In recent weeks (for some reason) we have seen an increase in demand for information about whether Runbox collaborates with any government law enforcement agencies when it comes to the email sent and received by our members. We have also had numerous enquiries asking what we do to ensure the privacy of email sent and received by Runbox members.
It seems like a good time to review what Runbox does and doesn’t do.
Monitoring by Law Enforcement & Security Agencies
Runbox is not involved in any routine exchange of members’ data with anyone.
All email data is stored in a secure facility in Norway and access to the data center is very strictly controlled.
Casual requests for information about Runbox members and their email are categorically rejected. More formal requests are always directed to the Norwegian court system. Only if a valid Norwegian court order is received, and the proper procedures have been followed, will the request be considered. At that point it will be referred to our legal representatives.
We adhere to our own strict Terms of Service as well as Norwegian laws and regulations, and if we become aware of activity that is contrary to those we will take appropriate action.
Details of laws and regulations as they apply to Runbox can be found on our Email Privacy and Offshore Email page.
Email Privacy and Security
In recent weeks certain claims have been made that email can be intercepted by government agencies as it crosses international borders. Regardless of any truth or otherwise in these claims, the security of email transfer is essential.
It is important to distinguish between three points of security.
1. Security of the connection between you and the Runbox email service.
2. Security of the connection used between the Runbox email service and other email services.
3. Securing the content of your email in addition to 1 and 2 above.
On the first point, Runbox provides the facility for email to be encrypted during transmission to and from our members. All that the member needs to do is use our server secure.runbox.com with the appropriate settings.
On the second point, we employ encryption techniques when sending to and receiving from other email services. However, this is only available if the other service also offers this facility. If it doesn’t then we have to use an unsecured connection.
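As an added illustration of the second point (this is not Runbox's code): a sending mail server learns whether the receiving service offers encryption from the extensions listed in its SMTP EHLO reply, and decides from that. The EHLO replies, host names and the `require_tls` option below are constructed for this example.

```python
# Added example: models the sender-side decision for server-to-server SMTP.
# The EHLO replies below are constructed samples, not captured Runbox traffic.
from enum import Enum


class Transport(Enum):
    TLS = "encrypted (STARTTLS)"
    PLAINTEXT = "unencrypted fallback"
    DEFER = "not sent: TLS required but not offered"


def parse_ehlo(reply: str) -> dict:
    """Return {KEYWORD: params} from a multi-line 250 EHLO reply (RFC 5321)."""
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:].strip()
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i == 0:
            continue  # first line is the server greeting, not an extension
        keyword, _, params = text.partition(" ")
        extensions[keyword.upper()] = params  # keywords are case-insensitive
    return extensions


def choose_transport(reply: str, require_tls: bool = False) -> Transport:
    """Opportunistic by default; require_tls=True (hypothetical) refuses the fallback."""
    if "STARTTLS" in parse_ehlo(reply):
        return Transport.TLS
    return Transport.DEFER if require_tls else Transport.PLAINTEXT


# Constructed EHLO replies from two hypothetical receiving servers.
WITH_TLS = "250-mx.example.net Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
WITHOUT_TLS = "250-mx.example.org Hello\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, reply in (("with TLS", WITH_TLS), ("without TLS", WITHOUT_TLS)):
        for strict in (False, True):
            print(name, "require_tls =", strict, "->", choose_transport(reply, strict).value)
```

The opportunistic default matches the behaviour described above: the message still goes out when the other service offers no encryption, so the fallback is worth logging per destination.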
The third point is entirely under user control. If a message’s content is encrypted before sending or receiving through Runbox, then whether it is transmitted securely or not is much less important because only the sender and recipient will be able to decrypt the message and read it.
Runbox is planning to provide a method of allowing members to encrypt and decrypt messages using PGP (Pretty Good Privacy) within the Runbox Webmail.
The best way to encrypt messages with your Runbox account today is to use the Thunderbird email client with the Enigmail Open PGP add-on.
For more information about email security see our page on Secure Transfer of Email.
7 thoughts on “Email Privacy, Security and Runbox”
You are wonderful.
These days many governments are trying to tap all communications.
The latest one is PRISM by the US Government.
There is a site that may be used for testing how encryption is set up on web sites. I tried https://secure.runbox.com (only to find someone had done it before). The result seems to be very disappointing, secure.runbox.com got the lowest possible rating!
A VERY HAPPY note on the other hand is that https://rmm6.runbox.com got the highest possible rating! Which among other things includes Perfect Forward Security!
Security results are somewhat uneven then 😉
The site in question is https://www.ssllabs.com/ssltest/index.html, try entering secure.runbox.com to get a rather comprehensive report on the state of SSL encryption.
A small disclaimer is in order. I have no idea about the reliability of ssllabs, I only find that they are referenced from several different sites on the Internet.
Thanks for providing this service, I have been a customer for a long time now and I am not looking back!
We are working to upgrade the secure.runbox.com server to improve its SSL certificate rating, but are planning to move all web traffic to RMM6 which has an A rating as you mention.
Although you get an A rating for RMM6 you don’t have Perfect Forward Secrecy enabled, according to the results. Plus you are using the RC4 cipher, which is now known to be insecure (https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what).
Apart from those 2 issues, splendid job.
Mikael Lundgren said that rmm6.runbox.com supports Perfect Forward Secrecy. However, I just did a test on ssllabs.com and it shows that rmm6 does not support Forward Secrecy (FS).
From what I know, you’ve been working on it for the last 2 months, so there’s probably a big update coming about. Is Runbox gonna support FS?
Why is the Norwegian landing page http://runbox.no not redirected to HTTPS like http://runbox.com is?
I never liked the idea of having a separate secure environment. The web site should just be secure by default.
Yes, we agree, and it will be in not too much time.