I wonder why such organizations that hold critical data for the community at large do not use an international canary system.

Should one of the countries issue an order, the ones outside of its jurisdiction can openly disclose the information. Say if the US forces the US entity to not do something, the French one sees it and can warn all users.



"I've been ordered not to tell the details, but I know you will publish them, so I'm going to tell you the details" is not going to be taken as "obeyed the order" by law enforcement or courts.


Sorry but I think I do not understand (English is not my first language). Who would be in trouble?

In case anything happens with the content of the service, the detail of the changes would be made clear by someone outside the jurisdiction.

A typical example is TrueCrypt that, one day, changed their page to say to use something else instead of their product.

If the code was shared between several countries, the others could simply publish that this and that was changed out of band, and that it means that the code is now positively unsafe.


We're not talking code changes here, but purely a data request. For code changes the trail is more obvious and it being noticed is easier to explain - but you are still in a situation that anything that can be read as you publishing it in an indirect way (e.g. by giving details to a connected organization which you know won't keep it private) will be taken as such and get you in trouble. I think it'd be quite hard to construct that in a truly "safe" way.


> We're not talking code changes here, but purely a data request

You are right. My comment was a bit off-road, I could have made that clearer (about how to deal with "data" (code, ...) in an international context).

> I think it'd be quite hard to construct that in a truly "safe" way.

For open source code it is easy - everyone sees the changes and why they've been promoted.

For closed source, having your source at a third party (or synchronized), build from only the identical code (between the two repositories), and enforce a two-eyes kind of code promotion (merge) will make it so that any change in the code that is not vetted by both parties (or multiple parties) will not get built.

I gave the example of TrueCrypt that was unfortunately US-only and they had to revert to allusions in order to inform that it was tampered with.
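The build gate sketched in the comment above (source mirrored at parties in different jurisdictions, a build only from byte-identical code, and a merge that requires sign-off from each party) can be expressed as a small release check. The following is an added example, not code from the thread or from any project mentioned in it; the mirror names `us`/`fr`, the organization names `us-org`/`fr-org`, the file contents and the in-memory snapshots standing in for real git trees are all constructed for the demonstration.

```python
import hashlib
from typing import Mapping, Sequence, Tuple


def tree_digest(files: Mapping[str, bytes]) -> str:
    """Deterministic digest of a source snapshot (path -> bytes).

    Constructed stand-in for a git tree hash so the example runs without git:
    paths are hashed in sorted order together with a hash of their content,
    so any change to any file in any mirror changes the digest.
    """
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode("utf-8") + b"\0")
        h.update(hashlib.sha256(files[path]).digest())
    return h.hexdigest()


def build_gate(mirrors: Mapping[str, Mapping[str, bytes]],
               approvals: Sequence[Tuple[str, str]],
               required_orgs: Sequence[str]) -> Tuple[bool, str]:
    """Return (allowed, reason).

    A build is allowed only when (1) every mirror holds byte-identical source
    and (2) every required organization has approved that exact digest.
    An edit that reaches one mirror but not the others, or a digest approved
    by only one party, blocks the build and the reason says why.
    """
    if not mirrors:
        return False, "no mirrors configured"
    digests = {name: tree_digest(files) for name, files in mirrors.items()}
    distinct = set(digests.values())
    if len(distinct) != 1:
        detail = ", ".join(f"{m}={d[:12]}" for m, d in sorted(digests.items()))
        return False, f"mirrors diverge: {detail}"
    digest = distinct.pop()
    approved_by = {org for org, d in approvals if d == digest}
    missing = [org for org in required_orgs if org not in approved_by]
    if missing:
        return False, f"digest {digest[:12]} lacks approval from: {', '.join(missing)}"
    return True, f"digest {digest[:12]} approved by {', '.join(sorted(approved_by))}"


# Constructed sample tree, held identically by a US mirror and a French mirror.
BASE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/crypto.c": b"/* cipher wrapper */\n",
}
US_MIRROR = dict(BASE)
FR_MIRROR = dict(BASE)

# Constructed: a change that landed in the US mirror only, outside the
# agreed promotion path, so the French mirror never saw it.
TAMPERED_US = dict(BASE)
TAMPERED_US["src/crypto.c"] = BASE["src/crypto.c"] + b"/* change not seen by fr mirror */\n"

REQUIRED = ["us-org", "fr-org"]


def demo() -> dict:
    """Run the gate over three scenarios and return the verdicts."""
    good = tree_digest(BASE)
    approvals = [("us-org", good), ("fr-org", good)]
    return {
        "clean": build_gate({"us": US_MIRROR, "fr": FR_MIRROR}, approvals, REQUIRED),
        "tampered": build_gate({"us": TAMPERED_US, "fr": FR_MIRROR}, approvals, REQUIRED),
        "one_approval": build_gate({"us": US_MIRROR, "fr": FR_MIRROR}, approvals[:1], REQUIRED),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:13s} allowed={ok} ({why})")
```

The gate deliberately reports mirror divergence before it looks at approvals: a party that can see the other mirror's digest can state publicly that the trees no longer match without having to describe what the differing change is, which is the observable signal the comment is after.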