Hushmail provides unencrypted e-mails to feds; practice raises interesting legal questions

In a Second Circuit case (United States v. Gonzalez, 686 F.3d 122 (2d Cir. 2012)) released earlier this year, evidence was presented at trial that had been e-mailed through Hushmail, a secure e-mail service used by “millions of people and thousands of businesses.” Hushmail’s website claims that they “encrypt your message automatically before it is sent, and then restore it back to its original form when the recipient reads it.”

The issue that immediately came to my mind was the fact that Hushmail provided not only the communications but they were able to unencrypt them first. Here’s the court’s description of the evidence:

The government also introduced into evidence numerous emails sent from the address “biotechresearch@hush.com” — which Gonzalez admitted was his — through “Hushmail,” an encrypted email service provider that encoded email messages, permitting them to be accessed and read only by someone who had the encryption key. The emails introduced at trial by the government, decoded by Hushmail, included the following…”

This isn’t the first time Hushmail has done this. In 2007, Threat Level explained the security issues and how Hushmail is able to provide an unencrypted copy of a user’s e-mails.

In recent years, several courts have evaluated whether the government can force an individual to provide an encryption key for electronic files. Courts have ruled on both sides of this popular Fifth Amendment issue. Perhaps an interesting extension of that debate is whether a person’s agent (that word choice may be a stretch) – their e-mail provider – can be forced to provide an unencrypted copy of e-mails or whether they may only provide the scrambled versions. Another interesting issue is how we would define communications required to be disclosed under provisions of the Stored Communications Act.

Hush Communications’ CEO, Ben Cutler, responded to my inquiry about their disclosure policy:

Our policy is to only release user information if we receive an order enforceable in British Columbia Canada requiring that we do so. British Columbia, Canada is the jurisdiction where our servers and operations are located. The order must be for a specific user account. In the case where authorities in the US are seeking information on one of our users they would have to make an MLAT request to the Canadian Department of Justice, which if successful would result in an enforceable order being issued here in Canada.

As may be obvious, I don’t really claim to have answers to these issues, but I feel they are interesting to think about. Please feel free to comment below with your thoughts.