This is non-news; like all tech companies, they are bound by law to do this. It happens more than 6000 times per year for Proton. However, this user just had bad opsec. Proton emails are all encrypted and cannot be read unless law enforcement gets your password, which Proton does not have access to, even if Proton hands over all data.
Email in transit is not encrypted. At least not encrypted by anything that the government can't compel the company to hand over. Your password at best can only lock down the mailbox itself. Not the receipt/sending of emails.
Edit: The point is that if you're a person of interest, the government can just watch your activity until they get what they want. And Proton doesn't really have anything they can do about it other than a canary page, I suppose.
Edit2: To make it even more clear, I'm talking about MTAs communicating with each other. Proton, being one party, would have the keys to their side of the communication, which is sufficient to decode the whole lot.
IF TLS is used AND configured optimally on both ends, THEN the in-transit message contents should be very secure, in that transient session keys were used.
I would be interested to know how often those two preconditions hold true though.
Of course, this is only one small link in the chain. There ain't no magic bullet.
Yeah, OPSEC is really important, and over the years many people got caught because of bad OPSEC. PomPomPurin, the guy who ran BreachForums, is a pretty good example of this: https://youtu.be/1fZWHeHICws
The name/address of the terrorism suspect was actually given to police by Apple, not Proton. The terror suspect added their real-life Apple email as an optional recovery address in Proton Mail. Proton can't decrypt data, but in terror cases Swiss courts can obtain the recovery email.
Got it. So it's a persec issue? I guess it depends on your threat level. The persons they are arresting seem to be activists. The question is how destructive their activism was. Not because they somehow deserve to be arrested. I can't judge that. But because they should consider better persec in that case. It's still sad to read that a privacy-oriented email provider gives out your info.