In situations such as the one we are currently experiencing with COVID-19, uncertainty spreads easily and one may wonder whether services we rely upon will continue to function as usual. We are aware that our email service is of great importance to our customers, and that many rely upon Runbox in their professional and personal lives.
We can assure you that our operations will continue to function normally.
Runbox is located in Norway, a country with robust and reliable Internet services, and the Norwegian government and telecommunication operators are on the alert to ensure that Internet services are running as normal.
In our organization telecommuting is the modus operandi, and we are used to working from home offices or remote locations. For the immediate future the use of our headquarters is suspended in accordance with the advisory from our health authorities, but this will not have any impact on our day-to-day operations.
These are also the regulations our partners in Norway adhere to, and our affiliates abroad will naturally follow the advice in their respective countries. The data center where our servers are located will be enforcing stricter access procedures, but will otherwise operate normally.
This means that maintenance, support, development, and other internal functions will continue to work as usual. Our services are running on our own infrastructure, and there are no indications that our service will be exposed to any consequences of the current situation.
Our mission is to provide electronic communication between people, which is more important than ever in these times. We will continue fulfilling this obligation with dedication and determination.
We usually think of “personal data” as a term that contains for instance a person’s full name, home address, email address, telephone number, and date of birth.
These are ordinary data that can obviously identify a specific person. But in the personal data category of linked personal information are also data such as social security number, passport number, and credit card numbers – data that can identify us, and data we usually feel more restrictive about.
Linkable and non-linkable information
But there is another category of data that on its own may not be able to identify a person, but combined with other information could identify, trace, or locate a person. Such data are gender, race, sexual orientation, workplace, employment etc. These are examples of linkable personal information.
Then we have the category non-personally identifiable information. That is data that cannot be used on its own to identify or trace a person, for example IP addresses, cookies, device IDs, and software IDs (non-linkable personal information).
Privacy regulations differ in the EU and the US
Now, we know that there are industries that exist almost under the radar while taking advantage of personal data. For instance, companies in the AdTech and MarTech industry base their business on collecting and trading personal data for targeted advertising and marketing.
Many of these actors try to take protection of personal data seriously, and refer to the rules and regulations for processing personal data. In Europe this is the GDPR (General Data Protection Regulation) within the EU/EEA-area1, and in the US it is the responsibility of the FTC (Federal Trade Commission).
However, what the EU/GDPR and US government agencies mean by “personal data” is different. Specifically, the definition by EU/GDPR is more comprehensive than the definition often referenced by US agencies, such as that of NIST (National Institute of Technology).
For example, the
EU concept of personal data includes information such as cookies and
IP addresses, which are not considered as personal data in a US
Definitions of “personal data”
National Institute of Technology’s definition
NIST’s definition of personal data is contained in the definition of Personal Identifiable Information (PII):
PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
US Office of Privacy and Open Government’s definition
Another PII-definition is
from the US Office of Privacy and Open Government (OPOG) as
The term personally identifiable information refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
EU’s GDPR definition
Compare these PII-definitions with the GDPR Article 4(1)’s definition of personal data:
…‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
It is obvious that GDPR defines personal data much broader than both NIST’s and OPOG’s PII, and this is underlined by this statement found in GDPR’s Recital 30:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
The US is lacking comprehensive regulation
That said, US authorities are moving towards stronger protection of privacy and personal data, but as late as March 2019, the US Congressional Research Service says:
Despite the increased interest in data protection, the legal paradigms governing the security and privacy of personal data are complex and technical, and lack uniformity at the federal level. The Supreme Court has recognized that the Constitution provides various rights protecting individual privacy, but these rights generally guard only against government intrusions and do little to prevent private actors from abusing personal data online. At the federal statutory level, while there are a number of data protection statutes, they primarily regulate certain industries and subcategories of data. The Federal Trade Commission (FTC) fills in some of the statutory gaps by enforcing the federal prohibition against unfair and deceptive data protection practices. But no single federal law comprehensively regulates the collection and use of personal data (our emphasis).
When US websites claim to follow the rules for processing personal data it is dubious at best, compared to the regulations in the EU/EEA – which the Norwegian legislation is based on and is what Runbox adheres to.
However, it should be mentioned that some US states, for instance California, do classify some anonymous data (i.e. IP-addresses, aliases and account data) as PII.
Above we referred to the AdTech and MarTech industries and their usage of personal data to identify, trace, or locate a person for advertising and marketing purposes. That topic is outside the scope of this blog post, but is absolutely worth writing about in a later post.
1 EEA = European Economic Area, that is the EU and three countries: Iceland, Lichtenstein, and Norway.
The year 2019 has confirmed that humanity’s collective activities have pushed Earth’s ecosystems towards the boundaries of what they can sustain.
In fact, for many ecosystems and species the boundary has already been crossed, and species are now vanishing at a rate higher than ever before in recorded history.
The realized threat of global warming
In addition to more obvious drivers of species extinction such as over-exploitation of natural resources and habitat loss caused by agriculture and other land development, the greatest immediate threat to the existing biosphere is global warming.
However, in spite of repeated and increasingly dire warnings from the scientific community for more than a century, greenhouse gas emissions from human activities have increased dramatically and continue to do so.
The chemical composition of the atmosphere and the oceans are undergoing dramatic changes with accelerating positive feedback loops involving not only CO2 but methane, nitrogen, and sulfur as well as several other essential components.
When the Earth’s temperature increases and its distribution is altered, it affects geophysical systems such as prevailing wind patterns and ocean currents — the global conveyor belt responsible for carrying salt, nutrients, and other essential chemical components upon which marine life depends.
In addition to the catastrophic loss of biodiversity, the accelerating changes in our natural environment lead to regional famine, mass migrations, conflicts, and war between peoples fighting for dwindling resources.
Current mitigation plans are inadequate
According to the UN’s Climate Action Summit report we have until 2030 to cut CO2 emissions by 45% in order to limit global warming to 1.5°C . This entails a global average reduction of 4.5% per year over the next 10 years, while emissions on average have increased 1.5% annually in recent years.
This may not sound like much, but in reality it constitutes an enormous challenge on a scale unlike any we have successfully undertaken in the past.
The bottom line is that every person, every organization, every business, and every government have to do their uttermost to reduce their ecological footprint.
Although governments, large industrial companies, and international institutions can do the most to reduce hydrocarbon dependency and restore the depletion of natural resources that is taking place, even small contributions will have an effect — but we are short on time.
At Runbox we have decided to have a positive impact on the planet and our environment, and we want to achieve this with a net negative ecological footprint.
We will take responsibility in several different ways, and have implemented the first version of our Environmental Policy to this end.
In our policy we commit to reducing our ecological footprint as much as possible through reducing, reusing, and recycling the resources we utilize.
This includes our data center, servers and other equipment we acquire, where we source our hardware, how we use and power our office spaces, and the communication and transportation involved in our operations.
For the greenhouse gas emissions that do result from our operations and activities we shall compensate doubly.
We will accomplish this by funding the planting of trees through OneTreePlanted sufficient to absorbing twice the amount of greenhouse gas emissions we are responsible for.
Planting trees is the best existing method of capturing carbon from the atmosphere, and has several other beneficial side-effects as well. So we will support rewilding the forests in order to restore and protect ecosystems, our natural environment, and a habitable climate.
We will also encourage partners, stakeholders, and associates to become more environmentally friendly. Furthermore, we will push for the development and implementation of green and renewable technologies and help encourage governments to become more environmentally responsible.
We are extending our commitment to provide free email services to non-profit organizations with an environmentally oriented profile.
We hope to inspire other companies to adopt similar policies and contribute to a positive impact on the only planet we can call home.
One of the main objectives for the European Union (EU) when they developed the replacement for the Data Protection Directive 95/46 (from 1995), was to expand individual control over the use of personal data.
This can be seen in a broader view as an implementation of the right to one’s private life, as laid down in the European Convention on Human Rights (Article 8). The right to respect for one’s private and family life is also stated in the EU Treaty on Fundamental Rights (Article 7).
Already in GDPR1 Article 1 we see the connection between the GDPR and especially the Treaty on Fundamental Rights:
This Regulation protects fundamentalrights and freedoms of natural personsand in particular their right to the protection of personal data
Article 1-2 of the GDPR
Observe the expression “rights and freedoms of natural persons“, which is very important throughout the Regulation and is used 31 times in all.
Before we go further into the subject of this post, it is important to state that Norway’s legislation on the processing of personal data was already compliant with the GDPR before the latter was declared as the new framework for the legislation in Norway. The Norwegian Personal Data Act (PDA2), as compliant with the GDPR, tok effect 20 July 2018.
First and foremost, the GDPR states that no processing of personal data shall be done unless the data subject has given consent (Article 6-1, a). Runbox obtains consent to registration of our users’ personal data when they sign up for an account and accept our Terms of Service.
The GDPR (Article 6-1, ff.) allows a controller – that is Runbox in our context – to process personal data when there is a legitimate reason for doing so, i.e. something that is necessary to use our services.
It is an important objective for the GDPR to secure one’s control of one’s own personal data. In this respect, the GDPR has given the data subjects eight fundamental rights (Article 15—17).
When implementing these rights in Runbox, we found that most of those were already there. However, the introduction of the GDPR provided us with a checklist and the opportunity to analyze our status, and to improve our services in this respect.
The right to access (Article 15): Since Runbox does not collect other types of information than what the users register by themselves, they can easily check which personal data is processed. The data processing is only done in order to process your emails, and optionally your web site and domain name.
The right to rectification (Article 16): You may at any time log in to your email account and change your personal information.
The right to erasure (‘right to be forgotten’) (Article 17): You may terminate your subscription any time, and your account contents will subsequently be deleted after 6 months. Your personal details data will be deleted after 5 years in accordance with Norwegian accounting regulations. However, you may send a request to firstname.lastname@example.org for immediate erasure of your account contents.
The right to restriction of processing (Article 18): Runbox will never use your personal information for purposes other than providing our services to you, so restrictions are not necessary in our context.
The right to be informed (Article 19): Runbox uses your personal information only in order to provide our services to you..
The right to data portability (Article 20): In case that you wish to move to another email service provider and export your data, you will find information on how to do this through our services and documentation.
The right to object (Article 21): Since we never will use your personal data for other purposes than to deliver the services you have agreed to, this right is implicitly fulfilled.
The right to individual decision-making (Article 22): This article is intended to protect data subjects against automated data-processing that might involve profiling them based on personally identifiable information, which is something Runbox doesn’t do.
Regarding questions or concerns about our implementation of the GDPR, customers may use the email address email@example.com as a direct channel to our appointed Data Protection Officer.
In our next post in this series, we will consider our contractual situation regarding GDPR requirements. Stay tuned.
1. The GDPR means Regulation EU 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC General Data Protection, General Data Processing Regulation. Article refers to Article in the GDPR, unless stated otherwise.
2. The Personal Data Act (the PDA) means the regulations that are currently in force in Norway for the protection of individuals in connection with the processing of personal data, which includes the implementation of GDPR in Norway (2018-07-20).
At Runbox we are continuously working to improve the security of our services. We are now strengthening the security of your web browser’s connection to our servers to ensure that it utilizes modern web security standards.
If you are using an updated version of one of the major web browsers such as Firefox, Chrome, Safari, Opera, and Edge you will probably not notice any effects. You can then continue using our services just like before, while knowing that the strongest encryption protocols are being utilized.
If you’re using a non-standard or not updated web browser, then please read the information below for more details about these changes and how they may affect you.
Those who are interested in the technical details of these changes may also find this information useful.
What we are doing
When you visit our website the connection between your web browser and our web servers is encrypted. This means that no one can intercept your username, password or any other transmitted data including the content of your email messages.
It’s important to use a modern browser that supports modern encryption methods to prevent that encryption from being broken and compromised. This is essential to web security because hackers increasingly use more powerful computers and techniques in their attempts to decrypt data and eavesdrop on unsuspecting users.
In order to ensure that Runbox is providing the latest and most secure encryption between your browser and our service we will therefore end support for outdated encryption methods.
This entails that we will only support the strongest encryption cipher suites that are compatible with most major web browsers.
It also helps us prevent unauthorized access to our servers and helps keep the Runbox services safe for all of our customers.
On December 1, 2019 we will retire some outdated encryption methods and this might affect some older web browsers.
Once these changes are made the TLS protocol version and cipher suites will be the same for all access methods to our email services, including web, POP, IMAP, and SMTP.
The technical details
You don’t need to delve into all the technical details, but we know many customers are interested in this and it is useful for everyone to stay educated about web security.
The changes involve retiring support for TLS (Transport Layer Security) version 1.0 and 1.1, and only provide support TLS 1.2 or later. We will also only support a small suite of strong encryption cipher suites that are recommended by the reputable organizations Mozilla and OWASP.
TLS 1.2 has been around for 10 years so there has been a long time for browsers to adopt the use of this type of encryption. However, you don’t need to understand anything about this to make any necessary changes.
All the cipher suites we will be utilizing are of the type Diffie-Hellman Ephemeral (DHE), which means that a unique cryptographic key is generated each time a new connection is made.
This in turn means that even in the unlikely event that one set of keys is compromised it cannot be used for another connection made from another client (“forward secrecy”).
An updated list of cipher suites that are supported currently include the following:
vast majority of web browsers already support TLS 1.2 and you are only
likely to have a problem if you are using an outdated browser and/or an
outdated operating system.
We have tested the following browsers and they all work with the modern encryption that we will use:
Many other modern browsers are also likely to work with TLS 1.2 and those listed above are just commonly used ones that we have tested.
What you can do
If you are not using an upgraded version of one of the major web browsers listed above, please upgrade your web browser and/or operating system now. This is the most important action you can take to ensure that your data and communications are secure.
If you’re using a web browser not listed above and are unsure whether it will continue to work with the specifications we have provided, we recommend that you keep one of the major web browsers available as an alternative.
We generally recommend Firefox as it is free, standards compliant, and open source, and therefore reviewed by the security community.
If you need any further information or help on this issue please contact Runbox Support with details of how we can help you.
Server infrastructure, including all servers and other hardware as well as the links between these.
Softwarecomponents that comprise our application stack from the operating system level to the front-end application level.
Data networks, including how and where our serves are connected to the Internet, but also the Local Area Network at our premises.
Data inventory, i.e. all personal data including customer and employee data, financial records, information about partners/associates, etc.
Applications necessary to run the company itself, meaning software that is managerial in nature.
Access control concerns permissions attached to system-related objects. Within each of the components listed above, there may be several sub-objects — servers, software modules, data files, catalogues etc., to which restricted access should be implemented.
Creating an Access Control Table
These objects then form one axis of an Access Control matrix or table (ACT). The other axis of the table include organizational units, broken down into person-related objects, for instance segments or groups, but also individuals, for each unit.
After breaking these objects down to an appropriate level, we attached roles to each of these components. In terms of the GDPR, data processor and data controller are examples of roles to use in this context.
To each of the defined roles, we attached categories of tasks, for instance sysadmin, developer, and support staff tasks.
For our email service systems we found it convenient to structure the system-related objects in 3 main categories:
Within each of these categories there are various numbers of objects, to which access permissions are attached, comprising the Access Control Table for the realm in question. For other realms of our “world” we used a similar approach, resulting in a number of ACTs that implement a principle of least privilege.
With this the groundwork was laid for establishing various mechanisms for implementing the access control regime, in order to secure our most precious pieces of hardware, software, and data.
In our next blog post in this series we will look at Information and Tools for Implementation of Users’ Rights.
In previous posts in this blog series we have referred to our main planning document, Rules and Regulations for Information Security Management, or RRISM for short, where our road to GDPR compliance started out. In that document we worked out the structure of the project, based on descriptions and definitions of the various components.
Obviously, risk management has to be taken very seriously, and the RRISM lays the groundwork for how we should handle this aspect of information security. The baseline is that risk management is an essential part of the company’s life, and one that comprises all its assets.
Defining and assessing risks
As usual, we first had to agree upon some definitions, and we found the following to be adequate for our purpose — directly from NIST (National Institute of Standards and Technology):
Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
In order to assess risks, we first have to identify possible threats that may exploit vulnerabilities in our systems or our organization.
In short: Risk management shall first and foremost have as objective to protect assets that are at potential risk.
Then we outlined the methodology we adopted:
the assets that could be at risk.
possible threats and vulnerabilities.
the possible consequences of each potential vulnerability.
Each threat was characterized by probability and criticality which together gives one of four risk levels: Very High (red), High (orange), Medium (yellow), and Low (green). This helped us decide what we should prioritize regarding improvements, measures, and other actions.
Analyzing our assets we actually found more of these than anticipated, grouped in 21 different asset types, ranging from our customer base, general software in use and our own key business systems, through hardware and communication lines, and employees and partners – and more.
Threat, vulnerability, and gap analysis
Then we reviewed the vulnerability potentials (what could go wrong) for each asset and created scenarios for possible consequences if something happened that exploited a vulnerability.
The question raised thereafter was: Do we have the necessary measures and remedies in place to eliminate the potential vulnerabilities, or mitigate the consequences if things went wrong — or is there a gap?
The next step was to find out what actions should be taken in order to close the gaps in cases where we were not satisfied with the situation, and this will be the topic of future blog posts in this series.
Our mantra through this process has been: Threats we can imagine will sooner or later be reality, but never as we expect them to happen, and never where we expect them.
We live in an ever-changing environment, which means that risks have to be monitored continuously, and so our risk assessment and gap analysis is continually evolving as well.
Privacy and security has always been a part of
the Runbox culture. However, the GDPR project made it clear to us
that we had to systematically work through how to implement the
various aspects of data protection and information security.
Let’s start by recalling the meaning of some important terms:
Privacy is about individual’s right to a private life, and the right to control all information about themselves. Grounded in European Convention on Human Rights (1950), the Norwegian Constitution § 102 states that “Everyone has the right to the respect of their privacy and family life, their home and their communication.” followed by “The authorities of the state shall ensure the protection of personal integrity».
Norway’s law on privacy, the Personal Data Act (PDA1), was introduced as early as 1978, so we have tradition for this kind of legislation. That’s why the GDPR2, in principle, didn’t result in significant changes.
In order to protect privacy, Information Security (IS) is crucial. It is mainly about how to prevent personal data from going astray, but we had to go for a more stringent definition: To secure confidentiality, integrity, authenticity, availability (for the approved purpose only), reliability, resilience (the ability to recover), possession (ownership), and utility (readable for the approved purpose) of the data.
With this in mind, we developed our Information Security Policy (ISP) as a documentation of the GDPR compliancy practices, and GDPR requirements to employees and states the company’s commitment to compliance. Article 24 in the GDPR demands controllers (such as Runbox) to implement appropriate data protection policies, and our ISP is an important part of our response to that requirement.
The purpose of Runbox’ Information
Security Policy is to provide rules and
guidance for Runbox’ employees, Runbox’ contractual
employees/consultants, and everyone else working for Runbox,
voluntarily or according to contract/agreement, so that they in all
to comply with the company’s information security policies,
to ensure that the processing of Personal Data is in accordance with the PDA/GDPR and ensure that appropriate technical and organizational measures are adapted to the purpose, extent and context of the processing, and ensure that such measures are adapted to the risks for the rights and freedoms of natural persons3.
The ISP is a very comprehensive document, stating our commitment to the protection of our customer’s data, and defining technical and organizational measures to fulfill this obligation.
For instance, we will not store customer’s data on any “cloud” (we use our own servers), we shall never disclose account information or email data to authorities (unless presented with a court order from the Norwegian prosecuting authority), and we shall never scan customer’s data to display ads. More information about this can be found on our Privacy Protection page.
An important aspect of the ISP is to define the responsibilities of two roles/positions: The Managing Director is the personified Data Controller, responsible for GDPR compliancy on behalf of the company, and the appointed Data Protection Officer, who is a watchdog regarding the company’s status where GDPR is concerned.
The ISP imposes strict rules for employees, partners, consultants etc. on how to handle systems and data, anchored in a No Disclosure Agreement and Agreement on Protection of Personal Data. This includes rules for how to process and store data and how to protect digital devices.
Finally, let’s mention that the ISP provides rules for contractual agreements with organizations Runbox has partnered with, consultants etc. so that appropriate technical and organizational measures are implemented to ensure GDPR-compliant data processing and systems development.
All together, we have developed two documents that serve as guidance, and control our behavior regarding the GDPR. These are the RRISM (planning document, mentioned in an earlier blog), and the ISP. It is worth mentioning that these documents are continuously updated when new privacy and security issues arise.
means the regulations that are currently in force in Norway for the
protection of individuals in connection with the processing of
personal data, which includes the implementation of GDPR in Norway
means Regulation EU 2016/679 of 27 April 2016 on the protection of
individuals with regard to the processing of personal data and on
the free movement of such data and repealing Directive 95/46 / EC
General Data Protection, General Data Processing Regulation. Article
refers to Article in the GDPR.