[gerard]

Having no cleartext to hand over in individual cases is one form of plausable deniability. Cleverly, it also appears to offer plausable deniability of your service's "primary purpose", since there are few conclusions that can be drawn from the encrypted data in aggregate. So some protection, yes, but there are certainly other ways to get yourself indicted, or your customers blocked, under such general tests.

The example in the article shows the decryption key as a URL fragment, which never hits the wire. A subpoena on Mega's own servers is one thing, but a court compelling them to collect keys from client machines? I would hope not.

[granos]

It feels likely they could claim that any court order to transmit and log the keys would be "unduly burdensome" and would in fact fly in the face of their carefully considered business practices.

[DanBC]

We've seen court orders that caused Hushmail to create malformed Java apps which were then silenty delivered to target machines in order to break encryption.

http://www.wired.com/2007/11/hushmail-to-war/

People pretty much have no option but to comply with court orders. Most people are not going to go to jail so that other people can continue distributing stuff.

This should be a worry with Mega and its current owners.

[amatix]

They were talking about making offline & alternative OSS clients (via an open API) so that if they were legally forced to change the Javascript (which currently does the encryption) that it wouldn't affect the integrity of the service for those users.