ProtonMail updated its transparency report to explain its situation with law enforcement. The subject became popular on Reddit & Dread, where users pointed out that ProtonMail—in extreme criminal cases—will perform actions like monitoring the IP addresses of users engaged in criminal activities.
The company reached out to me, and also updated the transparency report, to explain what was going on. First, this isn’t a policy of ProtonMail, it’s a legal requirement under Swiss law. The amount of “help” the company gives Swiss authorities hasn’t changed.
Edit August 28th, 2019: Due to some confusion from the information previously provided below, we are editing to clarify that we only provide information when ordered to do so by Swiss authorities. Previously, there was confusion arising from the fact that we sometimes comply with orders before we have been officially served with the order via registered post, in cases where we are informed in advance that the order has already been approved.
Second, the policy mentions “extreme criminal cases.” Swiss law describes criminal offenses that would require the term “extreme”, but judges have a bit of discretion in assessing these cases. Individuals also have some protections (e.g., the state must demonstrate other forms of investigation have failed and are likely to fail again).