They are bound by Swiss Law, so they have to comply with lawful orders. They are very up front about this even within their marketing that pertains to protection from other government authorities. They are also very good at explaining exactly what is protected and what inherently isn’t. A recovery email isn’t. In order for a recovery email to work by its very nature, Proton has to have a record of it. But at the same time they don’t require you to set one. Proton hasn’t done anything that they’ve promised not to. There comes a point where you need to put a little effort into understanding the product you’re using.
Don’t tell me, tell the guy they gave up . ?
They market to activists and people concerned with the business of protest, not Swiss law experts - and are very much are not up front about what could happen if they are contact by LE. Of course They don’t hide it, but you won’t find it on the front page, where they trumpet about Swiss privacy… You and I know the detail, many users may not.
At the end of the day, they attract a lot of activists and protesters to their service, with the offer of “safe and secure email. “ .
They hold a database of all them, in a jurisdiction that requires them to comply with legal requests for information.
They service some 6000 such requests from their database of every year, or around 30 per day.
You can decide for yourself who this efficient and eminently accessible single source of protesters information helps the most.
This information was just as clearly and easily accessible by the guy who was caught, as it is to you, and to me. If you’re going to commit crimes using a cloud service, the onus is really on you to put in a minimal amount of effort to familiarize yourself with what is protected and what isn’t. Proton is extremely up front about this, and give you all the information you need to be safe.
Proton never advertised to a single user that all your data is safe from the Swiss government. On the contrary, their main selling point is that the Swiss government is the primary driver of their secure offering. They encrypt what they can using zero trust encryption, and that is left over is secured by the Swiss Governments laws regarding businesses sharing information with foreign governments.
Proton promised to not comply with direct requests from foreign governments and they haven’t.
Proton promised to encrypt all the data they feasibly can so it was safe from Proton being able to hand it over to even Swiss authorities and they have.
Proton is not responsible for user error, nor the willful ignorance of its users.
I’ve never sought to absolve the user of responsibility, but nor am I ready to label him a criminal, which you seem to be able to do.
At the same time, my words were quite specifically a mild criticism of Proton who are, for reasons I have explain, not entirely the privacy haven it is perceived to be, because of design decisions, where it choose to host its servers and the fact that it has perhaps unknowingly created a highly functional database for law enforcement to query in demand.
