So the most likely scenario is that the carriers are cooperating... Are they cooperating only with the US, or are they cooperating with other nations as well? Seems safe to assume they're cooperating with any/all nations that have a significant market for their products (i.e. leverage).
That's fairly scary though -- I assume the keys / encryption stays the same across similar networks, regardless of nation (given that phones continue to work abroad)? Perhaps the keys / encryption does differ by carrier, I'm not sure, but I'd definitely be curious. As long as they stay undetected, sounds like there is very little stopping COUNTRY_X from deploying these in COUNTRY_Y for their own gain, not to mention 'lower level' criminals / mafia / etc...
And obviously there are plenty of people out there (reverse-engineers, employees/insiders, et al.) that have access to the keys...
Any idea if the exceptions that the FCC makes are public information, or obtainable via FOIA or similar? I'm guessing the FCC has a rigid "exception request process" in place and, hopefully, they only provide [super] limited-scope exceptions (without warrants, eh)... I'd love to see what exceptions are actually being made and what limits, if any, they contain.
Anyways, this is definitely pretty far outside of my realm of knowledge but I find the tech incredibly intriguing and very interesting nonetheless (and I agree with comments here regarding the FCC).