Once upon a time I built one of the major providers' sensitive data services, and a typical artifact of a warrant for a cloud provider is a stipulation that the warrant discovery be done without alerting the customer to the search. By encrypting your data with a key management service and enabling the provider's audit services (aka CloudTrail), it is impossible by design to execute the warrant without the customer receiving audit trail information about the provider's access of the keys and the data service. In theory the provider could make back doors, but the law actually is on their side in that they are not required to take extraordinary measures that materially impact their business to circumvent controls.
Further, there is no physical seizure possible.
I know that for most small newspapers this is beyond their technical ability or understanding. I challenge this community: maybe there should be an OSS cloud-deployable journalism platform with strong security, information resiliency, and defense in depth and breadth against the state.
I think this is fairly complex, though, to avoid a potential issue that likely won’t exist. By simply instrumenting audit and using service provider encryption services like AWS KMS with CMK with audit trails turned on, you generally insulate yourself from most warrants. You can still be compelled to turn over data, but it would have to be done with you being aware of it and often with your direct involvement. More importantly, you would retain a copy of everything and all your infrastructure. If they have convincing evidence you’re using your infrastructure to commit crimes, the cloud provider may freeze your account, though, but it would have to be more than “we think you have evidence of a crime in your data” and more like “you are using EC2 instances to commit crimes actively”.
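An added example, not part of the original comment: one way to review CloudTrail records for use of a KMS key by principals outside an expected set, which is the audit-trail review the comment relies on. The key ARN, principals, IP addresses, allow-list and log records are all constructed; only the record field names follow CloudTrail's format.

```python
import json

# All ARNs, IPs and records below are constructed sample values.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APP = "arn:aws:sts::111122223333:assumed-role/cms-app/i-0abc"
EXPECTED = {APP}  # assumed allow-list of the owner's own principals
KEY_USE_EVENTS = {"Decrypt", "GenerateDataKey", "ReEncrypt", "CreateGrant"}

def _rec(time, source, name, arn, ip, key=KEY_ARN):
    """Minimal record using CloudTrail field names."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "resources": [{"ARN": key}]}

OTHER = "arn:aws:sts::111122223333:assumed-role/unknown-role/session"
ADMIN = "arn:aws:iam::111122223333:user/ops-admin"
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "kms.amazonaws.com", "Decrypt", APP, "10.0.0.5"),
    _rec("2024-01-01T10:05:00Z", "kms.amazonaws.com", "Decrypt", OTHER, "198.51.100.7"),
    _rec("2024-01-01T10:06:00Z", "s3.amazonaws.com", "GetObject", OTHER, "198.51.100.7"),
    _rec("2024-01-01T10:07:00Z", "kms.amazonaws.com", "CreateGrant", ADMIN, "203.0.113.9"),
    _rec("2024-01-01T10:08:00Z", "kms.amazonaws.com", "Decrypt", ADMIN, "203.0.113.9",
         key="arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"),
]})

def principal_of(record):
    # Calls made on your behalf by an AWS service carry invokedBy.
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or "unknown"

def unexpected_key_use(log_text, key_arn=KEY_ARN, expected=EXPECTED):
    """Return (time, event, principal, source IP) for key use by unlisted principals."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in KEY_USE_EVENTS:
            continue
        if not any(r.get("ARN") == key_arn for r in rec.get("resources") or []):
            continue
        who = principal_of(rec)
        if who not in expected:
            findings.append((rec.get("eventTime"), rec.get("eventName"),
                             who, rec.get("sourceIPAddress")))
    return findings

if __name__ == "__main__":
    for finding in unexpected_key_use(SAMPLE_LOG):
        print(finding)
```

A review like this only has value if the trail is delivered somewhere the reviewed principals cannot alter, for example a separate logging account.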