misunderstood hushmail hands over mail records

I’m still playing news catch-up, but I was drawn to this Wired blog post about Hushmail handing over mail records. This is a confusing article, quite honestly.

First, I will swear that Hushmail has been offering webmail service far prior to 2006 as mentioned in the article. I’ve been using them off and on for many years (both free and pay accounts), and definitely prior to 2006.

Second, I’ve never been aware of any sort of Java applets or encryption when doing mail with Hushmail. Maybe this is just in the commercial version, but I suspect it really only works with email sent to other Hushmail users or recipients forced to log into Hushmail to retrieve the mail.* I can also attest to never, ever having to supply any passphrases, only the password to my login. So this whole encryption thing with Hushmail is a niche that I would be willing to bet few people truly use or were even aware of.

Still, Hushmail seems a very misunderstood service, as they market to security-conscious people as being anonymous and private, when in fact it really is no less private than Gmail, unless you use their annoying and “non-solution” tools (and as the article demonstrates, even that isn’t solid). I personally just liked having the anonymity, as opposed to the privacy.

If someone were truly paranoid enough about their email privacy and anonymity, they are much better off scouring the net for open mail relays, using PGP, and then sending through an ever-rotating list of relays to their recipients. This protects the message in transit, spreads out your mail to such a degree that no one can form a profile of you, and hides your own originating information. And even that doesn’t protect your address unless you use rotating and/or disposable mail addresses…

* I really don’t agree with that approach to email security, and most people who use it really hate the annoyance of having yet another web site to get mail, rather than it coming to their own mailboxes. And yes, we have a secure mail solution that does this, but users both internal and external either don’t understand how to use it or actively hate it and try their damnedest to work around it… it’s just a terribly lame approach. What really sucks is marketing who then tries to say they secure email with encryption when I damn well know they can’t unless it never leaves their servers. Such misleading garbage that sucks in less-technical purchasers.