Hushmail
Table of contents
Description
Hushmail is an online mail service that subscribes to the "try before you by" business model. They offer minimal services at no charge that any site member is free to use as long as they like. Stronger service protections, more storage and a wider range of features are available to those who pay a nominal charge.
Additional Info
An astute site visitor recently did a little research on Hushmail rather than just take our word for the viability of Hushmail as a good resource to protect email privacy. (Good for you Greg, and thanks!) We highly encourage that sort of thing. If something isn't as it seems, we want to know about it and if there are misconceptions out there, we need to address that as well.
Our Findings
Below are the researched findings presented to us and what we found when we dug a little deeper.
- Presented Finding
- The Wikipedia article says it scored 1 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard in 2014.
- What We Found
- Our first observation, made while searching for the mentioned review, was an article by the Electronic Frontier Foundation (EFF) using Hushmail as an example for creating a secure anonymous email account. Hushmail was cited as being the best for their needs.
It is also worth pointing out that the TekAdvocates goal is to create Social Normalcy online, not to establish CIA worthy communication strategies far beyond the needs of the typical online participant. Having said this, the EFF review did raise a point of concern for us:
- Provider Cannot Read - We are assuming Hushmail failed this criteria because of an event in 2007 where Hushmail turned over the data of customers to authorities in response to a Canadian court order. The action itself is not of great concern to us because it falls within the realm of Social Normalcy. We are more concerned that marketing statements of "not even a Hushmail employee with access to our servers can read your encrypted e-mail..." could be considered misleading. The Hushmail privacy policy does state that they will turn over information under court order, we would however like to see a bit more congruency between the privacy policy and the marketing materials.
- Presented Finding
- Top Tens review rates it security as 3 out of ten compared to 10 out of 10 for Gmail and 9 out of ten for Outlook and Yahoo mail.
- What We Found
- The referenced review, to be perfectly blunt, is a load of crap. The review is a thinly veiled jab directly at Hushmail as evidenced by numerous discrediting factors:
- False Pretense - This is listed as a "free email service" comparison. Hushmail is not a "free email service" and should not even be on this list. Hushmail is a "try before you buy" email service. To legitimately include Hushmail this should be listed as an "email service" comparison (without the "free" qualifier) with full feature sets available within each product's business model.
- Apples & Oranges - A number of features are given points that have nothing to do with email (the supposed core topic) like "Video Chat" and "Social Media Feeds."
- Concluding Article - The article after the review is no summary at all, but rather reads like an ad for the Google product suite. The opinions presented slant heavily to being a Social Media Dashboard review and not an email specific review as advertised.
- Misleading Terminology - "Security" is used in such a way as to imply "privacy." These terms are not equivalent. Had "Privacy been broken out as a separate criteria the scoring would have looked much different.
In summary, this whole review is in identity crisis without real focus in what is being reviewed and reads suspiciously like Google PR repackaged under an affiliate, or at least sympathetic company name. To consider the Hushmail trial feature set in the review as compared to the full offerings of the other companies is akin to comparing the social merits of CostCo to those of a soup kitchen because CostCo gives away tiny free food samples every Saturday. The CostCo corporation does quite a bit to benefit communities, but looking at the soup kitchen comparison alone one would think they were cold hearted, stingy misers handing out bits of food to people who aren't even in need. This review suffers terribly from the same subject matter categorical inconsistency.
- Presented Finding
- PC Mag seems very impressed with the $30 per year version but not with the free version.
- What We Found
- We agree with PC Magazine in general. The article is however quite old and outdated in some regards. Areas of note are:
- Storage - The storage for a basic paid account is now 1GB.
- Pricing - The pricing has changed to $35.00. An increase of about $5.00 a year.
- Data Accessibility - The article statement of "We love that the encryption engine is also used to store documents in your account." infers that stored data is unreadable by anyone but the intended recipients. As previously stated in the above Wikipedia comments, Hushmail can retrieve stored data in response to a court order. A minor clarification, but worth noting to correctly assess the level of trust you must have with your communication facilitator.
- Presented Finding
- Gmail is free and has 500 times the inbox storage as the $30 hushmail.
- What We Found
- According to Google's own documentation we found on the internet, they provide a 15GB total to "free" users for their use across all Google application offerings, including GMail. Hushmail offer 1GB of email storage for email alone with their basic $35.00 paid plan.
One consideration here is that it is in Google's own best interest to offer plenty of storage. The core Google product offering is data about it's user community being made available to paying customers such as marketing firms, corporations and behavioural scientists. The more data stored by their user base, the greater the offering they have for their paying customers interested in the data products produced from that storage.
Hushmail Feedback
We always strive to provide a realistic blend of the theoretical, born from historical considerations, and the pragmatic steeped in researched facts. If we get this approach right, it all amounts to good common sense discussion. Here for your theoretical consideration against your own value system we present the facts as represented by those most qualified to respond, Hushmail itself. After putting down our own thoughts we corresponded with Hushmail over the findings presented to us to get the their side of the story. The body of their response is below, unaltered except to remove greeting and salutations, for your consideration.
Your comparison between Hushmail and Google is accurate with regards to our business models. We are as friendly to use as any other web-based email, but we add OpenPGP encryption to
users’ emails providing protection for data both in transit and when stored in their mailbox, making Hushmail a more secure option that Google (who only offers SSL encryption in transit, but not
end to end PGP encryption). On top of the security, privacy is Hushmail’s top priority, so all accounts are ad-free (we do not scan users content for marketing purposes) and receive less spam (we
use sophisticated engines to prevent spam from cluttering your inbox and to block viruses and malware). And we have been protecting email privacy since 1999. We are a proven, reliable service.
Another big advantage we have over Google is that customers can always get through to a real human being who will personally answer their questions. We are available over the phone, chat and
email and we aim to respond to paid customers within 1 business day.
The review site you sent is not accurate with regards to our features. It is also important to note they are comparing our free account, which is very limited on storage. Here is a link to our plans, so
you can see the different packages we offer: https://www.hushmail.com/pricing/ If the 10 GB storage we offer is an issue, we can always discuss to add more to suit your needs.
With regards to the EFF review, there are a few things to note:
1) Communication encrypted with a key the provider doesn't have access to
Customers using our Outlook plugin (See: https://www.hushmail.com/services/downloads/) can correspond with end-to-end encryption in all their communications. When using this Outlook
configuration the private key is available to the server only in encrypted form. This will also apply to our iOS app, which we will launch in the near future.
2) Independently verify correspondent's identity
It is possible for the user to retrieve the recipient’s public key from our keyserver via LDAP, use a tool such as GPG to extract the fingerprint, and verify it with the recipient (See:
https://help.hushmail.com/entries/20062368-Send-to-Hushmail-using-GnuPG). However, this interaction operates outside of the application, and so does not guarantee that the same public key is
used by the application.
3) Code open to independent review
The source code for the encryption implementation used by our system is available for download (See: https://www.hushmail.com/services/downloads/). However, this code does not cover the
entire application.
4) We have since started to support Perfect Forward Secrecy. Here is a link to where an independent 3rd party checks the security of our website: https://www.ssllabs.com/ssltest/analyze.html?
d=hushmail.com (Gmail gets a B, we get an A+, which is the highest rating).
And last but not least, here is a link to one recent review of secure email providers on the press: http://www.networkworld.com/article/2948615/security/review-email-encryption-has-gotten-so-
much-better-so-you-d-be-crazy-not-to-use-it.html As you can see, Google is not even considered as a secure provider.
Here is another link on how Hushmail can protect you, which I think you will find very useful:
https://www.hushmail.com/about/technology/security/
Let me know if you have any further questions.
Best regards,