A colleague and I published a related idea [1] last year: Weaken the encryption just enough so that a government can (barely) afford to do the brute force if they really do care about it that much. (Hint: They almost certainly don't.)
Please note that we're not seriously suggesting that encryption providers should adopt this -- not as long as there are other options. But if you're legally obligated to do something, this is the "f*ck off and leave me alone" approach to compliance.
I've often thought a good solution would be zero-knowledge weak encryption with an additional strong encryption layered on top. When the government comes to ask for data you decrypt with the strong key, but then they still have to do the work to break the weak key.
Thinking like an economist, you want to align the incentives to make it possible but not free to access user data. A weak key (per user) that's breakable with $10k compute cost seems about right to me, but the actual optimal cost may be higher or lower.
Please note that we're not seriously suggesting that encryption providers should adopt this -- not as long as there are other options. But if you're legally obligated to do something, this is the "f*ck off and leave me alone" approach to compliance.
[1] C.V. Wright and M. Varia. Crypto Crumple Zones: Enabling Limited Access without Mass Surveillance. In Proceedings of IEEE European Symposium on Security & Privacy, 2018. https://www.ieee-security.org/TC/EuroSP2018/program.php#euro... http://web.cecs.pdx.edu/~cvwright/papers/crumplezones.pdf