Runbox 7 updates December 2020: Improvements to Start Desk

  1. New feature (usage): Add usage stats for tracking the popularity of components/settings
  2. Bug fixes (app): Hide the overview button if no local index is available
  3. Bug fixes (mailviewer): Fix disappearing mail viewer menu
  4. New feature (webmail): Integrate startdesk as a webmail “folder”
  5. Bug fixes (recursive_dynamic_builder): Lint errors fix
  6. Bug fixes (startdesk): Remove timeperiod-specific wording
  7. Visual changes (start): Fix breakpoints for mobile
  8. Visual changes (start): Condense layout in heading area
  9. Visual changes (start): Move section title to the top bar for mobile
  10. Visual changes (start): Clean up and remove unused code
  11. Visual changes (start): Remove heading and adjust the space in top area
  12. Bug fixes (calendar): Ensure we show recurring events correctly color-tagged
  13. New feature (builder): Remove unused var
  14. New feature (builder): Runbox dynamic builder research
  15. New feature (startdesk): Implement folder selectors
  16. New feature (start): Add folder selector.
  17. Visual changes (startdesk): Make folder selector a little more bearable on mobile
  18. Bug fixes (start): Fix case sensitivity for address matching
  19. Visual changes (start): Improve responsivity for mobile screens
  20. Bug fixes (contacts): Only sync once during import of many contacts
  21. New feature (sentry): Include user data in error reports
  22. Bug fixes (account_security): Fix modal typo s/reasions/reasons/


Runbox doubles the storage capacity on all account plans

It’s our 20th birthday, and we’re giving YOU a present!

Our goal has always been to provide professional email services with massive storage space that is also affordable and flexible.

When Runbox was officially launched on October 12, 2000, Hotmail was the market leader with 2 MB storage space.

Runbox then decided to launch an email service with a whopping (at the time) 100 MB free storage — and received more attention (and signups) than we could have anticipated.

It’s now 2020 and we are doing it again, by multiplying the storage space on all our subscription plans by 2!

Our plans will now include storage space as follows:

| Plan | Email Storage | File Storage |
|---|---|---|
| Runbox Micro | 2 GB | 200 MB |
| Runbox Mini | 10 GB | 1 GB |
| Runbox Medium | 25 GB | 2 GB |
| Runbox Max | 50 GB | 5 GB |

These quotas will take effect for your account upon your next Runbox subscription purchase or renewal. So don’t forget to take advantage of the double subscription time on all product purchases through October!

Proceed to our Product page right away to automatically upgrade your account.

And we hope you will enjoy Runbox at least twice as much going forward. 😀


Runbox Celebrates 20 Years with 2 Years for the price of 1 through October 2020

On October 12, 2000 the Runbox email service was officially launched, on an Internet that was quite different from what we are used to today.

Initially, Runbox was a basic email forwarding service with a permanent @runbox.com email address. The original idea was to eliminate the need for email users to inform their contacts about a new email address when they changed schools or work places.

We soon expanded the Runbox service with a custom-made Webmail interface, and offered a whopping 100 MB storage space. This was substantial compared to the 2 MB offered by Hotmail, which was the market leader at the time.

At that time Runbox was a free service, and the offering brought international attention and a large number of users. We then expanded with POP, SMTP, and IMAP access, email retrieval and filtering management, file storage, and support for email domains and domain hosting.

In 2012 we were once again at the forefront by strengthening the security and privacy aspects of our services following the surveillance revelations especially in the US.

Since those early years we have founded a new employee-owned company, continued hardening the security and privacy of our services, and built new partnerships and new server infrastructures, while broadening the foundation of our operations to embrace strong environmental and ethical principles, a diverse and dedicated team, a global customer base, and an inclusive virtual organization.

Now we are hard at work making Runbox 7 the fastest webmail app on the planet. In a world that is experiencing several global crises simultaneously we are increasingly focusing on features that facilitate global interconnectedness, telecommuting, and remote work by making our service more people and activity centric.

In an uncertain future one thing is for sure: Runbox will reinforce our mission to help people communicate better, more efficiently, and in a more organized way.

To demonstrate this we celebrate our 20th anniversary by doubling the subscription time on all Runbox products and renewals free of charge through October.

This means that when you purchase a subscription or add-on you get 2 years for the price of 1 year!

Proceed to our Product page right away to take advantage of this offer.

Thank you to all the customers who have supported us through the years — here’s to the next 20!

Note:

  • The additional subscription time will be applied automatically upon subscribing.
  • All initial subscriptions come with a full 60-day money back guarantee.
  • Hosted domains and other third party purchases are exempt.


Runbox 7 updates June-July 2020: Webmail and Compose improvements

New features such as listing messages by recipient, recently used recipients on Compose, and several other improvements.

  1. New feature (compose): Compose now accepts pasting email lists recipients
  2. Bug fixes (common): Fix edge-case email address (list) parsing
  3. Bug fixes (compose): Different positions for action buttons for mobile and desktop
  4. Bug fixes (compose): Push draft action buttons further apart
  5. Bug fixes (webmail): Only recount folder unread counts after content change
  6. New feature (webmail): Reset search when switching folders
  7. Bug fixes (compose): Make layout more responsive
  8. New feature (webmail): Add a list of popular email recipients to the sidebar
  9. Bug fixes (compose): Update recipient suggests whenever searchindex is updated
  10. New feature (multiple_msg_unread): Replace endpoint that marks multiple messages as unread/unflag
  11. Bug fixes (compose): Update angular deprecated recommendations
  12. Bug fixes (mark_multiple_msgs): Update before the request is completed
  13. Bug fixes (mark_multiple_messages): Try to use messageFlagChangeSubject.next to fix e2e errors
  14. Bug fixes (compose): Make sure suggested contacts are shown with their names
  15. Bug fixes (compose): Make sure we can still drag and drop suggestions to CC/BCC and have them show up
  16. Bug fixes (compose): Reload CC and BCC contents properly
  17. New feature (compose): Allow drag-and-drop for suggested contacts
  18. New feature (compose): Keep feeding the suggestion list after some contacts are selected
  19. Bug fixes (webmail): Make switching to the current folder a no-op
  20. Bug fixes (compose): Show only one suggestions bar per compose window
  21. Bug fixes (compose): Make sure profiles are loaded correctly regardless of races
  22. Bug fixes (compose): Cope with reply-to field in new TO format
  23. Bug fixes (compose): Ensure we cope with CC/BCC emails containing a comma
  24. Bug fixes (compose): Re-add code lost in cherry picking/merging
  25. Bug fixes (compose): Cope with replying to emails where From name contains a comma


Runbox 7 updates June 2020: Webmail and Contacts improvements

  1. Bugfix (webmail): Make sure the URL fragment updates after closing an email
  2. Bugfix (webmail): Prefer contact recipients over searchindex recipients
  3. Bugfix (webmail): Visually scroll the message list when using the up/down keys
  4. Bugfix (contacts): Contact updates now appear in compose window directly after update/addition
  5. Bugfix (webmail): Update contacts cache separately from search index contacts
  6. Refactor (compose): Remove dead code / simplify code
  7. Test (e2e): Ensure localSearchPromptDisplayed is set upon closing the dialog
  8. Test (webmail): Adapt test to new structure. Prefer contacts over searchindex


Runbox 7 updates May-June 2020: Webmail improvements and bug fixes

Runbox 7 enhancements and bug fixes, including better navigation, improved message handling, and a Welcome Desk with common tasks for new and existing users

A full changelog can be seen directly in the app at Runbox 7.

  1. New feature (webmail): Highlight currently “opened” email in mail list
  2. Bugfix (webmail): Fix up/down navigation in maillist
  3. Bugfix (webmail): Close mailviewer when email is deleted via multi-select operation
  4. Bugfix (webmail): Don’t “check” emails in folder view unless actually clicking on the checkbox
  5. Bugfix (webmail): Display selected-mail operations whenever more than one message is selected
  6. Bugfix (messagetable): Display time instead of the date for messages received after midnight
  7. Bugfix (mailviewer): Store message list view settings in browser
  8. Bugfix (mailviewer): Grow HTML view to proper size right away
  9. Bugfix (contacts): Make sure we’re not adding duplicate contacts to groups
  10. Visual fix (mailviewer): Increase the minimal width of canvastable columns
  11. Visual fix (welcome): Add note about how to return to Welcome Desk.
  12. Visual fix (welcome): Make Welcome Desk a flexbox. Use routerlinks where applicable.
  13. Visual fix (mailviewer): Increase the minimal width of canvastable columns
  14. Bugfix (styling): Fix breakpoints for iPad Pro
  15. Bugfix (compose): Ensure we can forward emails with no To or Subject
  16. New feature (login): Add password reset link to login window
  17. Bugfix (canvastable): Make it possible to open email from the bottom of the screen
  18. New feature (login): Add password reset link to login window
  19. Visual fix (login): More modern look to the login window


GDPR in the Wake of COVID-19: Privacy Under Pressure

Tech companies all over the world are rushing to support health authorities in combating the spread of the SARS-CoV-2 virus, which is causing the more well-known COVID-19 disease. Whether those companies do so by invitation, by commitment, or by sheer self-interest, country after country is embracing mobile phone tracking and other technological means of tracking their citizens.

It might be worthwhile to take a deep breath and understand what’s currently technologically possible, and what might be at stake.

Tracking the infection

Everyone wants to avoid infection, and every government wishes to decrease the consequences of the pandemic within their country. And modern technology makes it possible to impose on citizens surveillance systems that represent a significant step towards realizing a Big Brother scenario.

In fighting the spread of the virus, it is crucial to know who is infected, track where the infected are located, and inform others that have been, or may come, in contact with the infected. It is precisely in this context that mobile phone tracking is playing a role, and this is currently being explored and implemented in some countries, raising ethical and privacy related questions.

Smartphone tracking apps

Once tracking of individuals’ phones is established for this particular and possibly justifiable reason, it could be tempting for a government or company to use it for other purposes as well. For instance, tracking data could be combined with other personal data such as health data, travel patterns, or even credit card records. Or the location of the infected individuals could be presented on a map along with the persons’ recent whereabouts, perhaps supplemented with warnings to avoid that area. Privacy is under pressure.

A smartphone can also be used as an “electric fence” to alert authorities when someone who is quarantined at home is leaving their premises, or to fulfill an obligation from the authorities to send geolocated selfies to confirm the quarantine. Some authorities even provide individuals with wristbands that log their location and share it with the relevant authorities. The examples are many, and they are real, underlining the ongoing pressure on privacy.

Big tech gets involved

Very recently two of the world’s biggest tech companies, Apple and Google, announced they are joining forces to build an opt-in contact-tracing tool using Bluetooth technology, and will draw on beacon technology as well. The tool will work between iPhones and Android phones, and open up for future applications one cannot currently imagine.

In the first version, the solution is announced as an opt-in API (application programming interface) that will let iOS and Android applications become interoperable, and — now comes crux no 1 — the API will be open for public health authorities to build applications that support Bluetooth-based contact tracing. The tool is planned for a second step — here is crux no 2 — an upcoming update of both iOS and Android will make the API superfluous. Of course, you can opt-out, but then you can’t download the operating system software update at all.

It is a double-edged sword: It is great that big tech companies are mobilizing resources to help in a public health crisis, but do we really want these companies to potentially know even more about our personal lives (in the name of the common good)? Privacy is under pressure.

Norway’s privacy oriented approach

Norway has also launched a mobile phone application to help limit the spread of the infection, but this development is done under the strict regime of privacy regulations and in accordance with the GDPR. The decision to implement the app was taken by the Government in a regulation containing specifications and strict requirements that ensure adherence to the GDPR, including limited use until December 1, 2020.

It should be added that some of the exceptions in the GDPR for authorities are put into effect because of the extraordinary situation. However, the Norwegian parliament (Stortinget) may terminate the law supporting the regulation at any time if 1/3 of the parliament members decide so.

Even if, at least in theory, it might be feasible to use a similar app from other countries, it is crucial that the software is developed from scratch in Norway. This will ensure that Norwegian authorities maintain control over all functions and data, and that the privacy regulations in the GDPR are respected.

It is also comforting that the app is developed in cooperation with The Norwegian Data Protection Authority (Datatilsynet). Other countries allow similar apps to store health information, access images or video from cameras, or even establish direct contact with the police. Such functionality is naturally out of the question in Norway’s case.

The app is designed and will be used for purposes of tracking the pandemic only, and installation and usage is voluntary. When installed and activated the app collects location data using GPS and Bluetooth, which is encrypted and stored in a registry.

In case of a diagnosed infected individual, health personnel will check if the person has installed the app. Individuals that have been in closer contact than two meters for more than 15 minutes with the “infected phone” will be notified by text message. The location data is kept for up to 30 days, and when the virus is no longer a threat the app will stop collecting data. The app users may at any time delete the app and all personal data that is collected.

What does it take to succeed?

In order for the tracking to have any impact on the spread of infections, around 60% of the population* must use the application. At the time of writing (late April), 1,218,000 inhabitants had downloaded the application, that is about 30 % of the population for which downloading is allowed (age limit 16 years).

However, the number of downloads is not a good metric and there are a few obstacles to making it operable. For instance, the “app” must be installed on the phone, permission to use GPS and Bluetooth must be given, the 4-page-long privacy declaration* has to be accepted, and the battery must provide sufficient power at any time.

The battery issue turns out to be a problem because of GPS-positioning* and the simultaneous use of Bluetooth, which seems necessary to obtain precise location data.

Furthermore, not everyone is accustomed to using the smartphone functionality that is needed, depending on the user interface. For instance, elderly people and people with vision impairments* may find it difficult to use the app. And will the criterion of two meters for more than 15 minutes represent a filter that is too coarse to provide useful results and subsequent notification to the user?

For these reasons, the skeptical may wonder if using the app implies that privacy is traded for uncertain and unreliable results from infection tracking.

What the application will provide even if 60% adoption is not realized is data for later research. For instance, data from mobile phone operators who can trace mobile phones’ movements between base stations could be correlated to instances of infections.

In the name of fighting the pandemic, the main telecommunication companies* are now, with strict privacy considerations, cooperating with The Norwegian Institute of Public Health to analyze movement patterns of the population compared with reported infections. Data is collected in groups of at least 20 people (phones), and identification of individual persons (phones) is not possible*.

Bottom Line

At Runbox we are very concerned about privacy and any type of user tracking that may infringe on this right. While various nations are developing and implementing technological solutions to combat the spread of the disease, we are grateful that we reside in a country with strong privacy traditions. In fact, the first version of personal data protection legislation was implemented in Norway as early as 1978.

It is crucial that The Norwegian Institute of Public Health and The Norwegian Data Protection Authority ensure that the app developers at Simula Research Laboratory (a Norwegian non-profit research organization) attend to both privacy and information security issues in a responsible manner according to the well established tradition in Norway.

When privacy is under threat, as in this case, it is absolutely justified that objections arise. It is often too easy to accept privacy intrusions in the name of a perceived common good.

But one related point could be made as a final remark: Perhaps it would be more appropriate to be concerned about personal data that is collected and shared through one’s use of social media, where personal data is traded and used for purposes that are literally out of control.

* Article unfortunately only available in Norwegian.


Message from Runbox regarding the global health situation

In situations such as the one we are currently experiencing with COVID-19, uncertainty spreads easily and one may wonder whether services we rely upon will continue to function as usual. We are aware that our email service is of great importance to our customers, and that many rely upon Runbox in their professional and personal lives.

We can assure you that our operations will continue to function normally.

Runbox is located in Norway, a country with robust and reliable Internet services, and the Norwegian government and telecommunication operators are on the alert to ensure that Internet services are running as normal.

In our organization telecommuting is the modus operandi, and we are used to working from home offices or remote locations. For the immediate future the use of our headquarters is suspended in accordance with the advisory from our health authorities, but this will not have any impact on our day-to-day operations.

These are also the regulations our partners in Norway adhere to, and our affiliates abroad will naturally follow the advice in their respective countries. The data center where our servers are located will be enforcing stricter access procedures, but will otherwise operate normally.

This means that maintenance, support, development, and other internal functions will continue to work as usual. Our services are running on our own infrastructure, and there are no indications that our service will be exposed to any consequences of the current situation.

Our mission is to provide electronic communication between people, which is more important than ever in these times. We will continue fulfilling this obligation with dedication and determination.


Runbox is double carbon negative

As explained in a previous blog post, Runbox works continuously to decrease CO2 emissions from our operations and act in an environmentally responsible manner.

We recently implemented an environmental policy to this end, which lays out our commitments to reducing, reusing, and recycling our resources.

In our policy we also pledge to doubly offset any CO2 emissions that do result from our operations despite our email service being entirely hydropowered.

We are proud to announce that we are now supporting World Land Trust in order to plant trees sufficient to compensate doubly for the emissions that result from our business.

The World Land Trust certificate for carbon dioxide emissions 2019

World Land Trust is an environmental non-profit organization working to ensure conservation of plants, animals and local communities in areas at environmental risk.

We chose World Land Trust after having researched a number of organizations offering similar services, and found World Land Trust to be the most professional and reputable candidate.

We encourage other companies to offset their own emissions in order to help achieve the goal of carbon neutrality.


GDPR implementation part 8: “Personal data” in the EU and the US is not the same

We usually think of “personal data” as a term that contains for instance a person’s full name, home address, email address, telephone number, and date of birth.

These are ordinary data that can obviously identify a specific person. But in the personal data category of linked personal information are also data such as social security number, passport number, and credit card numbers – data that can identify us, and data we usually feel more restrictive about.

Linkable and non-linkable information

But there is another category of data that on its own may not be able to identify a person, but combined with other information could identify, trace, or locate a person. Such data are gender, race, sexual orientation, workplace, employment etc. These are examples of linkable personal information.

Then we have the category non-personally identifiable information. That is data that cannot be used on its own to identify or trace a person, for example IP addresses, cookies, device IDs, and software IDs (non-linkable personal information).

Privacy regulations differ in the EU and the US

Now, we know that there are industries that exist almost under the radar while taking advantage of personal data. For instance, companies in the AdTech and MarTech industry base their business on collecting and trading personal data for targeted advertising and marketing.

Many of these actors try to take protection of personal data seriously, and refer to the rules and regulations for processing personal data. In Europe this is the GDPR (General Data Protection Regulation) within the EU/EEA-area [1], and in the US it is the responsibility of the FTC (Federal Trade Commission).

However, what the EU/GDPR and US government agencies mean by “personal data” is different. Specifically, the definition by EU/GDPR is more comprehensive than the definition often referenced by US agencies, such as that of NIST (National Institute of Technology).

For example, the EU concept of personal data includes information such as cookies and IP addresses, which are not considered as personal data in a US setting. [2]

This means that if US websites in their privacy policy state that they are GDPR compliant, but combine their data with other data sets, they may breach the GDPR. For example, they must have the user’s consent to collect their IP address under the GDPR.

Definitions of “personal data”

National Institute of Technology’s definition

NIST’s definition of personal data is contained in the definition of Personal Identifiable Information (PII):

PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

US Office of Privacy and Open Government’s definition

Another PII-definition is from the US Office of Privacy and Open Government (OPOG) as follows:

The term personally identifiable information refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

EU’s GDPR definition

Compare these PII-definitions with the GDPR Article 4(1)’s definition of personal data:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

It is obvious that the GDPR defines personal data much more broadly than both NIST’s and OPOG’s PII, and this is underlined by this statement found in the GDPR’s Recital 30:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

The US is lacking comprehensive regulation

That said, US authorities are moving towards stronger protection of privacy and personal data, but as late as March 2019, the US Congressional Research Service says:

Despite the increased interest in data protection, the legal paradigms governing the security and privacy of personal data are complex and technical, and lack uniformity at the federal level. The Supreme Court has recognized that the Constitution provides various rights protecting individual privacy, but these rights generally guard only against government intrusions and do little to prevent private actors from abusing personal data online. At the federal statutory level, while there are a number of data protection statutes, they primarily regulate certain industries and subcategories of data. The Federal Trade Commission (FTC) fills in some of the statutory gaps by enforcing the federal prohibition against unfair and deceptive data protection practices. But no single federal law comprehensively regulates the collection and use of personal data (our emphasis).

Conclusion

When US websites claim to follow the rules for processing personal data it is dubious at best, compared to the regulations in the EU/EEA – which the Norwegian legislation is based on and is what Runbox adheres to.

However, it should be mentioned that some US states, for instance California, do classify some anonymous data (i.e. IP-addresses, aliases and account data) as PII.

In addition, as stated in our Privacy Policy, the personal data we ask customers to register in order to use our service is very limited. We are conscious about the trust our customers place in us when they register personal data in our systems, and in return we can demonstrate that we are compliant with the regulations.

Addendum

Above we referred to the AdTech and MarTech industries and their usage of personal data to identify, trace, or locate a person for advertising and marketing purposes. That topic is outside the scope of this blog post, but is absolutely worth writing about in a later post.

[1] EEA = European Economic Area, that is the EU and three countries: Iceland, Liechtenstein, and Norway.

[2] https://www.forbrukerradet.no/out-of-control/ footnote on page 102.
