I think Hushmail are pretty up front about being no protection if the person who wants access has a court order. I would not go so far as to say 'snake oil'.
From wikipedia:
"The issue originally revolved around the use of the non-Java version of the Hush system. It performed the encrypt and decrypt steps on Hush's servers and then used SSL to transmit the data to the user. The data is available as cleartext during this small window; additionally the passphrase can be captured at this point. This facilitates the decryption of all stored messages and future messages using this passphrase."
"Hushmail has stated that the Java version is also vulnerable in that they may be compelled to deliver a compromised java applet to a user.[5][7]"
In [7] "Brian", working for Hushmail, responds to a Wired journalist agreeing that the applet was an attack vector, and Brian even points to a schneier.com article stating the same [2].
He did weasel around a bit about "viewing applet/HTML source" which he admits is no use for determining the validity of the applet as it is compiled.
"I think Hushmail are pretty up front about being no protection if the person who wants access has a court order"
It is not just about having a court order. The court order is not some kind of secret key that decrypts messages, it is just a way to compel Hushmail to decrypt those messages. Pointing a gun at a sysadmin would work just as well. Paying a sysadmin would also work. Getting a spy to work for Hushmail would also work.
Let's say you are trying to protect the names of activists in China. There is no reason to think that the Chinese government could not find a sympathetic Chinese immigrant / national with an IT background who is willing to pass on some messages every so often. You can imagine other scenarios -- maybe you have highly valuable business secrets, maybe you are running a political campaign, etc.
Snake oil is the right term for Hushmail, because that is what they deliver. The only term that is more polite than snake oil is "key escrow," but why should we be polite here?
For sure, but can I fault idiots for inability to read the documentation and caveats? Maybe, but not really lest most on this site could not "do computers" professionally.
Unfortunately, the trust problem you mention is pervasive. It was a signed applet IIRC, but both require you to trust the original and modified applets from the developer. I am wishing someone released an auto-encrypting PGP service and client, open-sourced on purpose.
We all know only four people would read the source of that, and two of those would verify the dev key given with the release. :-)
The correct way to do a signed applet or signed extension is to give the signing key to a third party who has responsibility for auditing it, or at least being "out of the subpoena chain" so when bad stuff happens, they suddenly stop signing new versions.
I kind of wish there were a (well armed) organization which did this for other projects.
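As an added illustration of the "out of the subpoena chain" idea in the comment above (example code, not from Hushmail or any commenter): a client pins two keys, the developer's and an independent auditor's, and accepts an applet build only when both have signed the digest of the exact bytes being served. The `Release`, `Policy` and `Demo` names are hypothetical constructs for this example; the applet bytes are constructed sample data, and the keys are generated fresh each run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is a signed applet build. Signing the digest binds both
// signatures to the exact compiled bytes the user will run.
type Release struct {
	Version      string
	Digest       [32]byte
	DeveloperSig []byte
	AuditorSig   []byte
}

// Policy holds the two keys a client pins: the developer's and the
// independent auditor's. Both names are hypothetical for this example.
type Policy struct {
	Developer ed25519.PublicKey
	Auditor   ed25519.PublicKey
}

// signedMessage is the byte string both parties sign: a domain label,
// the version, and the digest of the build.
func signedMessage(r Release) []byte {
	return append([]byte("applet-release:"+r.Version+":"), r.Digest[:]...)
}

// Accept is true only when the developer AND the auditor signed this
// exact build. A developer acting alone, whether compelled or not,
// cannot produce a release the client will load.
func (p Policy) Accept(r Release) bool {
	msg := signedMessage(r)
	return ed25519.Verify(p.Developer, msg, r.DeveloperSig) &&
		ed25519.Verify(p.Auditor, msg, r.AuditorSig)
}

// Demo builds keys and releases, then returns whether the policy accepts
// (1) a properly dual-signed build, (2) a new build the developer pushed
// without audit sign-off, and (3) a build whose bytes were changed after signing.
func Demo() (bothSigned, developerOnly, tampered bool) {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	audPub, audPriv, _ := ed25519.GenerateKey(rand.Reader)
	policy := Policy{Developer: devPub, Auditor: audPub}

	// Constructed sample applet bytes; a real client would hash the served JAR.
	r := Release{Version: "1.0", Digest: sha256.Sum256([]byte("constructed applet bytes v1"))}
	msg := signedMessage(r)
	r.DeveloperSig = ed25519.Sign(devPriv, msg)
	r.AuditorSig = ed25519.Sign(audPriv, msg)
	bothSigned = policy.Accept(r)

	// A newer build signed only by the developer, reusing the auditor's
	// stale signature from the previous release.
	r2 := Release{Version: "1.1", Digest: sha256.Sum256([]byte("constructed applet bytes v2"))}
	r2.DeveloperSig = ed25519.Sign(devPriv, signedMessage(r2))
	r2.AuditorSig = r.AuditorSig
	developerOnly = policy.Accept(r2)

	// Same two signatures, but the served bytes no longer match the digest.
	r3 := r
	r3.Digest = sha256.Sum256([]byte("constructed applet bytes v1, modified"))
	tampered = policy.Accept(r3)
	return
}

func main() {
	a, b, c := Demo()
	fmt.Println("both signed:", a, "developer only:", b, "tampered:", c)
}
```

The design choice worth noting is that the auditor's key never needs to be online at the developer's site: the auditor signs only after reviewing a build, so a compelled or compromised developer still cannot ship a loadable change on their own.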
Unfortunately, I cannot find a clip of this from the movie Ronin. One of my favorites with Robert DeNiro as a criminal or spy, and not even his own gang of crooks are trusting of him. Among my many favorite quotes (I am reviewing all of them and laughing; the movie is a goldmine [0]):
Spence: You think too hard.
Sam (DeNiro): Nobody ever told me that before.
Which is equally insecure, as the company could easily insert a back door the next time you load the applet. Hushmail was and is snake oil.