This article covers Virtru's approach to government requests and orders (both foreign and domestic) for customer and user data. This includes court-ordered searches, broad surveillance orders, and other types of requests as they pertain to your data.
Before diving into Virtru's stance on these issues, it is important to understand how Virtru protects information. This includes what Virtru does and does not have access to.
Encryption Keys and Your Content
Virtru leverages AES encryption, using 256-bit keys, a method that has been proven secure. The only way to read Virtru-encrypted content is to have both the encrypted content and the appropriate keys for decryption. At no point in time does Virtru ever have access to both the encrypted content and all of the required decryption keys. Similarly, others (including the government) will be unable to read your content because they won’t have both.
As we never have access to both the encrypted data and the key required to decrypt customer data, we would be unable to fulfill requests for your decrypted content. This distinction is important when contextualizing any government request or order.
For more information on our technology, visit our Architectural Overview.
As a U.S.-based company, Virtru believes that the contents of your emails, files, and other data and communications should be and are fully protected by the Fourth Amendment to the United States Constitution. If Virtru receives a request from any government entity or agency for your encryption keys or other data, we will require the government to go to court. Virtru is prepared to argue our position in court in an appropriate case, if necessary.
Virtru will only cooperate with search or surveillance orders provided they are:
- Ordered by a court, based on probable cause under time-honored Fourth Amendment principles.
- Ordered from a court with jurisdiction over Virtru.
- Specific to court-ordered directives relative to a specific individual/entity, and not a broad surveillance order.
Virtru will also fight to notify you of any requests or orders, unless we are prohibited by law from doing so, so that you may have an opportunity to defend your rights to keep your data confidential.
US Government - Requests and Orders
Virtru believes that the contents of your emails, files, and other data and communications should be and are fully protected by the Fourth Amendment to the United States Constitution, and that this generally should and does mean that the government needs an individualized court order, based on probable cause, to access the data you have chosen to keep private.
If Virtru receives a request from the United States Government (or other governmental organization) for your encryption keys or data, we will require the government to go to court. Virtru will also fight to notify you of any requests or orders.
Government Surveillance & Broad Surveillance Orders
Virtru does not think the law requires us to cooperate with broad surveillance orders permitting blanket surveillance by the NSA or other government agencies, and we would fight an order to cooperate.
Changes to FISA under the Patriot Act and the FISA Amendments Act permit some forms of surveillance that are not based on individualized court orders. Virtru would challenge any order to assist in broad surveillance programs by the NSA or other government agencies that are not based on individualized court orders.
However, federal law authorizes the government to require third parties to provide “technical assistance” to facilitate surveillance authorized by statutes, such as Title 18 of the United States Code and the Foreign Intelligence Surveillance Act. Virtru may be required to provide technical assistance (and this might include encryption keys) needed to conduct lawful searches or surveillance of email, files or other data. We would do so only in accordance with the principles we have laid out in this policy.
Designing Systems for Lawful Surveillance
Virtru is not obligated to design its systems to facilitate lawful government surveillance. The Communications Assistance to Law Enforcement Act (CALEA) currently requires telecommunications providers to engineer their systems to facilitate lawful surveillance orders from the government. Virtru is not a telecommunications provider and does not have any obligations under CALEA.