Slashdot Mirror


Hushmail Passing PGP Keys to the US Government

teknopurge writes "Apparently Hushmail has been providing information to law enforcement behind the backs of their clients. Billed as secure email because of their use of PGP, Hushmail has been turning over private keys of users to the authorities on request. 'DEA agents received three CDs which contained decrypted emails for the targets of the investigation that had been decrypted as part of a mutual legal assistance treaty between the United States and Canada. The news will be embarrassing to the company, which has made much of its ability to ensure that emails are not read by the authorities, including the FBI's Carnivore email monitoring software.'"

12 of 303 comments

  1. Missing from the article by WK2 · · Score: 5, Interesting

    There are several facts missing from the article:

    1) Was there a court order? Or Canadian equivalent?
    2) Did hushmail lie? They obviously committed willful deception, but did they outright lie?
    3) Did hushmail violate its TOS?
    4) Did hushmail do anything illegal?

    Of course, what the article did mention is important, especially to hushmail, and potential hushmail users. However, it would have been nice if they had dug a little bit to answer these obvious questions.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  2. Re:By the authorise? by Anonymous Coward · · Score: 2, Interesting

    'DEA agents received three CDs of decrypted emails which contained decrypted emails for the targets of the investigation that had been decrypted as part of a mutual legal assistance treaty between the United States and Canada. I received three decrypted cds of decrypted emails that were once encrypted but are now decrypted so the encrypted emails are now decrypted. I'm now reading through for formerly encrypted decrypted emails and by reading the decrypted emails that were encrypted but now decrypted I will find out what was so important that it had to be encrypted and now decrypted.

    --
    Qrpelcgvat guvf rapelcgrq pbagrag vf n ivbyngvba bs gur Qvtvgny Zvyyraavhz Pbclevtug Npg.
  3. Re:Alternatives? by Zonk+(troll) · · Score: 2, Interesting

    FireGPG? Quoting the website:

    "FireGPG is a Firefox extension under GPL which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG. FireGPG adds a contextual menu to access some useful functions. We will support some webmails. Currently, only Gmail is supported (some useful buttons are added in the interface of this webmail!)."

    I haven't used it or Hushmail*, but it looks interesting. It does lack the portability, though. Maybe it could be made to work with Portable Firefox.

    * I trust no one with my private keys.

    --
    "The Federal Reserve is a fraudulent system."--Lew Rockwell
    End The FED.
  4. Re:Embarrassing?? by samantha · · Score: 2, Interesting

    OK, I am embarrassed. They really didn't have much choice except to go out of business given both a fully legal (though it shouldn't be) court order and the fact that the users in question were foolish enough to make their private keys available. I should have read more before firing off. Mea culpa.

  5. Re:Hushmail did NOTHING WRONG by julesh · · Score: 2, Interesting

    Of course, with the applet they could give you a new one that sends them the decrypted key - I'm not sure of the legality of them doing so, even with a court order.

    If I were them, I'd wipe the private key that's used to sign the applet. That way, if they're ever forced to do this, they'd have to use a different signing certificate, and the users (at least those who had checked the 'always trust applets from Hush Communications' checkbox the first time they signed in) would get an unexpected security dialog. Those of us who are paranoid could then choose not to use the fishy version.
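
A simplified model of the signer pinning this comment relies on, as an added example that is not part of the original comment, Hushmail's code, or the Java plug-in's implementation; the certificate bytes are constructed placeholders and the class and function names are hypothetical. It shows that the unexpected dialog appears only when the applet arrives under a different signing certificate, so an altered build signed with the retained key is accepted silently.

```python
import hashlib


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint of a signer certificate (placeholder bytes here)."""
    return hashlib.sha256(data).hexdigest()


class SignerTrustStore:
    """Models the 'always trust applets from <publisher>' checkbox as a pin."""

    def __init__(self):
        self._pins = {}  # publisher name -> pinned certificate fingerprint

    def check(self, publisher, cert_der, always_trust=False):
        fp = fingerprint(cert_der)
        pinned = self._pins.get(publisher)
        if pinned is None:
            # First contact: the user sees a dialog and may tick "always trust".
            if always_trust:
                self._pins[publisher] = fp
            return "prompt: first use"
        if pinned == fp:
            # Same signer as before: no dialog, whatever the applet contains.
            return "run silently"
        return "prompt: signer changed"


def run_scenario():
    store = SignerTrustStore()
    publisher = "Hush Communications"
    # Constructed stand-ins for two different signing certificates.
    cert_a = b"constructed placeholder certificate, signing key A"
    cert_b = b"constructed placeholder certificate, signing key B"
    deliveries = [
        ("applet v1", cert_a, True),
        ("applet v2 (routine update)", cert_a, False),
        ("applet v2 (altered build, key A retained)", cert_a, False),
        ("applet v2 (altered build, key A wiped)", cert_b, False),
    ]
    return [(label, store.check(publisher, cert, trust))
            for label, cert, trust in deliveries]


if __name__ == "__main__":
    for label, decision in run_scenario():
        print(f"{label:45} -> {decision}")
```

The pin identifies the signer, not the applet contents, which is why the third and fourth deliveries get different outcomes.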

  6. Re:So? Google and Yahoo do the same by CaptainTux · · Score: 5, Interesting

    The difference, I would think, is fairly obvious to most people. GMail and Yahoo don't give you a promise of "unbreakable encryption for your emails" that even the government can't break. There's no question that Google will share your information when properly asked to do so by law enforcement. It's in their Terms of Service. You know what to expect and you use your GMail or Yahoo accordingly.

    On the same token, while I am appalled at HushMail's actions, it's for a different reason than most here I suspect. I don't have a problem with HushMail sharing information about customers engaging in illegal behavior with the authorities. Those people don't deserve their activities to be protected - they're illegal. But I DO have a problem with HushMail not disclosing that they're doing it right up front. Now, I've not fully read their ToS so maybe they do but their statements on the website would lead you to believe they aren't.

    Really though, why would anyone use a PUBLIC service to conduct illicit activities? Setting up a private mail system complete with encryption is trivial and MUCH more secure.

    --
    Anthony Papillion
    Advanced Data Concepts, Inc.
    "Quality Custom Software and IT Services"
  7. Re:So? Google and Yahoo do the same by Scrameustache · · Score: 2, Interesting

    I don't have a problem with HushMail sharing information about customers engaging in illegal behavior with the authorities. Those people don't deserve their activities to be protected - they're illegal.

    Things can be made illegal at a whim of your masters. Be wary of allowing them to dictate what is and is not right.
    --

    You can't take the sky from me...

  8. Re:So? Google and Yahoo do the same by TempeTerra · · Score: 3, Interesting

    In principle I agree with you, but I think there is the same problem with focussing on immorality as there is on illegality. Standards of morality differ, and what's worse is that when something is 'immoral' people get much angrier than when something is illegal.

    Prostitution, for example, varies widely in whether it is considered illegal or immoral. I would be appalled if supposedly secure communications could be seized because they contained evidence of consensual sex for money.

    The only position I find tenable is that secure communication must be considered a right of free people. Yes, that means that the murderers, child molesters and terrorists will have it too, but the alternative is that nobody has secure communication.

    Certainly there are technological solutions, such as proper use of encryption. But because of cases like this I would like legal and social support for the right, such as laws making communications that were 'reasonably believed to be secure' inadmissible as evidence. I would also love to hear a group like the NRA saying that the right to secure communication is as essential as the right to bear arms. It certainly is in my mind.

    --
    .evom ton seod gis eht
  9. Re:So? Google and Yahoo do the same by Deanalator · · Score: 2, Interesting

    Calm down. No need to be appalled. If you look into it, you will see that the account owners intentionally disabled the "troublesome" secure interface (enabled by default), which hushmail discourages. They also inform you of exactly what that means when you do it. This article is FUD designed to scare people away from using a really good free service.

  10. Re:Alternatives? by buzzdecafe · · Score: 2, Interesting

    >> the Feds doesn't possess some magical method of factoring enormous primes

    Hmmm. I have a method for factoring any prime, enormous or not. Here it is:

    For any prime p, the factorization of p = p * 1

    Now excuse me while I run to the patent office.

  11. You can expect them to FIGHT it. by Valdrax · · Score: 2, Interesting

    No mater how secure a company claims to be, you can't expect them to not fallow the law.

    I'll assume you meant "follow." This is true. However, we have absolutely no evidence that HushMail attempted to FIGHT this order. They should have made a big stink about it and tried to come up with ways to protect their users both technically and legally, but instead they just rolled over and tried to keep it quiet to avoid letting it hurt their bottom line.

    They lied to their customers by pretending to offer them a security that was as ephemeral as their own spine.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  12. Re:Alternatives? by instarx · · Score: 2, Interesting

    BTW as rummy as this story is, it's also a good sign that the Feds doesn't possess some magical method of factoring enormous primes that they're not telling anyone about.

    Ha ha, the more things change the more they stay the same. Say what you will about them, but the NSA is *very* good at keeping secrets. Sure, because they've asked for the keys it might make you think they don't have the ability to read the emails without them, but asking for the keys is exactly what they would do to keep the secret. If the government never asked for anyone's encryption keys we would know they didn't need them. On the other hand, asking for them imparts NO information to the public about whether or not they are really needed.