I assumed it would be a unique 3rd key per user/transaction. It increases the burden of the escrow-holder (by vastly increasing the number of keys to manage), but has the benefit of allowing granular access to data, rather than compromising all of one service if a warrant is served for a single user's information.