Columns Archive

Private Email Not Always Hush Hush

Appeared in the Toronto Star on November 26, 2007 as Private Email Is Not Always Hush Hush
Appeared in the Tyee on November 27, 2007 as Private E-mail Not Hush Hush

This past September, the U.S. Drug Enforcement Agency launched "Operation Raw Deal", an initiative that targeted people purchasing raw steroid materials through the Internet from China and repackaging the steroids as drugs for domestic sale.  Tyler Strumbo, a 23-year old California resident, was among the 124 people arrested.  

The Strumbo case is of particular interest because of an important Canadian connection. The foundation of the DEA's case rested on hundreds of encrypted emails stored on the computer servers of Hush Communications, a company based in Vancouver.  A British Columbia court ordered the company to decrypt the emails and to send them to the U.S. law enforcement officials.  Faced with a valid court order, the company complied, shipping 12 CDs filled with unencrypted personal email to investigators in California.

Hush Communications was founded in 1998 and a year later it unveiled hushmail, a free encrypted email service that allows users to blanket their electronic communications with privacy-protective encryption. Given the openness of standard email, encrypted email can serve many legitimate purposes as people use the technology to restore a measure of privacy to their electronic communications.  Those same technologies can be misused, however, since criminals can similarly seek to keep their communications under wraps, thereby thwarting police investigations.

Hush Communications has developed corporate policies that seek to balance the privacy interests of their users with the reality that their services may be used for criminal purposes.  While the company has a global customer base, it only accepts court orders focused on specific user accounts issued by the British Columbia Supreme Court.  Indeed, company officials note that they receive requests from law enforcement around the world, yet many are abandoned after they learn of the need for Canadian court oversight.

In the Strumbo case, U.S. officials relied on the U.S.-Canada Mutual Legal Assistance Treaty, which is used by law enforcement agencies to expedite investigations that run across national borders.  Investigators allegedly placed several steroid orders with Strumbo via email and then asked the court to mandate the disclosure of the Strumbo's email correspondence.  

Reaction to the case has been sharply divided.  Some have criticized the company, arguing that it professes to protect the privacy of its users and that it failed to do so in this instance. Others have expressed support, noting that it has established a reasonable policy that includes notification to users of the potential disclosure risks along with strict court oversight.

More interestingly, the case challenges several myths that have developed about privacy, law enforcement, and the Internet.  First, the use of the MLAT serves as a timely reminder that U.S. law enforcement wields a wide range of investigative tools to compel disclosure of private information held in Canada.  While the USA Patriot Act has garnered the lion share of attention – including last year's controversial debate over possible access to Canadian census data – the reality is that there are multiple mechanisms to force organizations to hand over private information.

Second, the case counters law enforcement claims that it requires additional powers in order to conduct online investigations.  Canadian law enforcement officials have lobbied for years for new "lawful access" provisions that would require Internet service providers to install new surveillance capabilities and grant the police new powers to compel ISPs to disclose customer information.  Notwithstanding those lobbying efforts, the Strumbo case provides a compelling illustration of the effectiveness of the laws already in place.

Third, the case highlights how Canadian companies can navigate the privacy minefield by adhering to two key principles – insisting on court oversight before disclosing customer information and providing full public disclosure about the privacy protections associated with their services.  

Hush Communications has faced some heat from the Strumbo case, yet its approach is a textbook example of how to balance privacy interests with the legitimate needs of law enforcement.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

Comments are closed.