It was my understanding Hushmail would not be divulging encryption keys to other entities, including the US Government, for its users. Apparently, I was wrong.

This is very depressing, for multiple reasons. In an era where Yahoo sends personal information about its users to the Chinese government upon demand, one should be greatly cautious about how companies use the information we entrust to them. As my prior post about Facebook noted, people in the IT field do not approach their internal policies and administration in quite the same way as they might proclaim in their privacy policy.

I naively thought Hushmail might be different, because the wording of their services suggests they themselves might be unable to decrypt your data. Perhaps they wouldn’t know what your password is, as their set-up system would only work upon your independent entry of the keys. That’s how some online backup services claim to work, and I had thought Hushmail might have been the same system.

When I was traveling around in China, I wanted a method for sending pictures and messages without exposing my normal email accounts to potential hackers. Most of my internet access would be through internet cafes, so I needed a separate, secured account, ideally with encryption, since that is always how I send my messages (Why? Because plain text email is the equivalent of sending letters on a postcard. I don’t want admins at network hubs reading about my romances, do you?). Hushmail seemed to fit the bill.

But now it seems Hushmail is no different from Yahoo. Upon notice, perhaps legitimate court orders, Hushmail is able to share your decrypting keys with the requesting agent. And while this possibility was something that was hinted at in the terms of service, it didn’t occur to me the keys would be proactively provided to the government.
