
ProtonMail has been fraught with problems for a long time, and it's good that serious issues are being brought to light. Their marketing is very good and critics of them have struggled to communicate to users for a while.

The most important thing a serious privacy-minded service provider can do is be forthright and honest with users about the limitations of their privacy guarantees, particularly with respect to what hinges on math and what hinges on trust. ProtonMail has failed in this respect. It has always been the case, for example, that they could log these IPs, or that any incoming plaintext emails can be recorded before being encrypted at rest - and the fact that they're encrypted at rest is another thing we have to take on faith. Their proprietary components have always been a problem, and we also trust that they won't silently add key exfiltration to their webmail UI on the demands of a court. They don't explain any of this, they just pose themselves as experts on privacy and let vulnerable users stumble into law enforcement's hands because they care about their money more than their security.

Good privacy systems do not rely on trust or faith, they rely on math. Where some trust is required, in the case of a commercial service provider, it is their solemn duty to be honest with users and explain to them what promises they can and cannot make, and to make sure users understand which of these claims are backed up by math, which are backed up by law, and which are backed up with thoughts and prayers, so that these users can make informed decisions about how they use a service they're relying on for their personal liberty.



In my opinion, email is the wrong medium for highly confidential communication, especially if someone's personal freedom or safety depends on it. Even if E2E works correctly, you still have to worry about metadata. Maybe Matrix over TOR would be a better alternative?


I would not go so far as to say that email cannot be used privately, but I would say that it is very very difficult to use email privately. I agree that most people with highly confidential needs would be better served by another system, though I don't know what to recommend - Matrix over Tor seems viable, perhaps.


Encrypted email over an onion router (might even be TOR) would be no worse than Matrix over TOR for someone that needed anonymity on top of privacy. Since email can be done entirely offline, chances are that it would be better for the privacy:

* https://articles.59.ca/doku.php?id=em:emailvsim


When someone's personal freedom or safety is at risk from their communications, said person should re-evaluate their career choices.


Why? What if they're working for a drug manufacturer trying to find a cure for cancer when they discover that one of the other drugs their employer creates is killing people, but that's being covered up because money? Should those people stop trying to cure cancer or just keep quiet about unnecessary deaths?

What happens if your job is to be a watchdog for oil rigs to make sure they're not polluting local waters or covering up spills? Some rough looking men tell you that you should forget some of what you saw in your last inspection? Should these types of jobs not exist?

What happens if you're just out for a walk late at night because you have insomnia? You just happen to see the chief of police up to some less than ideal actions at 3 in the morning in the park. How would changing your job even help in this scenario?

Sometimes people need to communicate something that could be a problem for their personal safety. And the rest of us as a society dearly need them to do it. And personally, I would like them to be able to do it while also costing them as little as possible. Because otherwise people tend to be quiet about things that should be known by all.


Like a journalist covering China from Hong Kong?

Some people try to make the world a better place. Your message is personal freedoms matter more than my beliefs. That is not true for everyone. Many will turn in their own mother to save themselves; others will put their lives on the line to save your mother.


That's the fair point among the objections here, re: HK, because you've identified a state actor doing arguably a wrong thing, but would such a state actor be able to satisfy Swiss law to compel the email vendor here to act?

The other objections are about whistleblowing on private parties, discrimination or in one case a corrupt petty politician/magistrate. None of them would generate a safety concern to someone protected by Swiss law.

Seriously, the folks working the privacy angle on this story need to distinguish themselves from gangsters and organized crime syndicates. One person doing the wrong thing is bad; an organization doing it is a serious public concern and everywhere and always will generate a public response.

If you substituted Substack or a public-facing communication medium I'd be more sympathetic to the outrage at an email vendor complying with Swiss law. Here, however, we're talking about discovery of the identity behind private communications of an undetermined nature in compliance with the law of a mature Western democracy. Sorry folks, you've sometimes got to work within the democratic system to achieve your goals.


It's not like corruption and organised crime don't exist in Western countries or governments. For example, the Maltese journalist Daphne Caruana was killed after reporting on government corruption in Malta, an EU member state.


Privacy means you don't know if the email is from the pope or gangster. Trying to separate them means no privacy for either group.

China could easily pressure an EU nation to make the request.


You really live in a marvelous world, where your communications reflect on your safety only due to career choices and not, let's say, gender, religious, political, or ethnicity related problems.


I don't think you realize the danger some people are in in some countries just for performing what many would perceive as basic freedoms.


Nothing stops them from deploying malicious JavaScript code to comply with court orders.

Nothing stops them from logging user passwords either; then the entire mailbox contents are compromised.

Many good points + 1.


Well, if that matters, nothing stops _any_ email service provider from doing those things. And I would prefer a provider that at least tries to be clear about what to expect. One thing that PM failed to account for is how many people live in an imaginary world where it is possible to run a business that is stable and profitable on one hand, and on the other hand fights for other people's freedom at its own expense and is constantly in conflict with local authorities.



