When they have a warrant? Absolutely they do. They've always had that power, and every country I know of has warrants of similar power.
If you're hosting encrypted data that focuses on privacy while remaining law abiding, it's just sensible to maintain separate SSL keys so you avoid this very scenario. It's not as if it wasn't foreseeable.
If you have separate server certs per user (as suggested above), then you can tell which user is using the service.
If you have separate client certs per user, then you can tell which user is using the service.
The Lavabit response to the original order was not the best, IMHO. As he was in possession of the certs and private keys, he could have decrypted Snowden's traffic himself, and handed it to the court.
Instead, he tried to hide behind a BS "it's encrypted" defence. The court called his bluff. He lost.
Hmm... is there a way to obfuscate that to the outside? Can you wrap the individual certs? Or use the same cert for everyone, but do a zero-knowledge key exchange for people who want to log in, and then have them authenticate with a signed document keyed to a public key they gave when they signed up for the service?
Anyway, at least in the physical security industry, security isn't about preventing intrusions. It is about delaying it and limiting it until a sufficient response can be mobilized. Perfect security is impossible.
I disagree, but it depends on what type of warrant we're talking about. I'm speaking of a search warrant. A search warrant is used to find and collect evidence that already exists. If authorities need you to change how your business runs to collect new evidence that doesn't yet exist, then that runs into a whole different set of laws. A search warrant doesn't allow, or at least it shouldn't, authorities to walk in and take over your business for their own purposes. Search warrants shouldn't have that level of power because they are so easy to obtain; police just ask a judge to sign a piece of paper. It's easy to obtain because all it should be is a piece of paper that allows law enforcement to enter your property without permission, which would normally be a crime, so that they can search for particular evidence. Search warrants can even be very, very specific as to what exactly law enforcement is really looking for within the property if the judge doesn't want to be overly broad.
What you are describing does happen, but I fail to see how it would happen under a search warrant.
As for your destroying data being against the law if it is requested by the courts, you are correct, except that if your business model is to destroy data in a timely manner then you cannot be held in contempt for destroying data before it was requested. At that point it becomes something different, as they have to request you no longer destroy that data so that they can collect it. I don't see how that request falls under a search warrant. I suppose it could happen if a judge likes being overly broad in search warrants (which could cause problems in the criminal case), but it seems unlikely that's how a typical search warrant would be executed.