Virtru FAQ: Government Surveillance

Will the government be able to read my protected emails and files?

No, the government cannot read your protected emails and files unless it has both the files and the encryption key.

Virtru uses the most advanced encryption available, AES, using 256-bit keys. This encryption has been proven secure. The only way to read encrypted files is to have the encryption keys. Virtru doesn’t have access to the content of your emails, files, or other data — it only has the keys. Virtru won’t be able to read your content because it doesn’t have content — and others (including the government) will be unable to read your content because they won’t have the keys.

What would Virtru do if it received a request from the United States Government for your encryption keys?

If Virtru receives a request from the United States Government for your encryption keys we will require the government to go to court, and if we can, we will notify you.

If we receive a request from the United States government, we will respond by saying that we will not comply with any request other than a court order from a court with jurisdiction over us. We will then notify you that we have received such a request unless we are prohibited by law from doing so, so that you may have an opportunity to defend your rights to keep your data confidential.

Would Virtru cooperate with court-ordered searches or surveillance of email, files, or other data?

We would do so if ordered by a court based on probable cause under time-honored Fourth Amendment principles. We will also fight to notify you so you may defend your rights.

Virtru believes that the contents of your emails, files, and other data and communications should be and are fully protected by the Fourth Amendment to the United States Constitution, and that this generally should and does mean that the government needs an individualized court order, based on probable cause, to access the data you have chosen to keep private. This means that we will not comply with blanket requests for access to our encryption keys, only specific court-ordered directives relative to an individual.

In the same way that locking a briefcase or sealing an envelope shows a clear legal expectation of privacy, by protecting your data with Virtru’s encryption services you will have sent a very unambiguous message that you regard your data as private. This will strengthen your legal expectation of privacy under the Constitution.

Some statutes permit the government to obtain content (such as stored emails) on a lesser showing than probable cause. Virtru believes the Fourth Amendment should and does provide greater protection than these statutes for the content of email, files, and other data — particularly when such data is encrypted — and would argue this position in court in an appropriate case if necessary.

Why would Virtru receive a court order, if it doesn’t have my content?

We may be ordered to provide assistance to facilitate an order that is primarily directed at the holder of your encrypted data.

As an encryption provider, Virtru would not be the subject of requests for your content because it does not have it. However, federal law authorizes the government to require third parties to provide “technical assistance” to facilitate surveillance authorized by statutes such as Title 18 of the United States Code and the Foreign Intelligence Surveillance Act. Virtru may be required to provide technical assistance (and this might include encryption keys) needed to conduct lawful searches or surveillance of email, files or other data.  We would do so only in accordance with the principles we have laid out in this policy.

Can I see Virtru’s transparency reports?

Yes! Virtru recognizes that being 100% transparent with our customers is vital to our position as a digital privacy leader. We have taken aggressive measures to protect our users’ information and data from unwanted third parties. You deserve to know what we are doing with your data. Are we fighting requests that we have promised to fight? What has been the outcome? To this end, Virtru is pleased to issue regular transparency reports detailing government demands for user data and how we are handling them.

View the latest transparency report here.

Does Virtru have an obligation to design its systems to facilitate lawful government surveillance?

No, Virtru does not have an obligation to design its systems to facilitate lawful government surveillance because the law that requires this for telecommunications providers does not apply to us.

What would Virtru do if it received a request for your keys from any private party or foreign government?

If Virtru receives a request for your keys from any private party or foreign government we will refuse this request and notify you immediately.

Would Virtru comply with any voluntary government program of searches or surveillance of email, files, or other data?

No. Virtru would not comply with any voluntary government program of searches or surveillance of email, files, or other data.

Would Virtru cooperate with broad surveillance orders permitting blanket surveillance by the NSA or other government agencies?

 No — we do not think the law requires this, and we would fight an order to cooperate.

Virtru does not believe these orders should apply to encryption providers and would vigorously contest any attempt to extend such orders to us.

Changes to FISA under the Patriot Act and the FISA Amendments Act permit some forms of surveillance that are not based on individualized court orders. Virtru would challenge any order to assist in broad surveillance programs by the NSA or other government agencies that are not based on individualized court orders. 

More information is provided here.

Could the government outlaw the kind of encryption solution that Virtru is offering?

Virtru believes the use of encryption is protected by the First Amendment, both because encryption is a way of “speaking” and because, in a digital age, encryption is integral to private communication. Virtru would vigorously oppose any attempt to outlaw encryption or require that encryption be compromised through back doors or other mechanisms such as key escrow with the government.