Private E-mail Not Hush Hush

This past September, the U.S. Drug Enforcement Agency launched "Operation Raw Deal," an initiative that targeted people purchasing raw steroid materials through the Internet from China and repackaging the steroids as drugs for domestic sale. Tyler Strumbo, a 23-year-old California resident, was among the 124 people arrested.

The Strumbo case is of particular interest because of an important Canadian connection. The foundation of the DEA's case rested on hundreds of encrypted e-mails stored on the computer servers of Hush Communications, a company based in Vancouver. A British Columbia court ordered the company to decrypt the e-mails and to send them to the U.S. law enforcement officials. Faced with a valid court order, the company complied, shipping 12 CDs filled with unencrypted personal e-mail to investigators in California.

Hush Communications was founded in 1998 and a year later it unveiled hushmail, a free encrypted e-mail service that allows users to blanket their electronic communications with privacy-protective encryption. Given the openness of standard e-mail, encrypted e-mail can serve many legitimate purposes as people use the technology to restore a measure of privacy to their electronic communications. Those same technologies can be misused, however, since criminals can similarly seek to keep their communications under wraps, thereby thwarting police investigations.

Privacy and crooks

Hush Communications has developed corporate policies that seek to balance the privacy interests of their users with the reality that their services may be used for criminal purposes. While the company has a global customer base, it only accepts court orders focused on specific user accounts issued by the British Columbia Supreme Court. Indeed, company officials note that they receive requests from law enforcement around the world, yet many are abandoned after they learn of the need for Canadian court oversight.

In the Strumbo case, U.S. officials relied on the U.S.-Canada Mutual Legal Assistance Treaty, which is used by law enforcement agencies to expedite investigations that run across national borders. Investigators allegedly placed several steroid orders with Strumbo via e-mail and then asked the court to mandate the disclosure of the Strumbo's e-mail correspondence.

Reaction to the case has been sharply divided. Some have criticized the company, arguing that it professes to protect the privacy of its users and that it failed to do so in this instance. Others have expressed support, noting that it has established a reasonable policy that includes notification to users of the potential disclosure risks along with strict court oversight.

Myth of invisible net

More interestingly, the case challenges several myths that have developed about privacy, law enforcement, and the Internet. First, the use of the MLAT serves as a timely reminder that U.S. law enforcement wields a wide range of investigative tools to compel disclosure of private information held in Canada. While the U.S. Patriot Act has garnered the lion share of attention -- including last year's controversial debate over possible access to Canadian census data -- the reality is that there are multiple mechanisms to force organizations to hand over private information.

Second, the case counters law enforcement claims that it requires additional powers in order to conduct online investigations. Canadian law enforcement officials have lobbied for years for new "lawful access" provisions that would require Internet service providers to install new surveillance capabilities and grant the police new powers to compel ISPs to disclose customer information. Notwithstanding those lobbying efforts, the Strumbo case provides a compelling illustration of the effectiveness of the laws already in place.

Third, the case highlights how Canadian companies can navigate the privacy minefield by adhering to two key principles -- insisting on court oversight before disclosing customer information and providing full public disclosure about the privacy protections associated with their services.

Hush Communications has faced some heat from the Strumbo case, yet its approach is a textbook example of how to balance privacy interests with the legitimate needs of law enforcement.

Related Tyee stories:

• The Tyee's Privacy Policy
• The End of Privacy?
  Laws can't keep pace with digital advances.
• Your Privacy: How Safe from U.S. Probes?
  The B.C. government's response to the U.S. Patriot Act pre-empted its own privacy commissioner.