Hushmail Turns Out To Not Be Quite So Hush Hush

from the privacy-is-an-illusion dept

Many people are familiar with the company Hushmail, who provides encrypted web-based email that the company claims is completely private. In fact, the company makes it clear: “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.” It turns out that isn’t quite true. Wired reports that Hushmail handed the feds 12 CDs worth of plain text emails from the service following a court order. The Wired piece goes into great detail concerning what happened here — and the folks at Hushmail were quite honest about how their service works. Hushmail has two different versions, one which requires a java app to be downloaded, which handles all the encryption locally. The other, more popular one, is entirely web-based, meaning that your passphrase is stored on the server ever so briefly — and that’s how Hushmail was able to access the accounts required in the court order. So, while it’s true that Hushmail is mostly secure outside of a court order, the marketing material on the site is at least a little misleading, implying that even in such cases, your email will be encrypted.

Filed Under: , , , ,
Companies: fbi, hushmail

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Hushmail Turns Out To Not Be Quite So Hush Hush”

Subscribe: RSS Leave a comment
Prime Minister says:


For those of you too lazy to RTFA:

[Hushmail] is useful for avoiding general Carnivore-type government surveillance, and protecting your data from hackers, but definitely not suitable for protecting your data if you are engaging in illegal activity that could result in a Canadian court order.

That’s also backed up by the fact that all Hushmail users agree to our terms of service, which state that Hushmail is not to be used for illegal activity. However, when using Hushmail, users can be assured that no access to data, including server logs, etc., will be granted without a specific court order.

Smith also says that it only accepts court orders issued by the British Columbia Supreme Court and that non-Canadian cops have to make a formal request to the Canadian government whose Justice Department then applies, with sworn affidavits, for a court order.

Hushmail is a Canadian company. The US government made a request and the CANADIAN company complied when a legit court order was presented.


lar3ry says:

I, for one, think this is GREAT

Hushmail states up front that they do not condone the use of their product for illegal activities, and therefore they will comply to the best of their ability with any valid court order given them. The order needs to come from a court that has power in their jurisdiction (provincial court or possibly the Canadian federal courts), which makes it a bit of a harder hurdle for people from, say, the USA DHS who might just be on a fishing expedition.

They have complied with a legal order, and they are up front in exactly what they did: provided about 12 CDs of emails (without delving in exactly what those CDs contained).

In this day and age, seeing such candor and honesty by a corporation is refreshing and gives me a (small) hope that sometimes there are nice guys out there. Their service makes it clear in what circumstances they will comply, and they also make it clear that they are not able to unencrypt email sent from their Java client (which is a bit more of a hassle to use). They don’t promise a rose garden, but they don’t hide the thorns, either.

The article would make me MORE prone to use their service, as opposed to some other vendor that might cave in to the “nosy neighbor of the week,” or that might have a back door into your supposedly-encrypted email that they are willing to share with the people in black hats.

Hooray for the good guys!

Oh… if you are doing something illegal, I hope you get caught. Just because I don’t want my private life spewed all over the internet doesn’t mean you have the right to get away scot free with your dastardly deeds. If the government asks for your encrypted email and has reason to suspect that it is worth a twenty man-year effort to decrypt it to prove a case, they will do so, and there’s nothing you can do about it except avoid doing illegal things.

Jack o. Trades (user link) says:

Re: I, for one, think this is GREAT

Well, while this poly-anna replies about the great and good are nice, one should as a more basic question. What happens when the Government is wrong? What happens when what you are doing is legal then is ruled illegal. Privacy is a right like the second amendment is for guns. It sets those in power on notice that a normal everyday person is protected. IF “they” deem it bad then is it bad?

You would do well to think about such things before you go off and suggest its ok for the good guys to save us from ourselves.

lar3ry says:

Re: Re: I, for one, think this is GREAT

What happens when the Government is wrong? In a perfect world, you will be found innocent. In the real world, things go sometimes go awry. I’m not a Pollyanna, but I’m also not an alarmist.

What Hushmail is doing does not impact this one iota. They are doing what they advertise they are doing, and when they are asked to give over customer data, they are forthright about it.

I do think of such things. I don’t expect ANYBODY to save me from myself except, perhaps, myself. And I hope that people that would utilize a useful tool for illegal purposes get nailed in the same way that a person that uses a gun to commit a crime.

TheDock22 says:

No problems here

I think Hushmail did the right thing. A court order was given and they complied. It is silly to think that an email service company would really encrypt all your emails so that they can not comply with a court order and leave themselves open to nasty legal battles.

At least they waited for a court order and did not just hand over the information like other companies.

countzero says:

not targeted

So be it, they got the court order, the police should be able to do what they need to to gather information for a case or whatever. However. 12 cd’s of plaintext is what, 1.5 million full pages or so? Even if they were targeting a crime ring or something along those lines, that amount of information is absurd. The fact that the police went through the right channels gives me some hope, but that they just grabbed everybody’s emails disgusts me a bit.

Anonymous Coward says:

Countzero is the only one so far to address the real issue:

That Hushmail handed over 12 CD’s worth of email. I doubt any human being could send or receive enough email in a lifetime to fill twelve CD’s.

If Bill does an illegal act and the courts ask for Bill’s email through the proper channels, then handing over just Bill’s email is one thing. However, it sounds like Hushmail handed over ALL of their users email, not just the evidenciary email. That is the issue at hand. They should not violate all of their customers privacy in that way, nor should any government have the power to demand that ALL the email, even that unconnected to their case, be handed over.

Hushmail IS in the wrong here.

Freedom says:

Re: Re:

You are assuming text based e-mails. E-mails with attachments could very easily consume 12 CDs. For instance, let’s say this person was using the account for child porn or something – would it be that difficult to fill up 12CDs with those types of e-mails?

They could have also included logs which tend to be extremely verbose and can add up quickly.

TheDock22 says:

Re: Re:

Yea, I think your wrong on this one. I just backed up my email the other day and I filled up 5 cds worth of stuff on my own. With attachments I really needed the space.

Plain text email with attachments from a few users could easily fill up 12 cds.

So, you need to not make finite statements like I doubt any human being could send or receive enough email in a lifetime to fill twelve CD’s. It makes you seem like a fool.

Anonymous Coward says:

Re: Re: Re:

I don’t buy it. I have five years worth of mail stored in my email account, including potentially thousands of attachments which mostly constitutes image files.

The total size is just over 1 gigabyte of data, not even enough to fill two CDs. Image files are very small, a few kilobytes worth of data, and most email services have size limits that prevent attachments that are too large, such as video files from being sent.

I stand by what I said that 12 CDs (which averages out to around 8 Gigabytes of data) sounds like more than just 1 or 2 accounts.

TheDock22 says:

Re: Re: Re: Re:

E-mail messages with attachments are not plain text. Plaintext does not mean “plain text” and making statements about “plain text email with attachments” makes you seem like a fool.

Ah well on this forum I assumed most people were astute enough to understand plain text (plaintext) as encrypted. I am either a fool or hopefully optimistic.

Anonymous Coward says:

Re: Re: Re:2 Re:

Ah well on this forum I assumed most people were astute enough to understand plain text (plaintext) as encrypted.

Wow. How dense are you? It’s been explained to you in simple terms and yet you still don’t understand that plaintext isn’t encrypted and that “plaintext” doesn’t mean “plain text”.

I am either a fool or hopefully optimistic.

I don’t know about the latter but you’re certainly showing yourself to be the former.

claire rand says:

if its important enough to care about privacy, then do the blinding obvious.. encrypt it yourself before sending it..

if you let a company encrypt if for you, well you get what you deserve.

can’t blame the company at all for this, at least they are open about what they will do, and waited for a court order.

what exactly do people expect?

if you are serious about sending a ‘secret’ message its not exactly hard

Jamie says:

Thank you, Claire Rand! Finally someone got the point: Hushmail offers Java-based software that will encrypt outgoing data *before* it even gets to Hushmail and then will decrypt it after it leaves Hushmail. When used, Hushmail sees nothing but encrypted gibberish. The people who had their plaintext email passed onto law enforcement were to damned lazy to use the software and instead uploaded plaintext messages for Hushmail to do the encryption on the server end. That’s stupid. It’s like walking into a busy post office and dictating your secrets to the clerk behind the counter so everyone else can hear and then asking that the message be sent in a secure package.

Anonymous Coward says:

Re: Re:

Thank you, Claire Rand! Finally someone got the point:

Yes, Claire got it right.

Hushmail offers Java-based software that will encrypt outgoing data *before* it even gets to Hushmail and then will decrypt it after it leaves Hushmail. When used, Hushmail sees nothing but encrypted gibberish.

Maybe, maybe not. You see the problem with Hushmail’s Java applet is that you can’t verify that it is secure. While Hushmail does publish the source code for an encrypting Java applet you still can’t be sure that it corresponds to what is actually downloaded to and run on your computer each time. That’s why you should use only open-source encryption software that you can verify and install on your own computer if security is really important to you.

The people who had their plaintext email passed onto law enforcement were to damned lazy to use the software and instead uploaded plaintext messages for Hushmail to do the encryption on the server end. That’s stupid.

As explained above, using their Java applet could also be said to be lazy and stupid. Good security usually isn’t easy to implement. That’s why most people don’t do it.

Anonymous Coward says:

Re: Re:

I’m right in my assumption that encrypted email I send to someone is vulnerable to be compromised if the recipient is lax at their end, aren’t I?

Absolutely. Encryption is just a tool and not a substitute for good judgment. You should have the good sense to not send confidential information to unreliable recipients.

In this case, even if the senders were vigilant in their encrypting, the fact that the recipient wasn’t, made all of their emails (to that recipient) readable.

And all of the messages from those recipients back to the sender as well. Encryption only protects the message from those without the key, it doesn’t make the recipient reliable. It’s kind of like having a lock on your house but then giving a key to bad neighbor. The lock may protect your stuff from people without the key but it won’t keep the bad neighbor from ripping you off.

Rick (profile) says:

choosing email providers

If you are concerned about the US government (or the EU now) reading your email, you need to select a service outside those jurisdictions and in a country that can resist pressure from other, more powerful countries. There is a table comparing several secure email providers, including their locations, on the novo-ordo website at There are also pages discussing other aspects of computer security there.

clueless gramibear (profile) says:

new pilgrim exploring

At this point not entirely sure I am totally signed up but I did pay $49.99 and get get an email address, I think. These comments are interesting! Since none of my activities are in the least “interesting” to government agencies I am only glad for thair protection. Yet invasion of trojans, or any other really obnoxious potentiaiiy destructive forces would be untolerable because I just had a wicked experience with such stuff. In case of things like that happening does hushmail hav a way of fixing it? And is this “paid version” safe from suuff?
I don’t have a clue about the technical stuff like the URL. Where do I even find such stuff? I really need help . . . Being “gently seasoned” . . . . . . . most likely way older than you, I am slow, disabled, and my memory is . . . . let’s just say a bit foggy these days sorry to say.

martyn says:

youre all scrapping over nothing!

I’ll spell it out to you in plain text!

there is no difference between “plain text” and “plaintext”
probably just a typo or a misused jargon.
In emails there is only a choice between plain text or HTML
like when you are a technophobe with a crappy slow computer and when you try to read your email your browser asks you if you want to view your email in plaintext because its loading very slowly and cant handle all the HTML formatting! you choose plain text! so I think that 12 cds worth of plain text is in fact overkill and hushmail has something to answer for! However i dont think that 12 cds worth would be all their users! thats just ludcicrous if you you consider that possbily a lot of their users might be business users who both send and recieve thousands if not millions of emails everyday, every hour , every minute, every second! ponder that for a while?? I doubt very much that 12 cds worth of emails even plain text/plaintext would fit all their users emails on! I rest my case!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...