How about having one employee in each of those jurisdictions and setting up a way so that nothing can be done such as deploys and code changes, etc. without one employee from each jurisdiction using their key together. There is no way that a government is going to be able to compel like four citizens from four different countries from complying if it is possible. A US admin could give up their key to the US government and it would still be useless if they can't get the an admin from Iceland, Switzerland, New Zealand and Hong Kong to also participate in the change. It would allow people to comply with the letter of the law to avoid comtempt of court since they gave up their key as asked.
Wouldn't that require N principals, one for each jurisdiction, which is an unusual organizational structure, and requires a lot of trust and shared vision even if it's an n-of-m authorization system?
Sort of. Just because N people from different countries and time zones each need to enter their password in order to make a production change doesn't mean that the organizational structure needs to follow that. For all we care, only the subteam that does production deployments would need to be set up this way.
They would, however, need highly trusted agents in several legal jurisdictions. Agents who they trusted with the ability to bring the company down. Still... I think I might pay for a service like that, if some of the principle participants were people I trusted so I was sure it wasn't a honeypot.
