Runbox - A Secure Mailbox Protected by Norwegian Law
Runbox is a secure email service provider based in Norway, where personal data is protected by the constitution. It is also one of very few companies that run solely on green power. We sat down with Geir Thomas Andersen, Runbox Managing Director, to hear about their privacy policy, their unique team structure, and where email privacy is heading in the future.
Please describe how Runbox can ensure that a customer's email privacy is protected when using your services.
Since our company and our servers are located in Norway under Norwegian jurisdiction, we have a strong legal framework that protects our customers’ data. No domestic or foreign entity will gain access to the data without first acquiring a Norwegian court order. Additionally, Runbox does not scan emails to display ads, will not transmit your data to a third party service without your consent, will not give or sell your email address to a third party service, and does not use external tracking cookies to monitor usage.
What are the strict privacy regulations that your company will enforce in cases of privacy violations?
In Norway, privacy of communication is guaranteed by the Constitution. This lays the foundation for Norway’s Personal Data Act, which states:
- Personal data must only be collected by private entities when consent from the user has been obtained.
- Personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.
- Personal data must not be stored longer than required by the purpose of collection.
- Personal data must be kept confidential unless required by law or court order.
In accordance with the recommendations from the Data Protection Authority, we have appointed an internal Data Protection Officer (DPO), whose main responsibility is to ensure that the company follows the privacy regulations specified in the Personal Data Act. The DPO oversees our Privacy Policy to ensure that data is stored and processed according to the regulations, as laid out in our privacy policy.
We closely follow the developments in the EU privacy legislation to ensure that Runbox is compliant with both Norwegian and EU regulations.
How does this layer of protection benefit those clients residing in other countries such as the US, Germany or Australia for example?
This is an ongoing discussion in the media especially with regards to cloud services that are transparently provided from different geographic locations around the world. Runbox have deliberately chosen to keep our servers in Norway because the legislation especially in the US and in Europe differs on several important points and is continuously being challenged. By physically staying within Norway’s borders we avoid these complications altogether.
As long as the data is physically stored in Norway, our customers’ privacy is protected by Norwegian law regardless of where they may reside. Any request from foreign agencies or other entities is rejected outright by Runbox, and we refer them to Norwegian regulations and procedures which generally include the Norwegian Ministry of Foreign Affairs, the Ministry of Justice and Public Security, the appropriate police unit, and finally the Norwegian court system. The Norwegian authorities will independently evaluate whether there is probable cause to suspect a crime. Only if presented a Norwegian court order or if required by Norwegian law can Runbox disclose any customer data.
How often (in your opinion) will a government take a look at someone's personal emails, and to what resolutions?
I can only speak from our own experience. To date Runbox have received a total of 4 requests for information from Norwegian or foreign authorities, and complied with 1 request from Norwegian authorities after having been presented a Norwegian court order. This was a clear-cut case of fraudulent activity and we were happy to oblige as the account holder violated both the Runbox Terms of Service and Norwegian Penal Code.
Since 2000, when your company started offering mail services, through 2011, when your official brand was founded, how would you describe your company's growth in the field of mail service and other services you offer?
Prior to 2011, the Runbox services were operated by a different company with limited success. In 2011, key personnel founded Runbox Solutions and bought out the services and customers from the old company. Since then we have replaced all the infrastructure powering the Runbox email service, focusing on security and privacy, and more than doubled our customer base. Now we are expanding with new services and security features that will make Runbox a brand to be reckoned with.
What can you tell us about the atmosphere at your work space?
Runbox has been run by a loyal group of people for years, and we’ve been through a few ups and downs together. We spent a long time slowly improving and expanding our platform, and when the media started focusing on privacy and security in 2012/2013 we were ready.
Over the past couple of years we’ve expanded both our team, our infrastructure, and our services – and now we are doing better than ever. Since the key personnel are co-owners we all have a say in important matters, we support each other, and we are all invested in the values that form the core of our company.
Our team now includes people on 4 continents and we cover all countries and time zones, so there is non-stop activity. However, we telecommute extensively so as long as there’s a laptop and an Internet connection our staff can work from any location they wish. Although most of our communication is digital we are a close-knit group and Runbox has become more of a lifestyle than a work place for us.
Do you find this beneficial to the success of your business since 2000?
Absolutely – Runbox survived the dot com crash of the early 2000s and was able to overcome a few difficult years because of the team’s loyalty and the flexibility that Runbox provided.
We never quit on our mission, and those experiences gave us a gutsy mentality that never lets us take anything for granted, and which now helps us seize every opportunity that can make Runbox more successful.
What was the impact of the 2013 Surveillance debate on your company at that time and since then?
It had a significant impact as it woke the world up to the extent of online surveillance and its potential impact on anyone who uses the Internet and email in particular. It helped raise awareness of the security aspects of digital communication, security measures such as encryption, and privacy regulations.
However, many who use email and other online services are still a bit naïve about the possibility of their accounts being compromised. Even if you believe you have nothing to hide, someone with unauthorized access to your email account can use it to gain further information or access – or use it to harm others through spamming, phishing, and other types of abuse. Therefore it’s important that we keep talking about these issues, and it’s encouraging that vpnMentor does exactly that.
What can you tell us about the most common email violations conducted around the world today?
The most common is without a doubt spam. But the one that victimizes the most people is phishing, where an attacker forges an email to make it look like it is sent from someone you trust (such as your bank) in order to defraud you.
Many email users are still too trusting and could benefit from awareness of where a suspicious email is sent from, so we see it as our mission to help educate email users about this kind of threat, and have built a large knowledge base for that purpose.
Did the core Runbox e-mail service always consist of open source components?
Yes, we decided very early on to use open source software because it was superior to the alternatives, followed the established technological standards, and because we wanted to support the open source community. So we have always run Linux, Apache, MySQL, Perl, and Exim, and are continuing to expand our services with open source software that is both reliable and easily expandable. The fact that we didn’t have to pay licenses was obviously part of the evaluation, but mostly we wanted to build something that we would own and control while being able to contribute back to the community and support the vision of sharing technologies and code.
What are your main technological achievements?
When we started out, Hotmail was the big player and offered a whopping 2MB storage space per account. We decided to offer 100MB storage for free, and this was an achievement in itself back then – on a server with 80GB storage in total.
Our main achievement is having built a custom, database accelerated system that outperforms most other services that are powered by much more hardware.
Currently we are implementing a state of the art two-step authentication interface that integrates all our email-related services. Additionally, we are building a next-generation webmail that is powered by the user’s browser and that we think will put Runbox in the forefront of our competition.
What is the biggest advantage in using your services, from a technological perspective?
Runbox is today a very reliable and functional service as we have invested substantially in our infrastructure and the security aspects of our services.
With Runbox you can consolidate all your emails in one place, reliably and securely access your email anywhere, with any device – and we have packed a lot of functionality into our web interface if you prefer that to an email client.
The way we have designed our system allows us to build interfaces that organize data in new ways, and this is something we are using to our advantage as we develop our services further.
Runbox Solutions also provides email hosting, web hosting, and domain hosting services, so you get all your hosting needs met in one place, and we continue to integrate and improve our services to make sure that you don’t have to go anywhere else for anything email, web, or domain related.
What layers of technical security & protection do you provide to your customers?
When you access the Runbox email services, you are met by the latest encryption standards, the best TLS cipher suites, and extra security features such as Perfect Forward Secrecy and Extended Validation. When you use our webmail, there are a number of security policies in place to ensure that no one can tamper with the connection. Together, these security measures give Runbox an A+ rating with both SSL Labs and SecurityHeaders.
Furthermore, we are presently in the process of implementing a range of features that include the ability to toggle services on and off, Two-Step Verification, One-Time Passwords, Trusted Devices, and Application-Specific Passwords. These additions empower our customers to have greater control over accessing their accounts, effectively preventing unauthorized entry and safeguarding their valuable data.
Generally we see it as part of our mission to educate our customers about the security aspects of email, and how to make sure your email is protected all the way from your device to the recipient.
Finally our servers are physically located in a very safe place, namely the data center that was originally built to contain the mainframes for the Norwegian Government, which have since relocated.
What were the main challenges in shifting from standard servers into "green" servers?
Green servers are generally more expensive per CPU cycle than conventional servers, so it’s mostly a question of cost. Since Runbox moved to a data center that is 100% powered by renewable energy, the power consumption of our servers has become less crucial as an environmental factor.
Runbox is fortunate to be located in Norway, which (at least in an environmental sense) enjoys a high level of precipitation that is converted to hydroelectric power. Norway produces enough hydroelectricity to power 98% of the consumption, and our data center Digiplex is 100% powered by renewable power sources such as water and wind.
What are the advantages of your green servers from the client's perspective?
For us, being environmentally conscious is not a choice, it’s an imperative. Ultimately, Runbox’ mission is to contribute in a small way to making the world a better place, and our responsibility towards our environment is ingrained in each of us personally and in our company values. We believe that our success is due in part to our ethical and environmental commitment, and that our customers to some extent choose Runbox because it just “feels right” to host and power their email by clean energy – especially in a world of increasing climate change and other serious environmental challenges.
Can you offer an insight in regards to what the future holds in the field of email security?
We think communications security and encryption will go from being a “special feature” to an integrated property of email and other services. The online world has had a wake-up call and is now maturing with regards to the security aspects of communication. Encryption technologies are becoming built-in and integrated features instead of special functionality only the experts can use. One example of this is Apple’s iMessage service, which encrypts messages whether you want it or not.
Email still has some way to go with its relatively complicated PGP and S/MIME end-to-end encryption technologies, but we are starting to see implementations that are user-friendly enough for the average email user. So in the future, encryption will be expected by email users as an essential part of the service, and a more secure world will increasingly focus on other features and differentiators. However, there will always be some services that are more secure and private than the rest and Runbox intends to remain among these.