The other problem is that even within one government there isn’t really “the” government. There’s office A and task group X and the prosecutor for this area and that special envoy and this law enforcement agency and that law enforcement agency and various courts, etc, etc, etc.
If you haven’t worked much with a large government, you don’t tend to realize just how fractured it all is.
And as someone that consulted for large government organization, the key will be emailed to anyone who needs access. I had access to ssh keys from the project owner for a government contract and the person did not even ask me to delete the keys after the project was over.
You probably signed a form saying you would. As long as they have a signed form and you have the keys, everyone is happy. Nothing is really secure anyway, except the stuff that matters.
> Nothing is really secure anyway, except the stuff that matters.
This is the key, I feel. Just enough CYA while still doing BAU (which includes security agencies snooping on people). Governments think they will be able to secure their important stuff. Everyone else can have the illusion of security, without actual security. When there is a master key leak, it will be someone else's problem, and can be blamed on bad actors.
If you haven’t worked much with a large government, you don’t tend to realize just how fractured it all is.