Out of Control: Apps that share personal data revealed by the Norwegian Consumer Council

“If you are not paying for the product, then you are the product”.

This is a common saying when referring to online services that are offered for no financial payment (“free”).

The reason is that they often collect some personal data about you or your use of the service that the provider then can sell to the online advertising and marketing industry for payment. The payment they get for this covers the cost of providing the service to you and also allows for a profit to be made.

And so, they earn their money, and the app users are their product.

Apps as a source for big personal data

At Runbox we collect only the data that is required in order for us to provide our services to you, and that data is never shared with anyone for marketing or financial purposes.

However, it is common knowledge that companies like Google and Facebook use our personal data for targeted advertising. The personal data collected is anonymized and often aggregated to produce larger data sets, which enable them to target individuals or groups based on common preferences — for instance that they live in a certain location or like to drink coffee.

The idea that your data is anonymized might provide some comfort. But because of smartphones and the smartphone software applications (“apps”) many people use, companies can collect a large range of types of data and so trace individuals without asking for personal details such as your name. Examples of this type of data are your smartphone's unique identifier (IMEI number [1]) and IP address (when connected via WiFi).

Combined with your email address, GPS data, app usage etc., it is possible to identify specific individuals – namely you!

Exposing the AdTech industry

To investigate this issue, The Norwegian Consumer Council (NCC), a government funded organization representing consumer interests in Norway, published a groundbreaking report last year about how the online marketing and AdTech (Advertising Technology) industry operates.

The report’s title immediately raised the flag: “Out of Control” (OuC) [2]. And the subtitle outlines the findings: “How consumers are exploited by the online advertising industry”.

The report tested and analyzed 10 popular “apps” under the umbrella “social networking apps”, and the findings were concerning. Most users of such apps know that registering your personal data is optional, and after the introduction of the GDPR every app is careful to ask for your consent and encourages you to click OK to accept their Privacy Policy.

What many users will not know is how much and how far the personal data is distributed. Only a few users will be aware that clicking OK implies that your data is fed into the huge AdTech and MarTech industry, which is predicted to grow to USD 8.3 billion in annual revenues by 2021 [3].

The players in this industry are giants such as Amazon, Facebook, Google and Twitter. If that was not enough, both iOS (Apple) and Android (Google) have their ways to track consumers across different services.

Apple, being more privacy-minded than some others, has recently developed options that allow the user to reset the “unique” advertising identifier in devices and also stop tracking across WiFi networks, in order to break the identification chain and make it harder to target a specific user.

But the industry also has a large number of third-party data and marketing companies, operating quietly behind the scenes.

The far-reaching consequences of AdTech

This is what the NCC’s report is about, and the findings are concerning:

The ten apps that were tested transmit “user data to at least 135 different third parties involved in advertising and/or behavioral profiling” (OuC, page 5).

A summary of the findings is presented on OuC page 7, and here we find social networking apps, dating apps and apps that are adapted to other very personal issues (for instance makeup and period tracking). The data that is gathered can include IP address, GPS data, WiFi access points, gender, age, sexual orientation, religious beliefs, political view, and data about various activities the users are involved in.

This means that companies are building very detailed profiles of users, even if they don’t know their names, and these data are sent to, for instance, Google’s advertising service DoubleClick and Facebook. Data may also be sold in bidding processes to advertising companies for targeted advertising.

It is one thing to see ads when you perform a Google search, but it’s quite another to be alerted on your phone with an ad while you are looking at a shop’s window display, or passing a shop selling goods the advertiser knows you are interested in. Scenarios like these are quite possible, if you have clicked “OK” to a privacy policy in an app.

Personalized directed ads are annoying, but even worse is that the collection and trade of personal data could result in data falling into the hands of those who may then target users with insults, discrimination, widespread fraud, or even blackmail. And there is clear evidence that personal data have recently been used to affect democratic elections [4].

What happened after The Norwegian Consumer Council published “Out of Control”, will be covered in our next blog post, but we can reveal that one of the companies studied had a legal complaint filed against them for violating the GDPR and is issued an administrative fine of € 9.6 million.

So stay tuned!

References:

  1. IMEI stands for International Mobile Equipment Identity.
  2. The report Out of Control was referred to in our previous blog post GDPR in the Wake of COVID-19: Privacy Under Pressure.
  3. Source: https://privacyinternational.org/learn/data-and-elections
  4. Source: https://bidbalance.com/top-10-trends-in-adtech-martech/


Runbox 7 updates March 2021: Video conferencing and other improvements

  1. Bug fixes (account): Make sure sub-accounts can access account security and other not payment related paths
  2. New feature (onscreen): Hide onscreen behind the Konami code
  3. New feature (onscreen): Basic Jitsi integration
  4. New feature (overview): Add usage tracking to Overview
  5. Visual changes (onscreen): Positioning adjustments
  6. Visual changes (payment): Replace cryptocurrency logo and improve formatting.


Runbox 7 updates January-February 2021: Improvements to Account Security and Profiles

Much better mobile views and many other improvements.

  1. New feature (usage): Add usage stats for tracking the popularity of components/settings
  2. Bug fixes (app): Hide the overview button if no local index is available
  3. Bug fixes (mailviewer): Fix disappearing mail viewer menu
  4. Bug fixes (mailviewer): Delete trash more efficiently (with less errors)
  5. New feature (account): Make transactions page usable on mobile
  6. Visual changes (account): Move the shopping cart icon to the toolbar in mobile
  7. Visual changes (account): Improve the cart listing on mobile screens
  8. Visual changes (account): Make product cards more responsive
  9. Bug fixes (canvastable): Be a bit more lenient when detecting message selection; Visual changes (account): Make payment methods more responsive
  10. Visual changes (account): Improve payment form responsiveness
  11. Visual changes (account-security): Make section toggles lay out better
  12. Visual changes (account-security): Make HTML code formatting consistent
  13. Visual changes (account-security): Improve layout responsiveness for TOTP
  14. Visual changes (account-security): Improve responsiveness of trusted browser entry
  15. Visual changes (account-security): Replace trusted browsers table
  16. Visual changes (account-security): Make Services table more mobile-friendly
  17. Visual changes (account-security): Don’t wrap dates in Trusted Browsers table
  18. Visual changes (account-security): Fix minor alignment issue in trusted browser
  19. Visual changes (account-security): Fix name and mobile alignment for the status
  20. Visual changes (account-security): Make app passwords usable on mobile
  21. Visual changes (mobilequery): Allow for phone/tablet/desktop layouts
  22. Visual changes (profiles): Make Identities page mobile friendly
  23. Visual changes (profiles): Reposition warning message and make it more visible
  24. Visual changes (profiles): Make editor modal mobile friendly
  25. Bug fixes (searchservice): Fix test failures that Angular 10 uncovered
  26. Bug fixes (mailviewer): Remove an excessive icon description
  27. New feature (account): Integrate account security in the account sidemenu
  28. New feature (account): Include identities in the account settings sidemenu
  29. New feature (webmail): Monitor users’ local index dialog decision
  30. Bug fixes (compose): Always set a reply to when the “From” changes
  31. Bug fixes (tinymce_spellcheck): Fix issue 480 where TinyMCE intercepts right-click and breaks spell check
  32. Bug fixes (tinymce): Make icons load again
  33. New feature (identity): Make main identity editable
  34. Bug fixes (calendar): Ensure events are displayed chronologically
  35. New feature (webmail): Track instances of index removal
  36. Bug fixes (contacts): Improve error strictness/messaging on contacts import
  37. Visual changes (account-security): Fix responsivity, add last-logins table
  38. Visual changes (account-security): Add Sessions table for mobile
  39. Bug fixes (account-app): Fix a typo in Subscriptions
  40. Visual changes (account): Change font formatting for more minimal look
  41. New feature (app): Redirect standalone identities and accountsecurity
  42. New feature (payments): Disable Bitpay payment option


Happy New Year from Runbox

2020 was a very challenging year for many people around the world, and especially as a consequence of the ongoing global health situation. As we begin a new year we think about all those who have been impacted by the COVID-19 pandemic.

At the same time it is important that we don’t forget about other global challenges, and as Runbox celebrated 20 years in 2020 we naturally considered the current state of the environment compared to the year 2000.

Since the year Runbox was founded, global energy-related carbon dioxide emissions have increased over 40% from approximately 23 to 33 gigatons as illustrated by the figure below.

Source: IEEE Earthzine (https://earthzine.org/climate-indicators-in-the-covid-19-season/)

There was a significant increase in emissions over the past year, and despite the pandemic-related drop during 2020 world liquid fuels production and consumption is forecast to continue nearly unabated in 2021 and beyond.

Source: US EIA (https://www.eia.gov/outlooks/steo/)

It is clear that the global environmental crises in all likelihood remain the most essential and existential challenges facing mankind, and that 2020 only represents a temporary interruption.

Still, Runbox remains optimistic, and will in 2021 renew and reinforce our commitment to our Environmental Policy, our offer to provide free email services to environmental non-profit organizations, and a double negative carbon footprint through our support for World Land Trust.


Runbox 7 updates December 2020: Improvements to Start Desk

  1. New feature (usage): Add usage stats for tracking the popularity of components/settings
  2. Bug fixes (app): Hide the overview button if no local index is available
  3. Bug fixes (mailviewer): Fix disappearing mail viewer menu
  4. New feature (webmail): Integrate startdesk as a webmail “folder”
  5. Bug fixes (recursive_dynamic_builder): Lint errors fix
  6. Bug fixes (startdesk): Remove timeperiod-specific wording
  7. Visual changes (start): Fix breakpoints for mobile
  8. Visual changes (start): Condense layout in heading area
  9. Visual changes (start): Move section title to the top bar for mobile
  10. Visual changes (start): Clean up and remove unused code
  11. Visual changes (start): Remove heading and adjust the space in top area
  12. Bug fixes (calendar): Ensure we show recurring events correctly color-tagged
  13. New feature (builder): Remove unused var
  14. New feature (builder): Runbox dynamic builder research
  15. New feature (startdesk): Implement folder selectors
  16. New feature (start): Add folder selector.
  17. Visual changes (startdesk): Make folder selector a little more bearable on mobile
  18. Bug fixes (start): Fix case sensitivity for address matching
  19. Visual changes (start): Improve responsivity for mobile screens
  20. Bug fixes (contacts): Only sync once during import of many contacts
  21. New feature (sentry): Include user data in error reports
  22. Bug fixes (account_security): Fix modal typo s/reasions/reasons/


Runbox 7 updates September-November 2020: Account Security screen and other improvements

Brand-new Account Security screen, and numerous other improvements and bug fixes.

  1. Bug fixes (account security): Total number of cols is 6 and not 7
  2. New feature (account): Add a way to view sub-accounts associated with a product
  3. New feature (account security): Add missing main app password toggle
  4. Bug fixes (account security): List FTP last on services
  5. New feature (account security): Update last logins labels. Show success/fail instead of 1/0
  6. New feature (account security): Hide account security access control
  7. Bug fixes (account security): Suppress always block button
  8. Bug fixes (mailviewer): Show missing From content when not using local index
  9. Visual changes (payment): Remove 20th Anniversary special offer promotion.
  10. Bug fixes (account): Invert the condition checking for the limited time offer
  11. Bug fixes (account-timer): Make sure RunboxTimer is always properly initialized
  12. Bug fixes (webmail): Fix URL navigation
  13. Bug fixes (cart): Allow purchases (with warnings) even if unavailable products are in the cart
  14. New feature (mailviewer): Add select-all option for selecting messages
  15. Bug fixes (contacts, calendar): Warn user on incorrect import file types
  16. Bug fixes (mailviewer): Stop select-all-menu from jamming
  17. Bug fixes (cart): Fix an exception upon viewing an empty cart
  18. Bug fixes (cart): Fix a cart bug when two separate, identical products appear in it
  19. Bug fixes (calendar): Editing an item displays the correct times
  20. Visual changes (payment): Add 20th Anniversary special offer promotion.
  21. Bug fixes (account security): Don’t display bottom pane “invalid password” msg
  22. Bug fixes (start): Comment out panel mockups from the view
  23. Bug fixes (webmail): Select loaded row url correctly on refresh
  24. New feature (account security): Update account security menu link
  25. Bug fixes (account security): Use routerLink in the account security link
  26. Bug fixes (account): Don’t require Micro accounts to purchase addons for own domain usage


The Norwegian COVID-19 contact tracing app is banned by the Data Protection Authority

GDPR in the Wake of COVID Spread: Privacy under Pressure – Part 2

Our previous blog post in this series concerned mobile phone applications under development, or already developed, in various countries for tracing the spread of COVID-19 infections. In particular the blog described the situation in Norway, and we expressed our concerns, but also our trust, in the fact that The Norwegian Data Protection Authority (‘Datatilsynet’) would be on the spot to safeguard privacy – as regulated by strict Norwegian privacy regulations.

The Norwegian Data Protection Authority — more than a watchdog

[Image: The Norwegian Smittestopp app. Temporary suspension of the Norwegian Covid-19 contact tracing app]

We were right, and we are proud of the intervention by the Norwegian Data Protection Authority (NDPA), which in June banned the Norwegian COVID-19 tracker app Smittestopp. The ban illustrates NDPA’s independence, and that NDPA has legal power to enforce privacy protection when public (and private) organizations violate the law.

This power is anchored in the Personal Data Act (personopplysningsloven), the Norwegian implementation of GDPR, and the Personal Data Regulations (personopplysningsforskriften).

After evaluating the app Smittestopp as it was implemented in April this year, NDPA concluded that the app violated the privacy legislation in mainly two respects:

  1. The app was not a proportionate intervention in the user’s fundamental right to data protection.
  2. The app was in conflict with the principle of data minimization.

On June 12, The NDPA notified The Norwegian Institute of Public Health (NIPH) that the app would be banned, which was confirmed on July 6. Consequently, NIPH immediately stopped collecting data from the around 600,000 active users of the app, and deleted all stored data on their Azure server.

What the requirement for proportional intervention means

The breach of the requirement for proportional intervention concerned the expected low value of the app for infection tracking, due to the relatively small share of the population in the testing areas actually using the app (only 16%).

The reason for the breach of the principle of data minimization was that the app was designed to cover three different purposes:

  1. Movement tracing of individuals (for research purposes).
  2. Spread of the infection among the population.
  3. The effectiveness of infection control measures.

The NDPA was also critical of the app because it was not possible for the users to choose for which of the three purposes their data would be used.

A new app is already being planned

The government has decided to terminate further development of Smittestopp, and will instead focus on the development of a new app. After seeking advice from NIPH, the government has decided to base a new app on the Google Apple Exposure Notification (GAEN) System, or ENS, which they call “the international framework from Google and Apple” because many countries (for instance Denmark, Finland, Germany, Great Britain) are going “the GAEN way”.

Important arguments for the government’s decision are that GAEN supports digital infection tracking only (Bluetooth-based), involves no central data storage, and includes the possibility to exchange experiences and handle users’ border crossings. In the meantime the EU has implemented a recommendation for decentralized Corona tracking applications, putting GAEN “squarely in the frame”.

NIPH was given the task to specify a request for proposal in an open competition for the development assignment of the new app, and now (October 20) the Danish Netcompany has been hired to do the development. Netcompany has a similar contract with the Danish health authorities, and was the only bidder (!). The new app is expected to be implemented this year (2020).

The privacy debate continues

Three main issues are still being debated, and the first is technical: Is Bluetooth reliable enough? Experiences show that false positives, but also false negatives, do occur when Bluetooth is being used.

The second issue is of course privacy. Even if personal data is stored locally on the phone, notifications between phones have to be relayed through a network – so what about hacking? In addition, Trinity College in Dublin has uncovered that on Android phones, GAEN will not work unless it is sending owner and location information back to Google.

This leads to the third issue: Is it sensible to let the tech giants control a solution that involves processing very personal information? “Do Google or Apple get to tell a democratically elected government or its public health institutions what they may or may not have on an app?”

The Norwegian Data Protection Authority published a report on digital solutions for COVID-19 (‘Coronavirus’) infection tracking on September 11 this year. The report was developed by Simula Research Laboratory, who did not bid on the contract for the new GAEN-based application (arguing that they are a research institution and not a software development company).

The report “… focuses on efficiency, data privacy, technology-related risks, and effectiveness for government use. In terms of privacy and data protection, the report notes that if location data is still stored by Google, the COVID-19 app Smittestopp would be less privacy intrusive than the GAEN one.”

Conclusion

We will conclude with a quote (in our translation): “There is no perfect solution for digital infection tracking. Effective infection control and privacy stand in opposition to each other.”

For us at Runbox, privacy is priceless, and we are still wondering if the pros outweigh the cons.


Runbox doubles the storage capacity on all account plans

It’s our 20th birthday, and we’re giving YOU a present!

Our goal has always been to provide professional email services with massive storage space that is also affordable and flexible.

When Runbox was officially launched on October 12, 2000, Hotmail was the market leader with 2 MB storage space.

Runbox then decided to launch an email service with a whopping (at the time) 100 MB free storage — and received more attention (and signups) than we could have anticipated.

It’s now 2020 and we are doing it again, by multiplying the storage space on all our subscription plans by 2!

Our plans will now include storage space as follows:

Plan             Email Storage   File Storage
Runbox Micro     2 GB            200 MB
Runbox Mini      10 GB           1 GB
Runbox Medium    25 GB           2 GB
Runbox Max       50 GB           5 GB

These quotas will take effect for your account upon your next Runbox subscription purchase or renewal. So don’t forget to take advantage of the double subscription time on all product purchases through October!

Proceed to our Product page right away to automatically upgrade your account.

And we hope you will enjoy Runbox at least twice as much going forward. 😀


Runbox Celebrates 20 Years with 2 Years for the price of 1 through October 2020

On October 12, 2000 the Runbox email service was officially launched, on an Internet that was quite different from what we are used to today.

Initially, Runbox was a basic email forwarding service with a permanent @runbox.com email address. The original idea was to eliminate the need for email users to inform their contacts about a new email address when they changed schools or work places.

We soon expanded the Runbox service with a custom-made Webmail interface, and offered a whopping 100 MB storage space. This was substantial compared to the 2 MB offered by Hotmail, which was the market leader at the time.

At that time Runbox was a free service, and the offering brought international attention and a large number of users. We then expanded with POP, SMTP, and IMAP access, email retrieval and filtering management, file storage, and support for email domains and domain hosting.

In 2012 we were once again at the forefront by strengthening the security and privacy aspects of our services following the surveillance revelations especially in the US.

Since those early years we have founded a new employee-owned company, continued hardening the security and privacy of our services, and built new partnerships and new server infrastructures, while broadening the foundation of our operations to embrace strong environmental and ethical principles, a diverse and dedicated team, a global customer base, and an inclusive virtual organization.

Now we are hard at work making Runbox 7 the fastest webmail app on the planet. In a world that is experiencing several global crises simultaneously we are increasingly focusing on features that facilitate global interconnectedness, telecommuting, and remote work by making our service more people and activity centric.

In an uncertain future one thing is for sure: Runbox will reinforce our mission to help people communicate better, more efficiently, and in a more organized way.

To demonstrate this we celebrate our 20th anniversary by doubling the subscription time on all Runbox products and renewals free of charge through October.

This means that when you purchase a subscription or add-on you get 2 years for the price of 1 year!

Proceed to our Product page right away to take advantage of this offer.

Thank you to all the customers who have supported us through the years — here’s to the next 20!

Note:

  • The additional subscription time will be applied automatically upon subscribing.
  • All initial subscriptions come with a full 60-day money back guarantee.
  • Hosted domains and other third party purchases are exempt.


Runbox 7 updates August-September 2020: Webmail improvements

Webmail improvements including Saved Searches, which lets you instantly bring up results of previously saved search terms.

  1. New feature (identities): Order From entries by priority
  2. New feature (dkim): Add a note about selector2 and when it will become active
  3. New feature (account security): Improve password validation and error messages on Account Security to avoid confusion
  4. New feature (dialog): Allow submitting dialogs with Enter/Return key
  5. Bugfix (canvastable): Make sort icons show actual sorting direction
  6. New feature (webmail): add a way to save and reuse searches
  7. Visual fix (app): Remove obsolete instances of mat-icons
  8. Bugfix (startdesk): Fix linter and policy errors
  9. Bugfix (folders): Improve folder count reliability in some edge cases
