Runbox Two-Factor Authentication

Runbox recently launched Two-Factor Authentication (2FA). 2FA is a log in procedure where an additional piece of information is required in addition to your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Two-Factor Authentication
Runbox Two-Factor Authentication

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.
 

Runbox is the only 2FA-enabled email provider in Norway

NorwayRunbox is located in Norway, which has some of the strongest privacy regulations in the world.

By choosing Runbox as your email provider, your data will be protected by these regulations while ensuring your email is secure from unauthorized access.

Read on to find out how Runbox 2FA works and which options are available.

 

Timed One-Time Passwords (TOTP)

2FA Timed One-Time Passwords
2FA Timed One-Time Passwords

To use this option you will need a smartphone and some free software.

Timed one-time passwords works by giving you a login code which changes over time, in addition to your password.

To get started, download a TOTP app such as Authy, FreeOTP or Google Authenticator onto your mobile phone and follow their instructions.

Note: It is essential that your smartphone has the correct date/time set as this is used by the TOTP app to generate the correct codes that allow you to log in.

 

One-Time Passwords (OTP)

2FA One-Time Passwords
2FA One-Time Passwords

When you enable this option, the system will generate random passwords that you can use only once. Used passwords are discarded automatically and cannot be used again.

You can download the the list of passwords to a computer or mobile device, or you can print them out if necessary. However, you must keep the list secure as these passwords can be used to access your account along with your usual username and account password.

 

 

Trusted browsers

2FA Trusted Browsers
2FA Trusted Browsers

This option allows the server to trust your current web browser so that you don’t have to use a 2FA code. The option places a small piece of code in your browser (a cookie) that tells the server not to require the 2FA details and you can just log in with username and password.

You should only use this method of bypassing 2FA on a computer or device that you are confident nobody else can log in to. You can temporarily turn on/off individual browsers from the trusted list, or you can delete the browser entry entirely which will force that browser to require the 2FA details.

 

Unlock code

2FA Unlock Code
2FA Unlock Code

If for some reason you are unable to log in with 2FA after it has been enabled, this code can be used to disable 2FA.

The code can be used in conjunction with a secure question/answer for additional security.

 

 

Continue Reading →

Terms of Service and Privacy Policy updates

On July 1st, 2015 Runbox will introduce updated Terms of Service and a more detailed Privacy Policy.

We strongly recommend that you review the documents as they comprise the contract between you and Runbox. They also form the backbone of legal protection of your data, anchored in strong Norwegian privacy regulations.

We have worked hard to make the documents clear, balanced, and easy to understand, and we think you will agree upon reviewing them.

Please note that the changes apply to all current and future Runbox accounts, and that by continuing to use Runbox you in effect accept the updated terms and policies.

(more…)

Continue Reading →

Why Runbox being in Norway is important

We are emphasizing Runbox’ location in Norway as something that is important to you as an email user, and you may wonder why. This article will explain it all.

Summary

  • Norwegian ShieldAll your Runbox email is privacy protected because our servers are located in Norway, and Runbox strictly adheres to the Norwegian privacy legislation.
  • Runbox protects your data against disclosure because the authorities must present a valid court order based on evidence of criminal activity to seize any data.
  • Any foreign nation requesting account information or contents have to send a formal request to Norwegian judicial authorities, and only with a Norwegian court order can any data be disclosed.
  • Norwegian authorities are not allowed to perform surveillance of data traffic without a court order.
  • Under Norwegian legislation, Runbox is not required to keep any traffic logs, and is permitted to delete your data if you ask us to.

Norwegian privacy legislation and regulations

First of all, Norway has enacted strong legislation regulating the collection, storage, and processing of personal data, mainly in The Personal Data Act (Lov om behandling av personopplysninger; Personopplysningsloven) and Regulations on the Processing of Personal Data (Forskrift om behandling av personopplysninger; Personopplysningsforskriften).

The first version of The Personal Data Act was implemented as early as 1978. This was a result of the pioneering work provided by the Department of Private Law at the University of Oslo, where one of the first academic teams within IT and privacy worldwide was established in 1970.

Additionally, the Norwegian Data Protection Authority (Datatilsynet), an independent authority, facilitates protection of individuals from violation of their right to privacy through processing of their personal data. It also verifies that statutes and regulations which apply to the processing of personal data are complied with, and that errors or deficiencies are rectified.

Any complaint against decisions made by The Data Protection Authority may be reported to The Privacy Tribunal (Personvernnemda), another independent authority, for decision.

The Norwegian Criminal Procedure Act (Lov om rettergangsmåten i straffesaker; Straffeloven, unofficial translation) is an important law governing the seizure of objects or data when a criminal act has been reported to the police. Section 211 states that mail may only be seized from an electronic communication service pursuant to a court order.

Another important law in this context is the Norwegian Penal Code (NPC, Almindelig borgelig straffelov; Straffeloven, unofficial translation) which states that it is illegal to access information systems or data unauthorized (NPC §145), and this includes all employees in the public sector (NPC §116).

We must also mention Norwegian Law on Electronic Communications (Lov om elektronisk kommunikasjon; Ekomloven), which regulates telecommunications in Norway. This law contains rules for the interception of electronic communications and for the duration of storage of personal data.

Because Runbox is similar to an Internet service provider and not a telecommunications company, Runbox is NOT affected by this law. This means that Runbox for instance is permitted to delete your email data upon your request at any time, and that we are not required to store any traffic logs.

The bottom line is that a request from Norwegian police authorities to disclose data from any Runbox account will be rejected by Runbox unless a Norwegian court has decided otherwise.

What does compliance with Norwegian privacy laws mean?

So what does Runbox’ compliance to Norwegian laws mean regarding your personal data when using Runbox, and the content of your emails stored on our servers?

Runbox does not collect any data about you except what is necessary to provide you with our services. This is in accordance with our Terms of Service and Privacy Policy, which is compliant to The Personal Data Act §8. This paragraph states that personal details can only be collected and processed with consent from the registrant.

Similarly important is §11, stating that personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.

Only if presented with a court ordered seizure pursuant to the Norwegian Criminal Procedure Act may Runbox be forced to disclose information to The Norwegian Police Service. It is therefore an absolute prerequisite that a crime has been committed.

What about requests from authorities outside Norway?

A request from foreign authorities or agencies regarding Runbox account details or user data has a long way to go before it reaches Runbox:

It will in general start with a legal request (letter rogatory) submitted through diplomatic channels to the Norwegian Ministry of Foreign Affairs, who sends it to the Attorney General at the Norwegian Office of the Prime Minister, who will, if appropriate, forward the request to the Ministry of Justice and Public Security who in turn sends it to the appropriate police unit, for example the National Criminal Investigation Service, Norway (Den nasjonale enhet for bekjempelse av organisert og annen alvorlig kriminalitet; Kripos) or The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST) for independent investigation. All requests will of course be evaluated with regards to Norwegian laws and regulations.

The Norwegian police authorities may then present Runbox with a subpoena, which will be rejected by Runbox as a matter of principle. The case may then be submitted to a Norwegian court, and an attorney will be appointed to represent the account owner. If the court finds that there is evidence or probable cause for suspicion of criminal activity on the part of the account owner, Runbox may be presented with a court order requesting us to disclose the requested information.

Norway has entered into agreements with some foreign nations to cooperation in criminal matters regarding disclosure of objects and data, that may simplify the procedure above:

Through the European Convention on Mutual Assistance in Criminal Matters requests go directly to the Ministry of Justice and Public Security, through the Schengen Agreement requests go to the public prosecutor in Norway, and between Nordic countries, requests go to central or local police (district chiefs of police). Requests from Canada and Thailand go directly to the Ministry of Justice and Public Security.

All other nations, the United States included, have to follow the general rule outlined above: Requests must be sent through diplomatic channels to the Norwegian Ministry of Foreign Affairs. The agreement between Norway and the United States (and Australia) is about extradition of criminals only, not about assistance in “ordinary” legal matters.

Since Runbox Solutions was founded in 2011 we have received 0 court orders for disclosure of account details or user data. We have received 3 requests directly from attorneys in the United States, all of which have been rejected outright.

What about surveillance…

According to the laws mentioned above, the Norwegian police authorities can not execute communication control, for instance surveillance of electronic messages, without a valid court order. An independent tribunal, the Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll) is established to control that the police’s use of wiretapping occurs within the framework of the law and that the use of such methods is as limited as possible.

This means that no surveillance of traffic to or from Runbox can occur unless a valid court order is presented. However, the regulation that governs wiretapping (Forskrift om kommunikasjonskontroll; Kommunikasjonskontrollforskriften) and the Control Committee for Wiretapping do not pertain to intelligence, which is the domain of The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), see below.

…and intelligence?

Let us examine the various Norwegian intelligence agencies and their mandates:

The Norwegian Intelligence Service (Etterretningstjenesten) is a body established in order to survey and monitor civil and military activities outside Norway. This body is not authorized to survey or collect information about Norwegian natural or legal persons, which includes companies. For that reason, Runbox is beyond the authority of this agency.

The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST) do NOT have any legal rights beyond The Norwegian Police Service, which is discussed above.

The Norwegian Defence Security Department (Forsvarets sikkerhetsavdeling, FSA) applies to military institutions only, and is not relevant for Runbox customers at all.

The National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) is established to control governmental and civil institutions regarding security, and because Runbox does not provide services to such institutions, this authority is not relevant to Runbox or our customers.

Joint Counter-terrorism Center (Felles kontraterrorsenter, FKTS), is a recently established department within PST staffed with people from PST and EtterretningstjenestenFKTS is a cooperation agency sharing information and analyzing terror threats against Norway. FKTS is subject to the laws and regulations governing the activities of The Norwegian Police Security Service and the Norwegian Intelligence Service.

In order to monitor these agencies and ensure they are acting in accordance with laws and regulations, the Norwegian Parliament has established The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), and Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll). Their mandate is to ensure that the police’s use of wiretapping is in accordance with the law and is as limited as possible.

What is the conclusion of all this?

All your Runbox email stored on our servers is safe because Runbox is located in Norway. Runbox strictly adheres to the Norwegian Personal Data Act and the Norwegian Criminal Procedure Act, which is the main legislation governing our operations. This fact, along with our ethics, prevent us from doing anything unauthorized with your data.

Specifically, Runbox protects your data against disclosure requested by the authorities because they must present a valid court order to seize any data. Such a court order is difficult to obtain, because it must be based on evidence of criminal activity related to the account owner.

Norwegian authorities are not allowed to perform surveillance of data traffic without a valid court order. Norway has established independent agencies to ensure that these agencies follow the laws and regulations under which they operate. In addition, Norway is an open democracy with a critical and investigative press which readily publicizes any suspicion of breached laws and regulations.

Any foreign nation asking for data have to send a formal request according to established protocols and strict rules. And any such legal request will be scrutinized by Norwegian judicial authorities, and only in cases where Norwegian law is breached could a request result in a court ordered seizure which is necessary to obtain data from Runbox.

In short, no authority or agency can monitor Runbox’ data or traffic without a court order, which can only be issued on evidence of criminal activity in violation of Norwegian penal code.

Additional protection

Runbox customers automatically have an advantage by storing their email in Norway, and you can add another layer of protection by encrypting your communication with Runbox.

To protect your privacy even further, Runbox does NOT use Google Analytics or any other third-party tracking of our customers’ usage. We never use data or traffic information for any other purpose than anonymous statistics in order to improve our services and our system’s performance. Our service is absolutely ad-free, and we do not share or sell your personal details to anyone.

The combination of the strict Norwegian legal environment, our solid IT infrastructure, Runbox’ ethics and Privacy Policy, and the technology Runbox provides, means that Runbox provides a service that is uniquely private and secure.

For more information about the privacy and security of Runbox’ services, please see the following links — and feel free to contact us with any questions or concerns.

Continue Reading →

New Privacy Products Available

Runbox prioritizes security, reliability, and privacy above all else. As you probably know, Runbox’ email servers are hosted in Norway, and Runbox Solutions operates under Norwegian legislation which protects our customers’ data.

Our services are protected by Extended Validation SSL with Perfect Forward Secrecy, ensuring encrypted communications between client and server. We enforce a strong Privacy Policy and we do not share any account details or user data with any third party.

To complement our security and privacy features we are now launching the following products:

No Backup

Store your email and files on a separate, dedicated disk volume without backup. This means that when you delete an email it is immediately and permanently removed from our servers.

Read more about No Backup

Domain Registration in Norway

You can register any top-level domain (TLD) name with a Norwegian registrar via Runbox and operating under Norwegian jurisdiction.

By registering a domain name ending with for instance .no, .cc, or .co, your domain’s records are kept in Norway and in the country corresponding with the TLD of your choice.

Read more about Domain Registration in Norway

Domain Management

Runbox can register a domain name for your exclusive use. Runbox Solution’s company name, address, and contact information will be used and we will be the legal registrant. Your personal or business details will not be associated with the domain name, but you will be reserved the right to use it exclusively.

Read more about Domain Management

Continue Reading →

U.S. judge rules search warrants extend to U.S. companies’ overseas email accounts

A U.S. federal judge has ruled that U.S. Internet Service Providers must hand over customer emails and other content sought by U.S. government search warrants, even when the data is stored overseas.

The ruling addressed a search warrant against Microsoft Inc. for one of its customers whose email is stored on a server in Ireland.

As a Norwegian company and email service operating under Norwegian jurisdiction, Runbox is not affected by this ruling.

Runbox will not disclose account information or email data to authorities unless presented with a Norwegian court order.

Find out more about Runbox’ privacy policies and Norwegian privacy regulations.

Read the full story at Reuters.

Continue Reading →

Runbox mentioned in The New York Times

In an article in The New York Times discussing the challenges E.U. leaders face in protecting individuals’ data, Runbox is mentioned along with Deutsche Telekom as examples of companies providing services that increasingly protect their customers’ privacy.

Being firmly located in Norway, the Runbox email service is governed by strict privacy regulations and is a safe alternative to American email services as well as cloud-based services that move data across borders and jurisdictions.

Read the full article here: E.U. Leaders Seek Way to Protect Individuals’ Data

Continue Reading →

Privacy is Priceless

To highlight the importance of online privacy, we have created two privacy-themed Runbox T-shirts now available from our Cafepress store.

Organic Women's T-Shirt: Privacy Is Priceless
Organic Women’s T-Shirt: Privacy Is Priceless
Organic Men's T-Shirt: Privacy Is Priceless
Organic Men’s T-Shirt: Privacy Is Priceless

In line with our values they are of course organic, which also means they’re a little pricier than your regular T-shirt.

But as a Runbox member, you will receive a free year added to your subscription when purchasing one or more of these T-shirts.

They are currently available in two colors, one for men and one for women.

Just forward your receipt to billing@nullrunbox.com and we will happily extend your subscription by one year!

 

Continue Reading →

Runbox now supports Forward Secrecy

In recent weeks there has been some discussion in news outlets about SSL/TLS, which is used by many websites to encrypt the data being transferred between web servers and web browsers.

Since it’s theoretically possible for outsiders to break such encryption, an increasing number of people are requesting improved encryption methods.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic methods used to secure communication on the Internet. By using pairs of private and public keys, the web server and the client can securely encrypt and decrypt the data being transferred between two parties.

Gold-padlock.svgWhen a web browser connects to a website protected with SSL or TLS (indicated by a padlock icon in the browser) it receives the public key from the server, which is then used to encrypt the subsequent communication. The data can only be decrypted using the private key, which resides on the server.

The problem with keys

However, if someone was able to break in and copy the private key from a server, they would theoretically be able to decrypt any communication to/from that server — provided that they were also able to eavesdrop on the communication.

The solution: Unique keys

To counter this it’s recently become possible to configure web servers to issue a unique key pair for every single connection, and immediately destroy the keys once the session is complete.

This method is called Forward Secrecy because it prevents anyone from retroactively breaking the encryption.

Forward Secrecy on Runbox

Runbox has now implemented Forward Secrecy in order to further improve the security and privacy of our services. It’s now virtually impossible to eavesdrop on the data being transmitted between your web browser and Runbox’ web servers — and you don’t have to do anything in order to enjoy this new level of security.

For those who are interested in the technical details, here is an analysis of the security provided by https://runbox.com, which is now our main address:

https://www.ssllabs.com/ssltest/analyze.html?d=runbox.com

Continue Reading →

Runbox, email privacy, and the recent news

In the last few days we have seen an increase in inquiries about privacy and security, and particularly whether Runbox could be involved in programs similar to those outlined in the recent allegations about interception of communications data by law enforcement agencies.

As a Norwegian company and service, Runbox is protected by Norwegian law and privacy regulations because all our email servers are located in a secure facility in Oslo, Norway. No entity, domestic or foreign, can access email or files stored in our data center without a Norwegian court order.

You can read more about US, European, and Norwegian privacy regulations here: Email Privacy and Offshore Email

Email encryption

To protect data being transferred to and from the Runbox servers in Norway, it’s important to use encryption such as SSL (Secure Sockets Layer) which is available both in the Runbox Webmail and in email clients.

When using Webmail, make sure that the SSL padlock icon is visible in the browser’s address bar and that the domain’s identity is verified as runbox.com.

In email clients such as Outlook and Thunderbird, set up your Runbox account with SSL according to the instructions found on our IMAP help page.

Runbox plans to extend our encryption support in the near future to allow complete encryption of messages all the way from sender to recipient.

 

Continue Reading →