In an article in The New York Times discussing the challenges E.U. leaders face in protecting individuals’ data, Runbox is mentioned along with Deutsche Telekom as examples of companies providing services that increasingly protect their customers’ privacy.
Being firmly located in Norway, the Runbox email service is governed by strict privacy regulations and is a safe alternative to American email services as well as cloud-based services that move data across borders and jurisdictions.
In recent weeks there has been some discussion in news outlets about SSL/TLS, which is used by many websites to encrypt the data being transferred between web servers and web browsers.
Since it’s theoretically possible for outsiders to break such encryption, an increasing number of people are requesting improved encryption methods.
What is SSL/TLS?
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic methods used to secure communication on the Internet. By using pairs of private and public keys, the web server and the client can securely encrypt and decrypt the data being transferred between two parties.
When a web browser connects to a website protected with SSL or TLS (indicated by a padlock icon in the browser) it receives the public key from the server, which is then used to encrypt the subsequent communication. The data can only be decrypted using the private key, which resides on the server.
The problem with keys
However, if someone were able to break in and copy the private key from a server, they would theoretically be able to decrypt any communication to/from that server — provided that they were also able to eavesdrop on the communication.
The solution: Unique keys
To counter this it’s recently become possible to configure web servers to issue a unique key pair for every single connection, and immediately destroy the keys once the session is complete.
This method is called Forward Secrecy because it prevents anyone from retroactively breaking the encryption.
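One way to check for Forward Secrecy from the client side is to look at the cipher suite a connection negotiates: per-connection keys show up as an ephemeral key exchange (ECDHE or DHE) in the suite name. The following is an added example, not Runbox's own code; the function names are hypothetical, and the default host in the command-line part is simply the address named on this page.

```python
import re
import socket
import ssl
import sys

EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}  # EDH is OpenSSL's legacy spelling of DHE

def has_forward_secrecy(cipher_name, protocol):
    """True if the suite derives session keys from an ephemeral key exchange."""
    if protocol == "TLSv1.3":
        # TLS 1.3 removed static RSA/DH; full handshakes always use (EC)DHE.
        return True
    tokens = [t for t in re.split(r"[-_]", cipher_name.upper()) if t]
    if tokens and tokens[0] == "TLS":  # IANA style: TLS_ECDHE_RSA_WITH_...
        tokens = tokens[1:]
    # Static RSA ("AES256-SHA") and static ECDH ("ECDH-RSA-...") fail this test.
    return bool(tokens) and tokens[0] in EPHEMERAL_KX

def suites_without_fs(ctx):
    """Names of suites enabled in an SSLContext that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers()
            if not has_forward_secrecy(c["name"], c["protocol"])]

def forward_secret_context():
    """Client context that only offers ECDHE suites below TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def check_server(host, port=443, timeout=5.0):
    """Handshake with host and return (protocol, suite, forward_secret)."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, _ = tls.cipher()
            proto = tls.version()
            return proto, name, has_forward_secrecy(name, proto)

if __name__ == "__main__":
    # Network access is needed only for this part.
    target = sys.argv[1] if len(sys.argv) > 1 else "runbox.com"
    proto, suite, fs = check_server(target)
    print(f"{target}: {proto} {suite} forward_secrecy={fs}")
```

The result describes only the suite negotiated with this particular client; a server may still accept suites without Forward Secrecy from older clients, which `suites_without_fs` can reveal when run against a server-side context.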
Forward Secrecy on Runbox
Runbox has now implemented Forward Secrecy in order to further improve the security and privacy of our services. It’s now virtually impossible to eavesdrop on the data being transmitted between your web browser and Runbox’s web servers — and you don’t have to do anything in order to enjoy this new level of security.
For those who are interested in the technical details, here is an analysis of the security provided by https://runbox.com, which is now our main address:
In the last few days we have seen an increase in inquiries about privacy and security, and particularly whether Runbox could be involved in programs similar to those outlined in the recent allegations about interception of communications data by law enforcement agencies.
As a Norwegian company and service, Runbox is protected by Norwegian law and privacy regulations because all our email servers are located in a secure facility in Oslo, Norway. No entity, domestic or foreign, can access email or files stored in our data center without a Norwegian court order.
To protect data being transferred to and from the Runbox servers in Norway, it’s important to use encryption such as SSL (Secure Sockets Layer) which is available both in the Runbox Webmail and in email clients.
When using Webmail, make sure that the SSL padlock icon is visible in the browser’s address bar and that the domain’s identity is verified as runbox.com.
In email clients such as Outlook and Thunderbird, set up your Runbox account with SSL according to the instructions found on our IMAP help page.
Runbox plans to extend our encryption support in the near future to allow complete encryption of messages all the way from sender to recipient.
Some are concerned about US authorities’ ability to monitor their citizens’ data. According to the EU report “Fighting cyber crime and protecting privacy in the cloud” (PDF, 1.3 MB), a little-known piece of legislation could give US authorities the right to access foreign users’ data stored in the US as well.
Data stored outside the US, for instance in Norway where all the Runbox email servers are located, is not affected by this legislation.
As Runbox is based in and operates from Norway, a number of our users have expressed concerns about whether and how Runbox uses Google Analytics.
Runbox users do not need to worry. We have stopped using any type of Analytics and you can read about it here.
Runbox does indeed use Google Analytics on public pages such as www.runbox.com to gain statistical information about where visitors come from and how much time they spend reading various public pages, for example the pages about our pricing plans. However, Runbox does not use Google Analytics on logged-in pages.
In an independent.co.uk article, Google chief Eric Schmidt expresses concerns over the amount of personal data people publish online without considering the possible privacy implications.
Personal data will increasingly become a monetizing commodity among the social network and search engine services, while privacy and protection from data exploitation will diminish until its true value is appreciated.
While social network services bring functionality that allows people to connect in new and unexpected ways, email is inherently private and personal to the sender and recipient, as long as that privacy is enforced with a balanced policy.