Hushmail Turns Over Email To Feds
I had a discussion yesterday with a client about security and trusted third parties. The point I am always trying to make is that when you trust a company, you not only trust them, but every employee they have. Think about that before trusting.
Related in a different way is an article in Wired titled “Encrypted E-Mail Company Hushmail Spills to Feds”. Hushmail provides secure web-based email: normally, a message is encrypted by a Java client on your PC and decrypted on the reader’s PC, so Hushmail’s servers see only encrypted data.
But that method is slightly inconvenient, so Hushmail offers another option. With the other option, the encryption key is known to the Hushmail server for a short time. You really need to read the article to understand the full details, but the bottom line is this: convenience will cost you security.
Is anyone surprised by this?
I was at a conference recently where I was discussing secure communications with a person who has ties in high places. He assured me that no level of encryption is more than a slight inconvenience to the Feds. This article, to me, indicates otherwise.
But just sending encrypted data is a red flag that says “look here”. So weigh those options before encrypting anything, unless of course you have a high volume of junk you can encrypt to act as red herrings.




