Secure email bods ProtonMail open signup floodgates to world+dog

Anonymous Coward

If it sounds as if I am negative then that's not the case. ProtonMail make a decent fist of this in a reasonable jurisdiction, however I doubt that it will protect you properly if the NSA/GCHQ are interested in you.

ProtonMail cannot say anything else because they're a tech company, not a law firm. Very few tech companies have a view of the laws that govern their customers, so I would not blame ProtonMail for that other than that they ought to know one thing:

They cannot protect their customers from local law - because that's how law works.

If you're a UK user of ProtonMail, they can protect you against surveillance (well, to a degree, it depends on how the mobile apps work because there's more to privacy than just security) but if you are served with a warrant as a UK user you only have one choice: comply. This also applies to UK companies using their email.

What ProtonMail has done right is to create a proper Swiss-based company (with some residual leverage risk due to the involvement of a US passport holder) - few people know Swiss privacy laws (235.1 and 235.11) enough to realise that foreign ownership of a Swiss company means that the data they hold is NOT under Swiss privacy law, but under the laws of the country of origin. There are at least 2 "privacy service" companies I know that have that exposure, unbeknownst to their customers.

The final question ProtonMail has to address is the trickiest one to solve of all: how to prevent criminals from flocking to their services, because that WILL happen, especially if you try to hit the volume market. I spent considerable time working with law enforcement and even Europol on this because like it or not, bad people DO exist and although I fully support Apple in its current battle, I also understand the need of proper law enforcement (defined as "people who genuinely try to do a job", not power grabbing political idiots) to be able to put bad guys away.

That last one will always be a balance. Swiss laws are very prescriptive in how they protect your privacy even during an investigation (which is the best way to prevent legal abuse), but I think that if there is something that DOES make it through that filter you ought to pay attention as a company. If you don't have access to the data the answer is simple, but you may have to take that user account down to minimise the risk to all other users. There are no easy answers to the criminal issue.
