Many movie and software release groups have been relying on the Canadian email provider Hushmail to communicate with the outside world. Hushmail offers encrypted web-based email, and its web site promises that "not even a Hushmail employee with access to (...) our servers can read your email."

Turns out the feds can, though. Hushmail has been cooperating with US law enforcement requests to hand over specific emails - unencrypted, of course. Wired News just documented a case in which the company turned over 12 CDs with emails of three of its users to the DEA following a local court order that was based on a mutual assistance treaty between the US and Canada.

Hushmail's CTO Brian Smith didn't want to comment on this specific case, but he laid out in detail how someone - and that presumably includes the company itself as well, if ordered to do so by a court - could attack and exploit Hushmail's webmail system. Says Smith:

"A web-based email service is never going to reach the rigorous level of security of an entirely client-based solution like GnuPG."
