Number of requests from authorities

[jl66]

Many companies offering email services with privacy in mind are posting in their websites the number of requests they have received from authorities.

Is Runbox going to do the same?. You should do it.

Is it true that if you receive some of these requests then you inform the clients involved about it?
I am asking this because when some company can be destroyed if they don't do what some authorities request, then it's always easier and convenient to do what they ask in private.
Yes, I know about Norway laws but there are countries who can do some extra "pressure" to get what they want.

[FredOnline]

Quote:

Originally Posted by jl66

Many companies offering email services with privacy in mind are posting in their websites the number of requests they have received from authorities.

Is Runbox going to do the same?. You should do it.

Have a read of this, from August 2014:

https://blog.runbox.com/2014/08/why-...-is-important/

Since Runbox Solutions was founded in 2011 we have received 0 court orders for disclosure of account details or user data. We have received 3 requests directly from attorneys in the United States, all of which have been rejected outright.

[17pm]

I'll leave this here. http://www.aftenposten.no/nyheter/ir...l#.U0QILPmSwW8

That was in march 2011 AFAIK. The interesting thing about it? Look at the date of the news. "25.jun. 2013".. More than 2 years after they supposedly granted FBI access to the e-mails. If it had not been for Hans Jørgen Lysglimt saying that FBI had access to the e-mails (2 YEARS AFTER IT HAPPENED!!! I want to stress this), none would have known.

[smithmb001]

Quote:

Originally Posted by 17pm

I'll leave this here. http://www.aftenposten.no/nyheter/ir...l#.U0QILPmSwW8

That was in march 2011 AFAIK. The interesting thing about it? Look at the date of the news. "25.jun. 2013".. More than 2 years after they supposedly granted FBI access to the e-mails. If it had not been for Hans Jørgen Lysglimt saying that FBI had access to the e-mails (2 YEARS AFTER IT HAPPENED!!! I want to stress this), none would have known.

I would like additional feedback from RunBox staff regarding this incident.

This is why I think it is important that electronic correspondence be encrypted on the server using a key that only the customer has in their possession.

[Geir]

There is nothing mysterious here.

Runbox is a law abiding company and will protect the privacy of our customers as far as Norwegian law allows. Any request for information from foreign authorities has to go through the proper channels and be independently processed by Norwegian police authorities and court system, as outlined here: https://runbox.com/why-runbox/email-...way-important/

Hence, Runbox would only disclose information upon receiving a Norwegian court order. If a crime is being investigated and the court order says we are not allowed to tell the account owner, we will not tell the account owner. It would be in no one's interest for Runbox to protect criminals, and our own Terms of Service clearly state that we, and our customers, must adhere to Norwegian law.

Runbox does not relate to or comply with any foreign authority, only Norwegian authorities, and that was also the case in March 2011 when the Runbox services were owned by another company. The news item actually misrepresented the facts -- I was there at the time and the request was from Norwegian police.

Since that time we have had no further requests from Norwegian authorities, and as stated in the page linked above we would not comply with anything less than a Norwegian court order.

- Geir

[jl66]

Thank you all for the answers.

Geir: so, is it possible to post in some place of the RB website a continue update about these requests?. I think it would be great, something like:

Requests from authorities until now: x
Requests from authorities this year: x
Requests from authorities this current month: x
(Or something like that)

Thanks!

[17pm]

Quote:

Originally Posted by jl66

Thank you all for the answers.

Geir: so, is it possible to post in some place of the RB website a continue update about these requests?. I think it would be great, something like:

Requests from authorities until now: x
Requests from authorities this year: x
Requests from authorities this current month: x
(Or something like that)

Thanks!

Will that mean much though? According to Geir, they were not allowed to divulge the information of the court order. To me, saying "Since that time we have had no further requests from Norwegian authorities" means that they have had no requests that they can talk about.

[jl66]

Quote:

Originally Posted by 17pm

Will that mean much though? According to Geir, they were not allowed to divulge the information of the court order. To me, saying "Since that time we have had no further requests from Norwegian authorities" means that they have had no requests that they can talk about.

That's only the case about the Norwegian court order and I don't think it's always the same. But they could receive requests from USA and other countries (answering negative) and we could know it.

[smithmb001]

RunBox was not supportive of this feature request, but I think it is clear that all data stored on a system should be encrypted with a user's personal encryption key. I thought this would be a nice privacy feature, similar to the no backup option, to offer customers who desire additional privacy protections.

Ladar Levison/DarkMail Interview: http://www.popularmechanics.com/tech...email-17162499

If Norwegian law requires RunBox to turn over data for a particular user and that data is encrypted with the customer's personal key then all authorities would get would be the encrypted files. Tough luck if they cannot decrypt them or it takes months to do so. RunBox is not providing a service for law enforcement, but for its customers. That's something collaborating companies in the US have forgotten.

[jl66]

Quote:

Originally Posted by smithmb001

RunBox was not supportive of this feature request, but I think it is clear that all data stored on a system should be encrypted with a user's personal encryption key. I thought this would be a nice privacy feature, similar to the no backup option, to offer customers who desire additional privacy protections.

Ladar Levison/DarkMail Interview: http://www.popularmechanics.com/tech...email-17162499

If Norwegian law requires RunBox to turn over data for a particular user and that data is encrypted with the customer's personal key then all authorities would get would be the encrypted files. Tough luck if they cannot decrypt them or it takes months to do so. RunBox is not providing a service for law enforcement, but for its customers. That's something collaborating companies in the US have forgotten.

Of course the hard disks should be encrypted, I miss this feature in Runbox (but I should trust RB in this...), but the problem is the same: someone (not only you) will be able to get the keys, don't think it can be only you (remember hushmail?). In this case it only works encrypting your emails in your computer and the hardest problem: communicating with your friends/family this way.

[Liz]

We haven't had any further requests from Norwegian authorities period; there aren't any secret ones either. If we did get any, nothing prevents us from saying how many, just without disclosing any details.

Liz

[jl66]

Thank you Liz ☺

[smithmb001]

I think RunBox reps have been both open and honest about what happened and I think they acted as they were required to do so under the law and that's good enough for me.

I would still suggest that a feature add-on be considered that would allow customers to encrypt their data at rest on RunBox servers (with no backdoor decryption) using a user supplied pass phrase. For the record, I don't have any issues with government/law enforcement collecting data legally on an individual using the public court system. I do take issue with government/law enforcement agencies using "secret" courts and "secret" laws as we now have in the US to perform mass surveillance, to collect data on an individual(s), to subvert technology, to coerce cooperation from companies (e.g. LavaBit), ect.

[jl66]

Surprised about this news:

http://www.spiegel.de/international/...a-1010361.html

So?...

[smithmb001]

Not surprised. The collaborators are getting exactly what they deserve and more will be served up as alternatives become available, see below.

http://www.bloomberg.com/news/2014-1...gy-to-own.html

http://www.cnet.com/news/spy-fears-l...it-not-huawei/

http://www.itnews.com.au/News/368562...g-program.aspx