They claim this is not possible under Swiss law, fwiw. We’ve recently seen that it is possible under German law, with a competitor (Tutanota) building a server-side backdoor for one user.
...but we know it's possible under Swiss law, from this case, for them to be compelled to start logging specific account accesses, that they by default were not previously.
How is that any different from them being compelled to disable or weaken clientside encryption?
In both cases they're being compelled to make changes to their service.
The camel's nose is clearly already under the tent. Everybody needs to start diffing javascript served by them.
> Everybody needs to start diffing javascript served by them.
It would be nice if there were something like Perspectives[0] or Binary Transparency / Sigstore[1] to raise the alarm when something like this happened, but the threat would also be avoided if ProtonMail was available as a SecureBookmark[2].
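One way to do the "diff the served JavaScript" check the commenters are asking for, written here as an added example rather than anything ProtonMail or Sigstore ships: pin the SHA-256 of every script a page references, then on each later visit rebuild the manifest and report scripts that were added, removed, or changed. The page HTML, asset URLs and asset bodies below are constructed sample data; a real monitor would fetch them over HTTPS.

```python
"""Pin and re-check the JavaScript a web client serves (added example, not vendor code)."""
import hashlib
import json
import re
from typing import Callable, Dict, List

# Constructed sample page: two script tags, as a web mail client might reference.
BASELINE_HTML = """<html><head>
<script src="/app.abc123.js"></script>
<script src="/crypto.def456.js"></script>
</head><body></body></html>"""

# Constructed asset bodies keyed by URL; stands in for an HTTP fetch.
BASELINE_ASSETS: Dict[str, bytes] = {
    "/app.abc123.js": b"console.log('app');",
    "/crypto.def456.js": b"function decrypt(k, c) { return openpgp.decrypt(k, c); }",
}

# Matches the src attribute of <script> tags; good enough for a monitor, not a full HTML parser.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


def script_urls(html: str) -> List[str]:
    """Return the script URLs referenced by the page, in document order."""
    return SCRIPT_SRC.findall(html)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(html: str, fetch: Callable[[str], bytes]) -> Dict[str, str]:
    """Map each referenced script URL to the SHA-256 of the body `fetch` returns for it."""
    return {url: sha256_hex(fetch(url)) for url in script_urls(html)}


def diff_manifest(pinned: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which scripts appeared, disappeared, or changed body since the pin."""
    added = sorted(set(current) - set(pinned))
    removed = sorted(set(pinned) - set(current))
    changed = sorted(u for u in set(pinned) & set(current) if pinned[u] != current[u])
    return {"added": added, "removed": removed, "changed": changed}


def check(pinned: Dict[str, str], html: str, fetch: Callable[[str], bytes]) -> bool:
    """True only when the served client matches the pinned manifest exactly."""
    d = diff_manifest(pinned, build_manifest(html, fetch))
    return not (d["added"] or d["removed"] or d["changed"])


if __name__ == "__main__":
    pinned = build_manifest(BASELINE_HTML, BASELINE_ASSETS.__getitem__)
    # Simulate a later visit where one script body was replaced under the same URL.
    tampered = dict(BASELINE_ASSETS)
    tampered["/crypto.def456.js"] = b"/* replaced */ function decrypt(k, c) { return openpgp.decrypt(k, c); }"
    print(json.dumps(diff_manifest(pinned, build_manifest(BASELINE_HTML, tampered.__getitem__)), indent=2))
```

Because production bundles usually carry a content hash in the filename, a changed script tends to show up as an added/removed pair rather than a "changed" entry, which is why the diff keys on the URL set as well as the per-file hash. Any non-empty diff is a signal to inspect, not proof of tampering: legitimate releases produce the same pattern, so the value of the check is that it makes a silent, per-user change visible and comparable with what other users are served.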
That's not the claim. The claim is that we don't know if X is possible under Swiss law. You seem to be the one claiming that because they said it's not possible, then it's not possible. If not, I don't know what you're claiming.
The GP says that it's possible under German law. Is it "FUD" to say that it could end up being possible under Swiss law?
Shouldn't there be fear, uncertainty, and doubt about any channel that activists use to communicate with each other?
I'm not totally sure on this, but if you use their mail bridge, I'm pretty sure the decryption happens on your local PC and the keys never have to leave that.
What if authorities ask, serve this user this malicious JavaScript code to obtain their encryption key?
PM has to obey and the result is the same.