Governments around the world are demanding more access to encrypted data, but it has been difficult to build a system that allows the authorities some access without providing unlimited access in practice. In this paper, we present new techniques for maximizing user privacy in jurisdictions that require support for so-called "exceptional access" to encrypted data. In contrast to previous work on this topic (e.g., key escrow), our approach places most of the responsibility for achieving exceptional access on the government, rather than on the users or developers of cryptographic tools. As a result, our constructions are very simple and lightweight, and they can be easily retrofitted onto existing applications and protocols. Critically, we introduce no new third parties, and we add no new messages beyond a single new Diffie-Hellman key exchange in protocols that already use Diffie-Hellman. We present two constructions that make it possiblealthough arbitrarily expensive-for a government to recover the plaintext for targeted messages. First, our symmetric crumpling technique uses a hash-based proof of work to impose a linear cost on the adversary for each message she wishes to recover. Second, our public key abrasion method uses a novel application of Diffie-Hellman over modular arithmetic groups to create an extremely expensive puzzle that the adversary must solve before she can recover even a single message. Our initial analysis shows that we can impose an upfront cost in the range of $100M to several billion dollars and a linear cost between $1K-$1M per message. We show how our constructions can easily be adapted to common tools including PGP, Signal, SRTP, full-disk encryption, and file-based encryption. Targeted access. Most previous work on enabling exceptional access has focused on key escrow; Abelson et al. summarize and critique this approach [1]. (Many of the same authors outline the risks of exceptional access again in a more recent paper [2].) Of all the previous work on key escrow, the one most similar to ours is Shamir's Partial Key Escrow [89]. There, instead of escrowing the entire symmetric key, the user escrows only a small portion of