Hushmail Turns Out To Not Be Quite So Hush Hush
from the privacy-is-an-illusion dept
Many people are familiar with Hushmail, a company that provides encrypted web-based email that it claims is completely private. In fact, the company makes it clear: “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.” It turns out that isn’t quite true. Wired reports that Hushmail handed the feds 12 CDs worth of plain text emails from the service following a court order. The Wired piece goes into great detail concerning what happened here — and the folks at Hushmail were quite honest about how their service works. Hushmail has two different versions. One requires a Java app to be downloaded, which handles all the encryption locally. The other, more popular one is entirely web-based, meaning that your passphrase is stored on the server ever so briefly — and that’s how Hushmail was able to access the accounts required in the court order. So, while it’s true that Hushmail is mostly secure outside of a court order, the marketing material on the site is at least a little misleading, implying that even in such cases, your email will be encrypted.
Filed Under: drug dealers, email, encryption, fbi, privacy
Companies: fbi, hushmail
Comments on “Hushmail Turns Out To Not Be Quite So Hush Hush”
Why am I not surprised….Privacy is slipping away
Warnings
Various security experts have been warning about Hushmail (and similar services) for years. Some people just won’t listen though.
and locally?
What would have happened if the emails were from account owners who encrypted locally?
Would they have still been able to find a way to move encrypted emails into plain text for a court order?
I’m sure a similar reasoning would be used in that case.
Re: and locally?
The Feds have trojans they download to sniff out passwords. If I recall correctly, Techdirt have done posts on this very subject not so long ago.
Re: Re: and locally?
The Feds have trojans they download to sniff out passwords. If I recall correctly, Techdirt have done posts on this very subject not so long ago. They have experts at waterboarding that they can use for password recovery too.
At least there was a court order this time.
Gee! The feds followed the law, got a court order first and nothing blew up. How dare they take such risks with our safety!
(/sarcasm)
RTFA!!
For those of you too lazy to RTFA:
Hushmail is a Canadian company. The US government made a request and the CANADIAN company complied when a legit court order was presented.
READ THE F*CKIN ARTICLE!
Re: RTFA!!
So who did you think didn’t?
Just again – one more reason to be further sure that… computers aren’t nearly as secure as they are hyped out to be.
I, for one, think this is GREAT
Hushmail states up front that they do not condone the use of their product for illegal activities, and therefore they will comply to the best of their ability with any valid court order given them. The order needs to come from a court that has power in their jurisdiction (provincial court or possibly the Canadian federal courts), which makes it a bit of a harder hurdle for people from, say, the USA DHS who might just be on a fishing expedition.
They have complied with a legal order, and they are up front in exactly what they did: provided about 12 CDs of emails (without delving in exactly what those CDs contained).
In this day and age, seeing such candor and honesty by a corporation is refreshing and gives me a (small) hope that sometimes there are nice guys out there. Their service makes it clear in what circumstances they will comply, and they also make it clear that they are not able to unencrypt email sent from their Java client (which is a bit more of a hassle to use). They don’t promise a rose garden, but they don’t hide the thorns, either.
The article would make me MORE prone to use their service, as opposed to some other vendor that might cave in to the “nosy neighbor of the week,” or that might have a back door into your supposedly-encrypted email that they are willing to share with the people in black hats.
Hooray for the good guys!
Oh… if you are doing something illegal, I hope you get caught. Just because I don’t want my private life spewed all over the internet doesn’t mean you have the right to get away scot free with your dastardly deeds. If the government asks for your encrypted email and has reason to suspect that it is worth a twenty man-year effort to decrypt it to prove a case, they will do so, and there’s nothing you can do about it except avoid doing illegal things.
Re: I, for one, think this is GREAT
Well, while these Pollyanna replies about the great and good are nice, one should ask a more basic question. What happens when the Government is wrong? What happens when what you are doing is legal then is ruled illegal? Privacy is a right like the second amendment is for guns. It sets those in power on notice that a normal everyday person is protected. IF “they” deem it bad then is it bad?
You would do well to think about such things before you go off and suggest it’s OK for the good guys to save us from ourselves.
Re: Re: I, for one, think this is GREAT
What happens when the Government is wrong? In a perfect world, you will be found innocent. In the real world, things sometimes go awry. I’m not a Pollyanna, but I’m also not an alarmist.
What Hushmail is doing does not impact this one iota. They are doing what they advertise they are doing, and when they are asked to give over customer data, they are forthright about it.
I do think of such things. I don’t expect ANYBODY to save me from myself except, perhaps, myself. And I hope that people that would utilize a useful tool for illegal purposes get nailed in the same way that a person that uses a gun to commit a crime.
No problems here
I think Hushmail did the right thing. A court order was given and they complied. It is silly to think that an email service company would really encrypt all your emails so that they can not comply with a court order and leave themselves open to nasty legal battles.
At least they waited for a court order and did not just hand over the information like other companies.
Everything can be seen
It seems to me that anything ever written on a computer can be read, regardless of the protections you think you might have. As I have stated before, I would never type anything on a computer that I wouldn’t want to be seen.
not targeted
So be it, they got the court order, the police should be able to do what they need to to gather information for a case or whatever. However, 12 CDs of plaintext is what, 1.5 million full pages or so? Even if they were targeting a crime ring or something along those lines, that amount of information is absurd. The fact that the police went through the right channels gives me some hope, but that they just grabbed everybody’s emails disgusts me a bit.
Countzero is the only one so far to address the real issue:
That Hushmail handed over 12 CD’s worth of email. I doubt any human being could send or receive enough email in a lifetime to fill twelve CD’s.
If Bill does an illegal act and the courts ask for Bill’s email through the proper channels, then handing over just Bill’s email is one thing. However, it sounds like Hushmail handed over ALL of their users’ email, not just the evidentiary email. That is the issue at hand. They should not violate all of their customers’ privacy in that way, nor should any government have the power to demand that ALL the email, even that unconnected to their case, be handed over.
Hushmail IS in the wrong here.
Re: Re:
You are assuming text based e-mails. E-mails with attachments could very easily consume 12 CDs. For instance, let’s say this person was using the account for child porn or something – would it be that difficult to fill up 12CDs with those types of e-mails?
They could have also included logs which tend to be extremely verbose and can add up quickly.
Re: Re:
Yeah, I think you’re wrong on this one. I just backed up my email the other day and I filled up 5 CDs worth of stuff on my own. With attachments I really needed the space.
Plain text email with attachments from a few users could easily fill up 12 cds.
So, you need to not make finite statements like I doubt any human being could send or receive enough email in a lifetime to fill twelve CD’s. It makes you seem like a fool.
Re: Re: Re:
I don’t buy it. I have five years worth of mail stored in my email account, including potentially thousands of attachments which mostly constitutes image files.
The total size is just over 1 gigabyte of data, not even enough to fill two CDs. Image files are very small, a few kilobytes worth of data, and most email services have size limits that prevent attachments that are too large, such as video files from being sent.
I stand by what I said that 12 CDs (which averages out to around 8 Gigabytes of data) sounds like more than just 1 or 2 accounts.
Re: Re: Re:
Plain text email with attachments from a few users could easily fill up 12 cds.
E-mail messages with attachments are not plain text. Plaintext does not mean “plain text” and making statements about “plain text email with attachments” makes you seem like a fool.
Re: Re: Re: Re:
E-mail messages with attachments are not plain text. Plaintext does not mean “plain text” and making statements about “plain text email with attachments” makes you seem like a fool.
Ah well on this forum I assumed most people were astute enough to understand plain text (plaintext) as encrypted. I am either a fool or hopefully optimistic.
Re: Re: Re:2 Re:
Ah well on this forum I assumed most people were astute enough to understand plain text (plaintext) as encrypted.
Wow. How dense are you? It’s been explained to you in simple terms and yet you still don’t understand that plaintext isn’t encrypted and that “plaintext” doesn’t mean “plain text”.
I am either a fool or hopefully optimistic.
I don’t know about the latter but you’re certainly showing yourself to be the former.
Mike says plain text, but I don’t see that in the e-mail. Also the article says “turned over 12 CDs worth of e-mails from three Hushmail accounts”, not the whole enchilada.
Re: Re:
Plain text as in not encrypted
Re: Re:
I suspect Mike should have written ‘plaintext’ rather than ‘plain text’. ‘Plaintext’ just means ‘unencrypted’ and can include attachments and stuff other than just plain text.
if it’s important enough to care about privacy, then do the blinding obvious.. encrypt it yourself before sending it..
if you let a company encrypt it for you, well you get what you deserve.
can’t blame the company at all for this, at least they are open about what they will do, and waited for a court order.
what exactly do people expect?
if you are serious about sending a ‘secret’ message it’s not exactly hard
Thank you, Claire Rand! Finally someone got the point: Hushmail offers Java-based software that will encrypt outgoing data *before* it even gets to Hushmail and then will decrypt it after it leaves Hushmail. When used, Hushmail sees nothing but encrypted gibberish. The people who had their plaintext email passed onto law enforcement were too damned lazy to use the software and instead uploaded plaintext messages for Hushmail to do the encryption on the server end. That’s stupid. It’s like walking into a busy post office and dictating your secrets to the clerk behind the counter so everyone else can hear and then asking that the message be sent in a secure package.
Re: Re:
Yes, Claire got it right.
Maybe, maybe not. You see the problem with Hushmail’s Java applet is that you can’t verify that it is secure. While Hushmail does publish the source code for an encrypting Java applet you still can’t be sure that it corresponds to what is actually downloaded to and run on your computer each time. That’s why you should use only open-source encryption software that you can verify and install on your own computer if security is really important to you.
As explained above, using their Java applet could also be said to be lazy and stupid. Good security usually isn’t easy to implement. That’s why most people don’t do it.
I’m right in my assumption that encrypted email I send to someone is vulnerable to be compromised if the recipient is lax at their end, aren’t I? In this case, even if the senders were vigilant in their encrypting, the fact that the recipient wasn’t, made all of their emails (to that recipient) readable.
Re: Re:
Absolutely. Encryption is just a tool and not a substitute for good judgment. You should have the good sense to not send confidential information to unreliable recipients.
And all of the messages from those recipients back to the sender as well. Encryption only protects the message from those without the key, it doesn’t make the recipient reliable. It’s kind of like having a lock on your house but then giving a key to a bad neighbor. The lock may protect your stuff from people without the key but it won’t keep the bad neighbor from ripping you off.
Think Twice!
Hushmail isn’t offshore enough. If you think that you are protected just over the border then you are completely wrong. Choose your secure email provider wisely!
Data Locking
Check out http://www.datalocking.com as I would love to hear any thoughts on their idea! It appears that the data/text info is owned by a third party and the server is off shore in Costa Rica (who does not extradite info to the USA–hence that is where off-shore gambling and off-shore banking are flourishing.)
hmm
what I don’t get is why the feds aren’t burning emails on DVDs. come on, get with the times.
choosing email providers
If you are concerned about the US government (or the EU now) reading your email, you need to select a service outside those jurisdictions and in a country that can resist pressure from other, more powerful countries. There is a table comparing several secure email providers, including their locations, on the novo-ordo website at http://www.novo-ordo.com. There are also pages discussing other aspects of computer security there.
oh my god use megabytes not cds
new pilgrim exploring
At this point not entirely sure I am totally signed up but I did pay $49.99 and get an email address, I think. These comments are interesting! Since none of my activities are in the least “interesting” to government agencies I am only glad for their protection. Yet invasion of trojans, or any other really obnoxious potentially destructive forces would be intolerable because I just had a wicked experience with such stuff. In case of things like that happening does Hushmail have a way of fixing it? And is this “paid version” safe from stuff?
I don’t have a clue about the technical stuff like the URL. Where do I even find such stuff? I really need help . . . Being “gently seasoned” . . . . . . . most likely way older than you, I am slow, disabled, and my memory is . . . . let’s just say a bit foggy these days sorry to say.
you’re all scrapping over nothing!
I’ll spell it out to you in plain text!
there is no difference between “plain text” and “plaintext”
probably just a typo or a misused jargon.
In emails there is only a choice between plain text or HTML
like when you are a technophobe with a crappy slow computer and when you try to read your email your browser asks you if you want to view your email in plaintext because it’s loading very slowly and can’t handle all the HTML formatting! you choose plain text! so I think that 12 CDs worth of plain text is in fact overkill and Hushmail has something to answer for! However I don’t think that 12 CDs worth would be all their users! that’s just ludicrous if you consider that possibly a lot of their users might be business users who both send and receive thousands if not millions of emails every day, every hour, every minute, every second! ponder that for a while?? I doubt very much that 12 CDs worth of emails even plain text/plaintext would fit all their users’ emails on! I rest my case!
HushMail "not so secure" article
Really??? And what exactly would you do if the Feds sent you a court order to provide them with information? What do you expect HushMail to do on their marketing material – state that your emails are “secure short of a federal government court order”?
You obviously have way too much spare time on your hands!
I, for one, think this is GREAT
Define "illegal"!
PS: I can do whatever I want even if it p*sses you off.