The GDPR is a set of regulations declaring that the individual should have control over their personal data by specifying how such data may be collected, processed, and stored.
Important principles include that personal data must be processed lawfully, for legitimate purposes, and with explicit consent from the user.
Runbox’ privacy commitment
Runbox has always been committed to the privacy of our users, and the GDPR principles are now fully integrated into our Privacy Policy. It provides a comprehensive overview of the policies that govern your privacy as a Runbox user, and describes in an accessible way the types of data Runbox collects in order to responsibly and reliably operate an email service.
It also lays out how user data are processed and stored, how they are being protected, and what rights you have as a user of our services.
If you haven’t already done so we ask that you review the revised terms and policies now, and invite you to contact us with any questions or concerns.
If you are already a Runbox user or customer you have already actively consented to our Terms of Service when registering a Runbox account, and you do not need to consent again now to the new version.
As a new Runbox user you will have the opportunity to consent to the terms and policies when registering your account.
On May 25, 2018 the European Union’s General Data Protection Regulation (GDPR) takes effect in all countries in the European Economic Area (EEA).
Norway, where Runbox is located, is part of the EEA and is implementing these regulations through its own legislation.
We welcome these new regulations as they greatly strengthen the rights of the individual to digital privacy and security, which we always have promoted and supported.
What is the GDPR?
The GDPR is a set of regulations declaring that the individual should have control over their personal data by specifying how such data may be collected, processed, and stored.
The regulations require that businesses and organizations integrate this right into their business practices through policies, procedures, and technologies that safeguard the users’ privacy.
Important principles are that personal data are processed lawfully, for legitimate purposes, and with explicit consent from the user. This means that your personal data can only be collected with your permission.
The regulation also sets forth a number of rights on the part of users of digital services:
The right to transparency about how data is processed.
The right to access and information about collected data.
The right to rectify stored data.
The right to erase data (“right to be forgotten”).
The right to restriction of processing.
The right to data portability.
GDPR also recognizes the term “privacy by design”, which means that privacy shall be considered in all circumstances when personal data is processed or stored. By also introducing “privacy by default”, GDPR states that appropriate measures must be implemented to ensure that personal data collected is only used for the specific purpose for which the consent is given.
How does Runbox implement the GDPR?
At Runbox we believe that the privacy and security of your data is essential, and that it’s important for you to be aware of your rights and your options when it comes to your personal data.
Runbox has therefore been working on the implementation of the GDPR throughout our organization and our services over the past three years.
The activities that implement the GDPR in Runbox can be divided into 3 main areas:
Internal policies and procedures
Partners and contractors
Protection of users’ rights
The first two areas include documentation of information security management and internal policies and procedures, as well as data processing and confidentiality agreements with our partners, contractors, and staff.
The third area relates directly to you as a Runbox user, and includes the terms and policies that govern your use of our services, how we aim to inform and educate our users about privacy, and how we are implementing tools and utilities that safeguard your privacy rights.
Runbox’ main areas of GDPR implementation
Revised Terms of Service and Privacy Policy
As part of our GDPR implementation the Runbox Terms of Service and Privacy Policy have been revised:
While the Terms of Service has only been updated with minor changes, the Privacy Policy has been restructured and amended. It provides a comprehensive overview of the policies that govern your privacy as a Runbox user, and describes in an accessible way the types of data Runbox collects in order to responsibly and reliably operate an email service.
It also lays out how user data are processed and stored, how they are being protected, and what rights you have as a user of our services.
It’s important to us that you are informed about your rights and your options with regards to your privacy. We ask that you review the revised terms and policies by May 25, 2018 when they take effect, and invite you to contact us with any questions or concerns.
Runbox has been focusing on privacy and information security from day one, and have paid attention to the strict Norwegian legislation concerning the processing of personal data ever since.
Norway is a member of European Economic Area (EEA) and as such has to implement certain EU regulations, even if Norway is not a member of the European Union (EU). When the European Parliament and the Council decided new legislation for the protection of personal data, that legislation also applied in Norway and has to be implemented by May 25, 2018.
The legislation, titled General Data Protection Regulation (GDPR), contains rules for how personal data should be processed. Using the terms of GDPR, this includes how, when, and under which conditions, personal data
can be collected, processed and stored, which demands explicit consent, and explicit stated purpose;
shall be rectified;
shall be deleted (right to be forgotten);
shall be released to the person that owns the data (right to portability);
could be transferred to third parties for processing, where a Data Processing Agreement (DPA) is mandatory;
could be transferred to processors outside EEA.
At Runbox we have followed the development of this new EU legislation from the very beginning, and as early as 2014 we initiated a project in order to become GDPR compliant.
As a first step we started developing a planning document which includes detailed plans for making our information security management complete and consistent. The document laid out a number of activities which are now outlined in 15 sub-projects, of which some are completed, and others are in process of being completed.
However, information security is a continuous effort and the sub-projects will give rise to additional activities far beyond the GDPR framework.
Runbox recently launched Two-Factor Authentication (2FA). 2FA is a log in procedure where an additional piece of information is required in addition to your username and account password.
This additional factor is a code that can only be used once, or for a limited period of time.
Runbox Two-Factor Authentication
Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.
Runbox is the only 2FA-enabled email provider in Norway
By choosing Runbox as your email provider, your data will be protected by these regulations while ensuring your email is secure from unauthorized access.
Read on to find out how Runbox 2FA works and which options are available.
Timed One-Time Passwords (TOTP)
2FA Timed One-Time Passwords
To use this option you will need a smartphone and some free software.
Timed one-time passwords works by giving you a login code which changes over time, in addition to your password.
To get started, download a TOTP app such as Authy,FreeOTP or Google Authenticator onto your mobile phone and follow their instructions.
Note: It is essential that your smartphone has the correct date/time set as this is used by the TOTP app to generate the correct codes that allow you to log in.
One-Time Passwords (OTP)
2FA One-Time Passwords
When you enable this option, the system will generate random passwords that you can use only once. Used passwords are discarded automatically and cannot be used again.
You can download the the list of passwords to a computer or mobile device, or you can print them out if necessary. However, you must keep the list secure as these passwords can be used to access your account along with your usual username and account password.
Trusted browsers
2FA Trusted Browsers
This option allows the server to trust your current web browser so that you don’t have to use a 2FA code. The option places a small piece of code in your browser (a cookie) that tells the server not to require the 2FA details and you can just log in with username and password.
You should only use this method of bypassing 2FA on a computer or device that you are confident nobody else can log in to. You can temporarily turn on/off individual browsers from the trusted list, or you can delete the browser entry entirely which will force that browser to require the 2FA details.
Unlock code
2FA Unlock Code
If for some reason you are unable to log in with 2FA after it has been enabled, this code can be used to disable 2FA.
The code can be used in conjunction with a secure question/answer for additional security.
We are excited to announce the launch of a new Account Security interface with Two-Factor Authentication (2FA) for Runbox.
This completes more than a year of development, and we are quite proud of the result. The new features will significantly improve the security of your Runbox account when you activate them.
Account Security features
The new Account Security interface includes 4 main features: Two-Factor Authentication, Manage Services, App Passwords, and Last Logins.
Used separately or in combination, these features add extra layers of security to your Runbox account.
Two-Factor Authentication
Two-Factor Authentication (2FA) is a log in procedure where an additional piece of information is required in addition to your username and account password.
This additional factor is a code that can only be used once, or for a limited period of time.
Runbox Two-Factor Authentication
Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.
Manage Services
The new Account Security interface lets you disable various services such as IMAP, POP, and SMTP. These are the services you use when using an email app/program to access your mail.
By disabling services you are not using, you prevent attempts at unauthorized access to your account via those services.
App Passwords
You can also set up unique passwords for each of your apps or devices, giving you complete control over the access to your account.
If you then happen to lose a device you can simply delete the corresponding app password, effectively disabling access from that device.
Last Logins
This section shows a list of the most recent login attempts to your account from each service such as web, IMAP, POP, and SMTP.
If you suspect that there have been unauthorized login attempts to your account, you can review this list and take appropriate action.
How to set up Account Security features
To get started, just go to the Account Security screen to set up 2FA and the other security features.
We encourage you to review our Account Security help page for details about the new functionality first. This will ensure that you understand how 2FA works and prevent you from getting locked out of your account.
We welcome any questions or feedback you might have, either as comments to this blog post or via our contact form or support system.
Much has been said and written in the media recently regarding email, and here at Runbox we’d like to take the opportunity to help make it all a bit more understandable.
What is email, anyway?
Email, or electronic mail, is the most common method of exchanging digital messages.
It is easily the most flexible online messaging service available, because it lets users send and receive unlimited text, multimedia, and other files to anyone with an email address anywhere in the world.
Email was invented in the 1960s and is still one of the most popular services currently available via the Internet, with over 90% of US Internet users actively using email.
How does email work?
Email systems consist of computers and devices that are connected via the Internet. These computers and devices can be servers that process and store electronic mail, or clients such as laptops and smartphones that are used to send and receive email.
Email clients connected to a server
When someone sends an email, the message is transferred from his or her device to a server that processes the message.
Based on the recipient email address, the server finds out where to send the message next.
This is usually to another server associated with the recipient’s address, and often via a number of other servers that act as dispatchers.
There are many different types of email software that can send, receive, and store email. If you use a computer or a smartphone, you might be familiar with software such as Outlook, Apple Mail, or Thunderbird.
Where is my email actually stored?
Because the volume of email is so large, email clients typically let servers store all the email that is received and sent and only download messages when they are opened.
This is very convenient because the server can then do resource intensive things like filtering out spam and viruses, and other kinds of sorting and processing.
Another important reason for keeping emails stored on a server is that it lets more than one client access the same messages.
For instance, you can set up your laptop, your tablet, and your smartphone to access all the email that is stored in your account on the server. You can also use a webmail in your web browser, which essentially works as an email client.
This means that your email will be synchronized across all your devices, without you having to do anything manually.
How can I be sure that no one else can access my email?
When you sign up for an email account, you select a username and a password that only you know. This ensures that only you can access the email that is stored in your account on the server.
As you can imagine, it is important that you choose a strong password to make sure that no one else can guess it. It’s also important to be aware of scams that may try to trick you into revealing information that could let someone gain access to your account.
End-To-End Encryption
However, to be certain no one can read your email even if they were to gain access to it, you can use encryption.
Email encryption can protect your messages all the way from your device to the recipient’s, by encoding them in such a way that it’s virtually impossible for someone unauthorized to unscramble them.
In the recent past, some high profile companies have had user account details stolen by criminals. In some cases these details have been made public. Many people use the same usernames and passwords across different services, which means that their other accounts may also be at risk.
Use a Strong Password
Runbox has not had a data breach. However, if you use one of the affected services and have used the same login with Runbox then your Runbox account could also be at risk.
We would suggest you update your Runbox password if you feel it might be necessary. What would have been a strong password a few years ago, might not be strong now. This is because criminals have an increasing ability to try large numbers of known passwords against accounts.
For useful tips about choosing strong passwords we recommend our Account Security help page. It is easier than you might think to create good passwords that are easy to remember.
Two-Factor Authentication
To improve account security further, Runbox will be launching two-factor authentication (2FA) in the near future.
With 2FA turned on you will need to provide both your username, password, and an additional piece of information to access Runbox and your account settings. And if you choose to use IMAP, POP, or SMTP, you will be given strong passwords to use.
In the meantime, if you have any questions about account security, please contact us at Runbox Support.
At Runbox we are very pleased to be able to offer personalized support to our customers, and we do this 7 days/week, every week of the year.
If you need to contact Runbox Support, we would advise you to read our help page on Contacting Runbox Support. In particular we would like to draw your attention to the sections regarding how we will use information to identify you as the account holder.
It is very important that we protect your privacy and security of your account, and there are elements of that process that require you to keep account information up to date so that we can ensure we are talking to the correct person.
The most commonly used piece of information we use to identify you when you can’t contact us from your Runbox account is your alternative email address, and it is very important that you keep this up to date. Being unable to verify you as the account holder is very frustrating for customers and also for us as we can’t offer you the support you are expecting.
We realize there are some customers who prefer their Runbox account not be linked to other email accounts or methods of communication, but this does limit the support we can offer in those cases. We will always try to help as best we can, but ultimately we would rather deny access to an account than to provide that access to the wrong person.
If you have any questions about this, please contact Runbox Support 🙂
We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.
The policies we have implemented are the following:
X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.
HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).
Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.
HTTP Public Key Pinning: Protects us from from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.
X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.
X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.
These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.
Today we have upgraded the TLS (Transport Layer Security) of our incoming email servers to support version 1.2, which is the most recent. This means that when email is sent to Runbox from other services, the highest level of encryption will be used if the other service supports it.
This also means that all communication between your email program and Runbox now uses TLS 1.2 (if supported by your email program).
The GDPR is a set of regulations declaring that the individual should have control over their personal data by specifying how such data may be collected, processed, and stored.
