November 8, 2007

Hushmail Can Read Your Encrypted Mail


According to Wired Blog, Hushmail, the popular purveyor of secure and encrypted mail, is colluding with the US federal government, and has displayed its ability to decrypt your emails and compromise a client's security.

What happened?
Hushmail decided to help US federal agents bust an alleged steroid provider.

What does this mean?
If you've ever used Hushmail, all your messages sent and received through them can be decrypted.

How does Hushmail hack into your account?
Hushmail has two techniques. If you access your account through webmail, they can capture your password and use it to decrypt your messages. If you access it through the client-side Java, they can feed you a special program which captures your password.

Why did Hushmail cooperate?
They cooperated because they were compelled by a court of law, and they didn't feel like defending the client because the client was alleged to be a criminal. They are a Canadian corporation, so their jurisdiction offers a poor basis for a defense, and it is unclear whether they investigated the claim to determine if it was legitimate or dubious.

How does this compare to XeroBank?
XeroBank is in a strong jurisdiction, unlike Hushmail. XeroBank also investigates such claims and will not blindly follow a subpoena. However, XeroBank looks forward to busting money scammers and terrorists as well.

What should we learn from this?
If you are doing something illegal under the company's terms of service, jurisdiction won't matter whether you use Hushmail or XeroBank. If you aren't doing anything illegal according to the terms of service, court orders will face a very high hurdle, as long as you have XeroBank. In the latter instance, it appears Hushmail may sell you out. Honestly, we need to know more about what really happened, because if Hushmail found out the steroid claims were true before handing the messages over, AND it really was a violation of their TOS, they acted with propriety.

Another thing we should learn from this is that Hushmail's use of client-side encryption is a marketing gimmick, as they can push Java code to you that is untrustworthy and can give them access to your emails.
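
The trust problem with server-pushed client code can be checked for from the user's side. The following is an added example, not code from Hushmail, XeroBank or the original post: it pins the per-entry SHA-256 digests of a client JAR you have reviewed and reports any entry that differs in a copy served later. The class names and contents are constructed sample data.

```python
import hashlib
import io
import zipfile

def jar_manifest(jar_bytes):
    """Map each entry in a JAR (a zip archive) to the SHA-256 of its contents.
    Hashing entries, not the whole file, ignores zip timestamps and ordering."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist() if not i.is_dir()}

def diff_against_pin(pinned, served_jar_bytes):
    """Compare a served JAR with a pinned manifest and list what changed."""
    served = jar_manifest(served_jar_bytes)
    return {
        "added": sorted(set(served) - set(pinned)),
        "removed": sorted(set(pinned) - set(served)),
        "modified": sorted(n for n in pinned.keys() & served.keys()
                           if pinned[n] != served[n]),
    }

def is_trusted(pinned, served_jar_bytes):
    """True only if every entry matches the pin; unreadable archives fail closed."""
    try:
        return not any(diff_against_pin(pinned, served_jar_bytes).values())
    except zipfile.BadZipFile:
        return False

def build_jar(entries):
    """Build a constructed sample JAR in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample data (hypothetical class names and contents).
REVIEWED = build_jar({"mail/Crypto.class": b"v1-crypto", "mail/Ui.class": b"v1-ui"})
SERVED_LATER = build_jar({
    "mail/Crypto.class": b"v1-crypto-changed",  # same name, different code
    "mail/Ui.class": b"v1-ui",
    "mail/Extra.class": b"new-code",            # entry that was never reviewed
})
PINNED = jar_manifest(REVIEWED)

if __name__ == "__main__":
    print("reviewed copy trusted:", is_trusted(PINNED, REVIEWED))
    print("later copy trusted:", is_trusted(PINNED, SERVED_LATER))
    print(diff_against_pin(PINNED, SERVED_LATER))
```

A check like this only helps if the pinned manifest comes from a copy you actually reviewed and the comparison runs before the code is loaded; it does nothing for the webmail case, where decryption happens on the server.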