Hushmail review 2022: Secure but not as privacy-friendly as many think

Ruheni Mathenge Last updated: January 1, 2022

This unbiased review looks at features, security, and ease of use to see how Hushmail compares to other secure email providers out there.

Hushmail is a Canadian-based email service that has been in the industry for more than twenty years. It uses standard encryption technologies such as TLS/SSL and OpenPGP to secure your email messages. Moreover, the service offers packages for personal use, small businesses, and healthcare professionals.

Is it the best secure email provider for your needs? In this extensive Hushmail review, we will provide you with everything you need to know about it.

Hushmail strengths and weaknesses at a glance

Pros:

  • Compliant with HIPAA
  • Built-in OpenPGP support
  • Unlimited email aliases
  • Supports SMTP, IMAP, POP
  • Removes IP addresses from emails
  • Enables encrypted communication with non-Hushmail users
  • Native iOS app

Cons:

  • Slightly pricier
  • Does not offer calendar and file storage
  • It is not open-source
  • Based in Canada

Hushmail background information

Hushmail was launched in 1999 by Hush Communication Limited. It is a Canadian-based company, a subsidiary of Hush Communication Corporation headquartered in the US.

The company guarantees to protect your email messages. However, the privacy policy complies with warrants that request users’ data from the US and Canadian governments.

Remember that both countries are members of the 5/9/14 Eyes Alliance. They perform widespread surveillance on their citizens and share the intelligence data, which helps them avoid domestic espionage restrictions.

More importantly, these countries can compel local companies to spy on their users. In fact, they may use legal orders to prevent the companies from notifying the targets that they are being snooped on. Post 9/11, the US government adopted large-scale surveillance on its population, including checking everyone’s email.

However, there are concerns that the additional compromise on your privacy will only provide ‘temporary’ solutions. 

Maintaining user privacy has caused many secure mail services to move out of Canada and the United States. Unfortunately, these anti-privacy laws are also affecting Canadian VPN providers.

The technical specifications

Hushmail uses several encryption algorithms and protocols to secure your messages, including:

  • Transport Layer Security/ Secure Sockets Layer (TLS/SSL)
  • OpenPGP
  • HTTP Strict Transport Security (HSTS)
  • Perfect Forward Secrecy (PFS)

Moreover, the specialized business accounts meet appropriate industry standards such as:

  • Hushmail for Law – Support for Attorney/Client privilege
  • Hushmail for Healthcare – HIPAA compliant

Subscribing to it and the pricing


The first time you get on Hushmail, you’ll see it’s not as privacy-friendly as other services such as Posteo and Tutanota. Actually, before you get a secure Hushmail account, you’ll be required to provide your current email address. As a result, there will be a link back to you. This is a threat to your privacy as the link can be easily intercepted by hackers and other malicious third parties.

Making matters even worse, the company requires you to submit a phone number, one of the worst anti-privacy requirements. While you can use a burner email address, it is impossible to get a fake phone number. The problem is that anybody can do a reverse lookup and access your data.

That aside, Hushmail comes with a single personal package and several business plans. Unfortunately, it doesn’t offer a free tier but the Hushmail Premium account at $49.98/year has a 14-day trial. It includes two secure email forms, 10GB storage, two-step authentication, and unlimited email aliases.

The Small Business plan is available at $5.99 plus a setup fee of $9.99. This package is designed for small businesses, nonprofits, startups, and any type of organization. It has web forms with e-signatures and encrypted emails that will secure and anonymize your communications. Its features are similar to the Premium package, but there is an extra $2/ month for email archiving.

Furthermore, the Hushmail for Healthcare plan is a perfect option for sending HIPAA-compliant emails and web forms. Fortunately, it allows you to send protected messages to traditional services such as Hotmail and Gmail.

A single email account and two secure web forms plus 10GB storage are priced at $9.99 per month. Conversely, five email accounts and web forms, electronic signature support, and 10GB storage costs $19.99/month. In addition, a bigger plan with up to 10 email accounts and web forms is also available at $39.99/month.

It’s perfect for many healthcare professionals, including dentists, psychologists, therapists, optometrists, physical therapists, chiropractors, etc.

Finally, the Hushmail for Law plan costs $9.99/month. This is an excellent solution for attorneys and legal professionals. The encrypted emails and web forms with e-signatures help to retain the attorney-client privilege. Remarkably, it includes a signed Business Associate Agreement applicable in the UK, the US, and Canada.

Hushmail interface and use

The Hushmail interface is a bit dated with only a 2-pane setup. Also, it doesn’t have a drag and drop feature as you get with other top services such as ProtonMail. Instead, you’ll have to check the box and decide what to do with the messages – Mark read, Mark unread, Move, Delete and Report spam. 

There are client display buttons for mobile and desktop at the bottom right of the home screen. In addition, an interface for smaller screens will appear if you select the mobile option. Notably, it is just a different version of the web page and not a separate app.

Hushmail launched the iOS app in 2016, but it isn’t widely used. The app has only received 49 reviews up to now. Also, it has been rated 3 out of 5 stars, which raises red flags. However, I found it to be fully functional, and it’s worth a try.

Composing messages

Hushmail makes it very easy to compose a message. The composition window contains everything you’ll need, as shown below.

Hushmail messages composing

Unlike other email clients, it has an ‘Attach secure web form’ link and ‘Form Builder’ button. These options enable you to create secure forms and input your custom forms or use the prebuilt forms provided.

Sending messages

After composing a message, sending it is also effortless. However, besides tapping on the ‘Send’ button, you also need to decide whether to encrypt the message or not.

People on Hushmail network

The messages you send to other Hushmail users are encrypted with OpenPGP by default, a reliable security option. However, it’s important to note that the encryption only applies to the servers and not your device. As a result, the company can still read your messages, which threatens your privacy.

Non-Hushmail users

When sending to non-Hushmail users, you can check or uncheck the encryption checkbox to send encrypted or unencrypted messages. Hushmail will refer the recipient to a secure web page if you decide to send an encrypted message.

Receiving messages

There are no special actions required to receive messages. Hushmail will automatically decipher the encrypted messages you get from Hushmail users to make it easy for you to read them.

It is good to deactivate the email notification feature if you intend to use Hushmail frequently. That is because you’ll be getting a notification in the other email address you provided when signing up every time you receive a message, which is very annoying.

In fact, I received numerous notifications that were clogging my other email accounts when writing this review. This is how you can deactivate the feature.

  1. Click the ‘Options’ icon at the top right of the home screen
  2. Choose ‘Preferences’ from the menu
  3. Go to the ‘About you’ tab and scroll down to disable Email notification

Searching for messages

Remarkably, the search function is modest and efficient. All you need to do is type in a keyword to get the messages containing the word.

Contacts

Hushmail has a Contact system with a particularly convenient feature. Rather than just a list of names, the contact page shows a load of information, as you can see in the image below. This means you’ll get all the data you need about a person without the need to open their contact.

Hushmail contacts screenshot

It might seem a lot of work if you have many contacts. However, the search function on the home page will address the problem. Hushmail also allows you to import contacts from other email services that support CSV format.

The preference section

We lightly touched on Hushmail’s preference section when talking about how to disable email notifications. But the segment has much more to offer. Although I cannot describe all the possibilities, I’ll try to show you some of the things you can do here. These are some of the tabbed pages available:

  • Composing
  • About you
  • Reading
  • Automatic response
  • Spam
  • Email aliases
  • Billing
  • Security

Integration with other email services

Due to its IMAP, POP, and SMTP support, you can send messages to non-Hushmail users. So, this enables you to access your Hushmail account with the client app rather than going through a web page. Fortunately, it provides instructions on how to manage your account with third-party apps.

How private is Hushmail?


After seeing how Hushmail works and what it looks like, let’s now look at whether it will maintain your privacy as it claims.

Hushmail logging policy

Hushmail is transparent about the data it retains, when it retains it, and what happens to the logged information. However, certain parts of its policy are not pleasant.

As I mentioned earlier, it requires you to provide identifiable information like your phone number, IP address, and email address.

Hushmail logging policy screenshot
A screenshot of an excerpt from the Hushmail logging policy.

Hushmail indicates that it logs the following information when you sign in to your account:

  • Browser type
  • IP address
  • Date and time of the action
  • Browser language
  • Account usernames
  • File names of attachments
  • Subjects of emails
  • Sender and recipient email addresses
  • URLs in the bodies of encrypted email
  • And any other data that it considers necessary for preventing abuse and maintaining the system
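Several items in this list (subjects, sender and recipient addresses, attachment file names) sit outside the OpenPGP-encrypted body of a standard email, so a mail server can read them without any key. The following added example, which is not code from Hushmail or from this review, parses a constructed inline-PGP message and reports what remains in cleartext; the addresses, subject and file name are made up.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: an inline-PGP message with one encrypted attachment.
# Addresses, subject and file name are invented for illustration.
SAMPLE = """\
From: alice@example.org
To: bob@example.com
Subject: Lab results for J. Doe
Date: Sat, 01 Jan 2022 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

(ciphertext omitted)
-----END PGP MESSAGE-----
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="doe_bloodwork.pdf.pgp"

(ciphertext omitted)
--b1--
"""

def visible_metadata(raw):
    """Return what a mail server can read without any decryption key."""
    msg = message_from_string(raw, policy=default)
    # Headers are outside the OpenPGP envelope and stay in cleartext.
    seen = {h.lower(): str(msg[h]) for h in ("From", "To", "Subject", "Date") if msg[h]}
    # Attachment file names live in MIME headers, not in the ciphertext.
    seen["attachments"] = [p.get_filename() for p in msg.walk() if p.get_filename()]
    # Only the body text itself is protected by the PGP armor.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    seen["body_encrypted"] = text.lstrip().startswith("-----BEGIN PGP MESSAGE-----")
    return seen

if __name__ == "__main__":
    for field, value in visible_metadata(SAMPLE).items():
        print(f"{field}: {value}")
```
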

Even though Hushmail uses encryption to protect your emails, it can see and record your account’s passphrases. Unfortunately, this is how it can read your protected messages.

Sharing your data with the government and gag orders

As you have seen above, Hushmail does massive logging of personal data. Also, it has a way of deciphering encrypted messages, contacts, and other information. So, there’ll be a lot of data to hand over to government authorities if forced to do so. However, companies like ProtonMail and Tutanota store little data, so revelation about you will be minimal.

In addition, most secure email services don’t have the mechanism to decrypt encrypted messages like Hushmail. As a result, nobody will be able to read your data even if your data falls into the wrong hands.

Worse, the company will not notify you if it is compelled to provide your data to authorities. This is what it has to say:

Hushmail data sharing policy screenshot

Do Hushmail employees read users’ mails? Don’t be certain. Check out the following two excerpts from the privacy policy:

Hushmail privacy policy screenshot 1
Hushmail privacy policy screenshot 2

The above statements show that Hushmail employees can look into your stuff under certain circumstances and not inform you.

From my experience, it is difficult to say that Hushmail will keep you completely secure. Here are my reasons why:

  1. Both Canada and the United States are members of the Five Eyes Alliance. This is a group of countries that conduct surveillance on their citizens and share intelligence data.
  2. Legislation known as the Cloud Act in the US forces local companies such as Hush Communication Corporation to provide users’ data to law enforcement. This includes even data on servers in other countries.
  3. Hushmail uses proprietary code to handle your account. As a result, outsiders cannot see if the system truly protects your data.
  4. The OpenPGP encryption is only available on the server’s side instead of the user’s client. Also, it keeps passphrases that can be used to decrypt your information.

Is Hushmail safe?

As we have shown several times in this honest review of Hushmail, the company retains a lot of your information and even decrypts your messages. This makes it one of the least secure email services we have reviewed recently.

The question of whether it is secure for your needs depends on the threat model. Fortunately, the company provides some real help in this regard.

One of the best things about Hushmail is that it provides articles on how to secure your account. For example, ‘How Hushmail Can Protect You’ talks about security from a layman’s perspective. On the other hand, the ‘Security Analysis’ article is detailed, handling more technical specifications.

Note:

I recommend using a reliable virtual private network (VPN) like ExpressVPN to secure your data and anonymize your activities. It will mask your IP address, making it difficult for anyone to identify or snoop on what you are doing online. Nonetheless, this may not be enough as Hushmail still keeps pertinent identifiable information such as your phone number.

Hushmail business package

The Hushmail business plan comes with helpful features for businesses, such as automatic responses. But the best of them all is the secure forms.

Hush secure forms

One feature that differentiates Hushmail from its competitors is the Hush Secure Forms. It enables you to create secure web forms inside your account. Here are some ready templates that you can use:

  • Secure file transfer – This form is helpful to obtain confidential documents and other files from your customers.
  • Secure contact – Your customers can start a secure conversation with you using this form.
  • Dental appointment request form – You can link this form with your website, email signature, and social media accounts for your customers to book appointments.
  • Client experience survey – After offering services to your clients, you can use this form to enquire what went well and where to improve.

Hushmail customer support

Hushmail allows you to get in touch with customer support through telephone and email. The phone support is available from Monday to Friday, from 9 AM to 5 PM Pacific time. Unfortunately, you won’t be able to contact the support if you are on a free trial.

On top of that, the Hushmail website contains several articles that address common issues. Most probably, you will find answers to your questions here.

Hushmail alternatives

Hushmail’s primary focus is emailing. However, if you need a comprehensive office suite, you can opt for Mailbox.org. Besides secure private email, it also offers an address book, calendar, spreadsheet, word processor, and cloud storage.

Moreover, choose Tutanota if you need more security and privacy. It doesn’t require you to provide too much personal information when signing up and observes a no-logs policy. In addition, the service encrypts the email subject lines, unlike Hushmail.

Bottom line

From this extensive Hushmail review, you can see that it is a reliable email service with competent security features. In fact, secure forms make it an excellent option for companies that require a secure communication channel. Also, HIPAA compliance will come in handy for healthcare professionals to handle sensitive medical data.

However, the provider is headquartered in Canada and is a subsidiary of a US company. These are not privacy-friendly jurisdictions, and your information can be handed over to the government if requested.

Also, because the encryption applies on the servers instead of on your device, Hushmail can decrypt your messages. Therefore, unless you need the specific business features it offers, we suggest you look for alternatives such as ProtonMail to maintain your privacy.