
Yea, they say as much in the data privacy FAQ. I think my recommendation is that if you're worried about being explicitly targeted by state actors, don't use email. (Not even Protonmail.)

If you're worried about general data hoovering, AWS would probably need to implement very sophisticated introspection into what your machines are doing to break the SSL on SMTPS, and courts might not be sympathetic to that. I expect state actors would find it easier and more convenient to just hoover from big providers like Gmail instead.




> Yea, they say as much in the data privacy FAQ. I think my recommendation is that if you're worried about being explicitly targeted by state actors, don't use email. (Not even Protonmail.)

Protonmail (and Tutanota, which I went with) both offer E2E encrypted email via open-source client apps, so they should be fine even against state actors if you use their encryption. In the case of Tutanota, this has even been tested in court.

Of course, if you use them to send or receive plain ol' unencrypted email, this largely goes out of the window regardless of the provider.


The E2E will help so long as you're sending email to other users of the same service, yeah. For most cases, it's probably not a huge upgrade from stored encrypted; the bulk of damage in email leaks would be from accumulated emails from the past.

The reason I don't recommend using it if you're super paranoid is because it'd be easy to mess up, and it comes with quite significant holes, e.g. subjects aren't E2E in Protonmail. Best to use a protocol designed for E2E from the ground up.

https://protonmail.com/support/knowledge-base/does-protonmai...


Tutanota went with a different tradeoff so they have E2E encryption of subject lines etc. Downside is that they can't support other clients, which is why I wouldn't have even considered them if the apps hadn't been open source.

https://tutanota.com/secure-email/

They also have a pseudo-workaround for using E2E with external users - if I send a secure message to foo@bar.com, I can encrypt it with a pre-shared password and their mail will get a link to a web "mailbox" where they can enter that password to decrypt the message. Clunky, but I wouldn't know how to do better.


I personally feel that calling Proton Mail or Tutanota end-to-end encrypted is sort of misleading. Sure, they may have the contents of your mailbox encrypted but in transit they can see your email in plain text and so can the recipient's mail server. If you desire E2EE I highly recommend using GPG or Signal.


I don't know about the Protonmail UX, but the Tutanota apps at least make it very clear when sending an email whether you're using E2E or just plain unencrypted mail. (If you leave it on E2E and try to email a non-Tutanota account, it will ask you for a pre-shared password with which to encrypt the message.)



