Hushmail Can Read Your Encrypted Mail

Jim Verard · Nov 8, 2007

Read the whole Wired article/story here

According to Wired Blog, Hushmail, the popular purveyor in secure and encrypted mail, is colluding with the US Federal government, and displays its ability to decrypt your emails and compromise a client's security.

What happened?

Hushmail decided to help US Federal agents bust an alleged Steroid provider.

What does this mean?

If you've ever used Hushmail, all your messages sent and received through them can be decrypted.

How does Hushmail hack into your account?

Hushmail has two techniques. If you access by webmail, they can capture your password to decrypt your messages. If you access by the client-side java, they can feed you a special program which captures your password.

Why did Hushmail cooperate?

The reason they cooperated is they were compelled by a court of law, and they didn't feel like defending the client because it was alleged that they were criminals. They are a Canadian corporation, so their jurisdiction is poor for the point of defense, and it is unclear if they investigated the claim as being legitimate or dubious.

How does this compare to XeroBank?

XeroBank is in a strong jurisdiction, unlike Hushmail. XeroBank also investigates such claims and will not blindly follow a subpoena. However, XeroBank looks forward to busting money scammers and terrorists as well.

What should we learn from this?

If you are doing something illegal by the corp terms of service, jurisdictions won't matter if you use HushMail or XeroBank. If you aren't doing anything illegal according to the terms of service, jurisdictions and court orders will have a very high hurdle, as long as you have XeroBank.

In the latter instance, it appears HushMail may sell you out. Honestly, we need to know more about what really happened, because if HushMail found out the steroid claims were true before handing them over, AND it really was a violation of their TOS, they acted with propriety.

Another thing we should learn from this is that HushMails use of client-side encryption is a marketing gimmick, as they can push java code to you that is untrustworthy and can give them access to your emails.
Click to expand...

Source: - Steve Topletz - Portable Privacy blog

LockBox · Nov 9, 2007

Not U.S. agents, but Canadian (at least not diirectly).

Still, I cancelled my HushMail account yesterday. Inexcusable.

Jim Verard · Nov 10, 2007

I never heard of such email provider before, but one thing I know for sure.

There's no such service who are committed with anyone's privacy out there.

Most of these services have bad privacy policies, which states that they are perfectly ready to disclose your informations if required by government authorities, by any applicable law (which one? there are good and bad laws out there...) and to defend their own property, and in case of any "violations of rights" of any third (and interested) parties.

Someday I even found a TOS which states "we will disclose your data in order to defend our property, dignity and innocence or to enforce these terms". Good lord.

I find all of those privacy policies very disgusting. Email providers may sell us out in exchange of a nickel, using surveillance practices, data retention, fishing expedition, whatever. How I loathe these people! A bunch of bastards and traitors who deserves nothing less than burn in hell.

Even if some company is required by laws of their country, the most logical situation should not place these warnings on any terms of service, or privacy policy. If I was the owner of a email provider, my privacy policy should be exactly like this:

- We don't log, we don't monitor what users do;

- We destroy every possible logs who might identify any users and their activities after 30 days;

- Users can remove their own accounts, and any data related to them is destroyed for good;

That's it. No traces of any information about how the company complies with authorities, and even if they are required by some jurisdiction, no data will ever be found. Ever.

They might even remove every information regarding their policy, and work the same way. To be less specific, they can explain how they protect everyone's privacy, and not mention how they proceed to such claims.

Xerobank's way of dealing with such requests (see this explanation) may be followed as well.

Dogbiscuit · Nov 10, 2007

Jim Verard said:

I find all of those privacy policies very disgusting. Email providers may sell us out in exchange of a nickel, using surveillance practices, data retention, fishing expedition, whatever. How I loathe these people! A bunch of bastards and traitors who deserves nothing less than burn in hell.
Click to expand...

Why did Hushmail cooperate?

The reason they cooperated is they were compelled by a court of law, and they didn't feel like defending the client because it was alleged that they were criminals.
Click to expand...

I suppose the rule of law is overrated.

Log in or Sign up

Hushmail Can Read Your Encrypted Mail

Jim Verard Registered Member

LockBox Registered Member

Jim Verard Registered Member

Dogbiscuit Guest

Log in or Sign up

Hushmail Can Read Your Encrypted Mail

Jim Verard Registered Member

LockBox Registered Member

Jim Verard Registered Member

Dogbiscuit Guest

Useful Searches