A key management system includes a hierarchy (10) of independent key arbitration centers (KAC) for providing access to a user's session keys through key management centers (KMC). When a court order is issued for a user's session keys, a message requesting the keys is transferred down through hierarchy until a terminal KAC (16,36) is reached. Each KAC in the hierarchy adds its ID and signs (116) the message, verifying prior signatures (114). The user's ID is encrypted with the terminal KAC's public key. The terminal KAC engages in a blind key access procedure (129) with the KMC (18,38) to receive the user's session key. The key is provided encrypted with the requesting party's or agency's public key. Accordingly, privacy is assured because only the KMC and the requesting agency have access to the actual key value, and only the terminal KAC and requesting agency have access to the user's ID. No other KACs in the hierarchy have access to the user ID or key value, and the KMC does not know which user's key has been provided.