This article covers Virtru's approach to government requests and orders (both foreign and domestic) for customer and user data. This includes court-ordered searches, broad surveillance orders, and other types of requests as they pertain to your data.
Before diving into Virtru's stance on these issues, it is important to understand how Virtru protects information. This includes what Virtru does and does not have access to.
Encryption Keys and Your Content
Virtru leverages AES encryption, using 256-bit keys. This encryption has been proven secure. The only way to read encrypted files is to have both the files and the encryption keys. Virtru doesn’t have access to the content of your encrypted emails or files. In most cases, Virtru only has the encryption keys. Virtru won’t be able to read your content because it doesn’t have the content — and others (including the government) will be unable to read your content because they won’t have the keys.
As an encryption provider, Virtru would not be the subject of requests for your content because we do not have it: we never have access to both the encrypted data and the key required to decrypt it. This distinction is important when contextualizing any government request or order.
As a U.S.-based company, Virtru believes that the contents of your emails, files, and other data and communications should be and are fully protected by the Fourth Amendment to the United States Constitution. If Virtru receives a request from any government entity or agency for your encryption keys or other data, we will require the government to go to court. Virtru is prepared to argue our position in court in an appropriate case if necessary.
Virtru will only cooperate with search or surveillance orders provided they are:
- Ordered by a court, based on probable cause under time-honored Fourth Amendment principles.
- Ordered from a court with jurisdiction over Virtru.
- Specific to court-ordered directives relative to a specific individual/entity, and not broad surveillance orders.
Virtru will also fight to notify you of any requests or orders, unless we are prohibited by law from doing so, so that you may have an opportunity to defend your rights to keep your data confidential.
US Government - Requests and Orders
Virtru believes that the contents of your emails, files, and other data and communications should be and are fully protected by the Fourth Amendment to the United States Constitution, and that this generally should and does mean that the government needs an individualized court order, based on probable cause, to access the data you have chosen to keep private.
If Virtru receives a request from the United States Government (or other governmental organization) for your encryption keys or data, we will require the government to go to court. Virtru will also fight to notify you of any requests or orders.
Government Surveillance & Broad Surveillance Orders
Virtru does not think the law requires us to cooperate with broad surveillance orders permitting blanket surveillance by the NSA or other government agencies, and we would fight an order to cooperate.
Changes to FISA under the Patriot Act and the FISA Amendments Act permit some forms of surveillance that are not based on individualized court orders. Virtru would challenge any order to assist in broad surveillance programs by the NSA or other government agencies that are not based on individualized court orders.
However, federal law authorizes the government to require third parties to provide “technical assistance” to facilitate surveillance authorized by statutes such as Title 18 of the United States Code and the Foreign Intelligence Surveillance Act. Virtru may be required to provide technical assistance (and this might include encryption keys) needed to conduct lawful searches or surveillance of email, files or other data. We would do so only in accordance with the principles we have laid out in this policy.
Designing Systems for Lawful Surveillance
Virtru is not obligated to design its systems to facilitate lawful government surveillance. The Communications Assistance for Law Enforcement Act (CALEA) currently requires telecommunications providers to engineer their systems to facilitate lawful surveillance orders from the government. Virtru is not a telecommunications provider and does not have any obligations under CALEA.
Private Party or Foreign Government - Requests and Orders