My weekly technology law column (Toronto Star version, The Tyee version, Ottawa Citizen version, homepage version) begins by recounting that this past September, the U.S. Drug Enforcement Agency launched "Operation Raw Deal", an initiative that targeted people purchasing raw steroid materials through the Internet from China and repackaging the steroids as drugs for domestic sale. Tyler Strumbo, a 23-year-old California resident, was among the 124 people arrested. The Strumbo case is of particular interest because of an important Canadian connection. The foundation of the DEA's case rested on hundreds of encrypted emails stored on the computer servers of Hush Communications, a company based in Vancouver. A British Columbia court ordered the company to decrypt the emails and to send them to U.S. law enforcement officials. Faced with a valid court order, the company complied, shipping 12 CDs filled with unencrypted personal email to investigators in California.
Hush Communications has developed corporate policies that seek to balance the privacy interests of its users with the reality that its services may be used for criminal purposes. While the company has a global customer base, it only accepts court orders that are issued by the British Columbia Supreme Court and focused on specific user accounts. Indeed, company officials note that they receive requests from law enforcement around the world, yet many of those requests are abandoned once the requesters learn of the need for Canadian court oversight. In the Strumbo case, U.S. officials relied on the U.S.-Canada Mutual Legal Assistance Treaty, which is used by law enforcement agencies to expedite investigations that run across national borders. Investigators allegedly placed several steroid orders with Strumbo via email and then asked the court to mandate the disclosure of Strumbo's email correspondence.
Reaction to the case has been sharply divided. Some have criticized the company, arguing that it professes to protect the privacy of its users and that it failed to do so in this instance. Others have expressed support, noting that it has established a reasonable policy that includes notification to users of the potential disclosure risks along with strict court oversight.
More interestingly, the case challenges several myths that have developed about privacy, law enforcement, and the Internet. First, the use of the MLAT serves as a timely reminder that U.S. law enforcement wields a wide range of investigative tools to compel disclosure of private information held in Canada. While the USA Patriot Act has garnered the lion's share of attention – including last year's controversial debate over possible access to Canadian census data – the reality is that there are multiple mechanisms to force organizations to hand over private information.
Second, the case counters law enforcement claims that it requires additional powers in order to conduct online investigations. Canadian law enforcement officials have lobbied for years for new "lawful access" provisions that would require Internet service providers to install new surveillance capabilities and grant the police new powers to compel ISPs to disclose customer information. Notwithstanding those lobbying efforts, the Strumbo case provides a compelling illustration of the effectiveness of the laws already in place.
Third, the case highlights how Canadian companies can navigate the privacy minefield by adhering to two key principles – insisting on court oversight before disclosing customer information and providing full public disclosure about the privacy protections associated with their services. Hush Communications has faced some heat from the Strumbo case, yet its approach is a textbook example of how to balance privacy interests with the legitimate needs of law enforcement.