Outlook for iOS – Privacy Issues

Email Apps and Privacy

Back in May 2014 we reported on our investigations in to two smartphone/tablet apps that had been launched. We were worried to find that the apps did not use our outgoing SMTP servers directly, and instead sent email through non-Runbox servers. This made for much easier set up of accounts, but we didn’t like that it wasn’t obvious to the user what was going on.

Those apps were myMail and Evomail (the later is no longer available).

Outlook and Privacy

Outlook now has IMAP compatibility and is able to work with Runbox accounts, however, like myMail and Evomail it doesn’t connect directly to the Runbox SMTP servers for outgoing mail. In fact, we don’t know if it retrieves email directly from our servers either. We do know that it stores some details of your account on servers that are part of Amazon Web Services.

If this doesn’t bother you, then that’s fine as Outlook is turning in to a nice email app that sits nicely alongside the other Microsoft offerings for iOS and Android.

Using Email Apps that Connect Directly to the Runbox Service

We believe that for maximum security and privacy email apps should be connecting directly to the Runbox service and not connecting via other servers, or storing account details anywhere other than in the app on the device.

Usually if you have to enter the server details for incoming and outgoing mail then the app is likely to connect to those services directly. If you have any doubts about an app, please get in touch with Runbox Support and we will investigate how it behaves.

Continue Reading →

Upgrading Runbox 5 Customers

Today we have upgraded the remaining Runbox 5 users to the latest version of the Runbox webmail interface. We introduced Runbox 6 in January 2013 and gradually most of our customers have moved over to this.

This latest interface has a number of new features, and is built on programming that is more stable and allows us to add new features more easily.

You can read more about the features in the original blog post about Runbox 6.

The change to the latest webmail version also allows those customers previously using Runbox 5 to access the new webmail design called Runbox Aero. This is a modern and more user-friendly design, with graphics that are compatible with the newer high resolution screens featured on laptop and desktop computers.

If you have any questions about this change, please get in touch with us at Runbox Support or email support@nullrunbox.com

Continue Reading →

Email, Encryption and Data Surveillance

As each day goes by there seem to be new revelations about which countries are spying on each other, or have secret agreements to monitor traffic by putting “taps” on strategically important cables entering or leaving countries. It is hard to keep track of all this information, and even harder to verify what is fact and what is speculation.

Questions, questions!

If you care about your data or email and whether it is private or not, then all of this should bother you; in fact it should bother you quite a lot. But how do you make sense of it all, and what action can you take, assuming you can take action that is? Which countries will look after your data best? And who can actually read your email as it is delivered to and from your email provider?

At Runbox we get asked a lot of questions like the ones above, and we have come to the conclusion that often we are worrying about the wrong things.

Who are the players in this real-life James Bond story?

five-eyesThe United States National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) have featured heavily in the media, and along with three other countries (Canada, Australia and New Zealand) they make up the so called “Five Eyes” countries that are known to be monitoring communications.

These countries have an agreement to share data that they collect through their extensive networks. This is not speculation, this is hard fact in the public domain, and together they form the single biggest data sharing network ever conceived. The allegations that they spy on each others citizens and then share data with each other to get around domestic regulations relating to spying on your own citizens is one of the most controversial claims that have been made in the last few years.

There are other revelations that suggest many countries also have agreements with the NSA and GCHQ in return for various kind of technological assistance that might benefit the collaborating nation.

More recently, and closer to home for Runbox, we have seen allegations that Denmark is monitoring data entering and leaving Norway, and that Sweden is pretty much in league with the NSA about as much as the other “five eyes” countries. At a glance this can seem worrying given that Runbox is based in Norway.

But does it really matter?

Data everywhere, and no place to hide

surveillanceOn a political front it probably does matter, but on a practical level if you email someone who is outside of Norway the chances are the data passes through a number of countries and worrying about the ones geographically adjacent to Norway seems a little pointless. For example, if you email anyone on Gmail, Yahoo, Outlook, iCloud or any of the other major providers, the chance is your data is going to end up in the one country that is at the centre of the recent revelations – the USA.

The reason we get asked questions about security is because people want to take positive action to protect their data, so what can you actually do?

Stored email and data

The question about which email provider will protect your data best when it is on their servers is a separate issue to the one surrounding your data when it is being transferred from one place to another. In respect of your email provider, you are better to keep your email data in a country that has strong privacy laws, and with a provider that tries to encrypt the transfer of that data to and from your account. Runbox is based in a country that does have strong privacy laws, and we always try to encrypt your data when transferring it to and from your account.

So choosing an email provider isn’t too difficult once you know what to look for.

So what about data transfer?

Given that we know agencies are monitoring Internet communications (it doesn’t matter how much or little of this is going on) it is best to assume that anything that you do on the Internet, or anything you email can be monitored by someone. You can think of this as being like sending a private message on a postcard through the usual mail where everyone including the post office and your family can read the postcard.

Fundamentally the data that makes up your email can be read by any server it passes through on its way to its destination. Mail servers also write information to their hard drives and then use that data when sending your email on to the next destination. This means that temporary copies of your email are also made!

There is very little you can do about this, it’s how email works.

Email-EncryptionAn obvious solution to prevent prying eyes from reading your email is to use some sort of code that only the sender and recipient can decode, and that is exactly what encryption is. If you encrypt a message with a strong enough key then it is currently not possible for anyone to read it without having the private key and passphrase. For now we will ignore allegations that encryption has been subverted by governments as it is clear that strong encryption does still work adequately.

Regardless of whether you encrypt messages yourself, Runbox attempts to encrypt your email when it sends to and receives email from other providers on your behalf. This is an important security feature, but it isn’t universally used and even some major email providers do not offer this kind of encryption. Where it is not offered your email is delivered unencrypted and it is just as vulnerable to interception then as a postcard is.

End-to-end encryption

Email is about 40 years old, and it hasn’t changed much in all that time. For decades computer security experts have been aware of the insecure nature of email, which is why email encryption has been around for about half the time email has existed. Encrypting your enigmail_gnupg_thunderbirdemail is not a new idea at all, but as a proportion of email sent very little is encrypted by the sender.

The best overall solution is to encrypt the message before it leaves your computer and not rely on anyone else to protect the data for you. The data can then only be decrypted at the recipients end if the correct key is available and the passphrase for that key is known. This is called end-to-end encryption.

There are various ways in which you can encrypt your email, some involve email client (app/program) like Thunderbird, Outlook or Apple Mail and others are integrated in to the webmail service of email providers.

You don’t need to be an expert to encrypt your email

Encrypting your email is not as difficult as you might think, but you might need to make some changes to how you use email.

We are used to having a very wide variety of email providers at our fingertips, and encryption isn’t necessarily going to be compatible with all of those various interfaces. Elsewhere on this blog and on the Runbox help website we explain some of the easier ways to implement strong email encryption that can be used with most email providers.

Yes, you are going to have to give your friends, family and colleagues keys so they can decrypt email and also send encrypted email to you, but is that really much more difficult than having to give them a key to get in to your home (assuming you want them in your home that is)?

If you encrypt your email it won’t matter what revelations are in the news next week, only you and your recipients will be able to read your email. Unless of course the revelations are about encryption having been compromised…

For more information

Continue Reading →

Warning About Insecure Email Apps

We have become aware of at least one email app (application software) available for smartphones and tablets that undermines the security of email sent using your Runbox account.

The email app is very easy to set up with only your email address and password, and you can get it working within a few minutes at most. It was due to this ease of set-up that we became suspicious. There is always a push towards making things easier for users of technology, but we believe that this is one step too far.

We discovered that the email app was not sending email through the Runbox mail servers. There was no SSL encryption between the email client and the servers, and no onwards encryption to a destination that we know normally uses encryption when sent via our servers. Instead of using our servers in Norway, the app used a mail server in another European country!

If this wasn’t bad enough, there was no user notification that the app hadn’t used the correct servers and was instead using an alternative server.

We won’t mention this particular app by name here as that wouldn’t be fair, especially when there may be others that do the same. We do not recommend this type of email app for phones, tablets or computers in general, and we cannot be held responsible for the delivery of email not sent through our servers, but apparently coming from your Runbox email address.

We would urge all Runbox customers to consider the following:

If you are not asked to enter the secure server settings as detailed on our settings page, then you are not in control of how your email is received or sent.

If you have any further questions about this, or would like further advice, please contact Runbox Support.

Continue Reading →

Runbox No Longer Uses Tracking Cookies

From 1st October 2013 the Runbox websites will no longer use browser-based tracking cookies to collect anonymous statistics about visitors to the public part of our website.

We have never used tracking cookies on the logged-in pages of the website that make up the email service itself.

What are tracking cookies?

Tracking cookies are small pieces of code embedded into web pages that can collect useful information about browsers that access those pages. The statistics are used to find out how visitors use a website, and in turn this information can be useful to improve the website for visitors. The cookies we used could also tell us something about the types of browsers being used, and help us identify problems with our web pages. Statistics such as which countries people visit the web site from can also help with our marketing, and in turn this can help make Runbox more cost effective for our members.

So if tracking cookies are so useful, why are you removing them?

Over recent months there has been increased awareness of privacy and security in online communications. You will probably have heard about this in the news on many occasions. Runbox is very certain of what it does with the personal details of its members, and Norwegian law makes it illegal for us to share that information with anyone without a Norwegian court order.

Like some of our members, we have become uncomfortable with us sharing even anonymous information with other services. Therefore, we have taken the decision to remove Google Analytics from our website. We also tried an open source alternative that recorded data only on our own servers. However, after various conversations both within the Runbox team and with some members, we felt we needed to move away from tracking that uses code inserted into the web pages themselves.

How can I check that you have removed tracking cookies?

If you want to see what kind of tracking cookies are used on any website, you can download a free browser add-on such as Ghostery. This add-on shows you the cookies being used, and also allows you to block them.

Are you using any kind of cookies on your website?

Yes, we use session cookies when you log in so that you can use the webmail interface. These sorts of cookies are very common on websites where you need to log in to an account and mean that you only have to provide your details at the login page and not on each page you access. You can read more about why we use session cookies in our Privacy Policy. Session cookies are not tracking cookies and do not record information about which pages you visit on our website.

So are you collecting any kind of statistics?

Like any other responsible service our servers automatically log* each request in case something goes wrong. This anonymous information is considered essential information from an administration and technical point of view. Many would regard us as being irresponsible if we didn’t know something about what pages had been accessed on our own servers. No personal information is recorded in these logs. Anonymous statistics can be compiled from the logs, and when we do this we will use that information internally only. This information will be subject to the same rules as any personal information we have about members, and not shared with third parties.

A note about IP addresses

Some members tell us they are concerned that the IP (Internet Protocol) address assigned to them by their Internet Service Provider (ISP) could be used to find where they live. It is true that some IP addresses are arranged regionally by ISPs, and this might reveal some information about where the Internet connection that IP address is assigned to is located. If you are concerned that your IP address reveals too much information about you, then we suggest that you contact your ISP to find out if they are able to help you in any way. There are websites that can give you some idea about what geographical information your allocated IP address gives away about your Internet connection. Just do a search for “geoip”.

It is possible to use Virtual Private Network (VPN) services to get more privacy. These effectively give you an alternative IP address to the one given by your ISP, and this can even be in a different country to where you live. VPN connections like this work by providing a secure encrypted connection to a server in another location, and it is from this remote location that you access the rest of the Internet.

If I still have concerns what should I do?

If you still have questions about Runbox and how we ensure your privacy please get in touch with us by using our support website at https://support.runbox.com.

 

 * The word log is a shortening of log-book. A ship’s log-book was a record of its journey and was called this because a log would be thrown overboard with a rope attached, and the progress of the ship would be measured by the number of knots that would pass through the sailor’s hands in a given time.

Continue Reading →

Runbox not Accessible (routing problems outside our network)

Update 01-Sep-2013 0915 CEST: We believe the routing issue has now been resolved. If you know otherwise, please get in touch.
——–

A small number of our customers are reporting that they cannot access the Runbox servers via their Internet service provider.

It appears that there is a problem with one or more Internet service providers outside the Runbox network. Our network carrier Blix, along with carriers Cogent and Telia, are working to identify the problem but as yet there is no known cause and no estimated time for a solution.

If you are experiencing problems reaching the Runbox servers and wish to send us your IP address and a traceroute to www.runbox.com, please do as they are useful to the Internet providers trying to sort this out. To do this, enter “tracert runbox.com” in a Command Prompt window on Windows (or “traceroute runbox.com” in Terminal on OS X), and copy & paste the result into a support request via https://support.runbox.com.

We will post updates here when we know more.

Continue Reading →

Emails being rejected

UPDATE: As of midnight EST on August 25 this block appears to have been removed. We have yet to be told what caused it however.

Some members may find that emails they are sending are being rejected by some email services. The Runbox servers have been blacklisted for some reason by Proofpoint despite their own website saying there is no recent reason for doing so. We have contacted Proofpoint to find out why we are listed and to get our servers removed.

Addresses affected will vary but we are aware that Apple use Proofpoint on their @me.com, @mac.com and @icloud.com addresses and it seems a variety of educational organizations also use their list on email addresses ending in .edu

Rejected emails will usually include mention of Proofpoint in them, and this is how you will know if your emails are being affected by this.

We apologize for any inconvenience.

Continue Reading →

New Runbox Help Website

We are pleased to announce that Runbox now has a new help website at help.runbox.com.

While we wanted a new format so that information was clearer and easier to find, we also recognized that some of the information on the old help website needed updating.  With the new website, we have done both at the same time!

We have highlighted some of the main areas that Runbox members are likely to need at the top of the page: How-tos, FAQ, and Documentation.

Lower down you will find facilities to search the help website, and also select topics from the tag cloud and category list.

How-tos

On the new Help site you will see we have a new section called How-tos. These are articles on how to set up services or software to work with Runbox, like how to set up the Thunderbird email client, or how to change the MX settings with a domain host so that you could use your own domain with your Runbox account.

We will continue to add to these as we are sure there are other things that would be useful. If you think of any, let us know!

Frequently Asked Questions

We have updated the Frequently Asked Questions, and put them in a section that is easier to find and navigate.  If you think there are additional questions and answers that should be in there that aren’t, please let us know.

Documentation

On the new Help site you will see we have brought across all the usual Documentation and also updated it.  We still have work to do on graphics for some areas, and will be producing some updated and new video guides explaining how to use certain features.

How to find what you’re looking for

Finally, a word about Search and Categories/Tags. You can now find what you are looking for by using the Tag Cloud, or the list of categories (Site map) on the right-hand side. Clicking on a tag or category will take you to an alphabetical list of pages that are related to that topic.

Search will of course look for keywords in documents, and attempt to list them in order of relevance.

We hope that you find the new help website useful, and we would be pleased to hear from you about ways in which we could improve it.

Continue Reading →

Email Privacy, Security and Runbox

In recent weeks (for some reason) we have seen an increase in demand for information about whether Runbox collaborates with any government law enforcement agencies when it comes to the email sent and received by our members.  We have also had numerous enquiries asking what we do to ensure the privacy of email sent and received by Runbox members.

It seems like a good time to review what Runbox does and doesn’t do.

Monitoring by Law Enforcement & Security Agencies

Runbox is not involved in any routine exchange of members’ data with anyone.

All email data is stored in a secure facility in Norway and access to the data center is very strictly controlled.

Casual requests for information about Runbox members and their email are categorically rejected.  More formal requests are always directed to the Norwegian court system.  Only if a valid Norwegian court order is received, and the proper procedures have been followed, will the request be considered. At that point it will be referred to our legal representatives.

We adhere to our own strict Terms of Service as well as Norwegian laws and regulations, and if we become aware of activity that is contrary to those we will take appropriate action.

Details of laws and regulations as they apply to Runbox can be found on our Email Privacy and Offshore Email page.

Email Privacy and Security

In recent weeks certain claims have been made that email can be intercepted by government agencies as it crosses international borders. Regardless of any truth or otherwise in these claims, the security of email transfer is essential.

It is important to distinguish between three points of security.

  1. Security of the connection between you and the Runbox email service.
  2. Security of the connection used between the Runbox email service and other email services.
  3. Securing the content of your email in addition to 1 and 2 above.

In the case of the first point Runbox provides the facility for email to be encrypted during transmission to and from our members. All that the member needs to do is use our server secure.runbox.com with the appropriate settings.

On the second point, we employ encryption techniques when sending to and receiving from other email services. However, this is only available if the other service also offers this facility.  If it doesn’t then we have to use an unsecured connection.

The third point is entirely under user control.  If a message’s content is encrypted before sending or receiving through Runbox, then whether it is transmitted securely or not is much less important because only the sender and recipient will be able to decrypt the message and read it.

Runbox is planning to provide a method of allowing members to encrypt and decrypt messages using PGP (Pretty Good Privacy) within the Runbox Webmail.

The best way to encrypt messages with your Runbox account today is to use the Thunderbird email client with the Enigmail Open PGP add-on.

For more information about email security see our page on Secure Transfer of Email.

Continue Reading →

Unlimited Aliases – Using Domain Catch All with Filters

Aliases

From time to time we get asked by members if we could allow unlimited aliases on domains as part of our standard plans that have email hosting included. We understand that if you own a domain you want to use it in a way that suits your needs.

You can of course purchase additional aliases for your account and use them with your domain.  However, this comes at additional cost, and there is another way that you can effectively create aliases for free.

Using Catch All

In Account > Email Hosting you will see a list of your domains (if you have any) and next to each one is the option to allow that domain to “catch all” email that is sent to it.  The benefit of selecting catch all for a domain is that all email sent to anything@nulldomainyouown.com will be delivered to your account.

Pros:

  • you don’t need to set up aliases you can just make up anything@nulldomainyouown.com and use it immediately
  • emails where people mistype the alias will still be delivered (as long as they spell the domain correctly of course)
  • effectively unlimited aliases

Cons:

  • it could increase the amount of spam you receive because all email is delivered and spammers may try to guess aliases

As you can see, the pros outweigh the cons, and there is even something you can do about the spam issue (see below).

Using Filters with Catch All

When using catch all, emails can still be filtered just as with any alias that is set up.  With the careful use of filters a lot of flexibility can be achieved.  If you look at the screen-shot below, you will see a number of filters are being used for different purposes. An explanation of each filter follows the screen-shot.

alias_filters


In the case of each filter the “Header” option is used because the use of “To” would not match emails where someone sends to your address/alias in the CC or BCC fields.

Filter 1:  Filters emails sent to alias1@nulldomainyouown.com and moves them to the Inbox.

Filter 2:  Filters emails sent to alias2@nulldomainyouown.com and moves them to a folder called Personal.

Filter 3:  Redirects emails sent to alias3@nulldomainyouown.com to any other email address you want, and does not leave a copy of the email in your Inbox.

Filter 4:  When you use your own domain with Runbox, by default we always allow email to postmaster@nulldomainyouown.com to get to your Inbox unless you decide to filter them. This is good email practice and this is common across email providers. You will require something like Filter 4 if you decide to implement Filter 5.

Filter 5:  This is where we can do some spam control. This filter deletes all email addressed to your domain that doesn’t match one of the filters that comes before it.  Filters are matched in order, so this one has to come last. If a spammer tries to guess at an address at your domain, this filter will prevent those emails reaching your Inbox.  However, it does not reject them, and people who might mistype your alias will also have their emails deleted with no rejection email to warn them that the email was not  delivered.

A Note about Filter Orders

As mentioned earlier, filters are used in the order they are listed. In the example above the ordering is deliberate even though the order of the first 4 does not matter too much in this case. Filter 5 has to come last otherwise it would delete all email to your domain before the others could filter it.

The order 1-4 that we have used in our example places the filters after our spam filters.  This might be desirable.  However, if you were using a filter to redirect email to another email address, you might want all email to that address including possible spam to be sent to the other address so that filtering can happen in the destination account.

To do this you need to place any filters before filter value -2 (minus 2) as this is where the Runbox spam filters are. You can see a list of filter order values in the Runbox discussion form under Order Values for Filter Processing.

Continue Reading →