Hushmail betrays trust of users

One likes to think that a secure web-based email provider would be able to secure your email. It is becoming more and more evident that there truly is a threat against your private communications. Governments really are eavesdropping on you. That threat translates into demand for secure communication products, one of which is web-based email. But apparently any prosecutor on a fishing expedition for evidence can subpoena HushMail, which will intercept a user's pass phrase and deliver complete records of decrypted email communications to help in an investigation. Ryan Singel gives a great recounting of the events over at Wired.

My advice to anyone designing a secure communication service: make it impossible to comply with government requests. You don't have to risk going to jail. Sure, give up the encrypted data if required. But don't hand over the keys. Do that by not storing the keys.

My advice to anyone who truly wants to maintain their privacy: don't trust service providers. Control your keys. Encrypt on your desktop. If you still need to use web-based email services, go with providers that have cumbersome legal systems for your country to deal with. One of HushMail's advantages is that they are in Canada. That slows down the rate of spurious fishing expeditions on the part of US prosecutors.
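
The design advice above (hand over ciphertext when required, never keys, because no keys are stored) can be sketched as follows. This is an added example, not code from the article or from Hushmail; `MailStore`, `clientEncrypt`, `clientDecrypt` and the sample passphrase are hypothetical names and constructed values.

```javascript
// Added example: a mailbox whose operator never holds a key or passphrase.
const crypto = require('node:crypto');

// --- Client side: runs only on the user's own machine ---
function deriveKey(passphrase, salt) {
  // scrypt stretches the passphrase; the resulting key is never transmitted.
  return crypto.scryptSync(passphrase, salt, 32);
}

function clientEncrypt(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

function clientDecrypt(passphrase, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, rec.salt), rec.iv);
  d.setAuthTag(rec.tag);
  // final() throws if the key (and therefore the passphrase) is wrong.
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

// --- Server side: stores opaque records, has no decrypt path at all ---
class MailStore {
  constructor() { this.boxes = new Map(); }
  put(user, rec) {
    if (!this.boxes.has(user)) this.boxes.set(user, []);
    this.boxes.get(user).push(rec);
  }
  // Everything the operator is able to produce when compelled.
  discloseAll(user) { return this.boxes.get(user) || []; }
}

function demo() {
  const store = new MailStore();
  const pass = 'correct horse battery staple'; // constructed sample passphrase
  store.put('alice', clientEncrypt(pass, 'meet at noon'));
  const disclosed = store.discloseAll('alice');
  let wrongPassFails = false;
  try { clientDecrypt('guess', disclosed[0]); } catch { wrongPassFails = true; }
  return {
    fields: Object.keys(disclosed[0]).sort().join(','), // no key, no passphrase
    wrongPassFails,
    roundTrip: clientDecrypt(pass, disclosed[0]),
  };
}
```

The model holds only while the passphrase is entered into code the provider cannot alter, which is why the article says to encrypt on your desktop.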

  • Of even greater concern to me ...

    is telephone call communication.

    Let's face it, even with Hushmail or its ilk, any email you send outside their system is unencrypted for half the trip, so chances are most of your email is snoopable -- and most people should know that and act accordingly.

    But most people haven't caught on to the implications of the recent Bushite initiative the Congress rubber-stamped. This allows federal bureaucrats to snoop anywhere, any time, even just throw a dragnet out across all phone traffic between points in the US and overseas.

    "So what?" say the naive, "I never call overseas." Wrong! Practically all order fulfillment call centers are now located overseas, which means every time you recite your credit card number, expiration date, verification # and name of cardholder to that order taker, that private financial information is potentially passing through the federal snoops' dragnet.

    Now imagine you're a low-level security IT clerk working this thing. You're doing OK with your cushy federal job and all its perks, but know you're never going to get rich either. Then it dawns on you that there's a huge, lucrative marketplace for all this data that's passing across your screen every day.

    Cobble together some voice recognition software with a filter that looks for the number pattern characteristic of credit cards. Slip it into the computer that's watching for words like "Al Qaeda", sit back for a while, and then harvest the results to a USB stick you can take home at night. Get into the on-line underworld community, peddle your data to them, collect your "private retirement bonus", quit your federal job, and go live out your life on a beach in South America.

    It isn't a matter of If, it's a matter of When. Unless Congress gets some backbone and cleans up this mess, which doesn't appear likely.
  • RE: Hushmail betrays trust of users

    The worst part is the LIE from HushMail. They advertise the fact that "even Hushmail employees do not have access to your key." Obviously, with this development, that is a LIE. For that very provider to circumvent their own system to get the information and hand it over - for any reason, is a gross violation of trust. I would encourage all HushMail users to cancel their accounts and say, "Thanks anyway."
    • Well here is a good case of deceptive advertising...

      Maybe someone should charge them for that.
  • RE: Hushmail betrays trust of users

    The Soviet Union didn't collapse, they just all emigrated to North America. Are there really email privacy companies that have not been set up or taken over by the secret police of various countries?
  • RE: Hushmail betrays trust of users

    This is why users should try MailCloak.
  • RE: Hushmail betrays trust of users

    If you fell for Hushmail's claim that you were safe then you were foolish. If you are doing something illegal online you have to be an idiot to not think it can be tracked. Period.
    There is no such thing as total anonymity. The problem with other methods described here is that they require software to be installed on the computer in order to work. If you own a business (like myself) and you require people to send you sensitive data, but it's only once in a while, you can't expect them to install software. We had a big issue with this. Recently we found the best solution. Private Information Exchange (I'm sure there are many others like this, this just happens to be the one we use) offers a simple solution. You initiate a request for info which is sent via email. However, the recipient gets the email with a link. They click the link and are asked for the info. The info isn't emailed back, it's sent back to the requestor via SSL to their private information exchange account. The requestor simply gets an email that the request has been fulfilled. They log in and can see the info. If you want to find out more about it the website is

    No system is fool proof, but this seems to be the most efficient that we have found.

  • RE: Hushmail betrays trust of users

    The whole concept of HUSHMAIL is presented as some handy tool for respectable businessmen; the obvious has been overlooked, that being it's also a tool for those who thrive on harassing others without the possibility of being caught. I now have some clown who, most likely after being shunned by the woman I am involved with, has taken it upon himself to not only hack into both of our emails as well as her Facebook, but also to send tastely altered or created "chats"/inbox messages to both our Gmail accounts via Hushmail. We no longer take the poisonous emails seriously, but it IS unnerving to know that the wrong person can use this "secure email" for ill purposes. -Law
  • Court Order

    If the government got a court order, all they would need would be the encrypted files. They don't need the key. It's the government, they have the computational power to crack the encryption.