I'm always looking to increase the security of my online communication. It's why I use Jitsi for encrypted voice and video chat and why I use PGP to encrypt my email so only those I send it to can read it. But there's been one problem that I've not yet overcome and that's the one of finding an email provider that not only values my privacy as much as I do but actually does things to make sure that privacy is protected.

Like most of you, I've used several of the big, free, commercial email providers out there. The problem is, I know there's no such thing as free. We pay for these products, not in cash, but in the abdication of our privacy. As they say, if you're not paying for a product, there's a good chance you are the product. The free providers, while dumping a lot of goodies in our laps, don't have any incentive to protect our privacy. Sure, they take basic steps to stop hackers from ravaging our email and files, but they will usually turn over pretty easily in the face of a government request. That turnover might be handing over the contents of a single user's email or as big of a deal as handing over their SSL keys so that any traffic between a remote PC and their servers can be decrypted. You just don't know and, from the things Edward J. Snowden has revealed, we can safely assume that privacy, at least with US-based services, simply doesn't exist.

So I went shopping. I specifically started looking for email providers outside of the US, in countries that had both a technical and a legal framework for protecting user privacy. The country I found that fit the legal framework was Norway and the company I found was Runbox.

Runbox is amazing. First, the company is not a large, multi-national giant. It's largely employee-owned and the employees take a direct hand in the business. Second, they are committed to open source principles and actually use open source software to run their business. But that's not the best part. The best part is that these guys believe in protecting the privacy of their users.

Using technology like perfect forward secrecy, the company makes it virtually impossible for anyone to eavesdrop on your connection to their server. Because of the way PFS works, they could literally hand over their private keys to a government and users would STILL be protected.
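A way to check the forward-secrecy property described above for any mail endpoint, as an added example that is not part of the original post or Runbox's own code: it classifies the cipher reported by Python's `ssl.SSLSocket.cipher()`. The sample observations and endpoint labels are constructed, and the host and port are supplied by whoever runs it.

```python
import socket
import ssl
import sys

# OpenSSL cipher-name prefixes whose key exchange is ephemeral Diffie-Hellman.
# "EDH-" is the spelling older OpenSSL releases used for DHE.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(cipher_name, protocol):
    """Classify the (name, protocol) pair reported by SSLSocket.cipher()."""
    # A full TLS 1.3 handshake with certificate authentication always uses
    # ephemeral (EC)DHE; RSA key transport was removed from the protocol.
    if protocol == "TLSv1.3":
        return True
    # TLS 1.2 and earlier: a bare "AES256-GCM-SHA384" means RSA key transport,
    # and "ECDH-"/"DH-" are static variants. Neither is forward secret.
    return cipher_name.startswith(EPHEMERAL_PREFIXES)


def negotiated_cipher(host, port, timeout=10.0):
    """Do a certificate-verified TLS handshake; return (cipher_name, protocol)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol


def audit(observations):
    """Map each label to True/False given {label: (cipher_name, protocol)}."""
    return {label: is_forward_secret(*pair) for label, pair in observations.items()}


# Constructed sample observations (not captured from any real provider).
SAMPLE = {
    "imaps-modern": ("TLS_AES_256_GCM_SHA384", "TLSv1.3"),
    "smtps-ecdhe": ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    "legacy-rsa": ("AES256-GCM-SHA384", "TLSv1.2"),
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py HOST PORT (implicit-TLS port)
        pair = negotiated_cipher(sys.argv[1], int(sys.argv[2]))
        print(pair, "forward secret:", is_forward_secret(*pair))
    else:
        print(audit(SAMPLE))
```

A single handshake shows only what this client negotiated; a server that still accepts RSA key transport can give other clients a session without forward secrecy.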

Next, the way Runbox stores your mail is unique in that they stick it in a giant, semi-anonymous pool with thousands of other messages. Grabbing this pool, which is encrypted, is useless as it's nearly impossible to identify which message belongs to which users.

Finally, and this is a very cool thing, email messages sent between Runbox users never go over the Internet at all. They are simply transferred via their internal network and that's that.

Those are a few of the technical tools that Runbox uses to protect our privacy. But there's also a legal aspect too that is just as important.

Because of the type of service Runbox is, they are not required to log anything about their users. This means that they can choose not to log connections so that there is nothing to turn over should a court request come.

Additionally, Norway, the country that Runbox operates in, has a strong history of erring on the side of privacy. They opposed the European Union's data retention laws and routinely side with users on issues affecting their privacy. They also don't automatically assume that a corporation's needs outweigh a user's right to privacy and have, in the past, not handed over data on file sharers to courts requesting such data.

All in all, I think I've found the perfect solution to my email needs. And, best of all, it's affordable too. I pay only $39 a year for a decent-sized email box and a great web-based email client. I can pay slightly more to get a larger box, the ability to send more messages per day, web hosting, and file sharing, but, honestly, the $39 a year plan more than meets my needs.

So I'd like to encourage those of you who are concerned about your privacy or who are fed up with your privacy being raped by providers like Gmail, Yahoo, and others, to take a serious look at Runbox. It's not perfect, but it's as close as we're going to get unless we're willing to host our own email.

Find their site at www.runbox.com


Daniel said...

Actually, Runbox will soon be required under Norwegian law to log emails. The Norwegian government is slooowly trying to push through the EU’s (utterly useless, says the EU countries that have implemented it) Data Retention Directive.

However, I agree that Runbox is one of the least bad alternatives out there.

kimrunbox said...

Yes, Norway will implement our version of the Data Retention Directive. But you are wrong in suggesting that Runbox will be affected by that law.

In Norway it will only affect the large email providers that are also ISPs, such as Telenor, Tele2, Domeneshop, Netcom and TDC.

So Runbox gets the very good privacy protection we have in Norway and we are not affected by the negative bit of legislation. It is a win-win for our users.

Jack Ponting said...

