
And then what? They either keep the keys themselves, or the customer has to ensure that the key exists on every device they want to access the data from. If you're a one-man shop that doesn't matter, but if you're a multi-national trying to roll out Office 365, it makes it prohibitive.


They could always keep the keys in multiple different companies, across multiple jurisdictions. Imagine all Microsoft cloud data is encrypted under a threshold cryptosystem, requiring the cooperation of 5 parties to authenticate users and jointly generate user keys. Now, each of those parties is a fully independent company, with its own CEO, own board, own employees and own counter-espionage division. In order to decrypt the data of any Microsoft user, anywhere in the world, they will need to simultaneously authenticate with:

* Microsoft Corp, U.S.A.

* Microsoft AG, Germany

* Microsoft, China

* Microsoft, Russia

* Microsoft, India

And have each one of those independently generate key material that, when combined, can be used by the user to generate their decryption/signing keys, which are used to secure their data.

In order to compel this system to give the user's data to a third party, all five governments involved must compel all five entities involved to release the key materials.

Of course, even better than 5 "Microsofts" would be a general distributed protocol in which users trust X companies in Y countries with their data, such that no less than Z < X companies are required to approve any re-construction of the user's key. The protocol can further be designed to make it as hard as possible to re-construct any keys without simultaneously announcing publicly that a key has been re-constructed (e.g. via a block-chain based protocol).

Is this a huge pain to implement? Yes, yes it is. But, is there any viable alternative for a globally trusted internet/cloud in the era of internet militarization?


This reads like a strong case of: http://xkcd.com/538/

> Now, each of those parties is a fully independent company, with its own CEO, own board, own employees and own counter-espionage division. [...]

Do you remember that US judges didn't even give a fuck about other _countries_ having different privacy laws? I can't imagine that they will respect that "this company which actually isn't one, but five"-move.


Being in a different jurisdiction makes the wrench crypto-analysis pretty hard as well ;). Not impossible, sure, but politically and economically costly. Remember, this is about trusting some sort of global cloud without everyone in the world having to trust a single third-party government. If the user lives within the country of the government seeking to compel them, and the laws of said country are such that torture is a permitted method of interrogation (specifically, by monkey wrench), well... nothing your cloud provider can do for you, except perhaps try to help you fly under the radar (steganography, anonymous logins, etc.). Keep in mind that in the case of mass surveillance, even if every user is vulnerable to wrench crypto-analysis, the fact that the cloud provider isn't still raises the costs of widespread surveillance enormously.

As for US judges not caring about the five companies thing. Well, so what? They can, assuming their local laws and political climate lets them get away with it, jail everyone working for their local company. This should not compel the other four companies, in four other countries, to give them the extra four components of the key. Note that I selected USA/EU/China/Russia/India for a reason, and not, say... USA/Mexico/Colombia/Afghanistan/Iraq. If this sort of system were the accepted global standard, any nation that tries to "brute force" their own local company, instead of using whatever legitimate procedure becomes available for internationally agreed law enforcement, would just be basically marginalizing itself out of the internet.

I'll be the first to admit that what I am describing is not very likely. It would probably require a significant number of governments to be basically OK with not having access to certain data about people, so long as other governments don't have access either, which is not what most political leaders are clamoring for right now. But the problem is, the alternative is not business as usual either, the alternative is every country basically building their own silo-ed internet over time (China is there, Russia is heading there, the EU is strongly considering it, etc). Reasonably powerful non-U.S. countries will eventually see using U.S.-company run cloud services as equivalent to what Americans would think of say, having their energy grid directly connected to power plants in Russia over Alaska and running no plants within their own territory.


"if you're a multi-national trying to rollout Office 365" ...if you're competent, you already issue your own certificates for other purposes and install them on the computers you own. Therefore maintaining additional keys would not even cause adding more manpower than what you already have.

If you are multi-national and not having your own certificates, I'd be happy to do some consulting for you.


That's not the issue. The issue is that now you have to maintain a solution for key distribution across thousands of laptops, tablets, and phones. For some orgs it isn't too hard and can be part of their existing solutions (as you note), for others it is. Remember that a lot of the reason that orgs are using solutions like Office 365 is remote working, BYOD, and explicitly not having to maintain all that supporting infrastructure (I don't disagree with you though, and best practice is often different from widely-used practice).

Owning your own encryption keys also has other issues: Do you issue per-user keys, or an org-wide key? If you issue per-user keys, how do you share documents between users? If you have an org-wide key that gets compromised, how quickly can you re-key every device and re-encrypt every document (how do you even detect that it's been compromised?)? If you encrypt using your own keys, how does that impact any processing that happens 'in the cloud' (eg. search indexing, batch processing)? Do you need to run encryption endpoints locally that users can access all the data through?

All of these problems are solvable. All of these problems can become a nightmare depending on your org, rollout, users, existing environment, etc.

I guess the point I'm making is that 'encrypt all the things' is rarely the {best,easiest,possible} way to do things.



