Private Email Not Always Hush Hush

My weekly technology law column (Toronto Star version, The Tyee version, Ottawa Citizen version, homepage version) begins by recounting that this past September, the U.S. Drug Enforcement Agency launched "Operation Raw Deal", an initiative that targeted people purchasing raw steroid materials through the Internet from China and repackaging the steroids as drugs for domestic sale.  Tyler Strumbo, a 23-year old California resident, was among the 124 people arrested. The Strumbo case is of particular interest because of an important Canadian connection. The foundation of the DEA's case rested on hundreds of encrypted emails stored on the computer servers of Hush Communications, a company based in Vancouver.  A British Columbia court ordered the company to decrypt the emails and to send them to the U.S. law enforcement officials.  Faced with a valid court order, the company complied, shipping 12 CDs filled with unencrypted personal email to investigators in California.

Hush Communications has developed corporate policies that seek to balance the privacy interests of their users with the reality that their services may be used for criminal purposes.  While the company has a global customer base, it only accepts court orders focused on specific user accounts issued by the British Columbia Supreme Court.  Indeed, company officials note that they receive requests from law enforcement around the world, yet many are abandoned after they learn of the need for Canadian court oversight. In the Strumbo case, U.S. officials relied on the U.S.-Canada Mutual Legal Assistance Treaty, which is used by law enforcement agencies to expedite investigations that run across national borders.  Investigators allegedly placed several steroid orders with Strumbo via email and then asked the court to mandate the disclosure of the Strumbo's email correspondence.  

Reaction to the case has been sharply divided.  Some have criticized the company, arguing that it professes to protect the privacy of its users and that it failed to do so in this instance. Others have expressed support, noting that it has established a reasonable policy that includes notification to users of the potential disclosure risks along with strict court oversight.

More interestingly, the case challenges several myths that have developed about privacy, law enforcement, and the Internet.  First, the use of the MLAT serves as a timely reminder that U.S. law enforcement wields a wide range of investigative tools to compel disclosure of private information held in Canada.  While the USA Patriot Act has garnered the lion share of attention – including last year's controversial debate over possible access to Canadian census data – the reality is that there are multiple mechanisms to force organizations to hand over private information.

Second, the case counters law enforcement claims that it requires additional powers in order to conduct online investigations.  Canadian law enforcement officials have lobbied for years for new "lawful access" provisions that would require Internet service providers to install new surveillance capabilities and grant the police new powers to compel ISPs to disclose customer information.  Notwithstanding those lobbying efforts, the Strumbo case provides a compelling illustration of the effectiveness of the laws already in place.

Third, the case highlights how Canadian companies can navigate the privacy minefield by adhering to two key principles – insisting on court oversight before disclosing customer information and providing full public disclosure about the privacy protections associated with their services.  Hush Communications has faced some heat from the Strumbo case, yet its approach is a textbook example of how to balance privacy interests with the legitimate needs of law enforcement.


  1. With a tiny bit of education, anyone can use any email service to send unbreakably encrypted messages. No warrent from any court in the world can break encryption. I understand that the original Hushmail service used the same practices to make it impossible for them to decrypt their user’s email. Obviously that changed at some point, making me wonder if there is more downside than your article goes into.

  2. In this particular case, it appears that the emails were not sent using Hushmail\’s Java application; instead, they were sent via the JacaScript implementation.

    While more convenient, the JavaScript implementation is such that Hushmail must have the private keys (as opposed to the Java implementation where the private keys do not leave the client machines). As they had the private keys, they were able to, on request, provide a clear-text of the encrypted messages to the enforcement.

    As MP writes above, “anyone can use any email service to send unbreakably encrypted messages.”

  3. Palonek
    There also many other options, think like gnu PGP and so on. Like Michel points out the existing laws in place demonstrate an already existing balance of privacy and security, yet the government’s need to remove that balance seems to be their number one agenda, why?
    [ link ]

  4. Palonek
    \”shipping 12 CDs filled with unencrypted personal email to investigators…\”
    For a company that does specialize in protecting data, it find it somewhat ironic that hushmail shipped the emails unsecured and unsealed, just a regular mail shipment.
    [ link ]

  5. Wired had a good article on this [ link ]

    It includes an email interview with Hushmail’s CTO. As Marko Z pointed out, this was accomplished using the Web-mail interface not the Java application, but since Hushmail provides the Java application, it would still be possible for them to send you a modified version that would capture your encryption key and send it back to Hushmail.

  6. Convenience
    It’s the whole “convenience” thing that I don’t buy. No one uses Hushmail because it’s convenient. At some point, they made a decision (or were strongly encouraged to come to the decision) that the security of their services should be compromised. Were they threatened with obstruction or something similar if they didn’t make their service snoopable?