by wulfstan 425 days ago
I'm not sure I follow. Obviously the application itself needs to support the business logic described, in the same way as your web browser needs to notice that a certificate has expired and tell you there's a problem with a website you're visiting. What I'm exploring is why requiring certain applications to support the same sort of thing to decrypt user data in certain circumstances to support law enforcement is a problem.
2 comments

The closest you can get to what you want is a trusted third party who would help derive the final key. So the key could not be revealed to law enforcement without cooperation of the trusted third party, who would verify policies like time, etc. It may also be possible to have the 'trusted third party' be a piece of tamper-proof hardware. I think generally people are suspicious of these schemes because it relies on 'trust'.

Also, I think Apple has a scheme similar to this for protecting the passcode from being brute-forced when recovering from iCloud backup. However, if this scheme breaks it doesn't reveal the encryption key; I believe it just allows the passcode that protects the encryption key to be brute-forced, which I guess may or may not result in the encryption key being revealed.
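As an added illustration of the scheme sketched in the comment above (this is example code written for this page, not code from the thread, from Apple, or from any real key-escrow product), the following Python models a data key that is a function of two shares: one held by the user's device and one held by a trusted third party that releases its share only while a policy holds. The policy shape (a time window), the HMAC-SHA256 combination step, and every class and function name are assumptions of the example.

```python
# Toy model (added example, not code from the thread) of "a trusted third party
# helps derive the final key": the key protecting the user's data is a function
# of two shares. Without the third party's share, no requester can derive it.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ReleasePolicy:
    """Assumed policy shape: a release window in seconds since the epoch."""
    not_before: int
    not_after: int

    def allows(self, now: int) -> bool:
        return self.not_before <= now <= self.not_after


@dataclass
class TrustedThirdParty:
    """Holds one share. In the comment's framing this role could be played by
    tamper-proof hardware; here it is an ordinary object for demonstration."""
    policy: ReleasePolicy
    share: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    audit_log: list = field(default_factory=list)

    def release_share(self, requester: str, now: int) -> Optional[bytes]:
        """Release the share only inside the window. Every request, granted or
        not, is logged so out-of-policy attempts are visible to an auditor."""
        ok = self.policy.allows(now)
        self.audit_log.append({"requester": requester, "time": now, "granted": ok})
        return self.share if ok else None


def derive_key(device_share: bytes, ttp_share: bytes) -> bytes:
    """Combine the two shares with HMAC-SHA256; neither share alone fixes the output."""
    return hmac.new(device_share, ttp_share, hashlib.sha256).digest()


def recover_key(device_share: bytes, ttp: TrustedThirdParty,
                requester: str, now: int) -> Optional[bytes]:
    """What a requester holding the device share would run: it still needs the
    third party's cooperation, or it gets nothing back."""
    ttp_share = ttp.release_share(requester, now)
    if ttp_share is None:
        return None
    return derive_key(device_share, ttp_share)


def demo() -> dict:
    """Walk through set-up, an in-policy recovery, an out-of-policy attempt,
    and a recovery attempt that guesses the third party's share."""
    device_share = secrets.token_bytes(32)
    ttp = TrustedThirdParty(ReleasePolicy(not_before=1_000, not_after=2_000))
    # Set-up time: device and third party jointly establish the data key.
    data_key = derive_key(device_share, ttp.share)

    in_window = recover_key(device_share, ttp, "request-A", 1_500)
    out_of_window = recover_key(device_share, ttp, "request-A", 5_000)
    # Without the released share a requester can only guess, and a guess
    # produces an unrelated key.
    guessed = derive_key(device_share, secrets.token_bytes(32))
    return {
        "in_window_matches": in_window == data_key,
        "out_of_window": out_of_window,
        "guess_matches": guessed == data_key,
        "denied_requests": [e for e in ttp.audit_log if not e["granted"]],
    }


if __name__ == "__main__":
    print(demo())
```

Two things the model makes concrete. First, the audit log on the third party is where detection lives: a request outside the window is refused and recorded, so misuse of the escrow path is at least observable. Second, everything rests on whatever protects `share` (hardware, or splitting it further among several parties); that protection is exactly the 'trust' the comment says people are suspicious of, and the model offers nothing against a party that can simply read the share out.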

The problem is that nefarious actors aren't physically barred from the data. If China, Big Balls, Zuckerberg, or anyone else want to access that data then they can just remove that check.

More importantly, the thing you're asking for (law enforcement retroactively snooping without there existing a master key) is always impossible.

For other forms of snooping (like a warrant to tap communications for a single device for a period of time), you have related issues. Suppose you magically make such a thing flawless -- the client can't detect intrusion, a single key is actually time-bound, etc. There still exists a group of people with the power to hand out such keys, and that power, however it's implemented, is still a master key to all future communications over that protocol.

You can partially mitigate the risk in various ways, but you can't eliminate it. Every proposal for weakening cryptography in that way has had glaring flaws, and many known attempts at actually weakening it have later been cracked by nefarious actors. Spying, but only for the "good guys," should be met with extreme skepticism as far as cryptographic protocols are concerned.

For all of these schemes, what happens when the people holding keys and power are physically forced out (DOGE et al)? Even if we assume the thing is implemented flawlessly, the people involved never leak anything, the master keys stay secret, ..., you still have the human problem of transitions in power. Do you want the current US administration, one currently arguing that it can "deport" actual citizens to torture prisons with no recourse or court case, to know that six years ago your daughter confided to her best friend that she got an abortion once? That she doesn't believe Israel should be committing genocide? Or, suppose you approve of the current administration, what about the next one that takes the reins with this new set of powers? It's bad enough without decades of chat history to let 70%-accurate AI comb through and make deportation decisions.