Shamir's secret-sharing is one of my favourite algorithms, and it would certainly be useful in an escrow system. But it actually doesn't address the problem brought up by the author, which is the insecurity of having the whole key present in a single location at the moment of encryption. I think it's a fairly minor issue, since the vast majority of users would never have warrants issued for their data and their keys would never be reconstructed (assuming that a critical number of the escrow agencies follows the law).
Far more troubling is the idea that I could be arrested or fined or whatever just for using strong encryption... although I don't think there is an appetite for such unenforceable laws in my country.
EDIT: (from article)
> Threshold crypto refers to a set of techniques for storing secret keys across multiple locations so that decryption can be done in place without recombining the key shares.
Does Shamir's algorithm meet this requirement? My understanding was that the fragments must still be brought together in one place and the key reconstructed, although if there is a way to implement the algorithm without doing this I'd love to know about it.
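As an added example (not part of either commenter's post) of the threshold approach the quoted article describes: Shamir shares of an ElGamal private key let each share holder compute a partial decryption on its own, and the combiner folds those together with Lagrange coefficients in the exponent, so the private key is never reassembled anywhere. The group parameters, share counts and message are toy values chosen for this illustration.

```python
import secrets
# Toy parameters, constructed for illustration only: safe prime P = 2*Q+1, G generates
# the order-Q subgroup. Real systems use a standard large group (e.g. an elliptic curve).
P, Q, G = 2039, 1019, 4

def split_secret(secret, n, t):
    """Shamir: split `secret` (mod Q) into n shares; any t reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(ids):
    """Lagrange coefficients for evaluating the polynomial at x = 0 mod Q."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num, den = num * (-j) % Q, den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def encrypt(pubkey, m):
    """ElGamal: encrypt subgroup element m under pubkey = G^x."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pubkey, r, P) % P

def partial_decrypt(share, c1):
    """One escrow agent raises c1 to its own share; it never sees x."""
    return pow(c1, share, P)

def combine(c2, partials):
    """Combine t partial decryptions with Lagrange coefficients in the
    exponent: prod c1^(s_i * lam_i) = c1^x, so x is never reassembled."""
    lam = lagrange_at_zero(list(partials))
    c1_x = 1
    for i, d in partials.items():
        c1_x = c1_x * pow(d, lam[i], P) % P
    return c2 * pow(c1_x, -1, P) % P

def threshold_roundtrip(n=5, t=3, message=1234):
    """Split x once at setup, then decrypt using only t partial results. Setup still
    creates x in one place; a distributed key generation protocol removes that too."""
    x = secrets.randbelow(Q - 1) + 1
    shares = split_secret(x, n, t)
    m = pow(G, message, P)                      # encode plaintext as a group element
    c1, c2 = encrypt(pow(G, x, P), m)
    partials = {i: partial_decrypt(shares[i], c1) for i in list(shares)[:t]}
    return combine(c2, partials) == m
```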
> the vast majority of users would never have warrants issued for their data and their keys would never be reconstructed (assuming that a critical number of the escrow agencies follows the law).
That would require a unique backdoor key for every device. Somehow these keys would need to be generated, split into parts, and those parts securely distributed to the independent escrow agencies.