In comparing ProtonMail with the GPG approach, remember the following:
- As noted earlier, it's far harder to compel or steal that metadata from ProtonMail than from typical email providers. The U.S. government can have that info from Google very quickly and silently.
- GPG remains little-used because it is too complicated for most users. It's worth considering why Snowden resorted to Lavabit rather than trying to educate lots of lawyers and activists on how to use GPG. (He did use GPG for his most sensitive correspondence, however.)
- Both approaches are equally vulnerable to a compromised user machine.
- Even if you and your correspondent both host your own private email server, that server can be physically and silently seized if it is located on U.S. soil, or the soil of any country the U.S. can strong-arm, or if it is hosted/colocated by any company with U.S. ties. And you can't count on encrypted filesystems to save you from government forensics.