Hushmail Turns Out To Not Be Quite So Hush Hush
from the privacy-is-an-illusion dept
Many people are familiar with the company Hushmail, who provides encrypted web-based email that the company claims is completely private. In fact, the company makes it clear: "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." It turns out that isn't quite true. Wired reports that Hushmail handed the feds 12 CDs worth of plain text emails from the service following a court order. The Wired piece goes into great detail concerning what happened here -- and the folks at Hushmail were quite honest about how their service works. Hushmail has two different versions, one which requires a java app to be downloaded, which handles all the encryption locally. The other, more popular one, is entirely web-based, meaning that your passphrase is stored on the server ever so briefly -- and that's how Hushmail was able to access the accounts required in the court order. So, while it's true that Hushmail is mostly secure outside of a court order, the marketing material on the site is at least a little misleading, implying that even in such cases, your email will be encrypted.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: drug dealers, email, encryption, fbi, privacy
Companies: fbi, hushmail
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Warnings
[ link to this | view in chronology ]
and locally?
Would they have still been able to find a way to move encrypted emails into plain text for a court order?
I'm sure a similar reasoning would be used in that case.
[ link to this | view in chronology ]
Re: and locally?
[ link to this | view in chronology ]
Re: Re: and locally?
[ link to this | view in chronology ]
Gee! The feds followed the law, got a court order first and nothing blew up. How dare they take such risks with our safety!
(/sarcasm)
[ link to this | view in chronology ]
RTFA!!
READ THE F*CKIN ARTICLE!
[ link to this | view in chronology ]
Re: RTFA!!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I, for one, think this is GREAT
They have complied with a legal order, and they are up front in exactly what they did: provided about 12 CDs of emails (without delving in exactly what those CDs contained).
In this day and age, seeing such candor and honesty by a corporation is refreshing and gives me a (small) hope that sometimes there are nice guys out there. Their service makes it clear in what circumstances they will comply, and they also make it clear that they are not able to unencrypt email sent from their Java client (which is a bit more of a hassle to use). They don't promise a rose garden, but they don't hide the thorns, either.
The article would make me MORE prone to use their service, as opposed to some other vendor that might cave in to the "nosy neighbor of the week," or that might have a back door into your supposedly-encrypted email that they are willing to share with the people in black hats.
Hooray for the good guys!
Oh... if you are doing something illegal, I hope you get caught. Just because I don't want my private life spewed all over the internet doesn't mean you have the right to get away scot free with your dastardly deeds. If the government asks for your encrypted email and has reason to suspect that it is worth a twenty man-year effort to decrypt it to prove a case, they will do so, and there's nothing you can do about it except avoid doing illegal things.
[ link to this | view in chronology ]
Re: I, for one, think this is GREAT
You would do well to think about such things before you go off and suggest its ok for the good guys to save us from ourselves.
[ link to this | view in chronology ]
Re: Re: I, for one, think this is GREAT
What Hushmail is doing does not impact this one iota. They are doing what they advertise they are doing, and when they are asked to give over customer data, they are forthright about it.
I do think of such things. I don't expect ANYBODY to save me from myself except, perhaps, myself. And I hope that people that would utilize a useful tool for illegal purposes get nailed in the same way that a person that uses a gun to commit a crime.
[ link to this | view in chronology ]
Re: I, for one, think this is GREAT
Define "illegal"!
PS: I can do whatever I want even if it p*sses you off.
[ link to this | view in chronology ]
No problems here
At least they waited for a court order and did not just hand over the information like other companies.
[ link to this | view in chronology ]
Everything can be seen
[ link to this | view in chronology ]
not targeted
[ link to this | view in chronology ]
That Hushmail handed over 12 CD's worth of email. I doubt any human being could send or receive enough email in a lifetime to fill twelve CD's.
If Bill does an illegal act and the courts ask for Bill's email through the proper channels, then handing over just Bill's email is one thing. However, it sounds like Hushmail handed over ALL of their users email, not just the evidenciary email. That is the issue at hand. They should not violate all of their customers privacy in that way, nor should any government have the power to demand that ALL the email, even that unconnected to their case, be handed over.
Hushmail IS in the wrong here.
[ link to this | view in chronology ]
Re:
They could have also included logs which tend to be extremely verbose and can add up quickly.
[ link to this | view in chronology ]
Re:
Plain text email with attachments from a few users could easily fill up 12 cds.
So, you need to not make finite statements like I doubt any human being could send or receive enough email in a lifetime to fill twelve CD's. It makes you seem like a fool.
[ link to this | view in chronology ]
Re: Re:
The total size is just over 1 gigabyte of data, not even enough to fill two CDs. Image files are very small, a few kilobytes worth of data, and most email services have size limits that prevent attachments that are too large, such as video files from being sent.
I stand by what I said that 12 CDs (which averages out to around 8 Gigabytes of data) sounds like more than just 1 or 2 accounts.
[ link to this | view in chronology ]
Re: Re:
E-mail messages with attachments are not plain text. Plaintext does not mean "plain text" and making statements about "plain text email with attachments" makes you seem like a fool.
[ link to this | view in chronology ]
Re: Re: Re:
Ah well on this forum I assumed most people were astute enough to understand plain text (plaintext) as encrypted. I am either a fool or hopefully optimistic.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Wow. How dense are you? It's been explained to you in simple terms and yet you still don't understand that plaintext isn't encrypted and that "plaintext" doesn't mean "plain text".
I am either a fool or hopefully optimistic.
I don't know about the latter but you're certainly showing yourself to be the former.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
if you let a company encrypt if for you, well you get what you deserve.
can't blame the company at all for this, at least they are open about what they will do, and waited for a court order.
what exactly do people expect?
if you are serious about sending a 'secret' message its not exactly hard
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Maybe, maybe not. You see the problem with Hushmail's Java applet is that you can't verify that it is secure. While Hushmail does publish the source code for an encrypting Java applet you still can't be sure that it corresponds to what is actually downloaded to and run on your computer each time. That's why you should use only open-source encryption software that you can verify and install on your own computer if security is really important to you.
As explained above, using their Java applet could also be said to be lazy and stupid. Good security usually isn't easy to implement. That's why most people don't do it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
And all of the messages from those recipients back to the sender as well. Encryption only protects the message from those without the key, it doesn't make the recipient reliable. It's kind of like having a lock on your house but then giving a key to bad neighbor. The lock may protect your stuff from people without the key but it won't keep the bad neighbor from ripping you off.
[ link to this | view in chronology ]
Think Twice!
[ link to this | view in chronology ]
Data Locking
[ link to this | view in chronology ]
hmm
[ link to this | view in chronology ]
choosing email providers
[ link to this | view in chronology ]
[ link to this | view in chronology ]
new pilgrim exploring
I don't have a clue about the technical stuff like the URL. Where do I even find such stuff? I really need help . . . Being "gently seasoned" . . . . . . . most likely way older than you, I am slow, disabled, and my memory is . . . . let's just say a bit foggy these days sorry to say.
[ link to this | view in chronology ]
youre all scrapping over nothing!
there is no difference between "plain text" and "plaintext"
probably just a typo or a misused jargon.
In emails there is only a choice between plain text or HTML
like when you are a technophobe with a crappy slow computer and when you try to read your email your browser asks you if you want to view your email in plaintext because its loading very slowly and cant handle all the HTML formatting! you choose plain text! so I think that 12 cds worth of plain text is in fact overkill and hushmail has something to answer for! However i dont think that 12 cds worth would be all their users! thats just ludcicrous if you you consider that possbily a lot of their users might be business users who both send and recieve thousands if not millions of emails everyday, every hour , every minute, every second! ponder that for a while?? I doubt very much that 12 cds worth of emails even plain text/plaintext would fit all their users emails on! I rest my case!
[ link to this | view in chronology ]
HushMail "not so secure" article
You obviously have way too much spare time on your hands!
[ link to this | view in chronology ]