In our recent review of the Hushmail Privacy Policy, we have to report that it lacks full and frank disclosure and does not alert users to the potential risks they face in using a Hushmail account.
In 2007, Hushmail, headquartered in Canada, turned over private e-mails to U.S. law enforcement under the “Mutual Assistance” pact the two countries enjoy as a means of combating cross-border.
Wired magazine did a pretty thorough job of covering the debacle.
The heart of the matter was that U.S. law enforcement believed that the suspects were manufacturing steroids without the proper authorizations and that they were using Hushmail to conduct business. Hushmail engaged in undisclosed actions to decrypt the three user accounts involved and turned over 12 CDs' worth of private, apparently securely encrypted e-mail to U.S. authorities.
First, it must be recognized that Hushmail turned over these records under court order. They did not just wake up and decide to compromise their users voluntarily. But neither did they do much to fight the action. Mutual Assistance orders cannot trump fundamental constitutional guarantees, and this action arguably did exactly that.
In the end, the main reason the Secure Surfing Organization feels it necessary to issue an Alert is the weakness of Hushmail's published privacy policy and its complete failure to alert users that there are circumstances under which Hushmail will disclose the contents of their e-mail to government.
It may be fine and dandy if the breach of rights is being done to close down some rogue steroid factory that is stealing profit from the pharmaceutical industry. But what if it’s being done so they can detain someone without trial for a decade because he was exchanging e-mail with an uncle in Egypt who was dating a woman who had a brother that once knew a cousin of Osama Bin Laden?
Hushmail has an obligation to advise users that they cannot have complete confidence that the contents of their e-mail will remain secure, and its Privacy Policy should clearly acknowledge the 2007 event and the possibility of similar events in the future.
Until it does that, users should either avoid Hushmail altogether or use it only as a supplementary junk account.
If the company would simply move some of the language from its “about security” page directly into the privacy policy, we would remove our censure, but we would probably still need to recommend more secure alternatives. We see no reason why the entire “about security” page is not incorporated into the privacy policy, other than a wish to avoid having users ask hard questions before signing up.