For those criticising ProtonMail, what else could they have done? When the law for the country the company is based in says they must do a thing, they can't just say "no".
It's unfortunate that it happened, but the fact that this could happen shouldn't come as a surprise.
Shut down (sabotage) the entire service immediately. No working service, no new log. They still can implement IP logging to comply with the government, but alas, service is not working right now.
At least, Lavabit did that when the US government demanded the TLS private key from them to spy on Edward Snowden.
Destroy the server equipment, then seek political asylum in non-EU countries.
Their selling point is they never log IP addresses. Fulfill that promise or they lose the trust. They chose to break the promise. The only unique selling point they have compared to the competitors.
That's not true at all? Their selling point is also that they have end-to-end encryption that they can't breach - so your emails can't be grabbed by a government actor.
> Their selling point is also that they have end-to-end encryption that they can't breach
They technically could, by serving you malicious JavaScript. And they have proven that they are willing to do that in order to get cozy with law enforcement, even for a very obvious case of unfair political repression.
That's a fair statement - I think it then comes down to: Can you by law in Switzerland order someone to serve malicious JavaScript, or only to e.g. deliver information you already have?
In the present case, ProtonMail was compelled to backdoor its system to log an IP it did not log previously, so it's arguably closer to the former situation you presented.
Thanks for the clarification, and for making your homepage much more honest in regards to your privacy policy.
May I ask what's the difference in regards to the law between being compelled to modify your systems to record an IP address (which I heard was the fact in this case) and to backdoor OpenPGPJS? From my technical perspective it sounds exactly the same, but I'm unfamiliar with Swiss law.
I know nothing about this case. But it seems to me, the content of the mails is successfully protected by the encryption. The authority seized the IP addresses of the user of that mail address by ordering ProtonMail to implement the IP logging.
If they were shutting down their service every time police requests logs then their servers wouldn't have time to even boot properly. In their "clarification" they claim they received 700 orders in 2020. It is ~2 orders/day.
I really don't know the situation but it sounds like for these 700 orders in 2020, they can legally challenge the validity of the order in court. But this one particular order, their excuse sounds like it comes from another channel, something akin to the order of a Roman dictator so they have no veto power.
Sabotaging and seeking political asylum in non-EU countries is the best action they could take in order to save face, and resist the dictator.
So you suggest they drop their business (which took years to build), abandon their families and run because their local court (or police) issued an order, one of several hundreds they have to process each year? Also - in which country could they seek political asylum exactly? Surely not the Commonwealth, not EU, not Russia (PM is banned there because they did not comply with Russian FSB orders), not China, not Saudi Arabia... Not so many places left, it seems.
Whether you like it or not, ProtonMail's business model conflicts with most jurisdictions. In that sense, they are no better than PirateBay, Wikileaks or Sci-Hub.