Full disclosure - I’ve been using Proton as my primary email provider for more than a year at this point, so I am going to be biased in their favor. Having said that, this seems like an issue of bad OPSEC and someone not fully understanding what their threat model actually is. Not even getting into the whole “morality vs legality” angle, but this person knew well enough that their government would find their actions to be objectionable that they willingly chose an email provider that markets itself as being a private solution, but took no additional measures to actually preserve their privacy past that.
First of all, the fact that they’re choosing email of all things to communicate about things their government considers terrorism is an awful choice. There’s already an excellent article in the Privacy Guides knowledgebase that explains this much more eloquently than I ever could, but email is an inherently insecure medium, and something like Signal would’ve been a much better choice for secure E2EE communications. In this vein, I am fully confident that any other private email provider, such as Tuta or Mailbox.org, would provide similar information if given a lawful court order. But let’s say that the people this person was communicating with just refused to use anything other than email for some reason, and a secure email platform like Proton was the best choice.
Issue two: this person set a recovery email that linked directly to an Apple ID that was linked to their actual identity. Realistically, this is a mic drop moment. For someone giving correspondence to an organization that their government considers terrorists, this is inexcusably negligent. Even for the mandatory verification email upon account signup, which is not the same as an optional recovery email, there are temporary mail services such as 10 minute mail that could be used for this purpose. Of course, we could easily make the argument that Proton should encrypt this information, but realistically this shouldn’t have been an issue at all because the recovery email is voluntary additional information. This person’s email should’ve been treated like a burner account, and linking PII to a burner account is, again, inexcusably negligent.
We could get even more granular, talking about the importance of using a trusted VPN or Tor, using the email itself on burner devices, etc. But in the end this is really just a massive OPSEC failure. In a perfect world Proton wouldn’t be legally obligated to give out information to potentially hostile governments, but Proton is a business at the end of the day, one that is primarily designed for people who want a privacy-respecting Gmail alternative that doesn’t scrape their personal emails for information to sell to advertisers. They won’t go out of their way to protect you if the Swiss courts decide that you’ve done something illegal.