Structuring our GDPR project

As mentioned in our previous blog post about our GDPR project plan, we structured our implementation plan in 14 sub-projects.

In this blog post we’ll take a look at the first of these sub-projects.

Mapping status compared to the Regulation

The foundation for the sub-projects was (of course) the requirements in the GDPR Regulation, which we had mapped in subproject # 1: Compliancy Status Tables mapping Runbox’ status compared to regulations.

In order to prepare ourselves, we did that before the final regulation was decided. We also did this for the requirements from the Norwegian Personal Data Regulation at that point in time.

Of course, the mapping had to be made compliant with the final version of the GDPR after the EU decision in 2016 – and so we did.

Controller and processor

At that point in time, we had our project nicely structured in the 14 sub-projects mentioned above. That was pretty easy, because of the mapping we had done. An important fact in this context, is that Runbox is a controller and a processor as well, depending on the circumstances, according to the GDPR definitions. It was important to be exact about where and when.

Subprojects definitions and delimitations

In the GDPR we found some important points that we had to consider:

  • Our agreement with our main processor, Copyleft Solutions – and what about the agreements with our affiliates, partners and the like? Are confidentiality clauses regarding protection of personal data adequate any longer?
  • Do our Terms of Service and Privacy Policy correspond to the new requirements?
  • What changes have to be done in our systems to fulfill GPDRs requirement regarding customers’ rights?
  • Do we have a systematic documentation of our systems, and what about access control?
  • Does our information security policy cover the necessary elements, and is our risk analysis up to date?
  • What about the processing of personal data we do for internal processing? Obviously it was necessary to take a look into the agreements we have with internal and external personnel.
  • What about the internal control mechanism we have – do they comply?

Those points (and some more) made the foundation for establishing delimitations between each sub-project, which we will continue blogging about in the weeks to come.

Continue Reading →

The secret behind Runbox 7’s speed

Runbox 7 SpeedRunbox 7 Webmail recently entered open beta, and if you haven’t tried it yet you are missing out!

When you log into Runbox 7 the first thing you’ll notice — aside from its beautiful design — is the speed.

Your folders and messages will load instantly, and no matter how many messages you have the message list will scroll without delay and without any limit.

Gone are the days of waiting for the next screen-full of messages to load, or having to click to navigate between pages. Switching between folders, sorting the message list, and moving messages — any action you perform is executed instantly.

Runbox 7 Speed from Runbox on Vimeo.

And the message search is lightning fast — results will show up immediately while you type into the search field. Combined with message threading and inline message previews, this makes email management extremely efficient with Runbox 7.

Under the hood

WebAssembly LogoWe have modified Xapian by porting Xapian to WebAssembly using the C to WebAssembly compiler from emscripten, which lets it run both in NodeJS on the server and in the browser. Our fork of Xapian will be merged into Xapian’s repository on Github so that it will become available for others to use.

Xapian logoThis is accomplished by utilizing a custom version of the open source Xapian email indexer. We have always been impressed with Xapian’s processing speed, reliability, and adaptability, and it’s ability to index large amounts of messages.

The Runbox 7 Webmail App is open source and is available in our main repo at https://github.com/runbox/runbox7. We encourage you to check out our code base, and invite you to join the Runbox revolution by getting involved in our growing community at https://community.runbox.com!

A separate repo at https://github.com/runbox/runbox-searchindex generates the xapian.wasm module in WebAssembly in C++.

The Xapian database is stored in the browser using IndexedDB, which is available through the IDBFS file system of emscripten.

Combined with a central message database and the use of websockets, this allows the indices to stay in sync when new email arrives on the server and when changes are made locally.

The user interface

The power of the WebAssembly Xapian port is matched by the message listing which is written in HTML5 Canvas. This makes it possible to handle large tables and quick re-rendering, and provides good control of the rendering process.

Ordinary HTML tables would suffer slowdown penalties on sorting, filtering, and resizing, and would require pagination, and would not be efficient enough for our needs.

The Canvas element is wrapped in a  user interface written in HTML/Typescript using Angular 2+, and is built using UI elements from https://material.angular.io/.

Mail parsing is done using the HTML parser from Andris Reinmann which is written for NodeJS and can be found here: https://github.com/andris9/mailparser.

Continue Reading →

How To Use Email Securely

Much has been said and written in the media recently regarding email, and here at Runbox we’d like to take the opportunity to help make it all a bit more understandable.

What is email, anyway?

Email, or electronic mail, is the most common method of exchanging digital messages.

It is easily the most flexible online messaging service available, because it lets users send and receive unlimited text, multimedia, and other files to anyone with an email address anywhere in the world.

Email was invented in the 1960s and is still one of the most popular services currently available via the Internet, with over 90% of US Internet users actively using email.

How does email work?

Email systems consist of computers and devices that are connected via the Internet. These computers and devices can be servers that process and store electronic mail, or clients such as laptops and smartphones that are used to send and receive email.

Email clients and server Email clients connected to a server

When someone sends an email, the message is transferred from his or her device to a server that processes the message.

Based on the recipient email address, the server finds out where to send the message next.

This is usually to another server associated with the recipient’s address, and often via a number of other servers that act as dispatchers.

There are many different types of email software that can send, receive, and store email. If you use a computer or a smartphone, you might be familiar with software such as Outlook, Apple Mail, or Thunderbird.

Where is my email actually stored?

Because the volume of email is so large, email clients typically let servers store all the email that is received and sent and only download messages when they are opened.

This is very convenient because the server can then do resource intensive things like filtering out spam and viruses, and other kinds of sorting and processing.

Another important reason for keeping emails stored on a server is that it lets more than one client access the same messages.

For instance, you can set up your laptop, your tablet, and your smartphone to access all the email that is stored in your account on the server. You can also use a webmail in your web browser, which essentially works as an email client.

This means that your email will be synchronized across all your devices, without you having to do anything manually.

You can read more about how this works in our Help article Using an Email Client with IMAP.

How can I be sure that no one else can access my email?

When you sign up for an email account, you select a username and a password that only you know. This ensures that only you can access the email that is stored in your account on the server.

As you can imagine, it is important that you choose a strong password to make sure that no one else can guess it. It’s also important to be aware of scams that may try to trick you into revealing information that could let someone gain access to your account.

End-To-End Encryption
End-To-End Encryption

However, to be certain no one can read your email even if they were to gain access to it, you can use encryption.

Email encryption can protect your messages all the way from your device to the recipient’s, by encoding them in such a way that it’s virtually impossible for someone unauthorized to unscramble them.

You can read more about this in our Blog post Email Encryption with Runbox and our Help article Encrypting Your Runbox Email.

We hope this article helped clarify what email is, how it works, and how to use it securely. For a more in-depth article, please see How Email Works.

Continue Reading →

Email Privacy, Security and Runbox

In recent weeks (for some reason) we have seen an increase in demand for information about whether Runbox collaborates with any government law enforcement agencies when it comes to the email sent and received by our members.  We have also had numerous enquiries asking what we do to ensure the privacy of email sent and received by Runbox members.

It seems like a good time to review what Runbox does and doesn’t do.

Monitoring by Law Enforcement & Security Agencies

Runbox is not involved in any routine exchange of members’ data with anyone.

All email data is stored in a secure facility in Norway and access to the data center is very strictly controlled.

Casual requests for information about Runbox members and their email are categorically rejected.  More formal requests are always directed to the Norwegian court system.  Only if a valid Norwegian court order is received, and the proper procedures have been followed, will the request be considered. At that point it will be referred to our legal representatives.

We adhere to our own strict Terms of Service as well as Norwegian laws and regulations, and if we become aware of activity that is contrary to those we will take appropriate action.

Details of laws and regulations as they apply to Runbox can be found on our Email Privacy and Offshore Email page.

Email Privacy and Security

In recent weeks certain claims have been made that email can be intercepted by government agencies as it crosses international borders. Regardless of any truth or otherwise in these claims, the security of email transfer is essential.

It is important to distinguish between three points of security.

  1. Security of the connection between you and the Runbox email service.
  2. Security of the connection used between the Runbox email service and other email services.
  3. Securing the content of your email in addition to 1 and 2 above.

In the case of the first point Runbox provides the facility for email to be encrypted during transmission to and from our members. All that the member needs to do is use our server secure.runbox.com with the appropriate settings.

On the second point, we employ encryption techniques when sending to and receiving from other email services. However, this is only available if the other service also offers this facility.  If it doesn’t then we have to use an unsecured connection.

The third point is entirely under user control.  If a message’s content is encrypted before sending or receiving through Runbox, then whether it is transmitted securely or not is much less important because only the sender and recipient will be able to decrypt the message and read it.

Runbox is planning to provide a method of allowing members to encrypt and decrypt messages using PGP (Pretty Good Privacy) within the Runbox Webmail.

The best way to encrypt messages with your Runbox account today is to use the Thunderbird email client with the Enigmail Open PGP add-on.

For more information about email security see our page on Secure Transfer of Email.

Continue Reading →

Regarding concerns over US surveillance legislation

There are some who are concerned about US authorities’ ability to monitor their citizens’ data. According to the EU report “Fighting cyber crime and protecting privacy in the cloud” (PDF, 1.3 MB), a little known piece of legislation could give US authorities the right to access foreign users’ data stored in the US as well.

Data stored outside the US, for instance in Norway where all the Runbox email servers are located, is not affected by this legislation.

If you have any concerns about the privacy of your Runbox email, please see our Privacy Policy and our article Email Privacy and Offshore Email.

Continue Reading →

Regarding usage of Google Analytics

Recently the Norwegian Data Protection Authority concluded that usage of Google Analytics might be illegal in Norway.

As Runbox is based in and operates from Norway, a number of our users has expressed concerns regarding whether Runbox does use Google Analytics and how.

Runbox users do not need to worry. We have stopped using any type of Analytics and you can read about it here.

Runbox does indeed use Google Analytics on public pages, such as www.runbox.com to gain statistical information about where visitors come from, how much time they spend reading various public pages, e.g. about our pricing plans etc. However, Runbox does not use Google Analytics on logged-in pages.

Norway gives strong protection to personal data and Runbox has a strict privacy policy. Runbox does not allow third parties to access your information. Therefore, once a user reached the pages which require authentication, neither Google Analytics nor any other third party service is allowed to monitor their activity, as theoretically such third party could obtain information about user’s private information, such as their contacts and email contents. At Runbox we guard users’ privacy and such leak of information would be non-acceptable.

Continue Reading →

Google chief fears for Generation Facebook

In an independent.co.uk article, Google chief Eric Schmidt expresses concerns over the amount of personal data people publish online without considering the possible privacy implications.

Personal data will increasingly become a monetizing commodity among the social network and search engine services, while privacy and protection from data exploitation will diminish until its true value is appreciated.

While social network services bring functionality that allow people to connect in new and unexpected ways, email is inherently private and personal to the sender and recipient, as long as that privacy is enforced with a balanced policy.

Continue Reading →