On the EU-US data transfer problem

At Runbox we are always concerned about data privacy – “privacy is priceless” – and we put some effort into keeping ourselves updated on how the EU’s General Data Protection Regulation (GDPR) affects privacy-related issues. That’s because we want to be prepared in case something happens in this area that will affect the Runbox organization, our services, and consequently, and most importantly, our customers.

The case of EU-US data transfer is highly relevant because Runbox operates as a virtual organization, and this could lead to an opportunity to involve consultants residing in the US. We know that many of our customers are as concerned as we are about data privacy, so we believe it is pertinent to share our findings.

In blog post #15 in our series on the GDPR we referred to the Executive Order signed by US President Joe Biden on 07 October 2022. This happened six months after the US President and the President of the EU Commission, Ursula von der Leyen, signed the Trans-Atlantic Data Privacy Framework with much publicity on 25 March 2022.

Joe Biden and Ursula von der Leyen at a press conference in Brussels. [Xavier Lejeune/European Commission]

In this blog post we will take a closer look at the Trans-Atlantic Data Privacy Framework, and the process thereafter.

Trans-Atlantic Data Privacy Framework

The objective of the Framework is to (re)establish a legal (with regards to the GDPR) mechanism for transfers of EU personal data to the United States, after two former attempts (Safe Harbour and Privacy Shield) were deemed illegal by the Court of Justice of the European Union (CJEU).

The Framework affirms the United States’ commitment to implement new safeguards to ensure that ‘signals intelligence activities’ (SIGINT, intelligence-gathering by interception of signals) are necessary and proportionate in the pursuit of defined national security objectives. In addition, the Framework commits the US to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.

Following up on the 25 March 2022 Biden–von der Leyen agreement, the US President signed the Executive Order (EO) ‘Enhancing Safeguards for United States Signals Intelligence Activities’ on 7 October 2022.

US compliance with the GDPR

Subsequently, on 13 December 2022, a process was initiated within the EU Commission to assess whether the US, after the implementation of the EO, will meet the requirements that would qualify it for the list of nations compliant with GDPR Article 45, “Transfers on the basis of an adequacy decision”. That is, whether the European Commission has decided that a country outside the EU/EEA offers an adequate level of data protection. Personal data may be transferred from the EU/EEA to those countries seamlessly, without any further safeguard being necessary.

Inclusion of the US on that list is of course very important, not least for companies like Facebook and Google, and US companies offering cloud-based services as well. The Court of Justice of the European Union (CJEU) has deemed earlier transfer schemes (Safe Harbour and Privacy Shield) illegal, so “the whole world” is waiting for the EU Commission’s adequacy decision.

This came, as a draft, on 14 February 2023, where the Commission concludes (page 54) that “… it should be decided that the United States ensures an adequate level of protection within the meaning of Article 45 of Regulation (EU) 2016/679, …”

(The figure below illustrates the “road” for legislative decisions in the EU. A more comprehensive description of the legislative procedure can be found here.)

However, the same day, 14 February 2023, the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament concludes that “… the EU-US Data Privacy Framework fails to create actual equivalence in the level of protection; …” and “… urges the Commission not to adopt the adequacy finding;”.

Incompatible legislative frameworks

There are two important arguments, among others, behind the Commission’s conclusion: 1) There is no federal privacy and data protection legislation in the United States, and 2) the EU and the US have differing definitions of key data protection concepts such as principles of necessity and proportionality (for surveillance activities etc.), as pointed out by the Court of Justice of the European Union (CJEU).

Shortly thereafter, on 28 February 2023, the European Data Protection Board (EDPB) made public their opinion on the decision of the EU Commission regarding the adequacy. The EDPB has some concerns that should be clarified by the Commission, for instance relating to exemptions to the right of access, and the absence of key definitions.

Furthermore, the EDPB remarks that the adequacy decision is only applicable to US organizations which have self-certified, and that the possibility for redress provided to the EU data subjects in case of violation of their rights is not clear. “The EDPB also expresses concerns about the lack of a requirement of prior authorization by an independent authority for the collection of data in bulk under Executive Order 12333, as well as the lack of systematic independent review ex post by a court or an equivalently independent body.”, as stated in Opinion 5/2023.

The next step in the process is a vote on the Commission’s proposal in the European Parliament, probably in April, and thereafter the adequacy decision must be approved by all member states, before the EU Commission’s final decision.

The Commission may set aside the results of the vote in the Parliament, but one should expect that the criticism from the Committee on Civil Liberties, Justice and Home Affairs, and the concerns of the EDPB, will impact the implementation of the Framework.

Here it would be prudent to recall the statement made by the Austrian non-profit organization NOYB, chaired by Maximilian Schrems: “At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later.” This refers to the verdicts of the CJEU (Court of Justice of the European Union) condemning the former frameworks Safe Harbour and Privacy Shield – the verdicts bearing the names Schrems I and Schrems II, respectively.

Bottom Line: The final outcome of the process is unclear, but in any event we have to wait for the final decision of the EU Commission.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought regarding any specific circumstances.

Runbox 7 updates November 2022 – March 2023: Performance improvements and other upgrades

Improvements to the app performance as well as several bug fixes.

  1. Visual changes (start): Improve formatting. (cdd4304)
  2. New feature (index): Separate message updating into its own thread (0c5470a)
  3. Internal changes (index): Tweak tests (and code to pass tests) for web workers (0a9f4b0)
  4. Bug fix (index): Ensure we verify folder counts against the api (1830cbb)
  5. style(payment): Clarify main accounts vs sub-accounts. (f5bd0ef)
  6. Visual changes (payment): Improve tables and buttons, and default to USD. (bf9d7a2)
  7. Visual changes (payment): Correct button style declarations. (6ed082a)
  8. Bug fix (test): Update tests. (5bcb46d)
  9. Internal changes (index): Tidy up some debugging code (6c80615)
  10. Internal changes (deps): bump engine.io and socket.io (9f38fd3)
  11. Internal changes (deps): bump decode-uri-component from 0.2.0 to 0.2.2 (f6d83a1)
  12. Internal changes (deps): bump tinymce from 5.10.0 to 5.10.7 (e0637d9)
  13. Internal changes (deps): bump express from 4.17.1 to 4.18.2 (f173b2c)
  14. Internal changes (index): Remove some index/worker console logging (f257902)
  15. Bug fix (messagelist): Ensure drag&drop of selected emails moves them all (633515d)
  16. New feature (messagelist): Allow drag&drop from more table columns (db21e68)
  17. Geir/condensed layout 2 (#1338) (8640b1d)
  18. Bug fix (inbox): Show notification when new messages appear (ef603ef)
  19. Geir/condensed layout 2 (#1344) (42a7a72)
  20. Bug fix (maillist): Add error catching for the mail list updating (89499bd)
  21. Bug fix (messagelist): Ensure user-actions don’t stop the index updates (509839a)
  22. Bug fix (messagelist): Log errors thrown by postMessage, keep worker alive (034dbb9)
  23. Visual changes (payment): Add link to Sub-account section. (2384b37)
  24. Internal changes (deps): bump json5 from 1.0.1 to 1.0.2 (6b8514b)
  25. Internal changes (deps): bump luxon and rrule (fe0405e)
  26. Internal changes (deps): bump qs from 6.5.2 to 6.5.3 (ac8703c)
  27. Internal changes (deps): bump moment-timezone from 0.5.28 to 0.5.35 (3516498)
  28. New feature (overview): Improve time span options. (02358ef)
  29. Internal changes (deps): bump ua-parser-js from 0.7.31 to 0.7.33 (75df34d)
  30. Internal changes (deps): bump jszip from 3.7.1 to 3.10.1 (ef32ab1)
  31. Internal changes (deps): bump http-cache-semantics from 4.1.0 to 4.1.1 (0f6c62f)
  32. Visual changes (payment): Change description of pending/incomplete transactions. (#1371) (6952fa6)
  33. Bug fix (overview): Make Inbox selection more lenient. (50d5218)
  34. Bug fix (folders): Ensures we refresh the folder list on a name change (5fd354a)
  35. Internal changes (api): Filter for successes in the API folder calls (c13796f)
  36. Visual changes (login): Simplify and improve login screen. (#1377) (a5c5f85)
  37. Bug fix (drafts): Ensure we only refresh drafts once per folders update (f024af2)
  38. Visual changes (folders): Increase width of folders modal. (a50aa6d)

Christmas wrap-up: Runbox 7 Upgrades in 2022

Here at Runbox we have been hard at work over the past several months making improvements to Runbox 7, our cutting edge webmail app available at https://runbox.com/app.

Our goal is to develop the fastest and most user-friendly email service available, and as we’re winding down a bit for the holidays we take the opportunity to tell you all about the many bug fixes and other improvements we have made based on feedback from you, our customers.

The most noticeable change is that we have decreased the font sizes slightly, which allows a much more efficient use of the available space in your browser:

Runbox 7 screenshot

Based on your feedback we have fixed a large number of issues, which makes the Runbox 7 app more streamlined in everyday use. Through a series of Quality Milestones and a thorough review of Runbox 7 feedback along with diverse support requests we have made over 70 improvements to:

  • The overall performance and reliability of the app
  • Folder and message list displays
  • Compose and the Draft Desk, including attachment handling
  • Message view including the display of HTML and images
  • Settings including Identities and Account Security
  • Contacts and Calendar interfaces
  • Product and payment pages

You can find a complete list of all the updates made to Runbox 7 as well as a detailed changelog in the Runbox 7 app itself.

After this period dedicated to improving the quality of existing functionality in Runbox 7 we are gearing up to continue implementing the Runbox 7 Roadmap in 2023, so stay tuned for new features and improvements coming your way in 2023!

Runbox 7 updates August-November 2022: Streamlining and bug fixing

Improvements and bug fixes to several parts of the app.

  1. Internal changes (deps-dev): bump karma from 6.3.2 to 6.3.16 (cf19be5)
  2. Bug fix (account-security): Load App Passwords switch enabled, if in use (cdbef1c)
  3. Internal changes (deps): bump terser from 4.8.0 to 4.8.1 (4234974)
  4. Bug fix (2fa): QRCodes for 2fa should be readable in more browsers (f450220)
  5. Bug fix (tests): Github actions tests failing, try more heap size (d96715c)
  6. Internal changes (deps): bump moment from 2.29.2 to 2.29.4 (7f25bbc)
  7. Checks the msg IDs given to API for certain endpoints are valid (ef6acfa)
  8. Replaced text for alias as per request from #1091 (dccf1a9)
  9. Adds a link to caldav sync guide on calendar (c30f4ab)
  10. Bug fix (api): Don’t show errors while loading data in the background (ac23654)
  11. Bug fix (searchservice): Fix compilation error (d4156c8)
  12. style(payment): Clarify main accounts vs sub-accounts. (e7a2c18)
  13. Visual changes (payment): Improve tables and buttons, and default to USD. (84dc7e9)
  14. Visual changes (payment): Correct button style declarations. (4f4f50a)
  15. Bug fix (test): Update tests. (24ac6d0)
  16. Internal changes (calendar): Correctly add/modify events in calendar service tests (ddeaf33)
  17. Bug fix (changelog): Ensure typos in commit entries do not break the page (09ed2e4)
  18. Visual changes (payment): Payment interface updates. (#1319) (ee47246)
  19. Bug fix (compose): Ensure we can attach same file twice in compose (014c462)
  20. Bug fix (compose): Only run one draft saving attempt at a time (bf44d90)
  21. Bug fix (compose): Adds code checks to fix issues from sentry reports (3769663)
  22. Bug fix (messaging): Ensure msg fetching works after network is restored (0233288)
  23. Bug fix (calendar): Setting “all day” flag on events now saves properly (007b2d5)
  24. Bug fix (compose): Enable drag&drop of images into HTML compose window (87a06f9)
  25. Bug fix (compose): Enable inserting attached files into HTML compose (ea1d989)
  26. Bug fix (compose): Remove drag&drop to compose html window (788fb1a)

Privacy, GDPR, and Google Analytics

This is blog post #15 in our series on the GDPR.

Four European Data Protection Authorities (DPAs) have thus far concluded that the transfer of personal data to the United States via Google Analytics is unlawful according to the General Data Protection Regulation (GDPR).

It is quite certain that other European DPAs, including the Norwegian Data Protection Authority, will follow suit because all members of the EU/EEA are committed to complying with the GDPR.

Website analytics vs privacy

Everyone who manages a website is (or should be) interested in the behavior of users across web pages. For this purpose there are analytics platforms that measure activities on a website, for example how many users visit, how long they stay, which pages they visit, and whether they arrive by following a link or not.

To help measure those parameters (and a lot of others) there exists a market of web analytics tools of which Google Analytics (GA), launched in 2005, is the dominant one. In addition, GA includes features that support integration with other Google products, for example Google Ads, Google AdSense and many more.

The use of GA implies collecting data that is personal by GDPR definition, for instance IP addresses, which can be used to identify a person even if done in an indirect way. GA may use pseudonymization, using their own identifier, but the result is still personal data.

The fact that data collected by GA, of which some data is personal, is transferred to the USA and processed there, has brought the DPAs of Austria, Denmark, France, and Italy to conclude that the use of Google Analytics is not compliant with the GDPR.

None Of Your Business

This conclusion has been reached after complaints submitted by the Austrian non-profit organization NOYB (“my privacy is None Of Your Business”) to a number of European DPAs.

The complaints are based on the Court of Justice of the European Union (CJEU) concluding that the transfer of personal data to the US, without special measures, violates the GDPR.

According to NOYB the Executive Order signed by US President Joe Biden recently will not solve the problem with EU-US data transfers with regards to the potential for mass surveillance.

DPAs on the case

The Danish DPA writes that even if Google has indicated that they have implemented such measures, these measures are not satisfactory in order “to prevent access to transferred personal data by US law enforcement authorities”.

The Norwegian DPA has thus far received one complaint regarding Google Analytics, and they are saying on their web site that the case is being processed.

They “will place great emphasis on what other countries have come up with”, they say in an email conversation.

Runbox will continue following these developments and keep you updated.

Note: Runbox used GA during a short period between 2011 and 2013. When we became aware of how Google collects data and how they potentially could use these data across their various services, we terminated the use of GA in October 2013. Since then we use only internal statistics to monitor our service and visitor traffic on our web site, and these data are not shared with anyone in accordance with our Privacy Policy.

Runbox 7 updates August-September 2020: Webmail improvements

Webmail improvements including Saved Searches, which lets you instantly bring up results of previously saved search terms.

  1. New feature (identities): Order From entries by priority
  2. New feature (dkim): Add a note about selector2 and when it will become active
  3. New feature (account security): Improve password validation and error messages on Account Security to avoid confusion
  4. New feature (dialog): Allow submitting dialogs with Enter/Return key
  5. Bugfix (canvastable): Make sort icons show actual sorting direction
  6. New feature (webmail): add a way to save and reuse searches
  7. Visual fix (app): Remove obsolete instances of mat-icons
  8. Bugfix (startdesk): Fix linter and policy errors
  9. Bugfix (folders): Improve folder count reliability in some edge cases

Runbox 7 updates July-August 2020: Performance and Contacts improvements

Improved and more consistent performance, a new menu for marking messages read and flagged, improved Contacts layout, and many other fixes and improvements.

  1. Bugfix (webmail): Update local (non-index) folder counts on refresh
  2. New feature (login): Set inputmode to show email and numeric keyboards on mobile as appropriate
  3. New feature (webmail): Always show popular recipients component if enabled, even with no local index
  4. Bugfix (account): Redirect domain renewals to domain registration app
  5. Bugfix (webmail): Ensure folder counts are updated after read/unread
  6. New feature (webmail): Change icons and tooltips when a message is deleted from trash
  7. New feature (compose): Add debug logs for measuring impact of recipient loading
  8. New feature (folder): Speed up folder size calculations
  9. New feature (webmail): Separate read/unread, flag/unflag in multi-menu
  10. Bugfix (menu): Hide account security until its backend issues are resolved
  11. Bugfix (mailviewer): Load mailpane status (vert/horiz) on page load
  12. Bugfix (compose): Set focus in textarea for replies
  13. Bugfix (contacts-app): Correct filtering options background color
  14. Bugfix (contacts-app): Fix positioning of email contact icon
  15. Bugfix (contacts-app): Make middle column width adjust to its content

Runbox 7 updates July-August 2020: Contacts improvements

A brand new Contacts interface, one-click view all email by recipient, contact avatar support, and many other improvements and bug fixes.

  1. New feature (app): Implement indicators for multipart background activities
  2. New feature (contacts): Add background activity indicator
  3. Bugfix (mailviewer): React to avatar settings as soon as they change
  4. New feature (contacts): Add a tooltip to picture upload button if gravatars are disabled
  5. Bugfix (contacts): Hide pictures in contact details if they’re disabled
  6. Bugfix (identitys): make main identity email field read only
  7. New feature (contacts): Add avatar settings to Contacts settings
  8. Visual fix (compose): Show suggested recipients with light gray background. (#693)
  9. Bugfix (webmail): Redraw folders properly after new item completed.
  10. Bugfix (contacts): Scroll details to top when new contact is selected
  11. New feature (contacts): Add settings to adjust avatar use in the app
  12. New feature (mailviewer): Use pictures from contacts when available
  13. New feature (contacts): Allow uploading/deleting contact pictures
  14. New feature (contacts): Show pictures/gravatars on contact details page
  15. New feature (mailviewer): Show gravatars when available
  16. Visual fix (webmail): Add a tooltip for webmail settings button
  17. Bugfix (webmail): Make sure we can still use saved searches when no folder is selected
  18. Bugfix (contacts): Make contacts draggable again
  19. Bugfix (webmail): Fix switching folders not working in some cases
  20. New feature (contacts): Add hints to columns indicating what they’re for when they’re empty
  21. Visual fix (contacts): Minor layout fixes to contactlist
  22. Visual fix (contacts): Make the 3-column layout more rigid
  23. Bugfix (contacts): Fix a template crash when deleted contacts exist as group members
  24. Visual fix (calendar-app): Side-nav menu styles fix
  25. Visual fix (contacts-app): Side-nav menu styles fix
  26. Bugfix (contacts): Make contactlist scroll independently of contact details
  27. New feature (webmail): Show folder count for drafts
  28. New feature (webmail): Add webmail settings, allowing the disabling of popular recipients
  29. Visual fix (webmail): Move message action menu to middle column
  30. Visual fix (compose): Differentiate “Recently used” from recipients
  31. Visual fix (compose): Differentiate “Recently used” from recipients
  32. Bugfix (compose): From-specific reply-to addresses saved/stored if setup
  33. New feature (contacts): Add a way to edit group members from the group page in mobile view

Runbox 7 updates May-July 2022: Improvements to Compose and mail viewer

Improved HTML handling and numerous other fixes.

  1. Visual changes (login): Reorder links. (2f1947e)
  2. Bug fix (index): Ensure deleting index and resyncing doesn’t stop updates (eb40fec)
  3. Bug fix (mailviewer): Default dates to 1970 where not supplied (0dcc9da)
  4. New feature (mailviewer): Store “show html images” per sender (2e32a9f)
  5. Internal changes (deps): bump async from 2.6.3 to 2.6.4 (4e88aab)
  6. New feature (mailviewer): Store “show html images” per sender (94dbc1e)
  7. Bug fix (mailviewer): Ensure “with images” always turns them off/on (31b6440)
  8. Bug fix (mailviewer): HTML status buttons indicate state has been saved (#1254) (ddb0440)
  9. Visual changes (mailviewer): Adjust message display option style and formatting. (8b01d16)
  10. Bug fix (print): Print full width email with non-full viewpane (f8e89de)
  11. Bug fix (compose): Do not run a search after index loaded on compose (8e7193c)
  12. Bug fix (compose): Allow a mix of contact and typed recipients (e6d91ce)
  13. Internal changes (mailviewer): Improving the errors when an email won’t load (c79f9f5)
  14. Bug fix (mailviewer): Output mail load error message strings (f7b0f72)
  15. Bug fix (mailviewer): Cope with non-standard js errors on email fetch (1729a19)
  16. Internal changes (mailviewer): Fix tests hanging (0f2de33)
  17. Internal changes (all): Fix dev test e2e issue (mockserver crashing) (8c70f1e)
  18. Internal changes (deps): bump dexie from 3.0.3 to 3.2.2 (1759231)
  19. Bug fix (drafts): Ensure drafts sent/edited outside runbox7 are updated (2264440)
  20. Bug fix (messagelist): Enable showing empty folders, when index is off (c4a0c46)
  21. Internal changes (api): Improve error/catching debugging on msg updates (8429855)
  22. Bug fix (all): Remove unused imports (lint complains) (b1a6556)
  23. Internal changes (deps): bump eventsource from 1.1.0 to 1.1.1 (8727e1f)
  24. Bug fix (mailviewer): Don’t try to go to the url msg id if no rows loaded (4a03350)
  25. Bug fix (compose): Keep any in-progress drafts when refreshing all drafts (0814ba9)
  26. Internal changes (all): Ensure we wait long enough in e2e tests (fbcc262)
  27. Bug fix (compose): Only create new draft (new=true) once (34588b2)
  28. Bug fix (compose): Tidy up navigate “back” from compose (fde01e4)
  29. Bug fix (compose): Ensure we don’t lose content of in-progress drafts (6b0c16d)
  30. Bug fix (compose): Ensure drafts refresh keeps compose in-progress (0f4f4c9)
  31. Bug fix (compose): Speed up drag&drop of attachments onto compose editor (def6506)
  32. Bug fix (maillist): Ensure we display errors when api returns them (7d7a201)
  33. Bug fix (compose): Display drop zone (again) when files are dragged over (582dd97)
  34. Bug fix (folderlist): Check current folder counts for all folder types (987904c)
  35. Bug fix (compose): Display compose drag/drop zone (again) (cd320b7)
  36. Bug fix (compose): Keep edited draft open after refresh (7bf4fd1)
  37. Bug fix (folders): Ensure creating a new folder does not show above Inbox (4c153b3)
  38. Bug fix (compose): Refreshing drafts should not current edited draft (969cad6)
