means that companies are building very detailed profiles of users, even if they don’t know their names, and these data are sent to for instance Google’s advertising service DoubleClick and Facebook. Data may also be sold in bidding processes to advertising companies for targeting advertising.

It is one thing to see ads when you perform a Google search, but it’s quite another to be alerted on your phone with an ad while you are looking at a shop’s window display, or passing a shop selling goods the advertiser knows you are interested in. Scenarios like these are quite possible, if you have clicked “OK” to a privacy policy in an app.

Personalized directed ads are annoying, but even worse is that the collection and trade of personal data could result in data falling into the hands of those who may then target users with insults, discrimination, widespread fraud, or even blackmail. And there is clear evidence that personal data have recently been used to affect democratic elections4.

What happened after The Norwegian Consumer Council published “Out of Control”, will be covered in our next blog post, but we can reveal that one of the companies studied had a legal complaint filed against them for violating the GDPR and is issued an administrative fine of € 9.6 million.

So stay tuned!

References:

  1. IMEI stands for International Mobile Equipment Identity.
  2. The report Out of Control was referred to in our previous blog post GDPR in the Wake of COVID-19: Privacy Under Pressure.
  3. Source: https://privacyinternational.org/learn/data-and-elections
  4. Source: https://bidbalance.com/top-10-trends-in-adtech-martech/

Continue Reading →

Happy New Year from Runbox

2020 was a very challenging year for many people around the world, and especially as a consequence of the ongoing global health situation. As we begin a new year we think about all those who have been impacted by the COVID-19 pandemic.

At the same time it is important that we don’t forget about other global challenges, and as Runbox celebrated 20 years in 2020 we naturally considered the current state of the environment compared to the year 2000.

Since the year Runbox was founded, global energy-related carbon dioxide emissions have increased over 40% from approximately 23 to 33 gigatons as illustrated by the figure below.

Source: IEEE Earthzine (https://earthzine.org/climate-indicators-in-the-covid-19-season/)

There was a significant increase in emissions over the past year, and despite the pandemic-related drop during 2020 world liquid fuels production and consumption is forecast to continue nearly unabated in 2021 and beyond.

Source: US EIA (https://www.eia.gov/outlooks/steo/)

It is clear that the global environmental crises in all likelihood remain the most essential and existential challenges facing mankind, and that 2020 only represents a temporary interruption.

Still, Runbox remains optimistic, and will in 2021 renew and reinforce our commitment to our Environmental Policy, our offer to provide free email services to environmental non-profit organizations, and a double negative carbon footprint through our support for World Land Trust.

Continue Reading →

The Norwegian COVID-19 contact tracing app is banned by the Data Protection Authority

GDPR in the Wake of COVID Spread: Privacy under Pressure – Part 2

Our previous blog post in this series concerned mobile phone applications under development, or already developed, in various countries for tracing the spread of COVID-19 infections. In particular the blog described the situation in Norway, and we expressed our concerns, but also our trust, in the fact that The Norwegian Data Protection Authority (‘Datatilsynet’) would be on the spot to safeguard privacy – as regulated by strict Norwegian privacy regulations.

The Norwegian Data Protection Authority — more than a watchdog

Temporary suspension of the Norwegian Covid-19 contact tracing app
The Norwegian Smittestopp app

We were right, and we are proud of the intervention by the Norwegian Data Protection Authority (NDPA), which in June banned the Norwegian COVID-19 tracker app Smittestopp. The ban illustrates NDPA’s independency, and that NDPA has legal power to enforce privacy protection when public (and private) organizations violate the law.

This power is anchored in the Personal Data Act (personopplysningsloven), the Norwegian implementation of GDPR, and the Personal Data Regulations (personopplysningsforskriften).

After evaluating the app Smittestopp as it was implemented in April this year, NDPA concluded that the app violated the privacy legislation in mainly two respects:

  1. The app was not a proportionate intervention of the user’s fundamental right to data protection.
  2. The app was in conflict with the principle of data minimization.

On June 12, The NDPA notified The Norwegian Institute of Public Health (NIPH) that the app would be banned, which was confirmed on July 6. Consequently, NIPH immediately stopped collecting data from the around 600,000 active users of the app, and deleted all stored data on their Azure server.

What the requirement for proportional intervention means

The breach of the requirement for proportional intervention concerned the expected low value of the app regarding infection tracking, due to the relatively small number of the population in the testing areas actually using the app (only 16%).

The reason for the breach of the principle of data minimization was that the app was designed to cover three different purposes:

  1. Movement tracing of individuals (for research purposes).
  2. Spread of the infection among the population.
  3. The effectiveness of infection control measures.

The NDPA was also critical to the app because it was not possible for the users to choose for which of the three purposes their data would be used.

A new app is already being planned

The government has decided to terminate further development of Smittestopp, and will instead focus on the development of a new app. After seeking advice from NIPH, the government has decided to base a new app on the Google Apple Exposure Notification (GAEN) System, or ENS, which they call “the international framework from Google and Apple” because many countries (for instance Denmark, Finland, Germany, Great Britain) are going “the GAEN way”.

Important arguments for the government’s decision are that GAEN supports digital infection tracking only (Bluetooth-based), involves no central data storage, and includes the possibility to exchange experiences and handle users’ border crossings. In the meantime the EU has implemented a recommendation for decentralized Corona tracking applications, putting GAEN “squarely in the frame“.

NIPH was given the task to specify a request for proposal in an open competition for the development assignment of the new app, and now (October 20) the Danish Netcompany is hired to do the development. Netcompany has a similar contract with the Danish health authorities, and was the only bidder (!). The new app expected to be implemented this year (2020).

The privacy debate continues

Three main issues are still being debated, and the first is technical: Is Bluetooth reliable enough? Experiences show that false positives, but also false negatives, do occur when Bluetooth is being used.

The second issue is of course privacy. Even if personal data is stored locally on the phone, notifications between phones have to be relayed through a network – so what about hacking? In addition, Trinity College in Dublin has uncovered that on Android phones, GAEN will not work unless it is sending owner and location information back to Google.

This leads to the third issue: Is it sensible to let the tech giants control a solution that involves processing very personal information? “Do Google or Apple get to tell a democratically elected government or its public health institutions what they may or may not have on an app?”

The Norwegian Data Protection Authority published a report on digital solutions for COVID-19 (‘Coronavirus’) infection tracking on September 11 this year. The report was developed by Simula Research Laboratory, who did not bid on the contract for the new GAEN-based application (arguing that they are a research institution and not a software development company).

The report “… focuses on efficiency, data privacy, technology-related risks, and effectiveness for government use. In terms of privacy and data protection, the report notes that if location data is still stored by Google, the COVID-19 app Smittestopp would be less privacy intrusive than the GAEN one.”

Conclusion

We will conclude with a quote (in our translation): “There is no perfect solution for digital infection tracking. Effective infection control and privacy stand in opposition to each other.”

For us at Runbox, privacy is priceless, and we are still wondering if the pros outweigh the cons.

Continue Reading →

Runbox doubles the storage capacity on all account plans

It’s our 20th birthday, and we’re giving YOU a present!

Our goal has always been to provide professional email services with massive storage space that is also affordable and flexible.

When Runbox was officially launched on October 12, 2000, Hotmail was the market leader with 2 MB storage space.

Runbox then decided to launch an email service with a whopping (at the time) 100 MB free storage — and received more attention (and signups) than we could have anticipated.

It’s now 2020 and we are doing it again, by multiplying the storage space on all our subscription plans by 2!

Our plans will now include storage space as follows:

Email StorageFile Storage
Runbox Micro2 GB200 MB
Runbox Mini10 GB1 GB
Runbox Medium25 GB2 GB
Runbox Max50 GB5 GB

These quotas will take effect for your account upon your next Runbox subscription purchase or renewal. So don’t forget to take advantage of the double subscription time on all product purchases through October!

Proceed to our Product page right away to automatically upgrade your account.

And we hope you will enjoy Runbox at least twice as much going forward. 😀

Continue Reading →

Runbox Celebrates 20 Years with 2 Years for the price of 1 through October 2020

On October 12, 2000 the Runbox email service was officially launched, on an Internet that was quite different from what we are used to today.

Initially, Runbox was a basic email forwarding service with a permanent @runbox.com email address. The original idea was to eliminate the need for email users to inform their contacts about a new email address when they changed schools or work places.

We soon expanded the Runbox service with a custom made Webmail interface, and offered a whopping 100 MB storage space. This was substantial compared to the 2 MB offered by Hotmail, who was the market leader at the time.

At that time Runbox was a free service, and the offering brought international attention and a large number of users. We then expanded with POP, SMTP, and IMAP access, email retrieval and filtering management, file storage, and support for email domains and domain hosting.

In 2012 we were once again at the forefront by strengthening the security and privacy aspects of our services following the surveillance revelations especially in the US.

Since those early years we have founded a new employee-owned company, continued hardening the security and privacy of our services, and built new partnerships and new server infrastructures, while broadening the foundation of our operations to embrace strong environmental and ethical principles, a diverse and dedicated team, a global customer base, and an inclusive virtual organization.

Now we are hard at work making Runbox 7 the fastest webmail app on the planet. In a world that is experiencing several global crises simultaneously we are increasingly focusing on features that facilitate global interconnectedness, telecommuting, and remote work by making our service more people and activity centric.

In an uncertain future one thing is for sure: Runbox will reinforce our mission to help people communicate better, more efficiently, and in a more organized way.

To demonstrate this we celebrate our 20th anniversary by doubling the subscription time on all Runbox products and renewals free of charge through October.

This means that when you purchase a subscription or add-on you get 2 years for the price of 1 year!

Proceed to our Product page right away to take advantage of this offer.

Thank you to all the customers who have supported us through the years — here’s to the next 20!

Note:

  • The additional subscription time will be applied automatically upon subscribing.
  • All initial subscriptions come with a full 60-day money back guarantee.
  • Hosted domains and other third party purchases are exempt.

Continue Reading →

GDPR in the Wake of COVID-19: Privacy Under Pressure

Tech companies all over the world are rushing to support health authorities in combating the spread of the SARS-CoV2 virus, which is causing the more well-known COVID-19 disease. Whether those companies do so by invitation, by commitment, or by sheer self-interest, country after country is embracing mobile phone tracking and other technological means of tracking their citizens.

It might be worthwhile to take a deep breath and understand what’s currently technologically possible, and what might be at stake.

Tracking the infection

Everyone wants to avoid infection, and every government wishes to decrease the consequences of the pandemic within their country. And modern technology makes it possible to impose on citizens surveillance systems that represents a significant step towards realizing a Big Brother scenario.

In fighting the spread of the virus, it is crucial to know who is infected, track where the infected are located, and inform others that have been, or may come, in contact with the infected. It is precisely in this context that mobile phone tracking is playing a role, and this is currently being explored and implemented in some countries, raising ethical and privacy related questions.

Smartphone tracking apps

Once tracking of individuals’ phones is established for this particular and possibly justifiable reason, it could be tempting for a government or company to use it for other purposes as well. For instance, tracking data could be combined with other personal data such as health data, travel patterns, or even credit card records. Or the location of the infected individuals could be presented on a map along with the persons’ recent whereabouts, perhaps supplemented with warnings to avoid that area. Privacy is under pressure.

A smartphone can also be used as “electric fence” to alert authorities when someone who is quarantined at home is leaving their premises, or to fulfill an obligation from the authorities to send geolocated selfies to confirm the quarantine. Some authorities even provide individuals with wristbands that log their location and share it with the relevant authorities. The examples are many, and they are real, underlining the ongoing pressure on privacy.

Big tech gets involved

Very recently two of the world’s biggest tech companies, Apple and Google, announced they are joining forces to build an opt-in contact-tracing tool using Bluetooth technology, and will draw on beacon technology as well. The tool will work between iPhones and Android phones, and open up for future applications one cannot currently imagine.

In the first version, the solution is announced as an opt-in API (application programming interface) that will let iOS and Android applications become interoperable, and — now comes crux no 1 — the API will be open for public health authorities to build applications that support Bluetooth-based contact tracing. The tool is planned for a second step — here is crux no 2 — an upcoming update of both iOS and Android will make the API superfluous. Of course, you can opt-out, but then you can’t download the operating system software update at all.

It is a double-edged sword: It is great that big tech companies are mobilizing resources to help in a public health crisis, but do we really want these companies to potentially know even more about our personal lives (in the name of the common good)? Privacy is under pressure.

Norway’s privacy oriented approach

Norway has also launched a mobile phone application to help limit the spread of the infection, but this development is done under the strict regime of privacy regulations and in accordance with the GDPR. The decision to implement the app was taken by the Government in a regulation containing specifications and strict requirements adhering to the GDPR is taken care of, including limited use until December 1, 2020.

It should be added that some of the exceptions in GDPR for authorities is put into effect because of the extraordinary situation. However, the Norwegian parliament (Stortinget) may terminate the law supporting the regulation at any time if 1/3 of the parliament members decides so.

Even if, at least in theory, it might be feasible to use a similar app from other countries, it is crucial that the software is developed from scratch in Norway. This will ensure that Norwegian authorities maintains control over all functions and data, and that the privacy regulations in the GDPR are respected.

It is also comforting that the app is developed in cooperation with The Norwegian Data Protection Authority (Datatilsynet). Other countries allow similar apps to store health information, access images or video from cameras, or even establish direct contact with the police. Such functionality is naturally out of the question in Norway’s case.

The app is designed and will be used for purposes of tracking the pandemic only, and installation and usage is voluntary. When installed and activated the app collects location data using GPS and Bluetooth, which is encrypted and stored in a registry.

In case of a diagnosed infected individual, health personnel will check if the person has installed the app. Individuals that have been in closer contact than two meters for more than 15 minutes with the “infected phone” will be notified by text message. The location data is kept for up to 30 days, and when the virus is no longer a threat the app will stop collecting data. The app users may at any time delete the app and all personal data that is collected.

What does it take to succeed?

In order for the tracking to have any impact on the spread of infections, around 60% of the population* must use the application. At the time of writing (late April), 1,218,000 inhabitants had downloaded the application, that is about 30 % of the population for which downloading is allowed (age limit 16 years).

However, the number of downloads is not a good metric and there are a few obstacles for making it operable. For instance, the “app” must be installed on the phone, permission to use GPS and Bluetooth must be given, the 4 pages long privacy declaration* has to be accepted, and the battery must provide sufficient power at any time.

The battery issue turns out to be a problem because of GPS-positioning* and the simultaneous use of Bluetooth, which seems necessary to obtain precise location data.

Furthermore, not everyone is accustomed to using the smartphone functionality that is needed, depending of the user interface. For instance elderly people and people with vision impairments* may find it difficult to use the app. And, will the criteria two meters for more than 15 minutes represent a filter that is too coarse to provide useful results and subsequent notification to the user?

For these reasons, the skeptical may wonder if using the app implies that privacy is traded for uncertain and unreliable results from infection tracking.

What the application will provide even if 60% adoption is not realized is data for later research. For instance, data from mobile phone operators who can trace mobile phones movements between base stations could be correlated to instances of infections.

In the name of fighting the pandemic, the main telecommunication companies* are now, with strict privacy considerations, cooperating with The Norwegian Institute of Public Health to analyze movement patterns of the population compared with reported infections. Data is collected in groups of at least 20 people (phones), and identification of individual persons (phones) is not possible*.

Bottom Line

At Runbox we are very concerned about privacy and any type of user tracking that may infringe on this right. While various nations are developing and implementing technological solutions to combat the spread of the decease, we are grateful that we reside in a country with strong privacy traditions. In fact, the first version of personal data protection legislation was implemented in Norway as early as 1978.

It is crucial that The Norwegian Institute of Public Health and The Norwegian Data Protection Authority ensure that the app developers at Simula Research Laboratory (a Norwegian non-profit research organization) attend to both privacy and information security issues in a responsible manner according to the well established tradition in Norway.

When privacy is under threat, as in this case, it is absolutely justified that objections arise. It is often too easy to accept privacy intrusions in the name of a perceived common good.

But one related point could be made as a final remark: Perhaps it would be more appropriate to be concerned about personal data that is collected and shared through one’s use of social media, where personal data is traded and used for purposes that are literally out of control.

* Article unfortunately only available in Norwegian.

Continue Reading →

Runbox Email is officially an ethical buy

We are delighted that Ethical Consumer has rated the Runbox email service one of their ethical best buys.

Following a thorough assessment of our business that included areas relating to our privacy policy and whether we were acting in an environmentally friendly way our email service gained one of the highest scores and was given the prestigious title of being an Ethical Consumer Best Buy product (you will need to be a subscriber to see the list of Best Buys and individual email service scores).

We’re obviously very pleased with the outcome of this assessment and it further confirms that our efforts to run a privacy and environmentally conscious service are valued in the wider market of ethical products that consumers seek out.

If you would like to know more about the work that Ethical Consumer do there is information on their website. For more information about the services that Runbox provides please visit runbox.com

Continue Reading →

Message from Runbox regarding the global health situation

In situations such as the one we are currently experiencing with COVID-19, uncertainty spreads easily and one may wonder whether services we rely upon will continue to function as usual. We are aware that our email service is of great importance to our customers, and that many rely upon Runbox in their professional and personal lives.

We can assure you that our operations will continue to function normally.

Runbox is located in Norway, a country with robust and reliable Internet services, and the Norwegian government and telecommunication operators are on the alert to ensure that Internet services are running as normal.

In our organization telecommuting is the modus operandi, and we are used to working from home offices or remote locations. For the immediate future the use of our headquarters is suspended in accordance with the advisory from our health authorities, but this will not have any impact on our day-to-day operations.

These are also the regulations our partners in Norway adhere to, and our affiliates abroad will naturally follow the advice in their respective countries. The data center where our servers are located will be enforcing stricter access procedures, but will otherwise operate normally.

This means that maintenance, support, development, and other internal functions will continue to work as usual. Our services are running on our own infrastructure, and there are no indications that our service will be exposed to any consequences of the current situation.

Our mission is to provide electronic communication between people, which is more important than ever in these times. We will continue fulfilling this obligation with dedication and determination.

Continue Reading →