GDPR in the Wake of COVID-19: Privacy Under Pressure

Tech companies all over the world are rushing to support health authorities in combating the spread of the SARS-CoV2 virus, which is causing the more well-known COVID-19 disease. Whether those companies do so by invitation, by commitment, or by sheer self-interest, country after country is embracing mobile phone tracking and other technological means of tracking their citizens.

It might be worthwhile to take a deep breath and understand what’s currently technologically possible, and what might be at stake.

Tracking the infection

Everyone wants to avoid infection, and every government wishes to decrease the consequences of the pandemic within their country. And modern technology makes it possible to impose on citizens surveillance systems that represents a significant step towards realizing a Big Brother scenario.

In fighting the spread of the virus, it is crucial to know who is infected, track where the infected are located, and inform others that have been, or may come, in contact with the infected. It is precisely in this context that mobile phone tracking is playing a role, and this is currently being explored and implemented in some countries, raising ethical and privacy related questions.

Smartphone tracking apps

Once tracking of individuals’ phones is established for this particular and possibly justifiable reason, it could be tempting for a government or company to use it for other purposes as well. For instance, tracking data could be combined with other personal data such as health data, travel patterns, or even credit card records. Or the location of the infected individuals could be presented on a map along with the persons’ recent whereabouts, perhaps supplemented with warnings to avoid that area. Privacy is under pressure.

A smartphone can also be used as “electric fence” to alert authorities when someone who is quarantined at home is leaving their premises, or to fulfill an obligation from the authorities to send geolocated selfies to confirm the quarantine. Some authorities even provide individuals with wristbands that log their location and share it with the relevant authorities. The examples are many, and they are real, underlining the ongoing pressure on privacy.

Big tech gets involved

Very recently two of the world’s biggest tech companies, Apple and Google, announced they are joining forces to build an opt-in contact-tracing tool using Bluetooth technology, and will draw on beacon technology as well. The tool will work between iPhones and Android phones, and open up for future applications one cannot currently imagine.

In the first version, the solution is announced as an opt-in API (application programming interface) that will let iOS and Android applications become interoperable, and — now comes crux no 1 — the API will be open for public health authorities to build applications that support Bluetooth-based contact tracing. The tool is planned for a second step — here is crux no 2 — an upcoming update of both iOS and Android will make the API superfluous. Of course, you can opt-out, but then you can’t download the operating system software update at all.

It is a double-edged sword: It is great that big tech companies are mobilizing resources to help in a public health crisis, but do we really want these companies to potentially know even more about our personal lives (in the name of the common good)? Privacy is under pressure.

Norway’s privacy oriented approach

Norway has also launched a mobile phone application to help limit the spread of the infection, but this development is done under the strict regime of privacy regulations and in accordance with the GDPR. The decision to implement the app was taken by the Government in a regulation containing specifications and strict requirements adhering to the GDPR is taken care of, including limited use until December 1, 2020.

It should be added that some of the exceptions in GDPR for authorities is put into effect because of the extraordinary situation. However, the Norwegian parliament (Stortinget) may terminate the law supporting the regulation at any time if 1/3 of the parliament members decides so.

Even if, at least in theory, it might be feasible to use a similar app from other countries, it is crucial that the software is developed from scratch in Norway. This will ensure that Norwegian authorities maintains control over all functions and data, and that the privacy regulations in the GDPR are respected.

It is also comforting that the app is developed in cooperation with The Norwegian Data Protection Authority (Datatilsynet). Other countries allow similar apps to store health information, access images or video from cameras, or even establish direct contact with the police. Such functionality is naturally out of the question in Norway’s case.

The app is designed and will be used for purposes of tracking the pandemic only, and installation and usage is voluntary. When installed and activated the app collects location data using GPS and Bluetooth, which is encrypted and stored in a registry.

In case of a diagnosed infected individual, health personnel will check if the person has installed the app. Individuals that have been in closer contact than two meters for more than 15 minutes with the “infected phone” will be notified by text message. The location data is kept for up to 30 days, and when the virus is no longer a threat the app will stop collecting data. The app users may at any time delete the app and all personal data that is collected.

What does it take to succeed?

In order for the tracking to have any impact on the spread of infections, around 60% of the population* must use the application. At the time of writing (late April), 1,218,000 inhabitants had downloaded the application, that is about 30 % of the population for which downloading is allowed (age limit 16 years).

However, the number of downloads is not a good metric and there are a few obstacles for making it operable. For instance, the “app” must be installed on the phone, permission to use GPS and Bluetooth must be given, the 4 pages long privacy declaration* has to be accepted, and the battery must provide sufficient power at any time.

The battery issue turns out to be a problem because of GPS-positioning* and the simultaneous use of Bluetooth, which seems necessary to obtain precise location data.

Furthermore, not everyone is accustomed to using the smartphone functionality that is needed, depending of the user interface. For instance elderly people and people with vision impairments* may find it difficult to use the app. And, will the criteria two meters for more than 15 minutes represent a filter that is too coarse to provide useful results and subsequent notification to the user?

For these reasons, the skeptical may wonder if using the app implies that privacy is traded for uncertain and unreliable results from infection tracking.

What the application will provide even if 60% adoption is not realized is data for later research. For instance, data from mobile phone operators who can trace mobile phones movements between base stations could be correlated to instances of infections.

In the name of fighting the pandemic, the main telecommunication companies* are now, with strict privacy considerations, cooperating with The Norwegian Institute of Public Health to analyze movement patterns of the population compared with reported infections. Data is collected in groups of at least 20 people (phones), and identification of individual persons (phones) is not possible*.

Bottom Line

At Runbox we are very concerned about privacy and any type of user tracking that may infringe on this right. While various nations are developing and implementing technological solutions to combat the spread of the decease, we are grateful that we reside in a country with strong privacy traditions. In fact, the first version of personal data protection legislation was implemented in Norway as early as 1978.

It is crucial that The Norwegian Institute of Public Health and The Norwegian Data Protection Authority ensure that the app developers at Simula Research Laboratory (a Norwegian non-profit research organization) attend to both privacy and information security issues in a responsible manner according to the well established tradition in Norway.

When privacy is under threat, as in this case, it is absolutely justified that objections arise. It is often too easy to accept privacy intrusions in the name of a perceived common good.

But one related point could be made as a final remark: Perhaps it would be more appropriate to be concerned about personal data that is collected and shared through one’s use of social media, where personal data is traded and used for purposes that are literally out of control.

* Article unfortunately only available in Norwegian.

Continue Reading →

GDPR implementation part 5: Risk Assessment and Gap Analysis

In previous posts in this blog series we have referred to our main planning document, Rules and Regulations for Information Security Management, or RRISM for short, where our road to GDPR compliance started out. In that document we worked out the structure of the project, based on descriptions and definitions of the various components.

Obviously, risk management has to be taken very seriously, and the RRISM lays the groundwork for how we should handle this aspect of information security. The baseline is that risk management is an essential part of the company’s life, and one that comprises all its assets.

Defining and assessing risks

As usual, we first had to agree upon some definitions, and we found the following to be adequate for our purpose — directly from NIST (National Institute of Standards and Technology):

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

In order to assess risks, we first have to identify possible threats that may exploit vulnerabilities in our systems or our organization.

In short: Risk management shall first and foremost have as objective to protect assets that are at potential risk.

Analyzing assets

Then we outlined the methodology we adopted:

  1. Identify the assets that could be at risk.
  2. Identify possible threats and vulnerabilities.
  3. Identify the possible consequences of each potential vulnerability.

Each threat was characterized by probability and criticality which together gives one of four risk levels: Very High (red), High (orange), Medium (yellow), and Low (green). This helped us decide what we should prioritize regarding improvements, measures, and other actions.

Analyzing our assets we actually found more of these than anticipated, grouped in 21 different asset types, ranging from our customer base, general software in use and our own key business systems, through hardware and communication lines, and employees and partners – and more.

Threat, vulnerability, and gap analysis

Then we reviewed the vulnerability potentials (what could go wrong) for each asset and created scenarios for possible consequences if something happened that exploited a vulnerability.

The question raised thereafter was: Do we have the necessary measures and remedies in place to eliminate the potential vulnerabilities, or mitigate the consequences if things went wrong — or is there a gap?

The next step was to find out what actions should be taken in order to close the gaps in cases where we were not satisfied with the situation, and this will be the topic of future blog posts in this series.

Conclusion

Our mantra through this process has been: Threats we can imagine will sooner or later be reality, but never as we expect them to happen, and never where we expect them.

We live in an ever-changing environment, which means that risks have to be monitored continuously, and so our risk assessment and gap analysis is continually evolving as well.

Continue Reading →

POP v IMAP – battle of the protocols

POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) both have their place, but for most customers Runbox recommends that IMAP is used.

POP and IMAP are both ways in which an email program (client) can access your messages on an email service (server). This client-server relationship needs the two systems to communicate with each other and depending on which of these you choose your options for managing your email will be different.

Synchronisation

Generally speaking IMAP can be regarded as synchronising what is on the server (which you can see in the Runbox webmail) and what is on the device or computer that is using IMAP. With the increase in the number of devices we each use if you want your email contents to be the same across all your devices, then IMAP is the best option.

Online v Offline

POP is quite different to IMAP and the basic idea is to allow you to download messages from an Inbox on a server and remove them from the server. The idea behind this was that it would be particularly useful if you have intermittent Internet access and want to manage your email on your device. POP clients also have the option to leave email on the server in case you want to keep it there as a backup or download it to another device later. Some clients also have an option to delete the email after a certain period of time.

However, caching (keeping a copy) of messages in the email program also allows IMAP to provide a way of working without an Internet connection. POP still has the advantage that generally speaking all your email is downloaded and you can be confident it is stored on your machine whereas with IMAP you may need to ensure specifically that the email you want to access offline is downloaded.

Sent messages

Another of the key differences between POP and IMAP is that with IMAP email that is sent from a device is usually copied to the Sent folder on the server. This means if you start using a different IMAP device or access your email via the webmail you can also see your Sent messages sent on all other devices. Sent messages are never copied to the Sent folder when using POP and are stored locally only on the device that sent the message.

Folders

IMAP allows you to structure your email in a variety of folders and these are reflected across your devices. POP only allows access to messages from a particular folder, usually the Inbox (though Runbox has a feature called “POP from folder” that allows you to access a particular folder in your account).

Storage

If you regularly access your email then POP could mean you only need a small amount of server storage and therefore cost you less in hosting charges. For example, if you always download you email and delete it from the server then you won’t need as much storage space compared to someone who leaves all their email on the server using IMAP and may also have a folder structure they need to maintain that wouldn’t be possible with POP.

Of course with IMAP you can also copy messages to a local folder in your email program and then delete them from the server, but this needs a bit more effort whereas with POP it is a feature of this way of accessing messages in the first place.

Backups

Using POP to download all your email and at the same time deleting it from the server does mean that you might want to consider making your own backups of your email. With IMAP your email is stored on the server and this acts as a kind of backup in itself. Runbox also makes backup snapshots of your account (unless you opt out of this), but if you download all your email using POP and leave little on the server, then there might not be anything for us to make a backup snapshot of.

Why we generally recommend IMAP

Generally speaking if a customer asks us whether IMAP or POP is best for them we will recommend IMAP. There are a number of reasons for this, and some are listed below:

  • The experience across devices and between devices and the webmail is consistent.
  • It’s easy to set up two or more devices and know that you will see all the email that is in your account.
  • If you need to remove the account from a device and set it up again you won’t automatically lose your messages (with POP you would need to make a local copy first).
  • It’s easy to change your mind about what email program you want to use because email is stored on the server.

When we would recommend POP

A customer might have a specific reason for not leaving email on the server. They may want to keep their storage plan small so that they don’t need to upgrade over a period of time. They may also want to ensure that data is not stored on our servers for too long, or in our backup system.

They may also need to filter email for different purposes using the filters built in to every Runbox account, and then just access a particular folder as if it was the Inbox using the POP from folder feature mentioned above.

Server details

The server details for POP and IMAP are very similar, except that you use port 995 for POP and 993 for IMAP. You will find the full details on our server details page.

If you need any further information about POP and IMAP just contact Runbox Support.

Continue Reading →

GDPR implementation part 2: Structuring our GDPR project

As mentioned in our previous blog post about our GDPR project plan, we structured our implementation plan in 14 sub-projects.

In this blog post we’ll take a look at the first of these sub-projects.

Mapping status compared to the Regulation

The foundation for the sub-projects was (of course) the requirements in the GDPR Regulation, which we had mapped in subproject # 1: Compliancy Status Tables mapping Runbox’ status compared to regulations.

In order to prepare ourselves, we did that before the final regulation was decided. We also did this for the requirements from the Norwegian Personal Data Regulation at that point in time.

Of course, the mapping had to be made compliant with the final version of the GDPR after the EU decision in 2016 – and so we did.

Controller and processor

At that point in time, we had our project nicely structured in the 14 sub-projects mentioned above. That was pretty easy, because of the mapping we had done. An important fact in this context, is that Runbox is a controller and a processor as well, depending on the circumstances, according to the GDPR definitions. It was important to be exact about where and when.

Subprojects definitions and delimitations

In the GDPR we found some important points that we had to consider:

  • Our agreement with our main processor, Copyleft Solutions – and what about the agreements with our affiliates, partners and the like? Are confidentiality clauses regarding protection of personal data adequate any longer?
  • Do our Terms of Service and Privacy Policy correspond to the new requirements?
  • What changes have to be done in our systems to fulfill GPDRs requirement regarding customers’ rights?
  • Do we have a systematic documentation of our systems, and what about access control?
  • Does our information security policy cover the necessary elements, and is our risk analysis up to date?
  • What about the processing of personal data we do for internal processing? Obviously it was necessary to take a look into the agreements we have with internal and external personnel.
  • What about the internal control mechanism we have – do they comply?

Those points (and some more) made the foundation for establishing delimitations between each sub-project, which we will continue blogging about in the weeks to come.

Continue Reading →

The secret behind Runbox 7’s speed

Runbox 7 SpeedRunbox 7 Webmail recently entered open beta, and if you haven’t tried it yet you are missing out!

When you log into Runbox 7 the first thing you’ll notice — aside from its beautiful design — is the speed.

Your folders and messages will load instantly, and no matter how many messages you have the message list will scroll without delay and without any limit.

Gone are the days of waiting for the next screen-full of messages to load, or having to click to navigate between pages. Switching between folders, sorting the message list, and moving messages — any action you perform is executed instantly.

And the message search is lightning fast — results will show up immediately while you type into the search field. Combined with message threading and inline message previews, this makes email management extremely efficient with Runbox 7.

Under the hood

WebAssembly LogoWe have modified Xapian by porting Xapian to WebAssembly using the C to WebAssembly compiler from emscripten, which lets it run both in NodeJS on the server and in the browser. Our fork of Xapian will be merged into Xapian’s repository on Github so that it will become available for others to use.

Xapian logoThis is accomplished by utilizing a custom version of the open source Xapian email indexer. We have always been impressed with Xapian’s processing speed, reliability, and adaptability, and it’s ability to index large amounts of messages.

The Runbox 7 Webmail App is open source and is available in our main repo at https://github.com/runbox/runbox7. We encourage you to check out our code base, and invite you to join the Runbox revolution by getting involved in our growing community at https://community.runbox.com!

A separate repo at https://github.com/runbox/runbox-searchindex generates the xapian.wasm module in WebAssembly in C++.

The Xapian database is stored in the browser using IndexedDB, which is available through the IDBFS file system of emscripten.

Combined with a central message database and the use of websockets, this allows the indices to stay in sync when new email arrives on the server and when changes are made locally.

The user interface

The power of the WebAssembly Xapian port is matched by the message listing which is written in HTML5 Canvas. This makes it possible to handle large tables and quick re-rendering, and provides good control of the rendering process.

Ordinary HTML tables would suffer slowdown penalties on sorting, filtering, and resizing, and would require pagination, and would not be efficient enough for our needs.

The Canvas element is wrapped in a  user interface written in HTML/Typescript using Angular 2+, and is built using UI elements from https://material.angular.io/.

Mail parsing is done using the HTML parser from Andris Reinmann which is written for NodeJS and can be found here: https://github.com/andris9/mailparser.

Continue Reading →

How To Use Email Securely

Much has been said and written in the media recently regarding email, and here at Runbox we’d like to take the opportunity to help make it all a bit more understandable.

What is email, anyway?

Email, or electronic mail, is the most common method of exchanging digital messages.

It is easily the most flexible online messaging service available, because it lets users send and receive unlimited text, multimedia, and other files to anyone with an email address anywhere in the world.

Email was invented in the 1960s and is still one of the most popular services currently available via the Internet, with over 90% of US Internet users actively using email.

How does email work?

Email systems consist of computers and devices that are connected via the Internet. These computers and devices can be servers that process and store electronic mail, or clients such as laptops and smartphones that are used to send and receive email.

Email clients and server Email clients connected to a server

When someone sends an email, the message is transferred from his or her device to a server that processes the message.

Based on the recipient email address, the server finds out where to send the message next.

This is usually to another server associated with the recipient’s address, and often via a number of other servers that act as dispatchers.

There are many different types of email software that can send, receive, and store email. If you use a computer or a smartphone, you might be familiar with software such as Outlook, Apple Mail, or Thunderbird.

Where is my email actually stored?

Because the volume of email is so large, email clients typically let servers store all the email that is received and sent and only download messages when they are opened.

This is very convenient because the server can then do resource intensive things like filtering out spam and viruses, and other kinds of sorting and processing.

Another important reason for keeping emails stored on a server is that it lets more than one client access the same messages.

For instance, you can set up your laptop, your tablet, and your smartphone to access all the email that is stored in your account on the server. You can also use a webmail in your web browser, which essentially works as an email client.

This means that your email will be synchronized across all your devices, without you having to do anything manually.

You can read more about how this works in our Help article Using an Email Client with IMAP.

How can I be sure that no one else can access my email?

When you sign up for an email account, you select a username and a password that only you know. This ensures that only you can access the email that is stored in your account on the server.

As you can imagine, it is important that you choose a strong password to make sure that no one else can guess it. It’s also important to be aware of scams that may try to trick you into revealing information that could let someone gain access to your account.

End-To-End Encryption
End-To-End Encryption

However, to be certain no one can read your email even if they were to gain access to it, you can use encryption.

Email encryption can protect your messages all the way from your device to the recipient’s, by encoding them in such a way that it’s virtually impossible for someone unauthorized to unscramble them.

You can read more about this in our Blog post Email Encryption with Runbox and our Help article Encrypting Your Runbox Email.

We hope this article helped clarify what email is, how it works, and how to use it securely. For a more in-depth article, please see How Email Works.

Continue Reading →

Email Privacy, Security and Runbox

In recent weeks (for some reason) we have seen an increase in demand for information about whether Runbox collaborates with any government law enforcement agencies when it comes to the email sent and received by our members.  We have also had numerous enquiries asking what we do to ensure the privacy of email sent and received by Runbox members.

It seems like a good time to review what Runbox does and doesn’t do.

Monitoring by Law Enforcement & Security Agencies

Runbox is not involved in any routine exchange of members’ data with anyone.

All email data is stored in a secure facility in Norway and access to the data center is very strictly controlled.

Casual requests for information about Runbox members and their email are categorically rejected.  More formal requests are always directed to the Norwegian court system.  Only if a valid Norwegian court order is received, and the proper procedures have been followed, will the request be considered. At that point it will be referred to our legal representatives.

We adhere to our own strict Terms of Service as well as Norwegian laws and regulations, and if we become aware of activity that is contrary to those we will take appropriate action.

Details of laws and regulations as they apply to Runbox can be found on our Email Privacy and Offshore Email page.

Email Privacy and Security

In recent weeks certain claims have been made that email can be intercepted by government agencies as it crosses international borders. Regardless of any truth or otherwise in these claims, the security of email transfer is essential.

It is important to distinguish between three points of security.

  1. Security of the connection between you and the Runbox email service.
  2. Security of the connection used between the Runbox email service and other email services.
  3. Securing the content of your email in addition to 1 and 2 above.

In the case of the first point Runbox provides the facility for email to be encrypted during transmission to and from our members. All that the member needs to do is use our server secure.runbox.com with the appropriate settings.

On the second point, we employ encryption techniques when sending to and receiving from other email services. However, this is only available if the other service also offers this facility.  If it doesn’t then we have to use an unsecured connection.

The third point is entirely under user control.  If a message’s content is encrypted before sending or receiving through Runbox, then whether it is transmitted securely or not is much less important because only the sender and recipient will be able to decrypt the message and read it.

Runbox is planning to provide a method of allowing members to encrypt and decrypt messages using PGP (Pretty Good Privacy) within the Runbox Webmail.

The best way to encrypt messages with your Runbox account today is to use the Thunderbird email client with the Enigmail Open PGP add-on.

For more information about email security see our page on Secure Transfer of Email.

Continue Reading →

Regarding concerns over US surveillance legislation

There are some who are concerned about US authorities’ ability to monitor their citizens’ data. According to the EU report “Fighting cyber crime and protecting privacy in the cloud” (PDF, 1.3 MB), a little known piece of legislation could give US authorities the right to access foreign users’ data stored in the US as well.

Data stored outside the US, for instance in Norway where all the Runbox email servers are located, is not affected by this legislation.

If you have any concerns about the privacy of your Runbox email, please see our Privacy Policy and our article Email Privacy and Offshore Email.

Continue Reading →

Regarding usage of Google Analytics

Recently the Norwegian Data Protection Authority concluded that usage of Google Analytics might be illegal in Norway.

As Runbox is based in and operates from Norway, a number of our users has expressed concerns regarding whether Runbox does use Google Analytics and how.

Runbox users do not need to worry. We have stopped using any type of Analytics and you can read about it here.

Runbox does indeed use Google Analytics on public pages, such as www.runbox.com to gain statistical information about where visitors come from, how much time they spend reading various public pages, e.g. about our pricing plans etc. However, Runbox does not use Google Analytics on logged-in pages.

Norway gives strong protection to personal data and Runbox has a strict privacy policy. Runbox does not allow third parties to access your information. Therefore, once a user reached the pages which require authentication, neither Google Analytics nor any other third party service is allowed to monitor their activity, as theoretically such third party could obtain information about user’s private information, such as their contacts and email contents. At Runbox we guard users’ privacy and such leak of information would be non-acceptable.

Continue Reading →