Crying wolf
The numbers are in the transparency report, 3 requests are claimed to be contested in 2017 and 4 requests in 2018, with the overall number of requests increasing twentyfold in 2018. The transparency report examples clearly state that in certain cases Protonmail assisted the law enforcement agencies without the court order, expecting the court order to be provided retroactively. It did claim for some examples that only limited assistance was possible due to cryptography.
To the best of my judgement, Mr. Steiger is making a point in his article that Switzerland is a surveillance state and that Protonmail is misleading customers about their data being protected by Swiss privacy laws since they do not apply to criminal investigations. He is also claiming that Protonmail is not exempt from SPTA (Swiss federal act on surveillance of telecommunications) requirements and is either acting as Provider of Communication Services or Provider of Derived Communication Services. In the former case (PCS) Protonmail would have to assist with surveillance, remove any encryption applied, provide real-time communication data and metadata, keep and provide metadata for 6 months; in the latter case (PDCS) Protonmail would have to assist with surveillance and provide available metadata.
Mr. Steiger is then speculating about the status of Protonmail under SPTA and concludes that Protonmail would not be obliged to provide real-time metadata; he concludes that providing such real-time metadata is incompatible with claiming to be a trustworthy email service provider with data protection and encryption. I think this is where he is making mistakes.
Protonmail claims that it does not store metadata ("By default, we do not record metadata such as the IP addresses used to log into accounts."), which means that if requested to provide such metadata (e.g. by being PDCS) they will _enable_ recording for the account under surveillance. Since they decided to assist with the request and just enabled the recording, providing the authorities with a real-time metadata stream does not seem to be going too far. Otherwise they could not provide any metadata, at least without delay, and end up like Lavabit (e.g. promoted to PCS, required to remove encryption and keep metadata for 6 months). Protonmail has been clear that they will work with authorities and provide metadata when issued with a valid request.
It's a real world after all. Mr. Steiger did not genuinely seem to mean harm (however somehow he clearly managed to) and makes some valid points, but imho he's crying wolf.