Edit: Sorry. Not Switzerland. Sweden. For some reason thought Switzerland.
> The mail service that handed over data of a customer to a foreign government
First, ProtonMail can only hand over meta-data, because data is encrypted.
Second, "ProtonMail does not give data to foreign governments; that’s illegal under Article 271 of the Swiss Criminal code. We only comply with legally binding orders from Swiss authorities."
> and changed the privacy statement on their site
The privacy policy was not misleading if you read it carefully. It was not "changed" as in removing a lie from the statement. At best, it was clarified to ensure *everyone* would correctly understand it in the future. It is accessible at https://protonmail.com/privacy-policy
What may have been misleading was the marketing message on the homepage. If you pondered each word of the one-sentence marketing message, you could have guessed that the expression "by default" was there for a purpose. Companies do not add useless words for marketing; they do it to avoid false advertisement. However, this is not the same thing as the privacy policy. And ProtonMail stated that they would fix that: "we will be making updates to our website to better clarify ProtonMail’s obligations in cases of criminal prosecution".
Quotes are taken from: https://protonmail.com/blog/climate-activist-arrest/
Not a fiasco as they're required by law to keep IP logs. You can disable the logging of IP sessions in the PM dashboard, but you can't guarantee that PM will not keep logs, since their servers are all Public Internet Facing. The only way ProtonMail is 100% zero knowledge is to be a 100% dark-net/Tor service, which immediately turns off 99% of their users.
I don't understand how we should trust a company we know nothing about other than the text they put on their website which basically means nothing.
As for why to trust Mullvad in particular, you can't trust them completely but they list all their employees and their ownership structure publicly, they have a good track record, they have documentation which seems like it's written by people who know about security and their customers' potential threat models, and they don't have a suspiciously large advertising budget.
However, I wouldn't trust any VPN if you have to withstand targeted scrutiny from governments.
Gotcha
> Plus setting up a DO droplet VPN sounds like a PITA
It's actually very easy using https://getoutline.org/ - can highly recommend it if you need a fixed IP. And you can buy DO droplets with cryptocurrency through Bithost.
In English they are similar as well but spelling and pronunciation are different enough that there should be less confusion, at least on paper. Not sure why there is such confusion in practice.
___
[1]: Kind of a sub-genre of alternate history and/or history-simulation-game AI timelapse videos.