
Australian tech companies need to release a program called UltraDecrypt that simply brute-force decrypts any message on their platforms given billions of years and sell it for $10M per license.

Then when law enforcement claims they are not being cooperative, they can say they have a tool that meets their needs if they're patient.




You'd probably be charged with something and punished.

Courts don't take too kindly to people trying to be cute with their demands. It's not like they are going to say "well they are technically right" and give up; they are going to just up the consequences or clarify the request until you comply in the way that everyone knows they want you to.


This. The biggest weakness to encryption systems isn't the math, it's the guy in the uniform who has tied you to a chair and keeps strapping your feet with a rubber hose.


Thus once again revealing -- to those who believed otherwise -- that the police do not exist to "protect" the citizens.


Did Lavabit get additional court punishment for sending SSL keys in 4 pt font?


They were threatened with further charges unless they complied with them in electronic form, which is when the company was famously shuttered.

Edit: And according to the wikipedia page [1] for Lavabit, he was successfully held in contempt of court for the printout move.

[1] https://en.wikipedia.org/wiki/Lavabit


That is incredible. Props to Lavabit. We need more people like that in the tech community.

We absolutely do not need the "not my problem, I don't care, engage in mass surveillance all you want!" engineers.


Well don't be too excited about it, because laws like the one this article is about make that kind of response impossible (as in you WILL be thrown in jail for the rest of your life if you attempt to do that).

And even in the US it still isn't a sure thing that Lavabit's response would work again if someone else tried it. I don't know the details, but I believe there is still some uncertainty around whether the FBI just kind of "allowed" them to close down by not pursuing it any further, or if they got what they needed, or if secret laws were changed because of this instance.

In Lavabit's case, there was a lot of FBI involvement, a lot of secret court orders and gag orders, and a lot of accusations from the owner of Lavabit that he was brought to secret courts without legal representation and no chance to appeal, and even he says that there are things he still can't talk about.


I didn't know the nuances of that timeline. Thanks so much for filling me in!


A colleague and I published a related idea [1] last year: Weaken the encryption just enough so that a government can (barely) afford to do the brute force if they really do care about it that much. (Hint: They almost certainly don't.)

Please note that we're not seriously suggesting that encryption providers should adopt this -- not as long as there are other options. But if you're legally obligated to do something, this is the "f*ck off and leave me alone" approach to compliance.

[1] C.V. Wright and M. Varia. Crypto Crumple Zones: Enabling Limited Access without Mass Surveillance. In Proceedings of IEEE European Symposium on Security & Privacy, 2018. https://www.ieee-security.org/TC/EuroSP2018/program.php#euro... http://web.cecs.pdx.edu/~cvwright/papers/crumplezones.pdf


I've often thought a good solution would be zero-knowledge weak encryption with an additional strong encryption layered on top. When the government comes to ask for data you decrypt with the strong key, but then they still have to do the work to break the weak key.

Thinking like an economist, you want to align the incentives to make it possible but not free to access user data. A weak key (per user) that's breakable with $10k compute cost seems about right to me, but the actual optimal cost may be higher or lower.
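An added worked example of the layered scheme described in this comment and the "brute force budget" idea from the crumple-zone comment above. This is illustration code written for this thread, not code from the paper or from any commenter. It assumes a toy hash-based stream cipher (SHA-256 keystream plus an HMAC tag) standing in for a real cipher, a 16-bit weak layer so the search finishes in seconds, and a constructed cost-per-trial figure for the budget calculation; the real optimal key size is whatever makes the search cost land near the chosen dollar figure.

```python
import hashlib
import hmac
import math
import os
import struct

TAG_LEN = 16
NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || nonce || counter), concatenated.
    # Illustration only; a real deployment would use a standard AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, plaintext: bytes) -> bytes:
    # nonce || ciphertext || tag; the tag lets a decryptor confirm a key guess.
    nonce = os.urandom(NONCE_LEN)
    ct = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes):
    # Returns the plaintext, or None when the tag does not verify under `key`.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


def weak_key_from_index(n: int) -> bytes:
    # The weak layer's key space is the integers below 2**weak_bits;
    # hashing the index just stretches it to a full-width key.
    return hashlib.sha256(b"weak-layer|" + n.to_bytes(8, "big")).digest()


def encrypt_layered(strong_key: bytes, weak_bits: int, plaintext: bytes):
    # Inner layer: per-message weak key drawn from a 2**weak_bits space.
    # Outer layer: the provider's strong key. Returns (blob, weak_index).
    weak_index = int.from_bytes(os.urandom(8), "big") % (1 << weak_bits)
    inner = seal(weak_key_from_index(weak_index), plaintext)
    return seal(strong_key, inner), weak_index


def comply(strong_key: bytes, blob: bytes):
    # What the provider hands over on a lawful request: the outer layer
    # removed, the weak inner layer still intact.
    return open_sealed(strong_key, blob)


def brute_force_weak_layer(inner_blob: bytes, weak_bits: int):
    # The work the requester has to do: exhaust the weak key space.
    # Expected cost is 2**(weak_bits - 1) tag checks.
    for n in range(1 << weak_bits):
        pt = open_sealed(weak_key_from_index(n), inner_blob)
        if pt is not None:
            return n, pt
    return None


def weak_key_bits_for_budget(budget_usd: float, cost_per_trial_usd: float) -> int:
    # Largest key length whose expected search cost (2**(bits-1) trials)
    # stays within the budget. cost_per_trial_usd is a constructed input.
    return math.floor(1 + math.log2(budget_usd / cost_per_trial_usd))


if __name__ == "__main__":
    strong = os.urandom(32)
    msg = b"meet at the usual place"
    blob, idx = encrypt_layered(strong, 16, msg)
    handed_over = comply(strong, blob)
    found = brute_force_weak_layer(handed_over, 16)
    print("weak index used:", idx, "recovered:", found[0], "plaintext:", found[1])
    # Constructed figure: $1e-6 per trial with a $10k budget -> 34-bit weak key.
    print("bits for $10k budget at $1e-6/trial:", weak_key_bits_for_budget(10_000, 1e-6))
```

The point the code makes is that compliance and cost are separable: the provider can fully honour a request by stripping the strong layer, and the dollar figure attached to reading the data is then set purely by `weak_bits`, which the provider chooses up front and cannot lower after the fact without re-encrypting.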



