In today’s secure email service review, we look at Hushmail, a service that has been around since 1999. Hushmail has some unique features that could make it an ideal email service for your needs.
But Hushmail has several drawbacks too. We’ll look at both the pros and cons of this long-running system to help you decide if it has the potential to be your next email service.
- Built-in OpenPGP support
- iOS mobile app
- Supports POP, IMAP, SMTP
- Supports encrypted communication with non-Hushmail users
- Strips IP addresses from emails
- Special features for business users
- Hushmail can capture user’s passphrase, allowing them to decrypt OpenPGP messages
- Not open source
- Canadian company, subsidiary of a US company (bad privacy jurisdiction)
- No calendar or file storage
- More expensive than competitors
Hushmail features overview
Hushmail lacks several features that the competition has. The “standard” features that Hushmail contains include:
This puts them a few steps behind the competition since they do not include:
That said, Hushmail does include several benefits:
- Secure forms for various business types
- A detailed Security Analysis
We’ll look at these benefits in more detail later. In particular, we’ll be talking about the way Hushmail implements OpenPGP in their servers, as this is a two-edged sword when it comes to the security of your messages.
Hushmail company information
Launched in 1999, Hushmail is a product of Hush Communications, Ltd., a Canadian company. Hush Communications, Ltd. in turn, is a subsidiary of Hush Communications Corporation, which is based in the United States.
While the company emphasizes the security it provides for your email messages, it also stresses that it complies with warrants enforceable in Canada that request user data, whether those requests originate with the Canadian or the US government.
Both the United States and Canada are founding members of the Five Eyes intelligence organization. Both conduct large-scale intelligence operations and are believed to spy on each other’s citizens and share that data, allowing them to circumvent domestic espionage restrictions. They can and do force local companies to help them spy on users, and may use gag orders to prevent those companies from even informing the targets that they are being spied upon.
The difficulty of protecting the privacy of users causes most secure email services to locate themselves outside the United States and Canada. The same can also be said of Canadian VPN providers, which are affected by the same laws.
Hushmail technical specifications
Hushmail uses standard encryption algorithms and protocols to protect your messages. These include:
- PFS (Perfect Forward Secrecy)
- HSTS (HTTP Strict Transport Security)
In addition, their specialized business accounts may meet relevant industry standards:
- Hushmail for Healthcare — HIPAA compliant
- Hushmail for Law — Support for Attorney/Client privilege
Hushmail hands-on testing
I’ve based this Hushmail review on the browser-based client and the free trial account. If you decide Hushmail is for you, it will be easy to upgrade to one of the myriad paid plans they offer.
Signing up for Hushmail
Signing up for Hushmail gave me bad feelings about the service from the very start. To get your “secure” Hushmail account, you are required to give them your current email address. That is annoying in itself, as it results in a link from Hushmail back to you that can easily be hacked or even handed over to anyone who asks for it nicely (or while backed by several big dudes in body armor).
But it gets worse. You are also required to give them a phone number, which is the most anti-privacy signup requirement you will normally see. While you could always create a burner email address for the signup process, using a fake telephone number isn’t usually an option. And given a telephone number, you can get a whole lot of information about a person simply by doing a reverse lookup on any of dozens of websites.
This is a far cry from email services that allow 100% anonymous signup and payment, such as with Posteo.
The look and feel of Hushmail
The Hushmail email interface is an old-style, 2-pane setup as shown here:
I say old-style because this isn’t a drag-and-drop interface like you find with services like ProtonMail. Here, you check the box to the left of one or more messages, then select what you want to do to that message (Mark read, Move, Delete, whatever).
Note that the client displays buttons for Desktop or Mobile at the bottom of the right pane. Select Mobile to see the Hushmail client as a responsive interface designed for smaller screens. Depending on the characteristics of your device, it will look something like this:
This Mobile view should work on any Android or iOS device, but is not a separate app, merely a different form of a browser page. By contrast, a true mobile app, like the iOS app Hushmail also offers, will only work on certain devices. In general, however, it will be more secure than a responsive web page, even if you are using a secure browser.
You won’t have trouble composing a message in Hushmail. It is virtually the same as composing a message in any other email client. The options you are most likely to need all appear right in the composition window.
There are, however, two options you don’t normally see. They are the Form Builder button, and the Attach secure web form link. These allow you to create secure forms and attach either your custom forms or some of the prebuilt forms that Hushmail comes with.
Sending messages is also simple. Aside from clicking the Send button, the only thing you need to consider is whether or not to send that message encrypted.
Sending to Hushmail users
By default, messages sent to another Hushmail user will automatically be sent encrypted.
Sending to non-Hushmail users
If you are sending to a non-Hushmail user, you can select or clear the Encrypted checkbox to send either encrypted or unencrypted. If you send the message encrypted, Hushmail sends the recipient a link to a secure web page where they can read the message.
Things are actually a little more complicated than I just described when you send an encrypted message to a non-Hushmail user. If this is something you think you will be doing, I suggest you go to this page to see the complete details.
Receiving messages doesn’t require any special actions on your part. Hushmail automatically decrypts any encrypted messages you receive from other Hushmail users, making the encryption transparent to you.
If you plan on using Hushmail a lot, you will probably want to disable the Email notification option. With this option active (which it is by default), every time you receive a message in Hushmail, you will also get a notification in your “other email address” – the one you were forced to give them when you signed up for Hushmail.
During the course of this Hushmail review, I received dozens of these notifications, clogging up the other email address. If you don’t want this to happen to you, here’s how you disable this option:
- In the top right of the Hushmail window, click the Options icon (three horizontal lines in a box).
- Select Preferences from the menu that appears.
- On the About you tab in Preferences, go to the bottom of the page and disable the Email notification option.
Searching for messages
The Hushmail Search feature is simple and efficient. Type in the word or phrase you are looking for and Search will find all the messages that contain it, whether in the message header, body, or any other field.
Note that the search function searches the current folder, not the entire folder structure.
Hushmail gives you a basic Contacts system that has one particularly useful feature. As you can see in the following image, the Contacts page displays a lot of information about each contact, instead of just a list of names and email addresses. You may well be able to pick out the information you need about a particular contact directly on this page, instead of having to open the contact to find it.
While this might get to be clumsy if you have a lot of Contacts, the Search box on the page should take care of that problem.
Hushmail can also import contacts from other services that can export their contacts using the CSV format.
Calendar and file storage
As mentioned above, Hushmail doesn’t provide either a Calendar, or a File storage area. I consider this a mark against the service. Most other secure email services, such as Mailfence, Posteo, and more, provide one or both of these features, and typically charge a lower monthly fee to boot.
We dipped into the Preferences section of Hushmail when I showed you how to turn off email notifications. But there is much more you can do here. I’m not going to attempt to describe all the possibilities in this review, but you’ll get an idea of what’s possible from this list of the tabbed pages included in Preferences:
- About you
- Automatic response
- Email aliases
Capabilities like automatic responses help make Hushmail a good tool for businesses. We’ll talk more about Hushmail business capabilities a little later.
Hushmail mobile apps
Hushmail has a mobile app for iOS. It was originally launched in July 2016 but doesn’t appear to be heavily used, with only 16 reviews so far. The app only gets fair reviews (3.5 out of 5), but with so few reviews posted, that doesn’t necessarily mean anything. It appears to be fully featured, and something worth trying out if you use both Hushmail and an iPhone.
Integration with other email clients
Thanks to its POP, SMTP, and IMAP support, you can work with your Hushmail email using many non-Hushmail email clients. This gives you a way to use your Hushmail account with a real client app instead of through a web page, whichever computer or mobile device you are using.
Hushmail provides instructions for managing your Hushmail account using third-party apps on this page.
Is Hushmail secure? Is it private?
Now that you’ve seen what Hushmail looks like, let’s talk specifically about the security and privacy it provides. We’ll start with the Hushmail Logging Policy.
Hushmail logging policy
Hushmail does a good job of laying out what information it logs, when it does so, and what happens to the data after it is recorded. Unfortunately, there are some things in this policy you probably won’t like.
As I grumbled before, the problems start when you create an account. Hushmail records your IP Address, Phone Number, and Email Address. They say,
We use this information to analyze market trends, gather broad demographic information, and to prevent abuse of our services. We will not share this information with third-parties.
When you sign in to your account, Hushmail says the information they record may include:
- Your IP address
- Your browser type
- Browser language
- Date and Time of the action
- Account usernames
- Sender and recipient email addresses
- File names of attachments
- Subjects of emails
- URLs in the bodies of unencrypted email
- Any other information that we deem necessary to record for the purposes of maintaining the system and preventing abuse.
When it comes to the OpenPGP encryption provided by the service, they say that,
Please note, we may be required to store a passphrase for an account identified in an order enforceable in British Columbia, Canada.
Because of the way the Hushmail encryption system is built, there is a possibility that the company could see and record the passphrase of an account. In other words, the Canadian government can order them to record information that could be used to read your encrypted messages.
Sharing your data with the government and gag orders
Like most secure email services, Hushmail will respond to a legally enforceable order to turn over information to the local government (in their case, the government of British Columbia, Canada). But companies like Tutanota or ProtonMail log as little information as possible, meaning they have little that they can turn over in response to an order. They also have no way to decrypt your encrypted messages, contacts, files, and so on stored in their systems. This means that even if forced to turn over your data, no one will be able to read it.
Hushmail does extensive logging of user activities and personal information and will turn all that information over when commanded to. And in some cases, Hushmail has the ability to decrypt encrypted messages, contacts, and other data, and provide that clear text information to the government as well.
Will Hushmail notify you if they are forced to turn over your data? Not a chance. They say (emphasis added),
Because such orders generally state that we are not permitted to disclose the existence of the order to a user, we will not disclose to any user the existence, or nonexistence, of any order we may have received.
Well at least Hushmail employees won’t be reading your mail, right? Don’t be so sure. Read these two passages from the policy:
Where there are exigent circumstances, such as where the safety or well-being of an individual or individuals is in imminent danger, and we believe in good faith that the disclosure of personal information and account data is reasonably necessary to protect against such harm, we will disclose the records. This may include but is not limited to the welfare of a child, or an act of terrorism.
We comply with Canadian Bill C-22 as enacted into law in Canada. “An act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service”. This means that should we become aware of a user that is using the Hush service for the transmission or storage of Internet child pornography, we are required to report this to the appropriate authorities and preserve the records in the user’s account. As a result of this notification, we may receive an order enforceable in British Columbia, Canada, requiring the disclosure of personal information or account data.
These statements at least open the door to Hushmail employees looking through your stuff to ensure that they comply with these requirements.
How secure is Hushmail?
Since Hushmail logs lots of information about you, and in some cases can even decrypt your messages when requested to by the government, it is one of the least secure email services I’ve looked at recently.
But is Hushmail secure enough for your needs? That of course depends on your threat model. And Hushmail provides some real help here.
One of the nice things about the service is that they post a couple of different articles on how they provide security for your account. Their How Hushmail Can Protect You article tackles their security from a layman’s perspective, while their Security Analysis gets into a more detailed, technical discussion. Reviewing these documents should quickly reveal if Hushmail is secure against the threats you are concerned with.
How private is Hushmail?
From my perspective, it is hard to claim that your Hushmail account is private. Here are my reasons for saying this:
- The United States and Canada are founding members of the Five Eyes international intelligence organization. Among other things, this means that they share intelligence information about each other’s citizens.
- As a result of a US Supreme Court case and some legislation called the CLOUD Act, under most circumstances, companies like Hush Communications Corporation are required to provide user data to US law enforcement, even when that data resides on servers in another country. See this for more details.
- Most of the computer code that handles your Hushmail account is proprietary. This means that there is no way for outsiders to see whether or not your data is truly protected in the Hushmail system.
- Hushmail’s OpenPGP encryption is implemented on their servers, rather than in your client. This means that you must trust Hushmail to implement the encryption properly, without recording data in unencrypted form or the passphrase used to encrypt your data.
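The last point, and the passphrase-storage clause quoted in the logging policy section, both come down to where the passphrase is when encryption happens. The following is an added illustration, not Hushmail's code and not OpenPGP itself: it models a mail server as a message store plus a record of every secret that ever reached it, then runs the same message through a client-side flow (encrypted before upload, the server sees only ciphertext) and a server-side flow (passphrase and plaintext sent to the server, which encrypts on the user's behalf). The `MailServer` class, the flows, and the HMAC-based toy cipher are all constructed for this example; the toy cipher only stands in for OpenPGP's passphrase-protected symmetric layer so the comparison runs offline with the standard library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# --- Toy symmetric layer (constructed stand-in for OpenPGP's symmetric encryption) ---
# NOT a real cipher: an HMAC-SHA256 keystream plus an HMAC tag. It exists only so the
# trust-boundary comparison below runs with the standard library alone.

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> 32-byte key via PBKDF2 (the server never needs this unless it has the passphrase)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, "sha256").digest()     # encrypt-then-MAC
    return nonce + body + tag

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("wrong passphrase or tampered message")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

# --- The server: a store plus a record of every secret that crossed its trust boundary ---

@dataclass
class MailServer:
    stored: dict = field(default_factory=dict)        # msg_id -> (salt, ciphertext blob)
    secrets_seen: dict = field(default_factory=dict)  # msg_id -> passphrase, if one ever arrived

    def store(self, msg_id: str, salt: bytes, blob: bytes) -> None:
        self.stored[msg_id] = (salt, blob)

    def server_side_encrypt(self, msg_id: str, plaintext: bytes, passphrase: str) -> None:
        # Server-side model: passphrase and plaintext are handed to the server, so a
        # logging (or compelled) server is in a position to retain the passphrase.
        self.secrets_seen[msg_id] = passphrase
        salt = secrets.token_bytes(16)
        self.store(msg_id, salt, toy_encrypt(derive_key(passphrase, salt), plaintext))

    def can_decrypt(self, msg_id: str):
        """Plaintext if the server can read the message from what it holds, else None."""
        salt, blob = self.stored[msg_id]
        passphrase = self.secrets_seen.get(msg_id)
        if passphrase is None:
            return None  # no passphrase ever reached the server: ciphertext only
        return toy_decrypt(derive_key(passphrase, salt), blob)

def client_side_flow(plaintext: bytes, passphrase: str) -> MailServer:
    """Encrypt on the client; the server only ever receives ciphertext."""
    server = MailServer()
    salt = secrets.token_bytes(16)
    server.store("msg-1", salt, toy_encrypt(derive_key(passphrase, salt), plaintext))
    return server

def server_side_flow(plaintext: bytes, passphrase: str) -> MailServer:
    """Send plaintext plus passphrase and let the server encrypt (the model the review describes)."""
    server = MailServer()
    server.server_side_encrypt("msg-1", plaintext, passphrase)
    return server

def recipient_reads(server: MailServer, msg_id: str, passphrase: str) -> bytes:
    """The legitimate recipient decrypts locally in either model."""
    salt, blob = server.stored[msg_id]
    return toy_decrypt(derive_key(passphrase, salt), blob)

if __name__ == "__main__":
    msg = b"constructed sample: patient intake notes"   # constructed sample input
    for name, flow in (("client-side", client_side_flow), ("server-side", server_side_flow)):
        server = flow(msg, "correct horse battery staple")
        print(f"{name:12s} recipient reads: {recipient_reads(server, 'msg-1', 'correct horse battery staple')!r}")
        print(f"{name:12s} server can read: {server.can_decrypt('msg-1')!r}")
```

In both flows the recipient reads the message with the right passphrase and a wrong passphrase fails the tag check, so the user experience is identical; the difference is only visible in `secrets_seen`, which is exactly the record an order of the kind quoted in the logging policy would compel a server-side design to keep, and which a client-side design has no way to produce.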
Note: Normally, I recommend using a good VPN service that secures and encrypts the data flowing between your device and Hushmail’s servers. The VPN will conceal your true IP address, making it much more difficult for a snoop to identify you. While using a good VPN service with Hushmail is still a prudent move, with all the other information the company logs about your activities, along with phone registration, hiding your IP address through a VPN may not be enough.
Hushmail business features
We’ve already seen that Hushmail has some business-oriented features, such as automatic responses. But the real bonus is its secure forms.
Hush secure forms
One business-y feature that helps Hushmail stand out from the email crowd is Hush Secure Forms. As the name implies, this is a capability to create secure web forms from within Hushmail. While this threw me at first, once I saw some examples of the forms you can create, it made good business sense. Here are a few examples of forms templates that are ready for you to complete and put to use:
- Secure Contact – Your customers can use this form to initiate a secure conversation with you.
- Secure File Transfer – A form that you can use to receive confidential documents and other files from your customers.
- Client Experience Survey – After an appointment, send this survey to your clients to find out what went well, and how they think you can improve.
- Dental Appointment Request Form – You can link to this form from your website, social media, and email signature. Your customers can use the form to request an appointment with you.
Hushmail provides Email and Telephone Support. The telephone support is offered Monday through Friday, 9AM to 5PM Pacific time. Customer Support gets mixed reviews from users. This may well be caused by the fact that there is no telephone support available for people during their free trial of the service.
They also post service status updates and other information to their Twitter account: @hushmail.
Hushmail plans and pricing
Hushmail pricing is complicated. That’s because of all the different options they offer. You can get a personal account, or several flavors of business accounts. Here’s a quick rundown of the options that exist today.
Hushmail offers a free trial account with limited storage and a single email address. Hushmail Premium is the full personal account and runs $49.98 per year, with 10GB of storage and unlimited email aliases. However, even with Hushmail Premium, you are limited to Hushmail-provided domain names. If you want to use a custom domain name, you need to use one of their business accounts.
Things get complicated here. There are two Small Business plans, three HIPAA-compliant Healthcare plans, as well as plans for Law firms, Nonprofits, and Enterprises. If you fall into any of these categories, you should go to this page and check out the specifics for your situation.
Is Hushmail the best email service for you?
As always, the answer to this question is influenced by your threat model and personal needs. Here are some factors to consider:
- Jurisdiction – The company that runs Hushmail is based in Canada, but is a subsidiary of a US firm. In at least one case, Hushmail provided data to the United States, apparently decrypting supposedly secure messages at the request of the government.
- PGP support – Uses an audited version of OpenPGP.
- Import feature – Can import Contacts in CSV format.
- Email apps – A web-based client along with iOS app.
- Encryption – Emails and attachments encrypted in transit. Messages that do not have the optional OpenPGP encryption are stored unencrypted on Hushmail servers. Because OpenPGP encryption is applied on the server, it is possible for Hushmail to record your passphrase, giving them access to your supposedly secure messages.
- Features – Offers some unique features for specific types of businesses. Does not include a Calendar or file storage capabilities.
- Open Source Code – Hushmail is not Open Source.
If you don’t need any of the special features of Hushmail, there are several secure email services that are more secure, more private, and a better value. Here are five other options:
Some of these email providers offer free accounts up to a certain storage limit.
Hushmail review conclusion
Hushmail offers some unique features for businesses like doctor’s and lawyer’s offices. And it appears to be secure against many types of attacks. However, it has a relatively high price and is missing features like a calendar and file storage, which are standard on most of the competition.
Beyond that, thanks to OpenPGP encryption being done on their servers instead of the client, Hushmail has the capability to record your passphrase, giving them the ability to decrypt your messages.
They have at least once decrypted user messages and provided the decrypted messages to the United States. This makes your messages far less private than on other services which do not have the capability to decrypt those messages. They may also be required by law not to disclose these privacy violations to users.
In many ways Hushmail is similar to Fastmail, an email service in Australia that also is not quite as private or secure as other options.
In short, if you don’t mind Hushmail employees, along with the United States and Canadian governments reading your encrypted messages, and you don’t mind paying a premium price for the features they offer, Hushmail might work for you. But unless you need their specialized business features, I suggest looking elsewhere.
Check out some of the other best secure email providers here.