"The Stanford Center for Internet and Society's Jennifer Granick, director of civil liberties, and Riana Pfefferkorn, cryptography fellow, said at Black Hat 2016 that companies are often under no legal obligation to comply with law enforcement data requests, because data requests are not orders and even court orders are not the law.
Granick said that, under most of the legal statutes cited by law enforcement in data requests, companies have the right to fight back over "issues of appropriateness, necessity, burden [and] security," although she warned that even these issues can have murky definitions.
A meaningful burden could include the amount of work required to comply with the data request, potential damage to customers or financial or competitive damages to a company.
Granick and Pfefferkorn said many data requests fall under just a few statutes like CALEA, the Pen Register Act, the Wiretap Act and the All Writs Act. However, each of these statutes has limitations that should be understood.
CALEA only applies to companies that aim to replace phone lines, such as VoIP services, Granick said, but it does not apply to internet services in general. The Pen Register and Wiretap Acts only apply if the technical assistance requested is "unobtrusive and necessary." The All Writs Act was written in 1789 and predates the Fourth Amendment, so it is still unclear whether that act can be extended to modern technologies.
Additionally, Pfefferkorn said, these statutes stipulate that companies should decrypt data if the provider has both the data and the decryption keys, but they don't extend much further than that."