Interview with MyKolab Email Provider, Freedom Hacker
·

Interview with MyKolab Email Provider

Brandon StoshByBrandon Stosh Hours
Comments 0 Comments

0) Please tell us, what is your role (in the email provider company, where do you stand, owner, marketer, advertiser etc)?

My name is Torsten Grote and I am the Evangelist for Kolab Systems. This is the company that runs MyKolab.com and that develops the Open Source software that powers it.

1) Does MyKolab keep or enforce any logs, IP Addresses, Timestamps, Bandwidth caps, Traffic or other data on users?

We do not enforce any limitations on our users and also take some extra steps to protect their privacy, such as stripping information about your IP address and your mail program from email going through our systems. We need some logging for debugging the service and technical assistance at times, but our administrators will always confirm with the user that it is okay to look at their particular information. Otherwise they are legally bound to protect the privacy of all our users. Beyond that we store the legally defined minimum as per the requirements in Switzerland. [more background]

2) What type of Encryption do you use to secure emails?

All connections to our servers are encrypted with the best possible encryption ciphers. We are also using Perfect Forwarding Secrecy to provide additional protection to our users. Qualys SSL Labs rated our encryption A+. You can check the test results yourself.

We are aware that some providers claim to encrypt your messages on the server, or to somehow use browser storage for keys. In some cases there are also additional pass phrases entered into the browser. All of these cases allow the server provider and third parties to compromise the key in at least two ways: Breaking out of the browser sandbox from another application, or injecting code into the application with or without knowledge and cooperation of the provider.

In our understanding, compromising the key, and creating false security expectations is worse than understanding what level of security to expect. We
do not believe in misleading our users in such ways. [more background] Until there are ways of solving this problem without compromising the key we inform people whatis the technically best level of protection available today. And how to obtain the highest possible protection, i.e. through end to end encryption [more background]with OpenPGP where the key is never disclosed to anybody.

3) Where are your servers located and what jurisdiction do you operate under?

All our servers are located in Switzerland in a rack which we physically control. As a country that places a high value on privacy, Switzerland is extremely reluctant with access to people’s data and even has criminal liability for that. So we are *very* careful to make sure that all of our customers data stays safe and secure.

Our CEO explained very well why at the moment legislation trumps technology and even cryptography [more background]. We have also prepared a overview over the Swiss Legal Framework for those who want to know all the details.

4) How do you generally handle requests from law enforcement?

When such a request comes in, we carefully check whether it is formally correct, valid and approved by a Swiss judge. If one of the formal criteria is not met or if we are not obliged to comply, we deny the request.

All requests that we have to comply with, are published anonymized on our homepage which regularly updated. In 2013 there were only 21 cases of real-time internet wire-tapping in all of Switzerland and so far we only had one request for administrative that we had to comply with.

5) Do you track users in any way with trackers, advertisements, or cookies?

We do not show any advertisements, because our users are our customers and not our products. Because they pay us directly, we do not need to sell their data to finance our service.

We also do not track our users and use only session cookies for the webmail to handle the ongoing user session. Our website uses Piwik a Free Software Web Analytics Software to gather anonymized statistics. It does respect your browser’s “Do Not Track” preference and also offers an opt-out [more information].

6) How much do your encrypted email services cost?

Our service starts at 4.41 CHF for email, but also offers lots of other additional options such as Calendars, Tasks, Files and synchronization of your data and contacts to mobile phones.

Brandon Stosh

Brandon Stosh is the founder of www.freedomhacker.net. Stosh is a cyber security researcher who strives to provide reliable news on cyber-security based topics.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *