Eight pieces seems too few to me. It's too easy for gov't agencies to "lean on" eight individuals or organizations (someone else suggested "watchdog" groups as fragment holding agencies, but that doesn't seem very good. Groups can change over time, respond to pressure. Putting a lot of fragments in a few hands seems fairly fundamentally flawed). I'd rather see thousands. That way, if Richard Nixon II launched a secret intimidation campaign against a group of enemies (e.g., the Democrats, or the Republicans, or the Libertarians, or the ACLU, or Sierra Club, or people opposed to the Haitian operation, or ...) --- well, it couldn't be secret, because a lot of people would have to know about it. This also requires that key fragment holders know what their fragments are for (the current Capstone architecture associates keys with devices, not people; whether that should be so is another discussion). Of course, this also diminishes the secrecy of the wiretap: if a wiretap is warranted on The Godfather's office phone, what are the odds that someone the FBI doesn't know is working (indirectly) for him will hold a fragment? Maybe that's just a price that has to be paid. What incentive can be given to the fragment holders to get them to take strong measures to protect the secrecy of those fragments? Also, if a key is split into N fragments, and there are k keys per capita (how many telephones do we have today per capita?), each person needs to hold kN fragments (even more if we restrict holders to, say, adult citizens). Can we expect everybody to spend what it takes to hold kN fragments securely? I've also wondered about another way to protect against abuse. There's been some discussion on this list about cryptographically strong time locks: a way to reveal something at a predetermined time in the future. I didn't follow it closely at the time, and don't know how feasible they are (in general, or for this application). But if they could be implemented, how about requiring the fact of a wiretap to be published M months after it's started? Again, I mean in a cryptographically strong way: you couldn't get the key you need for the wiretap without committing to revealing, M months hence, the fact that you've done so. I've also tried to pursue the analogy to current mechanisms with regard to physical searches. This analogy breaks down in a fairly important way: physical searches generally reveal to the searchee the fact that they've taken place; this means Nixon can't conduct a secret campaign against a group of people --- they'd notice they're all subjects. But a good feature of the current system that *could* be carried over to cyberspace is that the physical privacy of my house is under the jurisdiction of a local court --- and the physical privacy of *your* house is under the jurisdiction of a *different* court. We don't have just a few "escrow agencies" that protect everybody; we have lots of agencies, each of which protects a small fraction of us. This also works against being able to keep widespread abuse secret.