>(e.g., they presumably would not sign a CSP developed outside the US that implements strong cryptography);<p>They sign the VeraCrypt drivers though. Does that mean this statement is false or does that mean VeraCrypt is sufficently compromised?<p>We may never know.