Miranda – Page 14 – DoGoodSoft's Official Blog

Your self-encrypting hard drive isn’t nearly as secure as you thought

If you want to keep your information away from hackers and snoops, whether it’s your Internet use, email, hard drive data or your backup, the best thing you can do is use encryption. Encryption scrambles your data and, in theory, the only way to unscramble it is to know the password. That’s why choosing a strong password no one can guess is important.

This is also what makes a ransomware virus that encrypts your files so dangerous. Without paying for the decryption password, you can’t get your files back. Learn three steps you can take to beat ransomware. Unfortunately for your security, encryption isn’t always a secure as you’d hope.

Without going into too much technical detail, there are a lot of ways that encryption can happen, from the method it uses to encrypt the data to how many bits it uses. For example, you’ll see 128-bit AES and 256-bit AES show up a lot in programs and Web encryption. There’s SHA-1 and SHA-2 from the NSA. For your router, you’ll see options like WEP, WPA TKIP, WPA2 AES and more.

Unfortunately, not all encryption is created equal. For centuries, mathematicians and cryptographers have been coming up with and breaking encryption schemes. As computers have gotten more powerful, encryption that should have taken centuries to crack can fail in seconds.

That’s why you don’t see much 64-bit AES anymore, why using WEP on your router is the same has having no encryption, and why large organizations are moving from SHA-1 to SHA-2 encryption.

Of course, this is way more than the average person should have to think about. You should be able to trust that every company is using the best encryption possible in the products you buy and use. Unfortunately, that often isn’t the case, and we just got a fresh reminder.

Western Digital’s hard drive encryption is useless. Totally useless

The encryption systems used in Western Digital’s portable hard drives are pretty pointless, according to new research.

WD’s My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the computer. The devices use 256-bit AES encryption, and can be password-protected: giving the correct password enables the data to be successfully accessed.

Now, a trio of infosec folks – Gunnar Alendal, Christian Kison and “modg” – have tried out six models in the WD My Passport family, and found blunders in the software designs.

For example, on some models, the drive’s encryption key can be trivially brute-forced, which is bad news if someone steals the drive: decrypting it is child’s play. And the firmware on some devices can be easily altered, allowing an attacker to silently compromise the drive and its file systems.

“We developed several different attacks to recover user data from these password-protected and fully encrypted external hard disks,” the trio’s paper [PDF] [slides PDF] states.

“In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the user’s PC, facilitating evil maid and badUSB attack scenarios, logging user credentials, and spreading of malicious code.”

My Passport models using a JMicron JMS538S micro-controller have a pseudorandom number generator that is not cryptographically safe, and only cycles through a series of 255 32-bit values. This generator is used to create the data encryption key, and the drive firmware leaks enough information about the random number generator for this key to be recreated by brute-force, we’re told.

“An attacker can regenerate any DEK [data encryption key] generated from this vulnerable setup with a worst-case complexity of close to 240,” the paper states.

“Once the DEK [data encryption key] is recovered, an attacker can read and decrypt any raw disk sector, revealing decrypted user data. Note that this attack does not need, nor reveals, the user password.”

Drive models using a JMicron JMS569 controller – which is present in newer My Passport products – can be forcibly unlocked using commercial forensic tools that access the unencrypted system area of the drive, we’re told.

Drives using a Symwave 6316 controller store their encryption keys on the disk, encrypted with a known hardcoded AES-256 key stored in the firmware, so recovery of the data is trivial.

Meanwhile, Western Digital says it is on the case.

“WD has been in a dialogue with independent security researchers relating to their security observations in certain models of our My Passport hard drives,” spokeswoman Heather Skinner told The Register in a statement.

“We continue to evaluate the observations. We highly value and encourage this kind of responsible community engagement because it ultimately benefits our customers by making our products better. We encourage all security researchers to responsibly report potential security vulnerabilities or concerns to WD Customer Service.

NSA, Apple Chiefs Decode Encryption Views

LAGUNA BEACH, Calif.—The heads of the National Security Agency and the world’s most valuable company appeared to try to make nice Monday night over their contrasting views on encryption—to a point.

NSA Director Adm. Michael Rogers and Apple Inc. Chief Executive Tim Cook, appearing at The Wall Street Journal’s technology conference, WSJDLive, spoke in broad terms about encryption in back-to-back interviews.

Asked about efforts by Apple and other tech firms to build products that protect user data and communications from law enforcement, Mr. Rogers said, “Strong encryption is in our nation’s best interest.”

But asked if that included impenetrable encryption, he quickly interrupted, “That’s not what I said.”

Mr. Cook, appearing later, disagreed on the latter point. “I don’t know a way to protect people without encrypting,” he said. “You can’t have a backdoor that’s only for the good guys.”

Apple and federal officials have been at odds for more than a year, since Apple issued a new version of its mobile-operating system that it said safeguards user information, even from law enforcement. But the White House signaled recently that it won’t seek new laws to force tech companies to make products that allow law enforcement to eavesdrop.

Messrs. Cook and Rogers said both sides in the encryption debate need to turn down the vitriol. “Reasonable people can have discussions and figure out how to move forward,” Mr. Cook said.

On other subjects, Mr. Cook said, Apple has 15 million users on its streaming music service, including 6.5 million paying subscribers.

Apple launched Apple Music on June 30, offering every user a three-month trial period. Once the trial period ends, customers pay $9.99 a month for individual users and $14.99 for families. The first batch of customers came off the trial period at the end of September.

Mr. Cook also spoke unusually frankly about the automobile industry, although he declined to address Apple’s interest in building an electric car. The Apple CEO said he sees a “massive change” coming in the automobile industry as major technologies shift the sector away from today’s combustion-engine focus.

He said he sees software, electrification and autonomous driving technologies playing a crucial role in the cars of the future. “That industry is at an inflection point for massive change, not just evolutionary change,” he said.

The NSA may have been able to crack so much encryption thanks to a simple mistake

The NSA could have gained a significant amount of its access to the world’s encrypted communications thanks to the high-tech version of reusing passwords, according to a report from two US academics.

Computer scientists J Alex Halderman and Nadia Heninger argue that a common mistake made with a regularly used encryption protocol leaves much encrypted traffic open to eavesdropping from a well-resourced and determined attacker such as the US national security agency.

The information about the NSA leaked by Edward Snowden in the summer of 2013 revealed that the NSA broke one sort of encrypted communication, virtual private networks (VPN), by intercepting connections and passing some data to the agency’s supercomputers, which would then return the key shortly after. Until now, it was not known what those supercomputers might be doing, or how they could be returning a valid key so quickly, when attacking VPN head-on should take centuries, even with the fastest computers.

The researchers say the flaw exists in the way much encryption software applies an algorithm called Diffie-Hellman key exchange, which lets two parties efficiently communicate through encrypted channels.

A form of public key cryptography, Diffie-Hellman lets users communicate by swapping “keys” and running them through an algorithm which results in a secret key that both users know, but no-one else can guess. All the future communications between the pair are then encrypted using that secret key, and would take hundreds or thousands of years to decrypt directly.

But the researchers say an attacker may not need to target it directly. Instead, the flaw lies in the exchange at the start of the process. Each person generates a public key – which they tell to their interlocutor – and a private key, which they keep secret. But they also generate a common public key, a (very) large prime number which is agreed upon at the start of the process.

Since those prime numbers are public anyway, and since it is computationally expensive to generate new ones, many encryption systems reuse them to save effort. In fact, the researchers note, one single prime is used to encrypt two-thirds of all VPNs and a quarter of SSH servers globally, two major security protocols used by a number of businesses. A second is used to encrypt “nearly 20% of the top million HTTPS websites”.

The problem is that, while there’s no need to keep the chosen prime number secret, once a given proportion of conversations are using it as the basis of their encryption, it becomes an appealing target. And it turns out that, with enough money and time, those commonly used primes can become a weak point through which encrypted communications can be attacked.

In their paper, the two researchers, along with a further 12 co-authors, describe their process: a single, extremely computationally intensive “pre-calculation” which “cracks” the chosen prime, letting them break communications encrypted using it in a matter of minutes.

How intensive? For “shorter” primes (512 bits long, about 150 decimal digits), the precalcuation takes around a week – crippling enough that, after it was disclosed with the catchy name of “Logjam”, major browsers were changed to reject shorter primes in their entirety. But even for the gold standard of the protocol, using a 1024-bit prime, a precalculation is possible, for a price.

The researchers write that “it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.”

“Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation.”

There are ways around the problem. Simply using a unique common prime for each connection, or even for each application, would likely reduce the reward for the year-long computation time so that it was uneconomical to do so. Similarly, switching to a newer cryptography standard (“elliptic curve cryptography”, which uses the properties of a particular type of algebraic curve instead of large prime numbers to encrypt connections) would render the attack ineffective.

But that’s unlikely to happen fast. Some occurrences of Diffie-Hellman literally hard-code the prime in, making it difficult to change overnight. As a result, “it will be many years before the problems go away, even given existing security recommendations and our new findings”.

“In the meantime, other large governments potentially can implement similar attacks, if they haven’t already.”

The next steps for the White House on encryption

THE OBAMA administration’s decision not to seek legislation requiring technology companies to give law enforcement access to encrypted communications on smartphones has a certain logic. In this age of hacking and cyberintrusion, encryption can keep most people safer. But the decision also carries risks. Encryption can give a tiny band of criminals and terrorists a safe haven. The United States must now make the most of the useful side of encryption, but without losing sight of the risks.

FBI Director James B. Comey warned last year that law enforcement might be “going dark” because technology companies, including Apple and Google, are introducing ways for users to send encrypted messages by smartphones that can be unlocked only by the users, not by the companies. Mr. Comey was alarmed this would give criminals and terrorists a place to communicate that was beyond reach even of law enforcement with a court order. Mr. Comey suggested Congress require tech companies to provide what is known as extraordinary access to encrypted information, a “lawful intercept” capability, sometimes referred to as a backdoor, or a special key for the government. We sympathized with Mr. Comey’s appeal and urged all sides to look for a compromise.

No compromise was forthcoming. The reaction to Mr. Comey’s suggestion in the technology world was a strong protest that any weakening of encryption — even a tiny bit, for a good reason — creates a vulnerability for all. The firms also made the argument that encryption can be a positive force in today’s chaotic world of cyberattacks; their customers want absolute privacy, too, for the digital lives held on the smartphones in their pockets. They also pointed out that if backdoor access is granted to the U.S. government, it will provide cover for authoritarian governments such as China and Russia to demand the same or worse.

Mr. Comey said last week that private talks with the tech companies have been “increasingly productive.” That is promising. There are methods the FBI might use to crack encryption case by case or to find the information elsewhere. The FBI and state and local law enforcement are most in need; the National Security Agency has much stronger tools for breaking encryption overseas.

Having stood up to Mr. Comey, Silicon Valley should demonstrate the same fortitude when it comes to China and Russia and absolutely refuse to allow intrusions by these and other police states. It would help, too, if President Obama articulated the principle loud and clear.

That leaves a nagging worry. The United States is a rule-of-law nation, and encryption technology is creating a space that is in some ways beyond the reach of the law. Encryption may indeed be valuable to society if it protects the majority. But what if it enables or protects the 1 percent who are engaged in criminality or terrorism? That threat has to be taken into account, and so far it remains unresolved. It will not go away.

Aadhaar encryption protects privacy, will take eons to crack

The Aadhaar system’s data collection and storage is strongly protected by sophisticated encryption processes to ensure biometric data does not leak either through private contractors running enrollment centres or at the central data servers that store the details.

The unique identity authority of India’s processes are intended to allay fears that biometric data collected by private contractors might be vulnerable to falling in unauthorized hands as the biometric detail is encrypted using the highest available public key cryptography encryption.

Even if the data is stolen or lost the encryption prevents access to the biometrics as it will require the most powerful computers literally eons to crack the code. Similarly at the central data centre, the encryption processes are repeated while storing the details, making attempts to access and use the data very difficult.

The government hopes that the lack of human interface in storing the data and procedures such as data collectors being required to authenticate every entry though their own biometric verification will help convince the Supreme Court that privacy concerns have been addressed by the UIDAI.

The UIDAI programme’s success is indicated by lack of any credible complaints or proof of misuse of data since it started the ambitious scheme almost five year ago. This is partly due to the processes that make even loss of a recording machine or copying on a flash drive a futile exercise.

The data are being collected on software-Enrollment Client (EC) Software-written, maintained and provided by the UIDAI and is encrypted to prevent leaks at the enrollment centres managed by private vendors and in transit. The private agencies on ground use the EC Software which ensures that only authentic and approved person can sign-in for the purpose of enrolling people.

The enrollment client software used by private vendors strongly encrypts individual electronic files containing demographic and biometric details (enrollment data packets) of residents at the time of enrollment and even before the data is saved in any hard disk.

The encryption uses highest available public key cryptography encryption (PKI-2048 and AES-256) with each data record having a built-in mechanism to detect any tampering.

The e-data packages are always stored on disk in PKI encrypted form and is never decrypted or modified during transit making it completely inaccessible to any system or person.

Among other security measures, UIDAI has ensured that the Aadhaar database is not linked to any other databases., or to information held in other databases and its only purpose is to verify a person’s identity at the point of receiving a service, and that too with the consent of the Aadhaar number holder.

Encrypted Smartphones Challenge Investigators

Law-enforcement officials are running up against a new hurdle in their investigations: the encrypted smartphone.

Officials say they have been unable to unlock the phones of two homicide victims in recent months, hindering their ability to learn whom those victims contacted in their final hours. Even more common, say prosecutors from New York, Boston and elsewhere, are locked phones owned by suspects, who refuse to turn over passcodes.

Manhattan District Attorney Cyrus Vance says his office had 101 iPhones that it couldn’t access as of the end of August, the latest data available.

The disclosures are the latest twist in a continuing dispute between law-enforcement officials and Apple Inc. and Google Inc., after the two tech companies released software last year that encrypted more data on new smartphones. The clash highlights the challenge of balancing the privacy of phone users with law enforcement’s ability to solve crimes.

“Law enforcement is already feeling the effects of these changes,” Hillar Moore, the district attorney in Baton Rouge, La., wrote to the Senate Judiciary Committee in July. Mr. Moore is investigating a homicide where the victim’s phone is locked. He is one of 16 prosecutors to send letters to the committee calling for back doors into encrypted devices for law enforcement.

The comments are significant because, until now, the debate over encrypted smartphones has been carried by federal officials. But local police and prosecutors handle the overwhelming share of crimes in the U.S., and district attorneys say encryption gives bad guys an edge.

Encrypted phones belonging to victims further complicate the issue, because some families want investigators to have access to the phones.

“Even if people are not terribly sympathetic to law-enforcement arguments, this situation might cause them to think differently,” said Paul Ohm, a Georgetown University Law Center professor and former prosecutor.

Last week, Federal Bureau of Investigation Director James Comey told a Senate hearing that the administration doesn’t want Congress to force companies to rewrite their encryption code. “The administration is not seeking legislation at this time,” White House National Security Council spokesman Mark Stroh said in a written statement Monday.

Some independent experts say the handful of cases that have emerged so far isn’t enough to prove that phone encryption has altered the balance between law enforcement and privacy. In many cases, they say, investigators can obtain the encrypted information elsewhere, from telephone companies, or because the data was backed up on corporate computers.

—————————————————————————————————————————————————–

‘In the past this would have been easy for us. We would have an avenue for this information, we’d get a subpoena, obtain a record, further our investigation.’

—Evanston Police Commander Joseph Dugan

—————————————————————————————————————————————————–
“It depends on what the success rate is of getting around this technology,” said Orin Kerr, a George Washington Law professor.

Apple encrypted phones by default beginning with iOS 8, the version of its mobile-operating system released last fall. The decision came amid public pressure following former national-security contractor Edward Snowden’s revelations of tech-company cooperation with government surveillance.

With iOS 8, and the newly released iOS 9, Apple says it cannot unlock a device with a passcode. That means Apple cannot provide information to the government on users’ text messages, photos, contacts and phone calls that don’t go over a telephone network. Data that isn’t backed up elsewhere is accessible only on the password-protected phone.

“We have the greatest respect for law enforcement and by following the appropriate legal process, we provide the relevant information we have available to help,” Apple wrote in a statement to The Wall Street Journal.

Apple Chief Executive Tim Cook is an advocate of encryption. “Let me be crystal clear: Weakening encryption, or taking it away, harms good people that are using it for the right reasons,” he said at a conference earlier this year.

Only some phones, such as the Nexus 6 and the Nexus 9, running Google’s Android Lollipop system are encrypted by default. Google declined to comment about the role of encryption in police investigations.

Three of the 16 district attorneys who wrote to the Senate—from Boston, Baton Rouge and Brooklyn—told the Journal they were aware of cases where encrypted phones had hindered investigations. Investigators in Manhattan and Cook County in Illinois also have cases dealing with encrypted phones. Investigators say, however, they have no way of knowing whether or not the locked phones contain valuable evidence.

Mr. Moore, of Baton Rouge, thinks there might be important information on a victim’s phone. But he can’t access it.

Brittany Mills of Baton Rouge used her iPhone 5s for everything from sending iMessages to writing a diary, and she didn’t own a computer, her mother said. Ms. Mills, a 28-year-old patient caregiver, was shot to death at her door in April when she was eight months pregnant.

Police submitted a device and account information subpoena to Apple, which responded that it couldn’t access anything from the device because it was running iOS 8.2. Mr. Moore thinks the iCloud data Apple turned over won’t be helpful because the most recent backup was in February, two months before her death. The records he obtained of her phone calls yielded nothing.

“When something as horrible as this happens to a person, there should be no roadblock in the way for law enforcement to get in there and catch the person as quickly as possible,” said Barbara Mills, Brittany Mills’s mother.

Investigators in Evanston, Ill., are equally stumped by the death of Ray C. Owens, 27. Mr. Owens was found shot to death in June with two phones police say belonged to him, an encrypted iPhone 6 and a Samsung Galaxy S6 running Android. A police spokesman said the Samsung phone is at a forensics lab, where they are trying to determine if it is encrypted.

The records that police obtained from Apple and service providers had no useful information, he added. Now the investigation is at a standstill.

“In the past this would have been easy for us,” said Evanston Police Commander Joseph Dugan. “We would have an avenue for this information, we’d get a subpoena, obtain a record, further our investigation.”

Barbara Mills is committed to making sure more families don’t have to see cases go unsolved because of phone encryption. “Any time you have a situation of this magnitude, if you can’t depend on law enforcement, who can you depend on?”

US Government Will No Longer Push For User’s Encrypted Data

Last year Google and Apple (and other companies) made some changes to the way encryption was handled. Instead of Google and Apple holding the keys to the encryption, they gave the keys to their customers. What this meant is that law enforcement agencies can no longer ask these companies to turn over user encrypted data.

If they want the data, they will have to convince those users to give it up themselves, something which the FBI was not too happy about. However for a while the government did not give up their quest to make it so that tech companies could be forced to turn over encrypted user data, but all of that has since changed.

According to reports, the Obama administration has finally backed down in their battle against the tech companies over encrypted data. This means that if you were worried that these tech companies would one day be forced to install back doors which are supposedly only for government access, you won’t have to worry about that anymore.

The argument made by the tech companies basically stated that by installing back doors, even if it was just for the “good guys”, could leave their products and services open to hacks. While this is no doubt a big victory, there are some who are skeptical that this is the end of that.

According to Peter G. Neumann, one of the nation’s leading computer scientists, “This looks promising, but there’s still going to be tremendous pressure from law enforcement. The NSA is capable of dealing with the cryptography for now, but law enforcement is going to have real difficulty with this. This is never a done deal.”

Obama administration has decided not to seek a legislative remedy now

FBI Director James Comey told a congressional panel that the Obama administration won’t ask Congress for legislation requiring the tech sector to install backdoors into their products so the authorities can access encrypted data.

Comey said the administration for now will continue lobbying private industry to create backdoors to allow the authorities to open up locked devices to investigate criminal cases and terrorism.

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” Comey told a Senate panel of the Homeland Security and Governmental Affairs Committee on Thursday.

Comey’s comments come as many in the privacy community were awaiting a decision by the administration over whether it would seek such legislation. Many government officials, including Comey himself, have called for backdoors. All the while, there’s been intense lobbying by the White House to guilt the tech sector for a backdoor. And Congress has remained virtually silent on the issue that resembles the so-called Crypto Wars.

The president’s public position on the topic, meanwhile, has been mixed. Obama had said he is a supporter and “believer in strong encryption” but also “sympathetic” to law enforcement’s need to prevent terror attacks.

The government’s lobbying efforts, at least publicly, appear to be failing to convince tech companies to build backdoors into their products. Some of the biggest names in tech, like Apple, Google, and Microsoft, have publicly opposed allowing the government a key to access their consumers’ encrypted products. All the while, some government officials, including Comey, have railed against Apple and Google for selling encrypted products where only the end-user has the decryption passcode.

According to a letter to Obama from the tech sector:

The government cannot force the tech sector to build encryption end-arounds. The closest law on the books is the Communications Assistance for Law Enforcement Act of 1994, known as CALEA. The measure generally demands that telecommunication companies make their phone networks available to wiretaps.

Obama administration opts not to force firms to decrypt data — for now

After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement.

Rather, the administration will continue trying to persuade companies that have moved to encrypt their customers’ data to create a way for the government to still peer into people’s data when needed for criminal or terrorism investigations.

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

The decision, which essentially maintains the status quo, underscores the bind the administration is in — between resolving competing pressures to help law enforcement and protecting consumer privacy.

The FBI says it is facing an increasing challenge posed by the encryption of communications of criminals, terrorists and spies. A growing number of companies have begun to offer encryption in which the only people who can read a message, for instance, are the person who sent it and the person who received it. Or, in the case of a device, only the device owner has access to the data. In such cases, the companies themselves lack “backdoors” or keys to decrypt the data for government investigators, even when served with search warrants or intercept orders.

The decision was made at a Cabinet meeting Oct. 1.

“As the president has said, the United States will work to ensure that malicious actors can be held to account – without weakening our commitment to strong encryption,” National Security Council spokesman Mark Stroh said. “As part of those efforts, we are actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services.”

But privacy advocates are concerned that the administration’s definition of strong encryption also could include a system in which a company holds a decryption key or can retrieve unencrypted communications from its servers for law enforcement.

“The government should not erode the security of our devices or applications, pressure companies to keep and allow government access to our data, mandate implementation of vulnerabilities or backdoors into products, or have disproportionate access to the keys to private data,” said Savecrypto.org, a coalition of industry and privacy groups that has launched a campaign to petition the Obama administration.

To Amie Stepanovich, the U.S. policy manager for Access, one of the groups signing the petition, the status quo isn’t good enough. “It’s really crucial that even if the government is not pursuing legislation, it’s also not pursuing policies that will weaken security through other methods,” she said.

The FBI and Justice Department have been talking with tech companies for months. On Thursday, Comey said the conversations have been “increasingly productive.” He added: “People have stripped out a lot of the venom.”

He said the tech executives “are all people who care about the safety of America and also care about privacy and civil liberties.”

Comey said the issue afflicts not just federal law enforcement but also state and local agencies investigating child kidnappings and car crashes— “cops and sheriffs … [who are] increasingly encountering devices they can’t open with a search warrant.”

One senior administration official said the administration thinks it’s making enough progress with companies that seeking legislation now is unnecessary. “We feel optimistic,” said the official, who spoke on the condition of anonymity to describe internal discussions. “We don’t think it’s a lost cause at this point.”

Legislation, said Rep. Adam Schiff (D-Calif.), is not a realistic option given the current political climate. He said he made a recent trip to Silicon Valley to talk to Twitter, Facebook and Google. “They quite uniformly are opposed to any mandate or pressure — and more than that, they don’t want to be asked to come up with a solution,” Schiff said.

Law enforcement officials know that legislation is a tough sell now. But, one senior official stressed, “it’s still going to be in the mix.”

On the other side of the debate, technology, diplomatic and commerce agencies were pressing for an outright statement by Obama to disavow a legislative mandate on companies. But their position did not prevail.

Daniel Castro, vice president of the Information Technology & Innovation Foundation, said absent any new laws, either in the United States or abroad, “companies are in the driver’s seat.” He said that if another country tried to require companies to retain an ability to decrypt communications, “I suspect many tech companies would try to pull out.”