Hushmail will not protect you if a government is after you.
They tell you this plainly, and actually do not want users to do anything illegal no matter how right or wrong it is.
Recently, more than five private and public vendors of illegal drugs that I know of who used hushmail had their accounts deactivated by Hushmail. It is because Hushmail has a policy against using your account on their servers for ?illegal activity?.
Policy on Illegal Activity
Hush Communications has a zero-tolerance policy on the use of its services for illegal activity. Any account involved in illegal activities, including any of the following, will be immediately and permanently deactivated:
* Purchase or sale of substances that are illegal in many jurisdictions. This includes steroids, hormones, narcotics, marijuana and marijuana seeds. This also includes any purchase of prescription drugs not intended for individual use with a prescription.
* Purchase or sale of stolen goods.
* Making threats to person or property.
* Possession or distribution of child pornography.
* Fraud.
Please see our Terms of Service for further information, or contact us if you have any questions. http://www.hushmail.com/terms/
That means that if they think you are doing something illegal, they aren?t going to wait for a government to come to them about it. They will shut your account down like they very recently did to several mail order marijuana and other drugs-by-mail operations. Luckily those vendors are not, to anyone?s knowledge, in legal trouble (except maybe GDS now) ? they just hopefully learned a valuable lesson: HUSHMAIL IS SHIT.
Hushmail will not help you if government agents are after you. Everyone should have already known this from years ago when the Wired article was published.
Hushmail even tells you, as a result of all the media attention surrounding that case, how insecure hushmail?s ?secure? webmail is.
?How secure is Hushmail??
http://www.hushmail.com/about/technology/security/
At the bottom of that page, there is more. Click on the link that says, ?Read more about how security is impacted while using different Hushmail configurations.?
It takes you here: https://www.hushmail.com/hushmail/sh...ava/index.html
And it goes through the threats that Hushmail is going to tell you about when you choose either of your two options: With Java or Without Java.
It matters little however which you choose however (aside from java posing a direct threat of leaking your real IP address to Hushmail even if you are using tor or another proxy). That is because they grab your key (that they issue) and decrypt everything that is encrypted on their servers. That is exactly what they did to a man named Tyler Stumbo who sold steroids in the USA using a hushmail account. The US DOJ made a Mutual Legal Assistance request under their MLAT with Canada?s government who dutifully told Hushmail to obey, and Hushmail is always going to comply with what the Canadian government tells them to do.
The Limitations of Hushmail
Hushmail is the most secure webmail service on the Internet, but it is not a 100% solution for all of your security needs. There are some things that Hushmail cannot do.
Hushmail does not put you above the law
We are committed to the privacy of our users, and will absolutely not release user data without an order that is legally enforceable under the laws of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such order refer specifically to the account for which data is required. However, if we do receive such an order, we are required to do everything in our power to comply with the law. Hushmail will not accept an order from any authority or investigative agency that is not enforceable under the laws of British Columbia, Canada. Other authorities must apply to the Canadian government through an appropriate Mutual Legal Assistance Treaty and request that the Canadian government obtain an order that is legally enforceable in British Columbia, Canada.
But I thought the data was always encrypted
When one Hushmail user sends an email to another Hushmail user, the body and attachments of that email are kept on our server in encrypted form, and under normal circumstances, we would have no access to that data. We can?t just pick an arbitrary encrypted email message off the server and read it. However, since Hushmail is a web-based service, the software that performs the encryption either resides on or is delivered by our servers. That means that there is no guarantee that we will not be compelled, under an order enforceable under the laws of British Columbia, Canada, to treat a user named in an order differently, and compromise that user?s privacy.
So I should not use Hushmail for illegal activity?
If you expect to engage in activity that might result in there being an order that is enforceable under the laws of British Columbia for us to produce information in respect of your account, Hushmail is not the right choice for you. In accepting our Terms of Service, Hushmail users agree not to use Hushmail for illegal purposes.
And guess what? It gets worse! During DEA-involved Operations Raw Deal, Gear Grinder and Greenhouse the US investigators were given access to hushmail accounts at mere request! No formal legal procedures required! (thanks, Fentman, for this info)
Forget the ignorant notion that a addy@hush.ai e-mail is going to be any different! It?s just a domain they bought who?s TLD happens to be owned by the offshore islands of Anguilla where some cryptography conferences are held. It?s nothing special. It doesn?t even matter because all hushmail?s servers are in Canada and none are in Anguilla. Further, they aren?t an Anguillan IBC but a Canadian company, so it wouldn?t even matter if the servers were in Anguilla! The company could still pull any information they want off a server they own no matter where it is if the Canadian government told them to jump! Even if they were an Anguillan IBC, the operators of Hushmail can still do whatever they require, which would probably be to do what their home government tells them. Anyway none of that matters because it is all hypothetical. How do I know this? Hushmail told me.
Hello,
Thank you for your email.
All the Hush servers are located in Vancouver, BC, Canada. This includes
user accounts on the hush.ai domain.
Kind regards
Ben
Hush Communications
By the way, hushmail?s interface is absolute crap. Why would you want to use it? You cannot mark an e-mail in any way. You cannot see what e-mails you have already replied to. They format their e-mails probably intentionally to fuck up PGP encrypted e-mails that are encrypted with private keys they do not have access to. It seems to me that the purpose is just to frustrate real attempts at privacy.
OTHER PROBLEMS
How about this little problem, that is Canada-wide?
http://www.privsecblog.com/archives/...urt-order.html
And let?s not forget the allegations that NSA/US Government agencies have real-time access to Hushmail servers to do whatever they please.
And what of this other documented case of hushmail?s betrayal of privacy?
To communicate covertly with the Sun reporter, Drake opened up a Hushmail account and she apparently did the same. Hushmail is a web service that, as it advertises itself, ?looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes.?
Yet when the prying eyes are federal investigators, it turns out that Hushmail is not quite so secure. The indictment of Drake makes plain that the feds pierced Hushmail?s encryption either via technological or legal means, noting, among other things, that ?defendant DRAKE scanned and emailed Reporter A electronic copies of certain classified and unclassified documents.?
THE SOLUTION
The solution is to ditch hushmail on principle alone because their crimes against privacy, their betrayal of civilization, total hypocrisy and borderline false advertising are absolutely reprehensible and, ultimately, intolerable.
I seriously hesitate to recommend other free-of-cost webmail non-solutions that also have major problems, but in the spirit of hoping hushmail dies the death of a thousand cuts, here are some other free webmail services you can use instead.
https://www.safe-mail.net (Israel)
https://ssl.mailvault.com (Germany)
https://fastmail.fm (Australia?)
https://lavabit.com (USA)
https://anonymousspeech.com (Switzerland / Malaysia)
http://www.bigstring.com (USA?)
http://www.offshorewebmail.com (USA?)
http://www.countermail.com (Sweden) ? I put this last because they require java, which is a MAJOR security risk.
I want to be clear. These are not a real solutions. They suffer from most of the same problems as hushmail, but as someone comfortingly put it, they don?t have the track record of treachery that Hushmail does. Given time they might degrade into utter shit just as hushmail has, so don?t let that lull you into a false sense of security like Hushmail had you mesmerized into for years. It is well past time to throw off hushmail. Do it for your own sake.
They tell you this plainly, and actually do not want users to do anything illegal no matter how right or wrong it is.
Recently, more than five private and public vendors of illegal drugs that I know of who used hushmail had their accounts deactivated by Hushmail. It is because Hushmail has a policy against using your account on their servers for ?illegal activity?.
Policy on Illegal Activity
Hush Communications has a zero-tolerance policy on the use of its services for illegal activity. Any account involved in illegal activities, including any of the following, will be immediately and permanently deactivated:
* Purchase or sale of substances that are illegal in many jurisdictions. This includes steroids, hormones, narcotics, marijuana and marijuana seeds. This also includes any purchase of prescription drugs not intended for individual use with a prescription.
* Purchase or sale of stolen goods.
* Making threats to person or property.
* Possession or distribution of child pornography.
* Fraud.
Please see our Terms of Service for further information, or contact us if you have any questions. http://www.hushmail.com/terms/
That means that if they think you are doing something illegal, they aren?t going to wait for a government to come to them about it. They will shut your account down like they very recently did to several mail order marijuana and other drugs-by-mail operations. Luckily those vendors are not, to anyone?s knowledge, in legal trouble (except maybe GDS now) ? they just hopefully learned a valuable lesson: HUSHMAIL IS SHIT.
Hushmail will not help you if government agents are after you. Everyone should have already known this from years ago when the Wired article was published.
Hushmail even tells you, as a result of all the media attention surrounding that case, how insecure hushmail?s ?secure? webmail is.
?How secure is Hushmail??
http://www.hushmail.com/about/technology/security/
At the bottom of that page, there is more. Click on the link that says, ?Read more about how security is impacted while using different Hushmail configurations.?
It takes you here: https://www.hushmail.com/hushmail/sh...ava/index.html
And it goes through the threats that Hushmail is going to tell you about when you choose either of your two options: With Java or Without Java.
It matters little however which you choose however (aside from java posing a direct threat of leaking your real IP address to Hushmail even if you are using tor or another proxy). That is because they grab your key (that they issue) and decrypt everything that is encrypted on their servers. That is exactly what they did to a man named Tyler Stumbo who sold steroids in the USA using a hushmail account. The US DOJ made a Mutual Legal Assistance request under their MLAT with Canada?s government who dutifully told Hushmail to obey, and Hushmail is always going to comply with what the Canadian government tells them to do.
The Limitations of Hushmail
Hushmail is the most secure webmail service on the Internet, but it is not a 100% solution for all of your security needs. There are some things that Hushmail cannot do.
Hushmail does not put you above the law
We are committed to the privacy of our users, and will absolutely not release user data without an order that is legally enforceable under the laws of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such order refer specifically to the account for which data is required. However, if we do receive such an order, we are required to do everything in our power to comply with the law. Hushmail will not accept an order from any authority or investigative agency that is not enforceable under the laws of British Columbia, Canada. Other authorities must apply to the Canadian government through an appropriate Mutual Legal Assistance Treaty and request that the Canadian government obtain an order that is legally enforceable in British Columbia, Canada.
But I thought the data was always encrypted
When one Hushmail user sends an email to another Hushmail user, the body and attachments of that email are kept on our server in encrypted form, and under normal circumstances, we would have no access to that data. We can?t just pick an arbitrary encrypted email message off the server and read it. However, since Hushmail is a web-based service, the software that performs the encryption either resides on or is delivered by our servers. That means that there is no guarantee that we will not be compelled, under an order enforceable under the laws of British Columbia, Canada, to treat a user named in an order differently, and compromise that user?s privacy.
So I should not use Hushmail for illegal activity?
If you expect to engage in activity that might result in there being an order that is enforceable under the laws of British Columbia for us to produce information in respect of your account, Hushmail is not the right choice for you. In accepting our Terms of Service, Hushmail users agree not to use Hushmail for illegal purposes.
And guess what? It gets worse! During DEA-involved Operations Raw Deal, Gear Grinder and Greenhouse the US investigators were given access to hushmail accounts at mere request! No formal legal procedures required! (thanks, Fentman, for this info)
Forget the ignorant notion that a addy@hush.ai e-mail is going to be any different! It?s just a domain they bought who?s TLD happens to be owned by the offshore islands of Anguilla where some cryptography conferences are held. It?s nothing special. It doesn?t even matter because all hushmail?s servers are in Canada and none are in Anguilla. Further, they aren?t an Anguillan IBC but a Canadian company, so it wouldn?t even matter if the servers were in Anguilla! The company could still pull any information they want off a server they own no matter where it is if the Canadian government told them to jump! Even if they were an Anguillan IBC, the operators of Hushmail can still do whatever they require, which would probably be to do what their home government tells them. Anyway none of that matters because it is all hypothetical. How do I know this? Hushmail told me.
Hello,
Thank you for your email.
All the Hush servers are located in Vancouver, BC, Canada. This includes
user accounts on the hush.ai domain.
Kind regards
Ben
Hush Communications
By the way, hushmail?s interface is absolute crap. Why would you want to use it? You cannot mark an e-mail in any way. You cannot see what e-mails you have already replied to. They format their e-mails probably intentionally to fuck up PGP encrypted e-mails that are encrypted with private keys they do not have access to. It seems to me that the purpose is just to frustrate real attempts at privacy.
OTHER PROBLEMS
How about this little problem, that is Canada-wide?
http://www.privsecblog.com/archives/...urt-order.html
And let?s not forget the allegations that NSA/US Government agencies have real-time access to Hushmail servers to do whatever they please.
And what of this other documented case of hushmail?s betrayal of privacy?
To communicate covertly with the Sun reporter, Drake opened up a Hushmail account and she apparently did the same. Hushmail is a web service that, as it advertises itself, ?looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes.?
Yet when the prying eyes are federal investigators, it turns out that Hushmail is not quite so secure. The indictment of Drake makes plain that the feds pierced Hushmail?s encryption either via technological or legal means, noting, among other things, that ?defendant DRAKE scanned and emailed Reporter A electronic copies of certain classified and unclassified documents.?
THE SOLUTION
The solution is to ditch hushmail on principle alone because their crimes against privacy, their betrayal of civilization, total hypocrisy and borderline false advertising are absolutely reprehensible and, ultimately, intolerable.
I seriously hesitate to recommend other free-of-cost webmail non-solutions that also have major problems, but in the spirit of hoping hushmail dies the death of a thousand cuts, here are some other free webmail services you can use instead.
https://www.safe-mail.net (Israel)
https://ssl.mailvault.com (Germany)
https://fastmail.fm (Australia?)
https://lavabit.com (USA)
https://anonymousspeech.com (Switzerland / Malaysia)
http://www.bigstring.com (USA?)
http://www.offshorewebmail.com (USA?)
http://www.countermail.com (Sweden) ? I put this last because they require java, which is a MAJOR security risk.
I want to be clear. These are not a real solutions. They suffer from most of the same problems as hushmail, but as someone comfortingly put it, they don?t have the track record of treachery that Hushmail does. Given time they might degrade into utter shit just as hushmail has, so don?t let that lull you into a false sense of security like Hushmail had you mesmerized into for years. It is well past time to throw off hushmail. Do it for your own sake.
Comment