also if they want to intercept a few of your high profile users, the fact you're using SSL really isn't going to stop them, when they can issue valid certs for your domain without asking you.

short of SSL pinning being widely deployed: you're powerless to stop them, and while it's an admirable goal, it's ultimately disingenuous to suggest that you can safeguard your user's privacy.

I'm not suggesting that I can safeguard user privacy, but doing something is better than doing nothing, and certainly I can do what I am able to. Ultimately the user is far more likely to give up their privacy by posting identifiable information online, and through graph analysis revealing their associates too.

What I can do though is: Leave the core data in Europe, not store anything that I do not need to offer the service (and I don't need your real identity), educate users and encourage the use of Tor and VPNs, implement what measures I can do protect users (SSL).