Thursday, November 8, 2012

Hushmail provides unencrypted e-mails to feds; practice raises interesting legal questions

In a Second Circuit case (United States v. Gonzalez, 686 F.3d 122 (2d Cir. 2012)) released earlier this year, evidence was presented at trial that had been e-mailed through Hushmail, a secure e-mail service used by "millions of people and thousands of businesses." Hushmail's website claims that they "encrypt your message automatically before it is sent, and then restore it back to its original form when the recipient reads it."

The issue that immediately came to my mind was the fact that Hushmail provided not only the communications but they were able to unencrypt them first. Here's the court's description of the evidence:

The government also introduced into evidence numerous emails sent from the address "" — which Gonzalez admitted was his — through "Hushmail," an encrypted email service provider that encoded email messages, permitting them to be accessed and read only by someone who had the encryption key. The emails introduced at trial by the government, decoded by Hushmail, included the following..."
This isn't the first time Hushmail has done this. In 2007, Threat Level explained the security issues and how Hushmail is able to provide an unencrypted copy of a user's e-mails.

In recent years, several courts have evaluated whether the government can force an individual to provide an encryption key for electronic files. Courts have ruled on both sides of this popular Fifth Amendment issue. Perhaps an interesting extension of that debate is whether a person's agent (that word choice may be a stretch) - their e-mail provider - can be forced to provide an unencrypted copy of e-mails or whether they may only provide the scrambled versions. Another interesting issue is how we would define communications required to be disclosed under provisions of the Stored Communications Act.

Hush Communications' CEO, Ben Cutler, responded to my inquiry about their disclosure policy:
Our policy is to only release user information if we receive an order enforceable in British Columbia Canada requiring that we do so. British Columbia, Canada is the jurisdiction where our servers and operations are located. The order must be for a specific user account. In the case where authorities in the US are seeking information on one of our users they would have to make an MLAT request to the Canadian Department of Justice, which if successful would result in an enforceable order being issued here in Canada.
As may be obvious, I don't really claim to have answers to these issues, but I feel they are interesting to think about. Please feel free to comment below with your thoughts.


  1. It seems data is never safe, ever, unless it is an encrypted server in your possession. Even then, I'm not sure if Carnivore wouldn't pick up on emails. The "stored records", however, would be safe, and in some circuits protected by the fifth amendment.

  2. Hushmail is just a scam. They claim you can get a "free" account, but after a few days they will lock you out of the account claiming you haven't logged in in 3 weeks, and steer you to their "premium signup page" to try and loot $50 - $90 out of your pocket. Well, if you are actually using it expecting to get real email and you're invested in your username choice, they figure they'll pick up a whole bunch of money from desperate people who just gotta get their emails. They pulled this stunt on both of the emails I set up with them, and I've made it a point to log into each of them frequently, because I was using them trying to unload my life on gmail. I'm STILL LOOKING for a free email alternative to the evil GMAIL.

  3. Gmail and Yahoo continue to go down hill, I finally made the choice to switch to paid email provider and came across These guys migrated me over and the support has been terrific. I thought it was quite basic at first but there is a lot more too the email and apps than meets the eye. I highly recommend testing out other paid email providers rather that using free email.