Yes! View the latest report below or click this link for the complete list.
Virtru recognizes that being 100% transparent with our customers is vital to our position as a digital privacy leader. We have taken aggressive measures to protect our users’ information and data from unwanted third parties. You deserve to know what we are doing with your data. Are we fighting requests that we have promised to fight? What has been the outcome? To this end, Virtru is pleased to issue regular transparency reports detailing government demands for user data and how we are handling them.
Virtru never stores the content of user communications or files. However, Virtru does hold and secure encryption keys, which we anticipate could be of interest to government agencies. Encryption keys are generated for each message or file a user protects and are necessary to read the content that you share using your e-mail or other cloud service that you are protecting with Virtru. For customers using our Customer Key Server (CKS), customers maintain exclusive control of their encryption keys. In this case, Virtru never has access to either encryption keys or content. Entities seeking access to customer content will need to request access from the customer.
The United States government may try to seek access to encryption keys with a variety of legal powers. Some of its powers are used in criminal investigations – principally, search warrants and wiretap orders, which require probable cause, and subpoenas, pen/trap orders, or similar orders, which do not.
Some of the government’s powers are used in foreign intelligence or national security investigations. The government usually tries to impose more secrecy for national security powers than for criminal powers. These powers also can be divided into those that require probable cause – for example, search warrants and traditional wiretap orders under the Foreign Intelligence Surveillance Act – and those that do not, including pen/trap orders, business records orders, and new “section 702” wiretap surveillance orders under FISA, as well as national security letters.
As of the filing of this transparency report, Virtru has not received any government requests for any user data.
Read our quarterly Transparency Reports here.
No, because the law that requires this for telecommunications providers does not apply to us.
The Communications Assistance to Law Enforcement Act (CALEA) currently requires telecommunications providers to engineer their systems to facilitate lawful surveillance orders from the government. Virtru is not a telecommunications provider and does not have any obligations under CALEA.
Virtru will vigorously resist any proposed legislation to mandate that security providers engineer their systems to facilitate government surveillance. Virtru believes that it is a mistake to require security companies to build in backdoors or other methods to facilitate government surveillance, because such requirements could compromise security.
No — we do not think the law requires this, and we would fight an order to cooperate.
Virtru does not believe these orders should apply to encryption providers and would vigorously contest any attempt to extend such orders to us.
Changes to FISA under the Patriot Act and the FISA Amendments Act permit some forms of surveillance that are not based on individualized court orders. Virtru would challenge any order to assist in broad surveillance programs by the NSA or other government agencies that are not based on individualized court orders.
Under the “business records” provision of FISA (as amended by the Patriot Act), any person can be required by the FISA court to provide records or other tangible things in international terrorism and other foreign intelligence investigations. The FISA court has approved the government’s requests under this provision for very broad access to telephone metadata (e.g., phone numbers called and phone numbers received; date, time, and length of call).
Under Section 702 of FISA (as added by the FISA Amendments Act), communications service providers can be required to provide the content of communications and other data under blanket orders pursuant to court-approved procedures where the target of the surveillance is not a US citizen or permanent resident and is reasonably believed to be outside the United States.
Virtru does not believe that these provisions allowing non-targeted surveillance authorize the government to obtain encryption keys or other technical assistance from Virtru. Virtru believes that a court would agree with its legal position if it were asked to cooperate with government requests for encryption keys under these provisions.
If Virtru received an order for encryption keys under either of these provisions of FISA or under any other legal theory that was not based on individualized court orders, it would vigorously contest it.
We would do so if ordered by a court based on probable cause under time-honored Fourth Amendment principles. We will also fight to notify you so you may defend your rights.
Virtru believes that the contents of your emails, files, and other data and communications should be and are fully protected by the Fourth Amendment to the United States Constitution, and that this generally should and does mean that the government needs an individualized court order, based on probable cause, to access the data you have chosen to keep private. This means that we will not comply with blanket requests for access to our encryption keys, only specific court-ordered directives relative to an individual.
In the same way that locking a briefcase or sealing an envelope shows a clear legal expectation of privacy, by protecting your data with Virtru’s encryption services you will have sent a very unambiguous message that you regard your data as private. This will strengthen your legal expectation of privacy under the Constitution.
Some statutes permit the government to obtain content (such as stored emails) on a lesser showing than probable cause. Virtru believes the Fourth Amendment should and does provide greater protection than these statutes for the content of email, files, and other data — particularly when such data is encrypted — and would argue this position in court in an appropriate case if necessary.