Hushmail Turns Out To Not Be Quite So Hush Hush

from the privacy-is-an-illusion dept

Many people are familiar with Hushmail, a company that provides encrypted web-based email that it claims is completely private. In fact, the company makes it clear: "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." It turns out that isn't quite true. Wired reports that Hushmail handed the feds 12 CDs' worth of plain text emails from the service following a court order. The Wired piece goes into great detail concerning what happened here -- and the folks at Hushmail were quite honest about how their service works. Hushmail has two different versions. One requires a Java app to be downloaded, which handles all the encryption locally. The other, more popular one is entirely web-based, meaning that your passphrase is stored on the server ever so briefly -- and that's how Hushmail was able to access the accounts required in the court order. So, while it's true that Hushmail is mostly secure outside of a court order, the marketing material on the site is at least a little misleading, implying that even in such cases, your email will be encrypted.
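
The difference between the two versions described above, as an added example that is not Hushmail's code or part of the original post: a hypothetical MailServer that can hand over only what actually reached it. The passphrase-derived symmetric key (a simplification of the real key handling), the HMAC-based stand-in cipher, and all account names, passphrases and messages are constructed assumptions.

```python
import hashlib
import hmac
import os

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32

def derive_keys(passphrase, salt):
    """Stretch the passphrase into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in so the example runs offline.
    # Real software should use a vetted authenticated cipher instead.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(passphrase, plaintext):
    """Encrypt-then-MAC under keys derived from the passphrase."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag

def unseal(passphrase, blob):
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    body, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified message")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class MailServer:
    """Hypothetical provider that tracks only what actually reaches the server."""
    def __init__(self):
        self.mailboxes = {}    # account -> sealed blobs stored at rest
        self.passphrases = {}  # account -> passphrase seen during a webmail session

    def store(self, account, blob):
        self.mailboxes.setdefault(account, []).append(blob)

    def webmail_send(self, account, passphrase, message):
        # Web-only model: passphrase and plaintext both arrive at the server.
        # Keeping the passphrase here stands in for an operator recording it
        # while it is present during the session.
        self.passphrases[account] = passphrase
        self.store(account, seal(passphrase, message))

    def produce(self, account):
        """Everything the operator is able to hand over for one account."""
        blobs = self.mailboxes.get(account, [])
        passphrase = self.passphrases.get(account)
        if passphrase is None:
            return [("ciphertext", blob) for blob in blobs]
        return [("plaintext", unseal(passphrase, blob)) for blob in blobs]

def run_demo():
    server = MailServer()
    note = b"constructed sample message"
    # Local-encryption model: sealing happens on the client, only the blob is uploaded.
    server.store("local-user", seal("constructed passphrase A", note))
    # Web-only model: the browser submits passphrase and message to the server.
    server.webmail_send("web-user", "constructed passphrase B", note)
    return {acct: server.produce(acct) for acct in ("local-user", "web-user")}

if __name__ == "__main__":
    for account, items in run_demo().items():
        print(account, [(kind, len(data)) for kind, data in items])
```

Both accounts are stored encrypted at rest; the only difference in what can be produced is whether the passphrase ever crossed to the server.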

Filed Under: drug dealers, email, encryption, fbi, privacy
Companies: fbi, hushmail


Reader Comments


  1.
    Pesti, 9 Nov 2007 @ 1:27am

    Why am I not surprised....Privacy is slipping away

  2.
    Anonymous Coward, 9 Nov 2007 @ 1:29am

    Warnings

    Various security experts have been warning about Hushmail (and similar services) for years. Some people just won't listen though.

  3.
    Anon, 9 Nov 2007 @ 2:23am

    and locally?

    What would have happened if the emails were from account owners who encrypted locally?

    Would they have still been able to find a way to move encrypted emails into plain text for a court order?

    I'm sure a similar reasoning would be used in that case.

  4.
    Sean, 9 Nov 2007 @ 3:02am

    Re: and locally?

    The Feds have trojans they download to sniff out passwords. If I recall correctly, Techdirt have done posts on this very subject not so long ago.

  5.
    Anonymous Coward, 9 Nov 2007 @ 3:29am

    Re: Re: and locally?

    The Feds have trojans they download to sniff out passwords. If I recall correctly, Techdirt have done posts on this very subject not so long ago. They have experts at waterboarding that they can use for password recovery too.

  6.
    Anonymous Coward, 9 Nov 2007 @ 3:56am

    At least there was a court order this time.

    Gee! The feds followed the law, got a court order first and nothing blew up. How dare they take such risks with our safety!
    (/sarcasm)

  7.
    Prime Minister, 9 Nov 2007 @ 5:35am

    RTFA!!

    For those of you too lazy to RTFA:

    [Hushmail] is useful for avoiding general Carnivore-type government surveillance, and protecting your data from hackers, but definitely not suitable for protecting your data if you are engaging in illegal activity that could result in a Canadian court order.

    That's also backed up by the fact that all Hushmail users agree to our terms of service, which state that Hushmail is not to be used for illegal activity. However, when using Hushmail, users can be assured that no access to data, including server logs, etc., will be granted without a specific court order. Smith also says that it only accepts court orders issued by the British Columbia Supreme Court and that non-Canadian cops have to make a formal request to the Canadian government whose Justice Department then applies, with sworn affidavits, for a court order.

    Hushmail is a Canadian company. The US government made a request and the CANADIAN company complied when a legit court order was presented.

    READ THE F*CKIN ARTICLE!

  8.
    Overcast, 9 Nov 2007 @ 6:17am

    Just again - one more reason to be further sure that... computers aren't nearly as secure as they are hyped out to be.

  9.
    lar3ry, 9 Nov 2007 @ 6:47am

    I, for one, think this is GREAT

    Hushmail states up front that they do not condone the use of their product for illegal activities, and therefore they will comply to the best of their ability with any valid court order given them. The order needs to come from a court that has power in their jurisdiction (provincial court or possibly the Canadian federal courts), which makes it a bit of a harder hurdle for people from, say, the USA DHS who might just be on a fishing expedition.

    They have complied with a legal order, and they are up front in exactly what they did: provided about 12 CDs of emails (without delving in exactly what those CDs contained).

    In this day and age, seeing such candor and honesty by a corporation is refreshing and gives me a (small) hope that sometimes there are nice guys out there. Their service makes it clear in what circumstances they will comply, and they also make it clear that they are not able to unencrypt email sent from their Java client (which is a bit more of a hassle to use). They don't promise a rose garden, but they don't hide the thorns, either.

    The article would make me MORE prone to use their service, as opposed to some other vendor that might cave in to the "nosy neighbor of the week," or that might have a back door into your supposedly-encrypted email that they are willing to share with the people in black hats.

    Hooray for the good guys!

    Oh... if you are doing something illegal, I hope you get caught. Just because I don't want my private life spewed all over the internet doesn't mean you have the right to get away scot free with your dastardly deeds. If the government asks for your encrypted email and has reason to suspect that it is worth a twenty man-year effort to decrypt it to prove a case, they will do so, and there's nothing you can do about it except avoid doing illegal things.

  10.
    Jack o. Trades, 9 Nov 2007 @ 6:55am

    Re: I, for one, think this is GREAT

    Well, while these Pollyanna replies about the great and good are nice, one should ask a more basic question. What happens when the Government is wrong? What happens when what you are doing is legal then is ruled illegal? Privacy is a right like the second amendment is for guns. It sets those in power on notice that a normal everyday person is protected. IF "they" deem it bad then is it bad?

    You would do well to think about such things before you go off and suggest it's ok for the good guys to save us from ourselves.

  11.
    TheDock22, 9 Nov 2007 @ 6:57am

    No problems here

    I think Hushmail did the right thing. A court order was given and they complied. It is silly to think that an email service company would really encrypt all your emails so that they can not comply with a court order and leave themselves open to nasty legal battles.

    At least they waited for a court order and did not just hand over the information like other companies.

  12. Everything can be seen

    It seems to me that anything ever written on a computer can be read, regardless of the protections you think you might have. As I have stated before, I would never type anything on a computer that I wouldn't want to be seen.

  13.
    countzero, 9 Nov 2007 @ 8:32am

    not targeted

    So be it, they got the court order, the police should be able to do what they need to to gather information for a case or whatever. However, 12 CDs of plaintext is what, 1.5 million full pages or so? Even if they were targeting a crime ring or something along those lines, that amount of information is absurd. The fact that the police went through the right channels gives me some hope, but that they just grabbed everybody's emails disgusts me a bit.

  14.
    Anonymous Coward, 9 Nov 2007 @ 9:01am

    Countzero is the only one so far to address the real issue:

    That Hushmail handed over 12 CDs' worth of email. I doubt any human being could send or receive enough email in a lifetime to fill twelve CDs.

    If Bill does an illegal act and the courts ask for Bill's email through the proper channels, then handing over just Bill's email is one thing. However, it sounds like Hushmail handed over ALL of their users' email, not just the evidentiary email. That is the issue at hand. They should not violate all of their customers' privacy in that way, nor should any government have the power to demand that ALL the email, even that unconnected to their case, be handed over.

    Hushmail IS in the wrong here.

  15.
    Freedom, 9 Nov 2007 @ 9:29am

    Re:

    You are assuming text based e-mails. E-mails with attachments could very easily consume 12 CDs. For instance, let's say this person was using the account for child porn or something - would it be that difficult to fill up 12 CDs with those types of e-mails?

    They could have also included logs which tend to be extremely verbose and can add up quickly.

  16.
    nipseyrussell, 9 Nov 2007 @ 9:46am

    Mike says plain text, but I don't see that in the e-mail. Also the article says "turned over 12 CDs worth of e-mails from three Hushmail accounts" not the whole enchilada.

  17.
    TheDock22, 9 Nov 2007 @ 9:54am

    Re:

    Yeah, I think you're wrong on this one. I just backed up my email the other day and I filled up 5 CDs worth of stuff on my own. With attachments I really needed the space.

    Plain text email with attachments from a few users could easily fill up 12 CDs.

    So, you need to not make finite statements like I doubt any human being could send or receive enough email in a lifetime to fill twelve CDs. It makes you seem like a fool.

  18.
    Anonymous Coward, 9 Nov 2007 @ 12:30pm

    Re: Re:

    I don't buy it. I have five years' worth of mail stored in my email account, including potentially thousands of attachments which mostly constitute image files.

    The total size is just over 1 gigabyte of data, not even enough to fill two CDs. Image files are very small, a few kilobytes worth of data, and most email services have size limits that prevent attachments that are too large, such as video files from being sent.

    I stand by what I said that 12 CDs (which averages out to around 8 Gigabytes of data) sounds like more than just 1 or 2 accounts.

  19.
    Sean, 9 Nov 2007 @ 12:35pm

    Re:

    Plain text as in not encrypted

  20.
    Anonymous Coward, 9 Nov 2007 @ 12:42pm

    Re: RTFA!!

    READ THE F*CKIN ARTICLE!
    So who did you think didn't?

  21.
    Anonymous Coward, 9 Nov 2007 @ 1:05pm

    Re:

    Mike says plain text, but I don't see that in the e-mail.
    I suspect Mike should have written 'plaintext' rather than 'plain text'. 'Plaintext' just means 'unencrypted' and can include attachments and stuff other than just plain text.

  22.
    Anonymous Coward, 9 Nov 2007 @ 1:15pm

    Re: Re:

    Plain text email with attachments from a few users could easily fill up 12 CDs.

    E-mail messages with attachments are not plain text. Plaintext does not mean "plain text" and making statements about "plain text email with attachments" makes you seem like a fool.

  23.
    TheDock22, 9 Nov 2007 @ 1:53pm

    Re: Re: Re:

    E-mail messages with attachments are not plain text. Plaintext does not mean "plain text" and making statements about "plain text email with attachments" makes you seem like a fool.

    Ah well on this forum I assumed most people were astute enough to understand plain text (plaintext) as encrypted. I am either a fool or hopefully optimistic.

  24.
    claire rand, 9 Nov 2007 @ 2:46pm

    if it's important enough to care about privacy, then do the blindingly obvious.. encrypt it yourself before sending it..

    if you let a company encrypt it for you, well you get what you deserve.

    can't blame the company at all for this, at least they are open about what they will do, and waited for a court order.

    what exactly do people expect?

    if you are serious about sending a 'secret' message it's not exactly hard

  25.
    lar3ry, 9 Nov 2007 @ 2:59pm

    Re: Re: I, for one, think this is GREAT

    What happens when the Government is wrong? In a perfect world, you will be found innocent. In the real world, things sometimes go awry. I'm not a Pollyanna, but I'm also not an alarmist.

    What Hushmail is doing does not impact this one iota. They are doing what they advertise they are doing, and when they are asked to give over customer data, they are forthright about it.

    I do think of such things. I don't expect ANYBODY to save me from myself except, perhaps, myself. And I hope that people that would utilize a useful tool for illegal purposes get nailed in the same way as a person that uses a gun to commit a crime.

  26.
    Jamie, 9 Nov 2007 @ 3:09pm

    Thank you, Claire Rand! Finally someone got the point: Hushmail offers Java-based software that will encrypt outgoing data *before* it even gets to Hushmail and then will decrypt it after it leaves Hushmail. When used, Hushmail sees nothing but encrypted gibberish. The people who had their plaintext email passed onto law enforcement were too damned lazy to use the software and instead uploaded plaintext messages for Hushmail to do the encryption on the server end. That's stupid. It's like walking into a busy post office and dictating your secrets to the clerk behind the counter so everyone else can hear and then asking that the message be sent in a secure package.

  27.
    Anonymous Coward, 9 Nov 2007 @ 3:56pm

    Re: Re: Re: Re:

    Ah well on this forum I assumed most people were astute enough to understand plain text (plaintext) as encrypted.

    Wow. How dense are you? It's been explained to you in simple terms and yet you still don't understand that plaintext isn't encrypted and that "plaintext" doesn't mean "plain text".

    I am either a fool or hopefully optimistic.

    I don't know about the latter but you're certainly showing yourself to be the former.

  28.
    Anonymous Coward, 9 Nov 2007 @ 4:26pm

    Re:

    Thank you, Claire Rand! Finally someone got the point:
    Yes, Claire got it right.

    Hushmail offers Java-based software that will encrypt outgoing data *before* it even gets to Hushmail and then will decrypt it after it leaves Hushmail. When used, Hushmail sees nothing but encrypted gibberish.
    Maybe, maybe not. You see the problem with Hushmail's Java applet is that you can't verify that it is secure. While Hushmail does publish the source code for an encrypting Java applet you still can't be sure that it corresponds to what is actually downloaded to and run on your computer each time. That's why you should use only open-source encryption software that you can verify and install on your own computer if security is really important to you.

    The people who had their plaintext email passed onto law enforcement were too damned lazy to use the software and instead uploaded plaintext messages for Hushmail to do the encryption on the server end. That's stupid.
    As explained above, using their Java applet could also be said to be lazy and stupid. Good security usually isn't easy to implement. That's why most people don't do it.

  29.
    Billy Boy, 9 Nov 2007 @ 5:44pm

    I'm right in my assumption that encrypted email I send to someone is vulnerable to be compromised if the recipient is lax at their end, aren't I? In this case, even if the senders were vigilant in their encrypting, the fact that the recipient wasn't, made all of their emails (to that recipient) readable.

  30.
    Anonymous Coward, 9 Nov 2007 @ 6:45pm

    Re:

    I'm right in my assumption that encrypted email I send to someone is vulnerable to be compromised if the recipient is lax at their end, aren't I?
    Absolutely. Encryption is just a tool and not a substitute for good judgment. You should have the good sense to not send confidential information to unreliable recipients.

    In this case, even if the senders were vigilant in their encrypting, the fact that the recipient wasn't, made all of their emails (to that recipient) readable.
    And all of the messages from those recipients back to the sender as well. Encryption only protects the message from those without the key, it doesn't make the recipient reliable. It's kind of like having a lock on your house but then giving a key to a bad neighbor. The lock may protect your stuff from people without the key but it won't keep the bad neighbor from ripping you off.

  31.
    anonymous email, 8 Dec 2007 @ 7:15pm

    Think Twice!

    Hushmail isn't offshore enough. If you think that you are protected just over the border then you are completely wrong. Choose your secure email provider wisely!

  32.
    barbiedoll, 24 Mar 2008 @ 5:49pm

    Data Locking

    Check out www.datalocking.com as I would love to hear any thoughts on their idea! It appears that the data/text info is owned by a third party and the server is off shore in Costa Rica (who does not extradite info to the USA--hence that is where off-shore gambling and off-shore banking are flourishing.)

  33.
    bogus boghart, 2 Dec 2009 @ 6:42pm

    hmm

    what I don't get is why the feds aren't burning emails on dvds. come on get with the times.

  34.
    Rick, 12 Dec 2009 @ 9:47am

    choosing email providers

    If you are concerned about the US government (or the EU now) reading your email, you need to select a service outside those jurisdictions and in a country that can resist pressure from other, more powerful countries. There is a table comparing several secure email providers, including their locations, on the novo-ordo website at http://www.novo-ordo.com. There are also pages discussing other aspects of computer security there.

  35.
    harry potter, 21 Oct 2013 @ 8:21pm

    oh my god use megabytes not cds

  36.
    clueless gramibear, 8 May 2016 @ 2:00pm

    new pilgrim exploring

    At this point not entirely sure I am totally signed up but I did pay $49.99 and get an email address, I think. These comments are interesting! Since none of my activities are in the least "interesting" to government agencies I am only glad for their protection. Yet invasion of trojans, or any other really obnoxious potentially destructive forces would be intolerable because I just had a wicked experience with such stuff. In case of things like that happening does hushmail have a way of fixing it? And is this "paid version" safe from stuff?
    I don't have a clue about the technical stuff like the URL. Where do I even find such stuff? I really need help . . . Being "gently seasoned" . . . . . . . most likely way older than you, I am slow, disabled, and my memory is . . . . let's just say a bit foggy these days sorry to say.

  37.
    martyn, 8 Jun 2017 @ 7:20am

    you're all scrapping over nothing!

    I'll spell it out to you in plain text!

    there is no difference between "plain text" and "plaintext"
    probably just a typo or a misused jargon.
    In emails there is only a choice between plain text or HTML
    like when you are a technophobe with a crappy slow computer and when you try to read your email your browser asks you if you want to view your email in plaintext because it's loading very slowly and can't handle all the HTML formatting! you choose plain text! so I think that 12 CDs worth of plain text is in fact overkill and Hushmail has something to answer for! However I don't think that 12 CDs worth would be all their users! that's just ludicrous if you consider that possibly a lot of their users might be business users who both send and receive thousands if not millions of emails everyday, every hour, every minute, every second! ponder that for a while?? I doubt very much that 12 CDs worth of emails even plain text/plaintext would fit all their users' emails on! I rest my case!

  38.
    M N, 19 Nov 2018 @ 10:30am

    HushMail "not so secure" article

    Really??? And what exactly would you do if the Feds sent you a court order to provide them with information? What do you expect HushMail to do on their marketing material - state that your emails are secure "short of a federal government court order"?

    You obviously have way too much spare time on your hands!

  39.
    At idiot above me, 23 Jun 2019 @ 12:27am

    Re: I, for one, think this is GREAT

    Define "illegal"!
    PS: I can do whatever I want even if it p*sses you off.
