by Kimmono 4747 days ago
Well, what you say is not correct. First of all, the Data Retention Directive has to be valid for you. I work for the Norwegian email provider Runbox and the EU Data Retention Directive is not applicable for us. It is only valid for carriers that own their own infrastructure down to the data center, called "communication providers". We even have it confirmed by both Kripos (FBI-ish) and Post- og Teletilsynet (Norwegian Post and Telecommunication Authority). We have tried to explain a bit why here: http://www.runbox.com/why-runbox/email-privacy-offshore-emai...

And you don't believe your data passes through a "communications provider"?

By the argumentation on your page, almost none of the electronic data targeted by the data retention directive would in fact be retained if the directive is not also applied to data that merely transits a provider's network, given that the vast majority of e-mail addresses in use today are not hosted by "communications providers". If that is indeed an actual loophole, it will be closed quickly if/when everyone realizes that they're not getting the data they expect.

This is in any case a minor point, as in terms of dealing with backup data, it's the first two points of my message that are by far the most serious. And I don't think they're that serious, in that I don't really believe there are any suitable alternatives that are safe enough that you can prevent surveillance based on location, so you'll depend on the crypto, and the combination of the two makes the location of the data rather moot.

It does, but they don't offer email or phone services. So they are also exempt. We use Blix: https://www.blix.com/

What you call a loophole was no secret in the hearings about the new law. The government wanted this implemented mainly for the phone providers. They understood that foreign email providers like Gmail and Hotmail, which most people in Norway use, could not be under the law in any practical way, so they restricted who this is applicable to.

I read your website and tried your service for a few days this past April. I cancelled immediately after you emailed both my web hosting and support account credentials. In plain text. That is egregious.

I mention this only to point out that without proper security procedures your data privacy policy is irrelevant. Not one-way hashing and salting passwords negates everything else you do.

I'm happy to try again some day but you really have to have airtight security at a minimum to appeal to privacy-conscious users. Password reset is one of the first things we test for any new service.

If you're worried about the NSA or other nation-states then I wouldn't stop with hashing+salting. You need to be using something like scrypt/bcrypt/PBKDF2. cperciva has a paper about scrypt, bcrypt is at least widely known for this use case, and PBKDF2 is even a "certified" way to do that.
Both your web hosting and support account credentials are encrypted. I see your point about not sending them to you when you set up the services, but you have to understand that we do offer services for a wide range of people. Some really want a copy of their login in their email that they have locally.

But I take your point about this and we will try to make that optional. It is optional when you set up email sub-accounts for the administrator.

This sounds strange, as far as I understand it:

http://www.lovdata.no/ltavd1/filer/sf-20130514-0484.html#1-2
http://www.lovdata.no/ltavd1/filer/sf-20130514-0484.html#2-6

together states that if you provide email services, you are required to store metadata (which is what the Data Retention Directive is all about).

On a side note, if the secret services cooperate to do massive ingress/egress storage of data on the network level (say for 6 months) -- having easily parsable meta-data would help turn that massive data dump into useful information (assuming index and organization around ip/date or something similar).

As for being safe from NSA outside of the US (even with an ally) -- that makes no sense. While it is against Norwegian law to hack into Norwegian businesses - the NSA isn't subject to Norwegian laws, they're subject to US law. The secret services are explicitly set up to perform illegal actions in foreign territories (which is why the NSA story is about spying on Americans, rather than on spying in general).

If you are a layman, it does. But this quote is very restrictive in the interpretation by Post og Teletilsynet: "Tilbyder av elektronisk kommunikasjonsnett som anvendes til offentlig elektronisk kommunikasjonstjeneste og tilbyder av offentlig elektronisk kommunikasjonstjeneste er lagringspliktig."

What we don't do is offer "Tilbyder av elektronisk kommunikasjonsnett". That means we are outside. Then the rest is not relevant.

We have been in the courts about this and both Kripos (they wanted information) and the judge found that we are outside the scope of this.

Ok, it wasn't entirely clear to me that you'd been in court over this after the law was enacted. That certainly is good news.

Does indeed sound like the directive is tailor-made to make ingress/egress snooping on data useful. The kind of snooping we saw with NSA's "secret rooms". Such illegal wire tapping would fit very well with meta data stored at the ISP level -- and could also explain why anyone not at that level is not required to store meta data (it would be redundant).