Hushmail Review 2024: Secure But not a Privacy-friendly Option

Ruheni Mathenge  - Streaming Expert
Last updated: January 1, 2024

This unbiased review looks at features, security, and ease of use to see how Hushmail compares to other secure email providers out there.

Hushmail is a Canadian-based email service that has been in the industry for more than twenty years. It uses standard encryption algorithms such as TLS/SSL and OpenPGP to secure email messages. Moreover, the service boasts packages ideal for personal use, small business, and healthcare professionals.

Is it the best secure email provider for your needs? This extensive Hushmail review will give you everything you need to know about it.

Hushmail strengths and weaknesses at a glance

Pros
  • Compliant with HIPAA
  • Built-in OpenPGP support
  • Unlimited email aliases
  • Supports SMTP, IMAP, POP
  • Removes IP addresses from emails
  • Enables encrypted communication with non-Hushmail users
  • Native iOS app
Cons
  • Slightly pricier
  • Does not offer calendar and file storage
  • It is not open-source
  • Based in Canada (privacy-unfriendly region)

Hushmail background information

Hushmail was launched in 1999 by Hush Communication Limited. It is a Canadian-based company, a subsidiary of Hush Communication Corporation headquartered in the US.

The company guarantees to protect your email messages. However, under its privacy policy, it complies with warrants requesting user data from the US and Canadian governments.

Remember that both countries are members of the 5/9/14 Eyes Alliance. They perform widespread surveillance on their citizens and share intelligence data, which helps them avoid domestic espionage restrictions.

More importantly, these countries can compel local companies to spy on their users. In fact, they may use legal orders to stop the companies from notifying the targets that they are being snooped on. Post 9/11, the US government adopted large-scale surveillance of its population, including checking everyone’s email.

However, there are concerns that the additional compromise on your privacy will only provide ‘temporary’ solutions. 

Maintaining user privacy has caused many secure mail services to move out of Canada and the United States. Unfortunately, these anti-privacy laws are also affecting Canadian VPN providers.

The technical specifications

Hushmail uses several encryption algorithms and protocols to secure your messages, including:

  • Transport Layer Security/ Secure Sockets Layer (TLS/SSL)
  • OpenPGP
  • HTTP Strict Transport Security (HSTS)
  • Perfect Forward Secrecy (PFS)

Moreover, the specialized business accounts meet appropriate industry standards such as:

  • Hushmail for Law – Support for Attorney/Client privilege
  • Hushmail for Healthcare – HIPAA compliant

Subscribing to it and the pricing

The first time you get on Hushmail, you’ll see it’s not as privacy-friendly as other services such as Posteo and Tutanota. Actually, before you get a secure Hushmail account, you’ll be required to provide your current email address. As a result, there will be a link back to you. This threatens your privacy as hackers and other malicious third parties can easily intercept the link.

Making matters even worse, the company requires you to submit a phone number, one of the worst anti-privacy requirements. While you can use a burner email address, getting a fake phone number is impossible. The problem is that anybody can do a reverse lookup and access your data.

That aside, Hushmail comes with a single personal package and several business plans. Unfortunately, it doesn’t offer a free tier, but the Hushmail Premium account at $49.98/year has a 14-day trial. It includes two secure email forms, 10GB storage, two-step authentication, and unlimited email aliases.

The Small Business plan is available at $5.99 plus a setup fee of $9.99. This package is designed for small businesses, nonprofits, startups, and any type of organization. It has web forms with e-signatures and encrypted emails that will secure and anonymize your communications. Its features are similar to the Premium package, with email archiving costing an extra $2/month.

Furthermore, the Hushmail for Healthcare plan is perfect for sending HIPAA-compliant emails and web forms. Fortunately, it allows you to send protected messages to traditional services such as Hotmail and Gmail.

A single email account, two secure web forms, and 10GB storage are priced at $9.99 per month. Conversely, five email accounts and web forms, electronic signature support, and 10GB storage cost $19.99/month. In addition, a bigger plan with up to 10 email accounts and web forms is also available at $39.99/month.

It’s perfect for many healthcare professionals, including dentists, psychologists, therapists, optometrists, physical therapists, chiropractors, etc.

Finally, the Hushmail for Law plan costs $9.99/month. This is an excellent solution for attorneys and legal professionals. The encrypted emails and web forms with e-signatures help to retain the attorney-client privilege. Remarkably, it includes a signed Business Associate Agreement applicable in the UK, the US, and Canada.

Hushmail interface and use

The Hushmail interface is a bit dated, with only a 2-pane setup. Also, it doesn’t have a drag-and-drop feature like other top services such as ProtonMail. Instead, you’ll have to check the box and decide what to do with the messages – Mark read, Mark unread, Move, Delete, and Report spam. 

There are client display buttons for mobile and desktop at the bottom right of the home screen. In addition, an interface for smaller screens will appear if you select the mobile option. Notably, it is just a different version of the web page and not a separate app.

Hushmail launched the iOS app in 2016, but it isn’t widely used. The app has only received 49 reviews up to now. Also, it has been rated with 3 out of 5 stars, which raises red flags. However, I found it to be fully functional, and it’s worth a try.

Composing messages

Hushmail makes it very easy to compose a message. The composition window contains everything you’ll need, as shown below.

Hushmail messages composing

Unlike other email clients, it has an ‘Attach secure web form’ link and a ‘Form Builder’ button. These options enable you to create secure forms, input your custom forms, or use the provided prebuilt forms.

Sending messages

After composing a message, sending it is also effortless. However, besides tapping on the ‘Send’ button, you also need to decide whether to encrypt the message or not.

People on the Hushmail network

The messages you send to other Hushmail users are encrypted with OpenPGP by default, a reliable security option. However, it’s important to note that the encryption only applies to the servers and not your device. As a result, the company can still read your messages, which threatens your privacy.


Non-Hushmail users

When sending to non-Hushmail users, you can check or uncheck the encryption checkbox to send encrypted or unencrypted messages. Hushmail will refer the recipient to a secure web page if you decide to send an encrypted message.


Receiving messages

There are no special actions required to receive messages. Hushmail will automatically decipher the encrypted messages you get from Hushmail users to make it easy for you to read them.

Deactivating the email notification feature is good if you intend to use Hushmail frequently. That is because you’ll get a notification in the other email address you provided when signing up every time you receive a message, which is very annoying.

In fact, I received numerous notifications that were clogging my other email accounts when writing this review. This is how you can deactivate the feature.

  1. Click the ‘Options’ icon at the top right of the home screen
  2. Choose ‘Preferences’ from the menu
  3. Go to the ‘About you’ tab and scroll down to disable Email notification

Searching for messages

Remarkably, the search function is modest and efficient. All you need to do is type in a keyword to get the messages containing the word.

Contacts

Hushmail has a Contact system with a particularly convenient feature. Rather than just a list of names, the contact page shows a load of information, as you can see in the image below. This means you’ll get all the data you need about a person without opening their contact.

Hushmail contacts screenshot

It might seem like a lot of work if you have many contacts. However, the search function on the home page will address the problem. Hushmail also imports contacts from other email services that support CSV format.

The preference section

We touched on Hushmail’s preference section when discussing disabling email notifications. But the segment has much more to offer. Although I cannot describe all the possibilities, I’ll try to show you some of the things you can do here. These are some of the tabbed pages available:

  • Composing
  • About you
  • Reading
  • Automatic response
  • Spam
  • Email aliases
  • Billing
  • Security

Integration with other email services

Thanks to its IMAP, POP, and SMTP support, you can send messages to non-Hushmail users and access your Hushmail account from an email client app rather than going through a web page. Fortunately, it provides instructions on how to manage your account with third-party apps.

How private is Hushmail?

After seeing how Hushmail works and what it looks like, let’s now look at whether it will maintain your privacy as it claims.

Hushmail logging policy

Hushmail is transparent about the data it retains, when, and what happens to the logged information. However, certain parts of its policy are not pleasant.

As I mentioned earlier, it requires you to provide identifiable information like your phone number, IP address, and email address.

A screenshot of an excerpt from the Hushmail logging policy.

Hushmail indicates that it logs the following information when you sign in to your account:

  • Browser type
  • IP address
  • Date and time of the action
  • Browser language
  • Account usernames
  • File names of attachments
  • Subjects of emails
  • Sender and recipient email addresses
  • URLs in the bodies of encrypted email
  • And any other data that it considers necessary for preventing abuse and maintaining the system

Even though Hushmail uses encryption to protect your emails, it can see and record your account’s passphrases. Unfortunately, this is how it can read your protected messages.


Sharing your data with the government and gag orders

As you have seen above, Hushmail does massive logging of personal data. Also, it can decipher encrypted messages, contacts, and other information. So, there’ll be a lot of data to hand over to government authorities if forced to do so. In contrast, companies like ProtonMail and Tutanota store little data, so what can be revealed about you will be minimal.

In addition, most secure email services don’t have a mechanism to decrypt encrypted messages the way Hushmail does. As a result, nobody will be able to read your data even if it falls into the wrong hands.

Worse, the company will not notify you if it is compelled to provide your data to authorities. This is what it has to say:

Hushmail data sharing policy screenshot

Do Hushmail employees read users’ emails? You can’t be certain they don’t. Check out the following two excerpts from the privacy policy:

Hushmail privacy policy screenshot 1
Hushmail privacy policy screenshot 2

The above statements show that Hushmail employees can look into your stuff under certain circumstances and not inform you.

From my experience, it is difficult to say that Hushmail will keep you completely secure. Here are my reasons why:

  1. Both Canada and the United States are members of the Five Eyes Alliance. This is a group of countries that conduct surveillance on their citizens and share intelligence data.
  2. Legislation known as the CLOUD Act in the US forces local companies such as Hushmail Communication Corporation to provide users’ data to law enforcement. This includes even data on servers in other countries.
  3. Hushmail uses a proprietary computer code to handle your account. As a result, outsiders cannot see if the system truly protects your data. 
  4. The OpenPGP encryption is only available on the server’s side instead of the user’s client. Also, it keeps passphrases that can be used to decrypt your information.

Is Hushmail safe?

Hushmail uses cutting-edge security systems to secure your data in transit and at rest. Firstly, it encrypts the email body and attachments using OpenPGP-based end-to-end encryption. The email’s recipient has a unique key that must be matched with the sender to decrypt the email. 

However, the email subject and recipients are not encrypted, at least not in the same way as the body. So, Hushmail uses a secure SSL/TLS tunnel to encrypt your mail in transit, and OpenPGP encrypts it at rest. In addition to encryption, the service employs other advanced security features like certificate pinning and forward secrecy. Also, it uses HTTP Strict Transport Security (HSTS) to protect you against Man-in-the-middle attacks.
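The point that the subject and recipients stay outside OpenPGP’s protection can be checked by parsing a message the way a mail server would. The Python sketch below is an added example, not Hushmail’s code; the sample messages, addresses and the function name `visible_metadata` are constructed for illustration, and it goes slightly beyond the paragraph by also covering attachment file names, which appear in the logging list earlier.

```python
from email import message_from_string

# Constructed samples (not real mail). Both carry the same cleartext headers.
HEADERS = "From: alice@example.com\nTo: bob@example.net\nSubject: Lab results for J. Doe\n"
ARMOR = "-----BEGIN PGP MESSAGE-----\n\nconstructedCiphertextPlaceholder\n-----END PGP MESSAGE-----\n"

# Inline PGP: body armored in place, attachment encrypted as a separate named part.
INLINE_PGP = HEADERS + f"""\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

{ARMOR}--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="bloodwork-jdoe.pdf.pgp"

{ARMOR}--b1--
"""

# PGP/MIME (RFC 3156): body and attachments sit inside one encrypted part.
PGP_MIME = HEADERS + f"""\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"

--b2
Content-Type: application/pgp-encrypted

Version: 1
--b2
Content-Type: application/octet-stream

{ARMOR}--b2--
"""

def visible_metadata(raw):
    """Return what a server can read from the message without any private key."""
    msg = message_from_string(raw)
    seen = {"headers": {h: msg[h] for h in ("From", "To", "Subject") if msg[h]},
            "attachment_names": [], "body_encrypted": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            # A named part leaks its file name even when its content is ciphertext.
            seen["attachment_names"].append(part.get_filename())
        elif b"BEGIN PGP MESSAGE" in (part.get_payload(decode=True) or b""):
            seen["body_encrypted"] = True
    return seen
```

With the inline layout the attachment file name is readable alongside the headers; PGP/MIME hides the file name inside the ciphertext, but sender, recipient and subject remain visible in both layouts.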

Additionally, Hushmail uses a zero-knowledge data management model that protects you against fraud. Of course, you need a password to log into your account. The password is stored as a hash, a unique string of characters representing your password. Hushmail should do more in this case since hashing a password is not enough to secure your account.

Note:

I recommend using a reliable virtual private network (VPN) like ExpressVPN to secure your data and anonymize your activities. It will mask your IP address, making it difficult for anyone to identify or snoop on what you are doing online. Nonetheless, this may not be enough as Hushmail still keeps pertinent identifiable information such as your phone number.

How does Hushmail work with non-Hushmail accounts?

Hushmail’s security architecture works perfectly in communications between Hushmail servers, but it’s a bit different for data transmissions between Hushmail and third-party email services. For instance, when sending an email to a third-party email service, the email is not sent directly. First, it is sent to the Hushmail servers, then Hushmail takes charge of the authentication process.

The recipients will then receive an email bearing a link. The link leads to Hushmail servers; they must set a password upon clicking it. Upon setting the password, users can then decrypt the sent message. This means that the message never leaves the Hushmail servers and is always protected by OpenPGP encryption, whether sent to Hushmail servers or an external email account.


Hushmail business package

The Hushmail business plan has helpful business features, such as automatic responses. But the best of them all is the secure forms.

Hush secure forms

One feature that differentiates Hushmail from its competitors is the Hush Secure Forms. It enables you to create secure web forms inside your account. Here are some ready templates that you can use:

  • Secure file transfer – This form helps obtain confidential documents and other customer files.
  • Secure contact – Your customers can start a secure conversation with you using this form.
  • Dental appointment request form – You can link this form with your website, email signature, and social media accounts for your customers to book appointments.
  • Client experience survey – After offering services to your clients, you can use this form to enquire about what went well and where to improve.

Hushmail customer support

Hushmail allows you to contact customer support through telephone and email. Phone support is available Monday to Friday between 9 AM and 5 PM Pacific time. Unfortunately, you won’t be able to contact the support if you are on a free trial.

On top of that, the Hushmail website contains several articles that address common issues. Most probably, you will find answers to your questions here.

Hushmail alternatives

Hushmail’s primary focus is emailing. However, if you need a comprehensive office suite, you can opt for Mailbox.org. Besides secure private email, it offers an address book, calendar, spreadsheet, word processor, and cloud storage.

Moreover, choose Tutanota if you need more security and privacy. It doesn’t require you to provide too much personal information when signing up and observes a no-logs policy. In addition, the service encrypts the email subject lines, unlike Hushmail.

Conclusion

This extensive Hushmail review shows that it is a reliable email service with competent security features. In fact, secure forms make it an excellent option for companies that require a secure communication channel. Also, HIPAA compliance will come in handy for healthcare professionals to handle sensitive medical data.

However, the provider is headquartered in Canada and is a subsidiary of a US company. These are not privacy-friendly jurisdictions; your information can be handed over to the government if requested.

Also, because the encryption applies on the servers instead of on your device, Hushmail can decrypt your messages. Therefore, unless you need the specific business features it offers, we suggest you look for alternatives such as ProtonMail to maintain your privacy.

FAQs

Hushmail is one of the best services to send encrypted emails and secure forms. The service protects your messages through OpenPGP encryption, ensuring only the intended recipients can view the contents and attachments.

There is no free version of Hushmail. It is a paid service that comes with a 60-day money-back guarantee.

Hushmail has a personal and a business package. A personal subscription package costs $49.99 annually, while business plans range from $3.99 to $9.99 per month per user.

Hushmail has a 60-day money-back guarantee that lets you test its services risk-free. The refund applies to both personal and business plans.

Hushmail has a stylish, easy-to-use application for iOS devices that comes with all Hushmail features. However, Android users have to set up a Hushmail account with the support of IMAP and POP accounts.

Hushmail complies with HIPAA standards for the protection of healthcare data. It offers secure email services that enable safe communication between patients and healthcare professionals.