Thursday, November 22, 2007

Shhh...

I assume most of my many readers, being as discerning and intelligent as they are, realize that email is not private. But it may be even less private than you think.

Is anyone familiar with a service called Hushmail? They bill themselves as offering private, secure, free e-mail accounts.

Hush uses industry standard algorithms as specified by the Open PGP standard (RFC 2440) to ensure the security, privacy and authenticity of your email. With Hushmail, users need only create and remember their own passphrases, and the secure Hushmail server does the rest. Encryption and decryption are transparent to the user, making Hushmail the most user-friendly secure mail solution available. Through the Hush Encryption Engine™, the Hush key servers take care of public/Private key exchange in a completely seamless fashion. When a user wishes to encrypt/decrypt data or verify/sign a signature, a connection is automatically made to a Hush Key Server to retrieve the necessary Public/Private Key. It's that simple! Only Hush's solution provides such a high level of security combined with total ease of use. The descriptions below will give you an overview of how the Hush system secures email.
But maybe not so much.
A court document in a drug smuggling case has shown that the private email service Hushmail has been cooperating with police in handing over user emails. Hushmail claims to offer unreadable email as it uses PGP encryption technology and a company-specific key management system that it says will ensure only the sender and recipient can read the emails. However, it seems the Canadian company has been divulging keys to the American authorities.
Do you remember that sage advice about being careful as to what you say? Something about eating your words or something like that...
The news will be embarrassing to the company, which has made much of its ability to ensure that emails are not read by the authorities, including the FBI's Carnivore email monitoring software. "Hushmail's security cannot be broken or weakened by this government sponsored snooping software," the company states.
Uh huh. A moral for the company (what do you think the chances are that they will be sued ... or of them being able to rely on the protection afforded by US legislation?) and for all those who traverse the internet.

Shhh ... if you don't want anyone to 'hear' you, it might just be better not to 'say' it at all.


H/T to Business Lawyer Blog
