[bigiain]

Yeah, but "stealing" them isn;t the NSA's only avenue to acquire them. With Lavabit they just said "give us the keys so we can snoop all we want" - I suspect very few of us would be able to resist like Levinson did (as in, shut your company and livelihood down, and hope they don't throw you in jail for doing so). (Fortunately, most of us won't have users with as much heat coming down on them as Snowden, but if you're building _anything_ privacy related you owe it to yourself to consider how far you'd go to protect your users if one of them turned out to be another Snowden...)

[uncletaco]

"stealing" is the only path the NSA can take in the case of ProtonMail, due to their servers being hosted in Switzerland and not within the borders of a nation that has a strong relationship with the US intelligence community.

[bigiain]

I'd bet good money that the NSA can outsource this to their friends/counterparts/lackeys in any of five eyes, nine eyes, and fourteen eyes countries - and through less official channels involving local or flown-in thugs, pretty much everywhere else. They probably can't easily get Huawei's or Baidu's private keys, but I bet there's tens or hundreds of thousands of Protonmail sized companies in China/Russia/everywhere else that they _can_ strongarm the owners or sysadmin staff into handing keys over.

Or maybe I'm just in a way too "the whole world is fucked" mood today...