GDPR implementation part 4: Information Security Policy

The groundwork for compliancy

Privacy and security has always been a part of the Runbox culture. However, the GDPR project made it clear to us that we had to systematically work through how to implement the various aspects of data protection and information security.

Let’s start by recalling the meaning of some important terms:

Privacy is about individual’s right to a private life, and the right to control all information about themselves. Grounded in European Convention on Human Rights (1950), the Norwegian Constitution § 102 states that “Everyone has the right to the respect of their privacy and family life, their home and their communication.” followed by “The authorities of the state shall ensure the protection of personal integrity».

Norway’s law on privacy, the Personal Data Act (PDA1), was introduced as early as 1978, so we have tradition for this kind of legislation. That’s why the GDPR2, in principle, didn’t result in significant changes.

In order to protect privacy, Information Security (IS) is crucial. It is mainly about how to prevent personal data from going astray, but we had to go for a more stringent definition: To secure confidentiality, integrity, authenticity, availability (for the approved purpose only), reliability, resilience (the ability to recover), possession (ownership), and utility (readable for the approved purpose) of the data.

With this in mind, we developed our Information Security Policy (ISP) as a documentation of the GDPR compliancy practices, and GDPR requirements to employees and states the company’s commitment to compliance. Article 24 in the GDPR demands controllers (such as Runbox) to implement appropriate data protection policies, and our ISP is an important part of our response to that requirement.

The purpose of Runbox’ Information Security Policy is to provide rules and guidance for Runbox’ employees, Runbox’ contractual employees/consultants, and everyone else working for Runbox, voluntarily or according to contract/agreement, so that they in all respects act

  • to comply with the company’s information security policies,
  • to comply with the company’s Privacy Policy and Terms of Service regarding our obligations to our customers,
  • to ensure that the processing of Personal Data is in accordance with the PDA/GDPR and ensure that appropriate technical and organizational measures are adapted to the purpose, extent and context of the processing, and ensure that such measures are adapted to the risks for the rights and freedoms of natural persons3.

The ISP is a very comprehensive document, stating our commitment to the protection of our customer’s data, and defining technical and organizational measures to fulfill this obligation.

For instance, we will not store customer’s data on any “cloud” (we use our own servers), we shall never disclose account information or email data to authorities (unless presented with a court order from the Norwegian prosecuting authority), and we shall never scan customer’s data to display ads. More information about this can be found on our Privacy Protection page.

An important aspect of the ISP is to define the responsibilities of two roles/positions: The Managing Director is the personified Data Controller, responsible for GDPR compliancy on behalf of the company, and the appointed Data Protection Officer, who is a watchdog regarding the company’s status where GDPR is concerned.

The ISP imposes strict rules for employees, partners, consultants etc. on how to handle systems and data, anchored in a No Disclosure Agreement and Agreement on Protection of Personal Data. This includes rules for how to process and store data and how to protect digital devices.

Finally, let’s mention that the ISP provides rules for contractual agreements with organizations Runbox has partnered with, consultants etc. so that appropriate technical and organizational measures are implemented to ensure GDPR-compliant data processing and systems development.

All together, we have developed two documents that serve as guidance, and control our behavior regarding the GDPR. These are the RRISM (planning document, mentioned in an earlier blog), and the ISP. It is worth mentioning that these documents are continuously updated when new privacy and security issues arise.

1 The Personal Data Act (the PDA) means the regulations that are currently in force in Norway for the protection of individuals in connection with the processing of personal data, which includes the implementation of GDPR in Norway (2018-07-20).

2 The GDPR means Regulation EU 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC General Data Protection, General Data Processing Regulation. Article refers to Article in the GDPR.

3 See GDPR Article 4(1).

Continue Reading →

Runbox 7 Calendar now in beta

We are extremely pleased to be able to announce that the Runbox 7 Calendar is now in beta test.

You may be aware that Runbox for a while has provided a calendar (CalDAV) service for calendar clients such as Outlook, Thunderbird Lightning, and macOS Calendar.

If you’ve previously used our CalDAV server you’ll be pleased to be able to finally use it through the web interface, not needing a separate program anymore.

Runbox 7 Calendar

Calendar features

The Runbox 7 Calendar currently offers month, week, and day views, you may add and edit events, and perform other basic actions.

It can also be synchronized with your other programs and devices by setting them up with our CalDAV service.

As this is still a Beta, not everything that your own calendar program can do will be available in the Runbox 7 Calendar quite yet. One notable missing features is the Tasks (TODOs) support – these will be coming later on as a separate feature.

We invite you to try it out by logging into Runbox 7 and clicking Calendar in the main menu.

And let us know what you think over in the Runbox 7 Forum!

Continue Reading →

Introducing Runbox 7 Contacts

It is our pleasure to announce that the new Runbox 7 Contacts is available in open beta test!

If you’re already using Runbox 7 you may have noticed them already, and if you aren’t — here’s another reason to try it: Runbox 7 Contacts combines the best of the Runbox 7 web interface with the world of email clients.

Modern user interface

The first thing you’ll notice after clicking Contacts in the main menu in Runbox 7 is the beautiful and smooth user interface.

Runbox 7 Contacts is built with the same Angular framework that powers the Runbox 7 Webmail, and you will recognize its design components and interactive functionality.

Runbox 7 Contacts
Runbox 7 Contacts

New Contacts storage (CardDAV)

One of the key parts of the new Contacts is how we store your contacts on the servers. So far they’ve been stored in a proprietary database, with no other way to access them than through the Runbox 6 web interface.

This has been an annoyance to those of you who would like to use your contacts across many different apps and devices.

From now on in the new Runbox 7, all contacts will be stored on a CardDAV server – an open standard for sharing contacts and address books between different devices.

The advantages of Runbox 7 Contacts

If you know what CardDAV is, chances are you were eagerly awaiting this and need no further encouragement to use it. If you’ve never heard of it before, here are two key benefits it has over the existing system

First of all, Runbox 7 uses the standard vCard for representing the contacts. You may have heard the name before — if you ever sent a contact to someone over an SMS for example, it was a vCard. Using vCards in Runbox 7 Contacts means that much more flexibility when it comes to the information you can store.

vCards in Runbox 7 and CardDAV can store everything Runbox 6 can, and more — as many emails, phones and addresses as you desire, all categorized. Pictures, links to social media accounts, messengers, public keys for encryption; whatever you can think of, it’s probably there.

Second, you can access your Runbox 7 Contacts everywhere. No need to even use the Runbox 7 app — you can use any email client, any contacts app on your computer or your phone, and you’ll have access to the same contacts everywhere.

Add them on your phone, edit them on your laptop, and then they’ll still be available Runbox 7 when you compose a new email. Runbox 7 Contacts contains all the information that you need to set up any other apps that you use.

Using Runbox 7 Contacts

Until you migrate your contacts they will not be available for synchronization yet. Migrating them will move them over to CardDAV and give you all the glorious new features of Runbox 7 Contacts.

2019-04-01-121407_456x120_scrot

Try out the new Runbox 7 Contacts by logging into Runbox 7 and clicking Contacts in the main menu.

And let us know what you think over in the Runbox 7 Forum!

Continue Reading →

GDPR implementation part 3: Mapping our “world”

This is the third post in our series on Runbox’ GDPR implementation.

After having structured our GDPR project, the next piece of necessary groundwork was to map out status on relevant facts about important areas of our business. The reason is that it’s impossible to establish and maintain good security and privacy – and to determine GDPR compliancy — if the “territory” is not clearly described.

The “territory”

The “territory” in question was foremost and first of all,

  • The email service delivery system, that is the Webmail and backend systems and files – the development platform that is used, the components of which the system is built, the dependencies between the components, description of access points etc. – while being well aware of that the GDPR compliancy also includes Privacy of Design requirements.

Other realms that are necessary to describe were for example:

  • The economic system in which the company operates; i.e. mapping out the network of organizations with which our company is involved – including partners, associates, suppliers, financial institutions, government agencies, and so on – in order to serve our customers.
  • Server infrastructure with all physical links and channels, and not the least: All software components.
  • Data networks, including how and where our serves are connected to the Internet, but also the Local Area Network at our premises.
  • Data catalogue, including of course all personal data, that is, what kind of data are registered on customers and also employees and partners/associates as well.
  • Applications of all sorts necessary to run the company – applications that are managerial of nature.

Level of description

One problem encountered is how detailed the descriptions should be. Too many details will make the job unnecessarily big in the first place, followed by a lot of maintenance to keep the documentation current.

We chose to start with a “helicopter view”, to obtain an overview of the different realms with the intention to fine-grain the documentation depending on the requirements of the ultimate goal: To identify areas where privacy and security is of concern, ticking off issues that are well taken care of in light of the GDPR, or followed up with measures to improve the situation to achieve GDPR compliancy.

Of course, the GDPR Implementation Project is not a sequential one, as development projects seldom are. Therefore, from time to time we had to go back and adjust our planning tools when needs arose.

The next blog post in this series will concern our Information Security Policy.

Continue Reading →

Changes to TLS encryption security

At Runbox we are pleased to be able to provide you with secure email services. In order to maintain the security of email communications it is necessary to continually review how email systems connect and communicate with each other, and this includes how you connect to our service to send and receive email.

Encryption is important

When you connect to our service using an email program (such as Outlook, Thunderbird, Apple Mail etc.) the connection between the email program and our mail servers is encrypted so that nobody can intercept your username, password or email message content.

It’s important to use updated software that supports modern encryption methods to prevent that encryption from being broken and compromised as hackers increasingly use more and more powerful computers and techniques to decrypt data.

As such we will end support for outdated encryption methods to ensure that we provide the latest and most secure encryption between your email program and our service. This also helps us prevent unauthorised access to our servers and helps keep the Runbox service safe for all customers.

On 1 July 2019 we will retire some very old encryption protocols
and this might affect some older email programs.

The technical details

We will be retiring support for TLS 1.0 and 1.1 and will only support TLS 1.2 or later. TLS 1.2 has been around for 10 years so there has been a long time for email programs to adopt the use of this type of encryption. TLS is Transport Layer Security and is the encryption that protects your data. However, you don’t need to understand much about this to make any necessary changes.

Your email program

Most email programs that were released in the last 5 years will be compatible with the latest encryption. It is important to use the latest versions of email programs as the developers of those programs will have corrected bugs that could be a security issue. Where possible it is also advisable that you use the latest version of your computer’s operating system.

We have tested the email programs below and they all work with the most modern encryption that we use with our servers.

  • Outlook 2010 and later (Windows and macOS) – may require a registry change for Windows 7 customers.
  • Thunderbird (Windows and macOS)
  • Apple Mail (macOS) – High Sierra or later.
  • Windows Mail (Windows)
  • eM Client (Windows and macOS)
  • Gmail app (Android)
  • Mail app (iOS) – requires iOS 10 or later.
  • Maildroid (Android)

Many other email programs will also work with our service and those listed above are just commonly used ones that we have tested.

Further details and help

If you need any help on this issue, or would like us to offer advice on the email program you are using please get in touch with us.

Continue Reading →

Using your own domain name with Runbox

When you read this blog post, you will see https://blog.runbox.com in your web browser’s address bar. Our domain name is runbox.com and domains are used in this way to make the Internet easier to use. The Internet uses IP (Internet Protocol) addresses to route information from one place to another. Without domains you would need to know the IP address of the server that this page is delivered from (http://91.220.196.127).

The same is true with email addresses. If you send a message to support@nullrunbox.com, the sending mail service can work out from @runbox.com that our mail server (mx.runbox.com) has IP address 91.220.196.211.

Domains also mean that if we change our network in a way that means our IP addresses change we don’t need to tell you to remember different IP addresses as we can just point our domain at the new addresses.

Changing email provider

When choosing an email provider once of the biggest concerns expressed to us by new customers is the fact they might need to change their existing email address and tell all the people they use that address with. There are some ways that Runbox can help smooth any transition such as this, and some things you might be able to do at your current email provider:

  • Forward email from your old email provider to your new Runbox account, but reply from your Runbox address to give people time to add your new address to their address book.
  • Use the Runbox POP retrieve feature to download new messages from your old account in to your Runbox account.
  • Use the Runbox IMAP Import feature to move all your existing messages from your old email provider to Runbox.

Never change your email address again

However, as you move to Runbox, why not make changing your email address the last time you ever do this?

We would be very happy for you to stay with Runbox for as long as you like and never need to change your @runbox.com email address. However, sometimes there are good reasons why you might need to use a different email provider, or you may want to use another email provider in addition to Runbox (e.g. for business reasons). This might mean you can’t use your @runbox.com address as you don’t own the domain and can’t configure it to work as you need.

The one sure way to avoid that problem and to have maximum control and flexibility over your email services is to register your own domain.

Registering a domain – an address for life

Domains are not expensive to register and the Runbox services can work with any domain you choose to own. We offer personal support to register your domain and to help you get it up and running. You can use a domain for both email and a website, and Runbox has web hosting packages if you decide you also need a website.

Once you have your own domain, you can have an email address for life.

To find out which domains might be available for you to register, you can go to Account >> Domain Hosting in your Runbox account and use the search feature to find out if a domain you are interested in is available.

Domains cost as little as USD 14.95 per year for a .com domain, and once you have your own domain it is yours to use for as long as you like and with any email provider you like whether you are a Runbox customer or not.

Help and support

If you have any questions about registering domains, please contact us at support@nullrunbox.com or via our support website at https://support.runbox.com

Continue Reading →

Runbox 7 Feature and Bug Bounty Program

The Runbox 7 project represents an ambitious plan to revolutionize the world of webmail services, and with the Runbox 7 open source launch on https://github.com/runbox/runbox7 we have invited skilled developers to join us in this quest.

Now we are excited to announce a bounty program to accelerate development further. The program is two-fold and introduces bounties for both features and bugs.


Feature bounties

We encourage you to contribute to Runbox 7 with your skill and talent by adding new functionality that all Runbox 7 users can enjoy.

All contributions must include tests and documentation in order to be accepted.

Gold – $1,000 reward

Gold bounties are rewarded for contributing major new features that involve substantial additions to the Runbox 7 code base.

Examples of such features can be found on the Runbox 7 Roadmap and include complete, new screens for Account, Files, or Manager with REST endpoint specifications.

Other examples are significant optimizations of the code that improve performance or substantially restructures or refactors the code base.

Silver – $500 reward

Silver bounties are given for contributions of medium-sized new features or additions of new functionality that improves existing features.

Examples of such features can be found on the Runbox 7 Roadmap and include new screens for sections under Account, Files, or Manager with REST endpoint specifications.

Bronze – $100 reward

Smaller features or functionality that extends or improves existing features.

Examples include those listed on Github as Runbox 7 enhancement issues (urgent and critical).

Iron – $10 reward

Minor features or functionality that extends or improves existing features.

Examples include those listed on Github as Runbox 7 enhancement issues (trivial, low, and medium).

Bug bounties

Integrity and reliability is paramount to our operations and although we take all reasonable precautions to prevent bugs, all open source software benefits from thorough reviews from the community.

Therefore we provide bug bounties with an emphasis on problems that could impact the integrity of our services.

High – $1,000 reward

Reporting severe errors that could lead to elevated privileges, significant data compromise, or service downtime.

To be eligible for this bounty:

  • You must not publicly disclose your finding.
  • You must never exploit any found vulnerability.
  • You must send a detailed explanation with steps to reproduce the bug.
  • You may submit a patch that fixes the issue for a double bounty!

Examples include issues listed on Github as Runbox 7 bug issues (critical).

Medium – $500 reward

Reporting vulnerabilities that provide limited access and that could result in denial of service, manipulation of individual accounts, or temporary problems that affect limited data sets.

To be eligible for this bounty:

  • You must not publicly disclose your finding.
  • You must never exploit any found vulnerability.
  • You must send a detailed explanation with steps to reproduce the bug.
  • You may submit a patch that fixes the issue for a double bounty!

Examples include issues listed on Github as Runbox 7 bug issues (critical).

Low – $100 reward

Vulnerabilities that have a low impact on our operations or that require significant knowledge about our systems.

Examples include issues listed on Github as Runbox 7 bug issues (urgent).

Trivial – $10 reward

Minor bugs that are annoyances rather than vulnerabilities, and that don’t affect the integrity or reliability of our services.

Examples include those listed on Github as Runbox 7 bug issues (trivial, low, and medium).

How to get started

To get started with our bounty program, have a look at our Runbox 7 GitHub repository at https://github.com/runbox/runbox7.

We are marking issues that are suitable for new contributors with “good first issue“.

Then review our contribution guidelines and follow the instructions there: https://github.com/runbox/runbox7/blob/master/CONTRIBUTING.md


Continue Reading →

Know where your email is, wherever you are!

When you access web pages and other services such as email a whole range of things go on in the background to ensure that your request for a web page or accessing your email is achieved no matter where you are in the World, or which Internet Service Provider (ISP) you are using at the time. As part of that process, the companies that provide these services can do some useful things to ensure that your access is as fast and as reliable as possible.

Edge services

One thing service providers can do is make use of edge services that move data and processing closer to the location of the device you are using. This will mean that when you access the service the route that the data takes is shorter geographically, and that a central data centre is not having to handle all the network traffic and processing. This reduces the time it takes from when you perform some action on your device to when you get the response from the service. This is often referred to as latency.

As more and more devices become connected to the Internet, and 5G mobile services are rolled out fast responsiveness will become increasingly important for providing a good experience.

Runbox and edge services

Despite all the benefits of edge services and why they are used, we are pleased to say that Runbox doesn’t use any of them – and for good reason.

We understand that privacy and knowing who looks after you data is important to you as a Runbox customer, and to that end we are happy to say that we can offer you the confidence of knowing where your email is stored no matter where you access it from.

We only store your email on servers that are located in a data centre in Oslo, Norway. In addition to our own security features, it is protected by the highly regarded legislation of Norway which is very focused on the privacy of communications and data more generally.

All networks point to Norway

When you access your email with an email program or via our web interface data to and from your phone is routed between your location and Oslo, and the only place your data can be accessed from is the servers in Oslo.

Between you and our data centre the data can travel across many networks with your current ISP at one end and ours at the Oslo end. However, all our services encrypt your data between your device and our servers and this means the email content isn’t readable as it passes through the ISPs that provide your connection to us.

We believe that rather than distributing your data to data centres around the World, it is important for it to be treated as a valuable commodity and give it location specific protection. This means all access to your data is in accordance with Norwegian law.

Internet routing

Runbox doesn’t control the entire route of your data to our servers, and the further from Oslo you are the less influence our choice of ISPs has on the route your data takes.

The geographical distance between you and our servers can make a difference to how responsive our servers appear to be. This is because of the number of ISPs and routers involved in the network between you and us, as well as the quality and speed of the service those ISPs provide.

Usually this doesn’t cause any significant issues and we have happy customers in 170 countries including Australia and New Zealand, which is about a far as you can get from Oslo. However, sometimes it can cause an issue and we can help customers try to deal with this if they contact us.

Speeding up your email access

While we are pleased to offer the certainty of knowing where you data is stored, we are also keen to make sure that you have a good experience using Runbox.

Using an email program like Thunderbird, Outlook or Apple Mail and therefore having your mail stored on your device can improve access to your messages. Doing this means that instead of having to download details for all of your messages each time you access your account, mail that has already been downloaded to your device is already there and only new messages need to be fetched from the server.

Using an email program is a great idea for many reasons and not just because it helps solve potential network issues, but also because of the ability to manage more than one email account in the same interface, use the local search capabilities of the email program and access previous messages when you don’t have an Internet connection.

And now we can speed up your web access too

Recently we’ve introduced local storage to the Runbox webmail in the form of the Runbox 7 web app. When you log in to the new interface you will be given the choice to download an index of all your messages that will be stored in your web browser. This index will remain there and be updated as new mail arrives until you decide to delete it. We also pre-load the content of the messages that are shown in your message list so that when you open the message the content is already on your device ready to be shown to you. This makes Runbox 7 a very fast webmail client with excellent search capabilities.

Know where your email is, wherever you are

So not only do you have the peace of mind knowing where your email is stored when it arrives in your account, but you also have the option to store it securely on your own personal devices for even greater performance.

This means you don’t need to worry about what edge services are doing with your data, because with Runbox you know where your email is, wherever you are!

Continue Reading →

Runbox’ road to GDPR compliance

How we did it and what we learned on the way

In our blog post May 25, 2018 we described the main areas of Runbox’ GDPR implementation.

On this Data Privacy Day we’d like to update you on our GDPR implementation, how we did it, and what we learned on the way.

There is an enormous amount of information out there describing GDPR content, simple copies of the regulation, some templates of varying quality – and a lot of warnings.

So first of all, let’s recap what the GDPR is.

What is the GDPR, and why did it come about?

In 2012, the European Union (EU) first proposed a set of rules for protection of data inside and outside the EU. An important reason for this decision was a desire to improve the ability for individuals to control data registered about themselves.

In 2016, the GDPR (General Data Protection Regulation) was formally adopted by the European Parliament and the Council of the European Union to take effect for all individuals within the EU and the European Economic Area (EEA).

Runbox’ approach to the GDPR

Runbox' GDPR Implementation

At Runbox, which is located in the privacy bastion Norway and within the EEA, we started the GDPR planning and implementation process as early as 2014.

At that point in time, we had followed the process in the EU about a comprehensive reform of the EU’s 1995 data protection rules. In the spring of 2014, the European Parliament demonstrated strong support for the GDPR proposal set forward by the Article 29 Working Party. (You can find more information about the history of the GDPR in the article The History of the General Data Protection Regulation.) Shortly thereafter, in September 2014, our GDPR Compliancy Project was launched.

We didn’t know at that time when the GDPR would take effect, but we knew the direction – that is: The GDPR was indicated to move in the direction of existing Norwegian privacy regulations, based on Article 29 Working Party documents.

Our GDPR project plan

We structured our implementation project in 14 partly parallel sub-projects, and after the decision by the European Parliament and of the Council by April 27, 2016, we updated our project plan towards the target date May 25, 2018.

We started out mapping exactly our position compared to Article 29 proposal, which in 2015 was replaced by The European Data Protection Board, and then we went ahead to work out our main planning document, Rules and Regulations for Information Security Management.

The groundwork was done, and we proceeded the project towards fulfillment of our obligations regarding privacy under the new legislation, implemented in Norwegian law by July 20, 2018.

We will share more information in forthcoming blog posts, so stay tuned!

Continue Reading →