Hushmail, the web’s leading provider of encrypted web mail, updated its explanation of its security model, confirming a THREAT LEVEL report that the company can and will eavesdrop on its users when presented with a court order, even if the targets uses the company’s vaunted Java applet that does all the encryption and decryption in a browser.

According to Mashable, Hushmail, the Canadian web mail that has built its brand on being safe, has given up, and will continue to give up, information on its users to any hot young thing waving a warrant.

Hushmail “has turned over 12 CDs (full of information on ) three Hushmail accounts to US Federal authorities.”

On their website, they say “not even a Hushmail employee with access to our servers can read your encrypted e-mail.” . . . Hushmail uses OpenPGP and AES 256 to encrypt the contents of messages server-side. Theoretically, with the contents of one’s emails encrypted on the server, even if Hushmail were compelled to turn over the contents of one email, brute-force decryption routines should make the cracking process time-prohibitive.

“To date,” said Brian Smith, the company’s CTO in an email exchange with Wired, “we have not challenged a court order in court.”

So, if you use Hushmail to avoid a security service’s scrutiny, trusting the manifold claims that it makes to being safe, think again. Any government, with enough time and money, can figure out who you are if you’re online. Any government that has the help of Yahoo or Google, or Hushmail, doesn’t need as much time, or as much money.

Thanks, Hushmail, for lowering the bar.

Read more on Wired’s Threat Level blog.