Email malware botnet dismantled by the FBI

Runbox was recently informed via our Internet Service Provider that a global botnet (robot network) consisting of hundreds of thousands of computers has been disrupted by the FBI.

In a coordinated operation taking place on August 29 in the US and several European countries, the malware (malicious software) known as Qakbot was removed from a large number of infected computers around the world.

What is Qaknet?

Since 2008, Qakbot had spread to victim computers mainly through spam email messages that contained malicious attachments or links. The infected computers effectively comprised a multinational infrastructure that cybercriminals utilized to commit ransomware, financial fraud, and other criminal activities.

In recent years the Qaknet botnet grew rapidly and some estimates state that it was related to around 25% of malware websites and responsible for extorting their victims through ransom payments amounting to tens of millions of dollars over the past couple of years.

Protecting your email account

As a security and privacy conscious email service we welcome this news and congratulate law enforcement on disrupting a vast network of cyber criminals who have victimized individuals and businesses on a large scale for decades.

Qaknet has also impacted some Runbox customers and we are contacting those affected directly via email in order to ensure their accounts are secured.

We strongly recommend that all email users utilize antivirus and antimalware software in addition to the spam and virus filters that are available in your email account. You can find a comparison of such software for various platforms at Wikipedia.

More information

More information about the dismantling of Qaknet can be found here:

Continue Reading →

Be privacy concerned when using ChatGPT (and other AI chatbots)

This is blog post #18 in our series on the GDPR.

Don’t tell anything to a chatbot you want to keep private.” [source]

Writing about AI in general and about chatbots specifically is like shooting at a moving target because of the speed of development. However, at Runbox we are always concerned about privacy and must examine the chatbots case in that respect.

Due to its popularity, we have mainly used ChatGPT from OpenAI as the target of our examination. NOTE: ChatGPT and the images from text captions DALL-E are both consumer services from OpenAI.

This blog post is a summary of our findings, leading to advice on how to avoid putting your privacy at risk when using the Natural Language Processing (NLP)-based ChatGPT.

Our examination is based on OpenAIs Privacy Policy, Terms of Use, and FAQ, and a number of documents resulting from hours of Internet browsing.

The blog post consists of two parts: PART I is a summary of our understanding of the technology behind language models in order to grasp the concepts and better understand its implications regarding privacy. In PART II we mainly discuss the relevant privacy issues. It is written as a stand alone piece, and can be read without necessarily have read PART I.

PART I: Generative AI technology

The basics

GPT stands for Generative Pre-trained Transformer, and GPT-3 is a 175 billion parameter language model that can compose fluent original writings in response to a short text prompted by a user. The current version of ChatGPT is built upon GPT-3.5 and GPT-4 from OpenAI.

ChatGPT was launched publicly on November 30, 2022. ChatGPT was released as a freely available research preview, but due to its popularity, OpenAI now operates the service on a freemium model [source].

The GPTs are the result of three main steps: 1) Development and use of the underpinning technology Large Language Models (LLMs), 2) Collection of a very large amount of data/information, and 3) Training of the model.

Let us also keep in mind that all this is possible only because of today’s advancements of computational power.

Language models

A language model is a system which denotes mathematics “converted” to computer programs that predict the next word/words in a sentence, or a complete sentence, based on probabilities. The model is a mathematical representation of the principle that words in a sentence depend of the words that precede them.

Since computers basically can only process numbers (in fact only additions and comparisons), text input to the model (prompts) must be converted to numbers, and likewise the output numbers have to be converted to text (response). Text in this context consists of phrases, single words, or parts of words called tokens.

When prompting a GPT then, your query is converted to tokens (represented by numbers), and used by the transformer where its attention mechanism generates a score matrix that determines how much weight should be put on each word in the input (prompt). This is used to produce the answer to the prompt, using the model’s generative capability – that is to predict the next word in a sentence by selecting relevant information from the pre-processed text with high level of probability of being fluent and similar to human-like text [source].

The learning part of the model is handled by a huge number of parameters representing the weights and also statistical biases for preventing unwanted associations between words. For instance, GPT-3 has 175 billion parameters, and GPT-4 is approximated to have around 1 trillion.

(The label “large in LLM refers to the number of values (parameters) the model can change autonomously as it learns.)

Collecting the data

The texts the GPT model generate stems from OpenAIs scraping of some 500 billion words (in the case of GPT-3, the predecessor for the current version of ChatGPT) systematically from the Internet: books, articles, websites, blogs – all open and available information, from libraries to social media – without any restriction regarding content, copyrights or privacy.

The scraping includes pictures and program codes as well and is filtered resulting in a subset where “bad” websites are excluded

The pre-training process

All that data is fundamental for pre-training the model. This process analyses the huge volume of data (the corpus) for linguistics patterns, vocabulary, grammatic properties etc. in order to assign probabilities to combinations of tokens and combinations of words. The aforementioned transformer architecture is used in the training process, where the attention mechanism makes it possible to capture the dependencies between words independent of their position in a sentence.

The result of the pre-training process is an intermediate stage that has to be fine-tuned to the specific task the model is intended for, for instance providing texts, program code, or translation of speech as response to a prompt. The fine-tuning process uses appropriate task-specific datasets containing examples typically for the task in question, and the weights and parameters are adjusted accordingly.

Of cause, a ChatGPT-response to a prompt is not “burdened” with the ethical, contextual, or other considerations a human will perform. To prevent undesired responses (toxicity, bias, or incorrect information), the fine-tuning process is supervised by humans in order to correct inappropriate or erroneous responses, using prompt-based learning. Here the responses are given a “toxicity” score that incorporates human feedback information [source].

ChatGPT usage training

The learning process continues when response generated following by a user’s prompts is saved and subject to the training process, at least for 30 days, but “forever” if chat history isn’t turned off. In any event it is not possible to delete specific prompts from user history [source], only entire conversations

In the world of AI and LLMs, hallucinations are the word used when responses are like “pulled from thin air”.

OpenAI offers an API that makes it possible for “anyone” to train GPT-n models for domain specific tasks [source], that is to build a customized chatbot. In addition, they have launched a feature that allow GPT-n to “remember” information that otherwise will have to be repeated [source, source].

Takeaways

  • The huge volume of data scraped is obviously a cacophony of contents and qualities that will affect the corpus and so also the probability pattern and the responses produced [source].
  • ChatGPT has limited knowledge of events that have occurred after September 2021, the cutoff date for the data it was trained on [source].
  • The response you get from ChatGPT to your prompt is based on probabilities, and as such you have no guarantee of the validity [source].
  • A prompt starts a conversation, unlike a search engine like DuckDuckGo and Google that gives you a list of websites matching your search query [source].
  • ChatGPT uses information scraped from all over the Internet, without any restrictions regarding content, copyrights, or privacy. However, manual training of a model was introduced to detect harmful content [source]. Violations of copyrights has resulted in lawsuits [source], and also signing of more than 10 000 authors of an open letter to the CEOs of prominent AI companies [source].
  • Your conversation is normally used to train the models that power ChatGPT, unless you specifically opt-out [source].

PART II: Chatbot privacy considerations

The privacy considerations with something like ChatGPT cannot be overstated” [source]

The following introduction is mainly made for readers that have skipped this blog post PART I.

Generative AI systems, such as ChatGPT, use information scraped from all over the Internet, without permissions nor restrictions regarding content, copyrights, or privacy (more on this in PART II). This means that what you have written on social media, blogs, comments on an article online etc. may have been stored and used by AI companies to train their chatbots.

Another source for training of generative AI systems is prompts, that is information from users when asking the chatbot something. What you ask ChatGPT, the sentences you write, and the generated text as well, is “taken care of” by the system and could be available for other users through the answer of their questions/prompts.

However, according to Open AI’s help center article, you can opt-out of training the model, but “opt-in” is obviously default.

So, both the Internet scraping and any personal information included in your prompts can have as result that personal information could turn up in a generated answer to another arbitrary prompt.

This is very problematic for several reasons.

Is Open AI breaching the GDPR?

First, OpenAI (and other scraping of the Internet) never asked for permission to use the collected data, which could contain information that may be used to identify individuals, their location, and all kinds of sensitive information from hundreds of millions of Internet users.

Even if Internet scraping is not prohibited by law, it is ethically problematic because data can be used outside the context in which it was produced, and so can breach contextual integrity, which has de facto been manifested in the EU’s General Data Protection Regulation (GDPR) Article 6, 1 (a) as prerequisite for lawful processing of personal data:

…the data subject has given consent to the processing of his or her personal data for one or more specific purposes

Here language models, like Open AI’s ChatGPT, are in trouble: Personal data can be used for any purpose – a clear violation of Article 6.

Second, there is no procedures given by Open AI for individuals to check if their personal data is stored and thereby can potentially be revealed by arbitrary prompt, and far less can data be deleted by request. This “right to erasure” is set forth in the GDPR Article 17, 1:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay …” on the grounds that “(d) the personal data have been unlawfully processed

It is inherent in language models that data can be processed in ways that are not predictable and presented/stored anywhere, and therefore the “right to be forgotten” is unobtainable.

Third, and without going into details, the GDPR gives the data subjects (individuals) regarding personal data the right to be informed, the right of access, the right to rectification, the right to object, and the right to data portability. It is questionable if generative AI systems can ever accommodate such requirements since an individual’s personal data could be replicated arbitrarily in the system’s huge dataset.

Fourth, Open AI stores all their data, including personal data they collect, one way or another, on servers located in the US. That mean they are subject to the EU-US Data Privacy Framework (see our blog Privacy, GDPR, and Google Analytics – Revisited), and the requirements set there.

To answer the question posed in the headline of this paragraph, Is OpenAI breaching the GDPR?It is very difficult to understand how ChatGPT, and other language models for generative use (Generative AI systems) as well, can ever comply with the GDPR.

What about the privacy regulations in the US?

Contrary to the situation in Europe, there is no federal privacy law in the United States – each state has their own jurisdiction in this area. There are only federal laws such as HIPAA (Health Insurance Portability and Accountability Act) and COPPA (Children’s Online Privacy Protection Act) which regulate the collection and use of personal data categorized as sensitive. However, there are movements towards regulation of personal information in several states as tracked by IAPP (The International Association of Privacy Professionals).

How do OpenAI use data they collect?

When signing up to ChatGPT, you have to agree to OpenAI’s Privacy Policy (PP), and allow them to gather and store a lot of information about you and your browsing habits. Of course, you have to submit all the usual account information, and to allow them to collect your IP-address, browser type, and browser settings.

But you also allow them to automatically collect information about for instance

“… the types of content that you view or engage with, the features you use and the actions you take, as well as your time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, and your computer connection”.

All this data made it possible to build a profile of each user – bare facts, but also more tangible information such as interests, social belongingness, concerns etc. This is similar to what search engines do, but ChatGPT is not a search engine — it is a “conversational” engine and as such is able to “learn” more about you depending on what you submit in a prompt, that is, how you engage with the system. According to their PP and the citation above, that information is collected.

The PP acknowledges that users have certain rights regarding their personal information, with indirect reference to the GDPR, for instance the right to rectification. However, they add:

“Given the technical complexity of how our models work, we may not be able to correct the inaccuracy in every instance.”

OpenAI reserves the right to provide personal information to third parties, generally without notice to the user, so your personal information could be spread to actors in OpenAI’s economic infrastructure and is very difficult to control.

Misuse of your personal information – what are the risks?

It is reasonable to assume that OpenAI will not knowingly and willfully set out to abuse your personal information because they have to adhere to strict regulations such as GDPR, where misuse could result in fines of hundreds of millions of dollars.

The biggest uncertainty is linked to how the system responds to input in combination with the system’s “learning” abilities.

If asked the “right” question, the system can expose personal information, and may combine information about a person, e.g. a person’s name, with characteristics and histories that are untrue, and which may be very unfortunate for that individual. For instance, asking the system something about a person by name, can result in an answer that “transforms” a credit card fraud investigator to be a person adhered to credit card scam.

Takeaways

Using generative AI systems, for example ChatGPT, is like chatting with a “black box” – you never know how the “box” utilizes your input. Likewise, you will never know the sources of the information you get in return. Also, you will never know if the information is correct. You may also receive information about other individuals that you shouldn’t have, potentially even sensitive and confidential information.

Similarly, other individuals chatting with the “box”, may learn about you, your friends, your company etc. The only way to avoid that, is to be very careful when writing your prompts.

That said, OpenAI has introduced some control features in their ChatGPT where you can disable your chat histories through the account settings – however the data is deleted first after 30 days, which means that your data can be used for training ChatGPT in the meantime.

You can object to the processing of your personal data by OpenAI’s models by filling out and submitting the User Content Opt Out Request form or OpenAI Personal Data Removal Request form, if your privacy is covered by the GDPR. However, when they say that they reserve the right “to determine the correct balance of interests, rights, and freedoms and what is in the public interest”, it is an indication of their reluctance to accept your request. The article in Wired is recommended in this regard.

Valuable sources

  1. GPT-3 Overview. History and main concepts (The Hitchhiker’s Guide to GPT3)
  2. GPT-3 technical overview
  3. Transformers – step by step explanation
  4. LMM training and fine-tuning

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Continue Reading →

Privacy, GDPR, and Google Analytics – Revisited

This is blog post #17 in our series on the GDPR.

Summary of the case

In our blog post on 23 October 2022, we referred to the Data Protection Authorities (DPAs) of Austria, Denmark, France, and Italy who were concluding that the use of Google’s Universal Analytics (UA or GA3) is not compliant with the EU’s General Data Processing Regulation (GDPR).

The reason for this is that the use of GA3 implies that personal data is transferred to the US, which at that point in time was not on the EU’s list of countries that have adequate level of protection of personal data. This means that the US was not fulfilling the requirements set by the EU/GDPR regarding ‘the protection of fundamental rights and freedoms of natural persons’, which is a key expression in the GDPR.

Furthermore, the Norwegian DPA (Datatilsynet) had up until 23 October 2022 received one (1) complaint regarding Google Analytics. Before any final decision is made, they have to confer with other supervisory authorities in the EEA that also have received similar complaints, according to GDPR Article 60 (One-Stop-Shop mechanism).

(We regret that links in italics in this article point to web pages in Norwegian.)

Universal Analytics (GA3) replaced by GA4

In October 2020, Google released Google Analytics 4, the new version of Google Analytics. In March 2022, Google announced that the Google Universal Analytics tool will be sunset in July 2023 and that Google would only provide the GA4 tool after 1 July 2023.

The Danish DPA have analyzed the GA4 regarding privacy, and concludes on their website that even if improvements have been made, it is still the case that “law enforcement authorities in the third country can obtain access to additional information that allows the data from Google Analytics to be assigned to a natural person.” That said, GA4 is illegal in terms of the GDPR because servers in the US are involved in the process, as long as an adequacy decision EU/US is not made.

The Norwegian DPA decision

Norwegian DPA reports on their website 27 July 2023 that they have concluded on the complaint mentioned above. The complaint stems from the noyb who lodged it against 101 European websites to the data supervisory authorities in the EEA for the use of GA. One of these was the Norwegian telecom-company Telenor, who at that time was using GA.

The conclusion is that personal data then was transferred to the US in violation of the GDPR, Article 44. In other words, the use of Google Analytics was illegal. Because Telenor discontinued use of GA on January 15, 2021, the Norwegian DPA in a letter on 26 July 2023 finds that a reprimand “to be an adequate and proportionate corrective measure”.

The Norwegian DPA relies on the Danish authority by claiming that the conclusion will be the same regardless of whether Google Analytics 3 or 4 has been used (see above).

What about adequacy EU/US?

On 10 July 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework and announced a new data transfer pact with the United States.

Accordingly, companies from the EEA area should be able to legally use GA as long as Google enter into a so-called Standard Contractual Clauses that provide data subjects with a number of safeguards and rights in relation to the transfer of personal data to Google LLC (Limited Liability Company) in the US.

However there is a big “but”: Max Schrems at noyb writes: “We have various options for a challenge already in the drawer, …. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it.”

To use the same phrase as in the recent update of our blog post On the EU-US data transfer problem: The last words are obviously not said.

Continue Reading →

Better search functionality and HTML view controls in Runbox 7

With this release we are adding more advanced search features including date range searches, as well as improved HTML view controls that let you save display preferences per individual sender.

💡 To access these features, ensure that Runbox 7 is updated by reloading it in a web browser or restarting it on your phone.

More advanced search functionality

Search field controls

By clicking the wrench icon next to the search field you can now easily search only for messages that:

  • Have one or more attachments.
  • Have been replied to.
  • Are flagged.
  • Are unread.

This screenshot shows the advanced search area that provides you with extensive options for message search:

Advanced search screenshot
Advanced search area screenshot

Additionally you can now search by date ranges, for instance messages that were:

  • Received in 2023: date:2023
  • Received between 2020 and 2021: date:2020..2021
  • Received in 2021 or later: date:2021..

Improved HTML message view controls

We have also improved the HTML message view controls that allow you to save HTML and image display preferences for individual senders or for all senders.

The examples below illustrate how this functionality can be used.

HTML view options example 1

Show the text version for the current message:

HTML view options example 2

Show the HTML version with images for all messages from this sender:

Larger popular recipients list

The popular recipients list in Compose has also been improved by increasing the number of contacts from 5 to 10.

The addresses shown beneath the To field can be added to the To field by clicking on them, or dragged to the To, CC, or BCC fields.

Note that this functionality is only available when using the local search index, which is controlled by the “Synchronize index” button in the lower left corner.

Changelog since the previous release

For the more technically inclined, a list of the changes made to Runbox 7 since the previous release can be found below.

Please see https://runbox.com/app/changelog for the complete and categorized changelog.

Commits from fd5c902 to d6c1dca:

  1. Visual changes (preview): Improve formatting of the empty preview pane. (60fcacf)
  2. Visual changes (mailviewer): Increase vertical flexibility of subject field. (364272b)
  3. Visual changes (mail menu): Improve read and unread icons. (93e75ae)
  4. New feature (search): Add more options to advanced search pane. (f2104ac)
  5. Visual changes (preview): Improve HTML display buttons. (16b7a77)
  6. Internal changes (preview): Update test. (7cfda5f)
  7. New feature (search): Enable date range searches (6e8acdb)
  8. New feature (search): Enable Unread Only checkbox only if other options set (45ee5be)
  9. Bug fix (preview): Add tooltip for all senders button. (d86b6eb)
  10. Visual changes (compose): Improve and fix recently used recipients list. (ccbf85b)
  11. Bug fix (payments): Always show “payment not loading” for stripe (ff53567)
  12. Bug fix (payments): Change “payment not loading” to “not working” (e137b26)
  13. Bug fix (payments): Change “legacy” to “alternative” (d6c1dca)

Continue Reading →

Runbox 7 updates March – May 2023: Framework upgrades and interface improvements

This constitutes a major upgrade to the framework and libraries that Runbox 7 is built on, which will facilitate further continuous upgrades and features.

It also includes several bug fixes and improvements, including storing display preferences on the server. This will make the user interface work more consistently across browsers, devices, and sessions and result in a more streamlined experience.

  1. Internal changes (deps): bump ua-parser-js from 0.7.31 to 0.7.33 (75df34d)
  2. Internal changes (deps): bump jszip from 3.7.1 to 3.10.1 (ef32ab1)
  3. Bug fix (drafts): Ensure we only refresh drafts once per folders update (f024af2)
  4. Bug fix (delete): Catch/Prevent more errors by ensuring defaults (5e83f89)
  5. New feature (mailviewer): Display incoming attachment sizes (926ab4b)
  6. Bug fix (compose): More readable attachment file size display (e44fc63)
  7. Visual changes (security): Specify which special characters are allowed in passwords. (#1401) (c575f06)
  8. Internal changes (deps): Update angular2-hotkeys to v13 (85aee64)
  9. Internal changes (deps): Upgrade to angular 12 (11b3aeb)
  10. Internal changes (deps): Update nodejs version for CI (a5cd077)
  11. Internal changes (deps): Upgrade angular-datetime-picker (2a87817)
  12. Internal changes (deps): Upgrade to v13 (4c744c1)
  13. Internal changes (deps): Change swupdate.available to swupdates.versionUpdates (ad7b36a)
  14. Internal changes (deps): Move from tslint to eslint (c010fca)
  15. Internal changes (deps): Remove –aot for start-use-mockserver (08afe91)
  16. Internal changes (deps): Remove SingleMailViewerComponent from rmm6.module.ts (ddebc3f)
  17. Internal changes (deps): Upgrade cypress to 9.7 (c38f460)
  18. Internal changes (deps): Update ical.js to 1.5.0 and use ES2020 modules (9bf6dda)
  19. Internal changes (deps): Fix selectFile file path (ee83c8f)
  20. Internal changes (deps): Update dependant packages (2c11d60)
  21. Internal changes (deps): Upgrade to angular v14 (cddac42)
  22. Internal changes (deps): Explicitly specify runbox7 for build (1b07233)
  23. Internal changes (deps): Upgrade angular/material to v13 (adef6c3)
  24. Internal changes (deps): Revert to angular/material v11 for auto upgrade (97f89cc)
  25. Internal changes (deps): Manually upgrade to angular material v12 (3e04baa)
  26. Internal changes (deps): Upgrade material to v13 (3096d97)
  27. Internal changes (deps): Upgrade angular-datetime-picker to v14 (3876111)
  28. Internal changes (deps): Upgrade to material v14 (c280c39)
  29. Internal changes (deps): Fix missing hues for SCSS (6a916d5)
  30. Internal changes (deps): Update @angular-eslint packages (8b0c16f)
  31. Internal changes (deps): Upgrade to angular v15 (2374336)
  32. Internal changes (deps): Upgrade to angular material v15 (6dc73b2)
  33. Internal changes (deps): Remove duplicate @include from SCSS (b35a68a)
  34. Internal changes (deps): Change default browser for CI to firefox (ab522f6)
  35. Internal changes (deps): Upgrade npm, comment out pre-build.js integrity check (ff13958)
  36. Internal changes (deps): remove –browser firefox from e2e tests (ab8b437)
  37. Internal changes (tests): Add DISPLAY=” to ci-tests (8441a51)
  38. Internal changes (deps): Remove unused protractor dependency (6e0f935)
  39. Internal changes (deps): Upgrade core.js to v3 (7aa65d3)
  40. Internal changes (deps): Remove unused protractor files (b7c312b)
  41. Internal changes (deps): Upgrade @angular-devkit/build-angular and move angular/compiler-cli to devDependencies (4cd4bc2)
  42. Internal changes (deps): Remove unused ajv dependency (b447972)
  43. Internal changes (deps): Upgrade angular-calendar (a273376)
  44. Internal changes (deps): Update rxjs to v7 (a87c0b3)
  45. Internal changes (deps): Upgrade @angular/pwa (d4850f0)
  46. Internal changes (deps): Remove array-flat-polyfill (8c527d8)
  47. Internal changes (deps): Update moment-timezone and remove uneeded @types/moment-timezone (478eb5a)
  48. Internal changes (deps): Update rest of dependencies (excluding timymce) (5ed129b)
  49. Internal changes (deps): Update jasmine to latest version (d0084df)
  50. Internal changes (deps): Upgrade karma to latest version (da8a151)
  51. Internal changes (deps): Update ts-* deps and node types (0b7abb4)
  52. Internal changes (deps): Update start-server-and-test (ee77754)
  53. Internal changes (deps): Update eslint and @typescript-eslint (4285f0d)
  54. Internal changes (deps): Update cypress to v10 (d350af9)
  55. Internal changes (deps): Update cypress to v11 (480b506)
  56. New feature (all): Store user preferences on the server (1409515)
  57. New feature (compose): Store last used HTML compose setting (dc1a75e)
  58. Bug fix (mailview): Store “prompted for local index” preference on server (0d9085e)
  59. Internal changes (preferences): Ensures tests set defaults, test correct values (035f28c)
  60. Bug fix (preferences): Remove old style local storage after conversion (7ca13b7)
  61. Bug fix (preferences): Ensure higher server version takes precedence (d8766f8)
  62. Bug fix (preferences): Load screensize before settings (da76123)
  63. Internal changes (deps): Update cypress to v12 (4ba7f7e)
  64. Internal changes (lint): Only include src/ else we run out of js heap memory (f359c38)
  65. Internal changes (deps): bump @npmcli/arborist and npm (9cf4279)
  66. Bug fix (compose): Generate Reply/Fwd header text only when needed (7afcbf7)
  67. Bug fix (compose): Convert reply/fwd text if compose HTML default is on (c512556)
  68. Bug fix (maillist): Store and reload column widths from preferences (cfb732d)
  69. Visual changes (preview): Improve formatting of the empty preview pane. (60fcacf)
  70. Visual changes (mailviewer): Increase vertical flexibility of subject field. (364272b)
  71. Visual changes (mail menu): Improve read and unread icons. (93e75ae)
  72. Bug fix (changelog): Add missing categories and improve formatting. (fd5c902)

Continue Reading →

Phishing: What it is and how to avoid being scammed

There’s an uptick in phishing emails again. Here’s a refresher.

In the past few weeks there have been a series of phishing attacks aimed at a small subset of Runbox customers. The goal of these scams is to trick unsuspecting email users into clicking on malicious web links and entering their Runbox username and password, enabling the scammers to steal their password.

At Runbox we are constantly on guard against phishing attacks against our customers, and here we take a closer look at this increasing problem and some simple steps you can take to protect yourself.

As a summary, ensure that you check:

  1. The From address. Phishing messages almost always come from a random email address that do not match our list of Official Runbox Email Addresses.
  2. The message addresses you by name. Scammers typically only have lists of email addresses without any first or last names, so if the message does not address you by your first and last name it is likely to be a scam.
  3. The legitimacy of any email with links. Check where the link will actually take you. Hover over it with your mouse, and you can see whether it will in fact take you to some random address not associated with Runbox at all.
  4. Any false urgency. Runbox will never pressure you to act suddenly. Scammers may try to create a sense of urgency to persuade you to do what they’re asking.

What is phishing?

Example of a recent phishing message

Phishing is a type of cyber attack in which an attacker attempts to obtain sensitive information such as usernames, passwords, or credit card details by posing as a trustworthy entity via email messages.

The word “phishing” is derived from fishing and refers to using lures to “fish” for sensitive information. Phishing attacks typically use social engineering to gain a victim’s trust, and use spoofing such as faking an email address or URL to make the attack appear legitimate.

When phishing attacks are targeted at certain services or individuals it’s called “spear phishing”, and in this case they appear to be sent from Runbox Support, the Runbox Team, or other similar official sounding names.

Email users who are unfortunate enough to receive a spear phishing message and end up divulging their Runbox login details can end up having their Runbox accounts hijacked and used to send spam, which then forces us to suspend the accounts until the customer can regain access.

With access to an email user’s account the attackers may then be able to access their personal information and use it to commit fraud or identity theft, which can in turn result in financial loss or worse.

Naturally such account hijacking causes much confusion for the affected customers in addition to the privacy intrusion and consequences for the recipients of the spam being sent, which is often another phishing scam. The phishing then continues to cascade to new groups of innocent users of other email services, while exploiting people’s trust and rarely being caught.

It is important to understand that these scammers are criminals, and that being tricked into disclosing any login details can have serious consequences.

How to spot phishing

The easiest way to see whether a message is in fact from Runbox is to check the From address, as phishing emails almost always come from a random email address not on any Runbox domain names such as runbox.com.

Example of legitimate email from Runbox

You can find more details on this here: How can I tell whether an email is legitimate?

Another important clue is whether the email addresses you by name, or whichever name you have entered in your Runbox Account details. Attackers typically only have lists of email addresses without any first or last names, so if the message does not address you by name it is likely to be a scam.

The third way to check the legitimacy of any email which asks you to click on a link, is to check where the link will actually take you. Some phishing links look like they link to a Runbox web page, but if you hover over it with your mouse, you can see that it will in fact take you to some random address not associated with Runbox at all.

If in doubt, go to our main website Runbox at https://runbox.com for information, or contact us via Runbox Support at https://support.runbox.com.

Do not be fooled or threatened by the scams

Most phishing emails have a very urgent and even threatening tone, trying to scare the recipient into acting right away to avoid having their account shut down or disrupted.

The scammers might even read our blog or other web pages and notice that we have two webmail versions, and subsequently send messages claiming that if you don’t switch to the newer version within X days, then your account will be shut down, for instance.

Legitimate messages from the Runbox Team will always give notice about something happening in the future, or optional new features.

Catching the scammers

We are constantly working to improve our defenses against phishing attacks, spam, and viruses, and we take immediate action to remove spear phishing messages as soon as we become aware of an attack.

If you have received any scam emails like the ones described above without responding in any way then your account is perfectly safe. We do however appreciate you notifying us via Runbox Support at https://support.runbox.com so that we can take steps to protect you and our other customers against the attack.

We also highly recommend enabling our Two-Factor Authentication features, which will keep your account safe even if your password should be stolen. For more on this, please see our Account Security Help page at https://help.runbox.com/account-security/.

If you have any doubts about an email you have received, then please don’t hesitate to contact Runbox Support at https://support.runbox.com.

Continue Reading →

On the EU-US data transfer problem

This is blog post #16 in our series on the GDPR.

At Runbox we are always concerned about data privacy – “privacy is priceless” – and we put some effort into keeping ourselves updated on how the EU’s General Data Protection Regulation (GDPR) affects privacy related issues.

That’s because we want to be prepared in case something happens within the area that will affect the Runbox organization, our services, and consequently and most important: our customers.

Update 2023-08-06

On 10 July the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework and announced a new data transfer pact with the United States. See the full text here: COMMISSION IMPLEMENTING DECISION.

A flyer from the European Commission is also available, and a summary of the situation is available from Reuters.

The Austrian non-profit organization NOYB, chaired by Maxmillian Schrems, stated:

We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.

We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it.” [source]

The last words are obviously not said.

Originally published 2023-03-19

The case of EU-US data transfer is highly relevant because Runbox has an organizational virtual modus operandi, and that this could lead to an opportunity to involve consultants that are residing in the US. We know that many of our customers are as concerned as we are about data privacy, so we believe it is pertinent to share our findings.

In blogpost #15 in our series of the GDPR we referred to the Executive Order signed by US President Joe Biden on 07 October 2022. This happened six months after the US President and the President of the EU Commission Ursula von der Leyen with much publicity signed the Trans-Atlantic Data Privacy Framework on 25 March 2022.

Joe Biden and Ursula von der Leyen at a press conference in Brussels. [Xavier Lejeune/European Commission]

In this blog post we will take a closer look at the Trans-Atlantic Data Privacy Framework, and the process thereafter.

Trans-Atlantic Data Privacy Framework

The objective of the Framework is to (re)establish a legal (with regards to the GDPR) mechanism for transfers of EU personal data to the United States, after two former attempts (Safe Harbour and Privacy Shield) were deemed illegal by the Court of Justice of the European Union (CJEU).

The Framework ascertains United States’ commitment to implement new safeguards to ensure that ‘signals intelligence activities’ (SIGINT, intelligence-gathering by interception of signals) are necessary and proportionate in the pursuit of defined national security objectives. In addition, the Framework commits the US to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.

Following up the 25 March 2022 Biden–von der Leyen agreement, the US president signed on the 7 October 2022 the Executive Order (EO) ‘Enhancing Safeguards for United States Signals Intelligence Activities’.

US compliance with the GDPR

Subsequently a process was initiated on 13 December 2022 within the EU Commission to assess whether the US, after the implementation of the EO, will meet the requirements qualifying the US to the list of nations that is compliant with the GDPR Article 45 “Transfers on the basis of an adequacy decision”. That is, whether the European Commission has decided that a country outside the EU/EEA offers an adequate level of data protection. To those countries, personal data may be transferred seamlessly, without any further safeguard being necessary, from the EU/EEA.

Inclusion of the US on that list is of course very important, not least for companies like Facebook and Google, and US companies offering cloud-based services as well. The Court of Justice of the European Union (CJEU) has deemed earlier transfer schemes (Safe Harbour and Privacy Shield) illegal, so “the whole world” is waiting for the EU Commission’s adequacy decision.

This came, as a draft, 14 February 2023 where the Commission concludes (page 54) that “… it should be decided that the United States ensures an adequate level of protection within the meaning of Article 45 of Regulation (EU) 2016/679, …)

(The figure below illustrates the “road” for legislative decisions in the EU. A more comprehensive description of the legislative procedure can be found here.)

However, the same day, 14 February 2023, the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament concludes.. the EU-US Data Privacy Framework fails to create actual equivalence in the level of protection; ..” and “..urges the Commission not to adopt the adequacy finding;”.

Incompatible legislative frameworks

There are two important arguments, among others, behind the Commission’s conclusion: 1) There is no federal privacy and data protection legislation in the United States, and 2) the EU and the US have differing definitions of key data protection concepts such as principles of necessity and proportionality (for surveillance activities etc.), as pointed out by the Court of Justice of the European Union (CJEU).

Shortly thereafter, on 28 February 2023, the European Data Protection Board (EDPB) made public their opinion on the decision of the EU Commission regarding the adequacy. The EDPB has some concerns that should be clarified by the Commission, for instance relating to exemptions to the right of access, and the absence of key definitions.

Furthermore, the EDPB remarks that the adequacy decision is only applicable to US organizations which have self-certified, and that the possibility for redress provided to the EU data subjects in case of violation of their rights is not clear. “The EDPB also expresses concerns about the lack of a requirement of prior authorization by an independent authority for the collection of data in bulk under Executive Order 12333, as well as the lack of systematic independent review ex post by a court or an equivalently independent body.”, as stated in Opinion 5/2023.

The next step in the process is voting over the Commissions proposal in the European Parliament, probably in April, and thereafter the adequacy decision must be approved by all member states, before the EU Commission’s final decision.

The Commission may set aside the results of the voting in The Parliament, but one should expect that the critics from The Committee on Civil Liberties, Justice and Home Affairs, and the concerns of EDPB, will impact the implementation of the Framework.

Here it would be prudent to recall the statement made by the Austrian non-profit organization NOYB, chaired by Maxmillian Schrems: “At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later.”. This refers to the verdicts of the CJEU (Court of Justice of the European Union) condemning the former frameworks Safe Harbour and Privacy Shield – the verdicts bearing the name Schrems I and Schrems II, respectively.

Bottom Line: The final outcome of the process is unclear, but in any event we have to wait for the final decision of the EU Commission.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought regarding any specific circumstances.

Continue Reading →

Runbox 7 updates November 2022 – March 2023: Performance improvements and other upgrades

Improvements to the app performance as well as several bug fixes.

  1. Visual changes (start): Improve formatting. (cdd4304)
  2. New feature ure(index): Separate message updating into its own thread (0c5470a)
  3. Internal changes (index): Tweak tests (and code to pass tests) for web workers (0a9f4b0)
  4. Bug fix (index): Ensure we verify folder counts against the api (1830cbb)
  5. style(payment): Clarify main accounts vs sub-accounts. (f5bd0ef)
  6. Visual changes (payment): Improve tables and buttons, and default to USD. (bf9d7a2)
  7. Visual changes (payment): Correct button style declarations. (6ed082a)
  8. Bug fix (test): Update tests. (5bcb46d)
  9. Internal changes (index): Tidy up some debugging code (6c80615)
  10. Internal changes (deps): bump engine.io and socket.io (9f38fd3)
  11. Internal changes (deps): bump decode-uri-component from 0.2.0 to 0.2.2 (f6d83a1)
  12. Internal changes (deps): bump tinymce from 5.10.0 to 5.10.7 (e0637d9)
  13. Internal changes (deps): bump express from 4.17.1 to 4.18.2 (f173b2c)
  14. Internal changes (index): Remove some index/worker console logging (f257902)
  15. Bug fix (messagelist): Ensure drag&drop of selected emails moves them all (633515d)
  16. New feature (messagelist): Allow drag&drop from more table columns (db21e68)
  17. Geir/condensed layout 2 (#1338) (8640b1d)
  18. Bug fix (inbox): Show notification when new messages appear (ef603ef)
  19. Geir/condensed layout 2 (#1344) (42a7a72)
  20. Bug fix (maillist): Add error catching for the mail list updating (89499bd)
  21. Bug fix (messagelist): Ensure user-actions don’t stop the index updates (509839a)
  22. Bug fix (messagelist): Log errors thrown by postMessage, keep worker alive (034dbb9)
  23. Visual changes (payment): Add link to Sub-account section. (2384b37)
  24. Internal changes (deps): bump json5 from 1.0.1 to 1.0.2 (6b8514b)
  25. Internal changes (deps): bump luxon and rrule (fe0405e)
  26. Internal changes (deps): bump qs from 6.5.2 to 6.5.3 (ac8703c)
  27. Internal changes (deps): bump moment-timezone from 0.5.28 to 0.5.35 (3516498)
  28. New feature (overview): Improve time span options. (02358ef)
  29. Internal changes (deps): bump ua-parser-js from 0.7.31 to 0.7.33 (75df34d)
  30. Internal changes (deps): bump jszip from 3.7.1 to 3.10.1 (ef32ab1)
  31. Internal changes (deps): bump http-cache-semantics from 4.1.0 to 4.1.1 (0f6c62f)
  32. Visual changes (payment): Change description of pending/incomplete transactions. (#1371) (6952fa6)
  33. Bug fix (overview): Make Inbox selection more lenient. (50d5218)
  34. Bug fix (folders): Ensures we refresh the folder list on a name change (5fd354a)
  35. Internal changes (api): Filter for successes in te API folder calls (c13796f)
  36. Visual changes (login): Simplify and improve login screen. (#1377) (a5c5f85)
  37. Bug fix (drafts): Ensure we only refresh drafts once per folders update (f024af2)
  38. Visual changes (folders): Increase width of folders modal. (a50aa6d)

Continue Reading →

Christmas wrap-up: Runbox 7 Upgrades in 2022

Here at Runbox we have been hard at work over the past several months making improvements to Runbox 7, our cutting edge webmail app available at https://runbox.com/app.

Our goal is to develop the fastest and most user-friendly email service available, and as we’re winding down a bit for the holidays we take the opportunity to tell you all about the many bug fixes and other improvements we have made based on feedback from you, our customers.

The most noticeable change is that we have decreased the font sizes slightly, which allows a much more efficient use of the available space in your browser:

Runbox 7 screenshot

Based on your feedback we have fixed a large number of issues that makes the Runbox 7 app more streamlined in everyday use. Through a series of Quality Milestones and a thorough review of Runbox 7 feedback along with diverse support requests we have made over 70 improvements to:

  • The overall performance and reliability of the app
  • Folder and message list displays
  • Compose and the Draft Desk, including attachment handling
  • Message view including the display of HTML and images
  • Settings including Identities and Account Security
  • Contacts and Calendar interfaces
  • Product and payment pages

You can find a complete list of all the updates made to Runbox 7 as well as a detailed changelog in the Runbox 7 app itself.

After this period dedicated to improving the quality of existing functionality in Runbox 7 we are gearing up to continue implementing the Runbox 7 Roadmap in 2023, so stay tuned for new features and improvements coming your way in 2023!

Continue Reading →

Runbox 7 updates August-November 2022: Streamlining and bug fixing

Improvements and bug fixes to several parts of the app.

  1. Internal changes (deps-dev): bump karma from 6.3.2 to 6.3.16 (cf19be5)
  2. Bug fix (account-security): Load App Passwords switch enabled, if in use (cdbef1c)
  3. Internal changes (deps): bump terser from 4.8.0 to 4.8.1 (4234974)
  4. Bug fix (2fa): QRCodes for 2fa should be readable in more browsers (f450220)
  5. Bug fix (tests): Github actions tests failing, try more heap size (d96715c)
  6. Internal changes (deps): bump moment from 2.29.2 to 2.29.4 (7f25bbc)
  7. Checks the msg IDs given to API for certain endpoints are valid (ef6acfa)
  8. Replaced text for alias as per request from #1091 (dccf1a9)
  9. Adds a link to caldav sync guide on calendar (c30f4ab)
  10. Bug fix (api): Don’t show errors while loading data in the background (ac23654)
  11. Bug fix (searchservice): Fix compilation error (d4156c8)
  12. sstyle(payment): Clarify main accounts vs sub-accounts. (e7a2c18)
  13. Visual changes (payment): Improve tables and buttons, and default to USD. (84dc7e9)
  14. Visual changes (payment): Correct button style declarations. (4f4f50a)
  15. Bug fix (test): Update tests. (24ac6d0)
  16. Internal changes (calendar): Correctly ad/modify events in calendar service tests (ddeaf33)
  17. Bug fix (changelog): Ensure typos in commit entries do not break the page (09ed2e4)
  18. Visual changes (payment): Payment interface updates. (#1319) (ee47246)
  19. Bug fix (compose): Ensure we can attach same file twice in compose (014c462)
  20. Bug fix (compose): Only run one draft saving attempt at a time (bf44d90)
  21. Bug fix (compose): Adds code checks to fix issues from sentry reports (3769663)
  22. Bug fix (messaging): Ensure msg fetching works after network is restored (0233288)
  23. Bug fix (calendar): Setting “all day” flag on events now saves properly (007b2d5)
  24. Bug fix (compose): Enable drag&drop of images into HTML compose window (87a06f9)
  25. Bug fix (compose): Enable inserting attached files into HTML compose (ea1d989)
  26. Bug fix (compose): Remove drag&drop to compose html window (788fb1a)

Continue Reading →