Banks seeking to use more powerful cryptography for financial transactions are now saying the government may be taking a step in the wrong direction.
Last fall, when the Clinton administration announced that it planned to liberalize controls on the export of strong cryptography, banks praised the idea.
Banks have had to get special permission-first from the National Security Agency, now from the Commerce Department-to use strong cryptography. They had hoped the liberalization would give blanket approval, making case-by-case applications unnecessary.
But Visa International and the American Bankers Association, as well as Citibank and other financial institutions, are unhappy that the regulations proposed Dec. 30 in preliminary form omit any specific exemption for banks.
In fact, they say, the proposed rules would give banks even less power than they now have.
The proposal fails "to codify more favorable treatment for financial institutions' export of cryptography, and falls well short of effectively meeting the needs of financial institutions," wrote Citibank senior technology counsel James A. Button in a comment letter to the administration.
The Commerce Department's Bureau of Export Administration issued the regulations Dec. 30. They were intended to start the process of relaxing export controls for the computer hardware and software industry.
Commerce Department officials downplayed any differences from previous regulations. "There is no change in policy for financial institutions," said James Lewis, director of strategic trade for the Bureau of Export Administration. "We very much want to make sure that banks can get the strong encryption they need."
Enforcement of restrictions on using commercial-grade cryptography, which includes bank use of strong encryption, shifted to the State Department as part of the initiative announced in October by Vice President Gore.
In return for industry's help in developing a "key recovery" system allowing law-enforcement officials to gain access to certain encrypted documents, the Clinton administration agreed to permit the export of products with 56-bit "keys" for two years. Until the policy change, exports for nonfinancial products were limited to 40-bits.
But many financial institutions find the key recovery scheme outlined by the administration impractical and costly. And while banks have been permitted to use 56-bit encryption without implementing key recovery, many are worried that policy will soon come to an end.
The proposed regulations "do not reflect the flexibility of the prior ... export process as previously practiced," wrote James D. McLaughlin, the ABA's director of agency relations, in response to the draft regulations. Nor do the proposed rules reflect "the administration's prior public statements promising to continue the favorable treatment of financial institutions' cryptographic export applications, or other understandings regarding additional liberalization arrived upon over a three-year period," Mr. McLaughlin wrote.
Moreover, banks point out that they have a well-established track record of meeting law enforcement demands without the need to store and retain the codes that encrypt their financial data.
"Key recovery is not necessary in the context of financial communications," stated attorney Peter Lichtenbaum, on behalf of Visa USA Inc. and Visa International.
"After decrypting the transmission, financial institutions verify the authenticity and integrity of the send and data and then store the data securely in a clear-text form," an unencoded document which can made available without the need to archive user keys, he said.
While banks have never been happy about having to submit to export restrictions, observers note that they are loath to trade in the comfortable relationships that many developed in dealing with national security officials for an uncertain new regime.
"There is a mandatory nature to these guidelines which was not the case before," said Sandra M. Lambert, a Los Angeles information security consultant who worked for Citibank.
"Before, it was not specified how you provided the data in response to a duly authorized warrant. Now, they are specifying that you have to have a key recovery mechanism, a term which has not been defined."
The uncertainties about the regulations, which will be finalized over the next several months, leave many of the bankers uneasy that enforcement will be subject to whoever is administering them.
Commerce Department officials would not confirm that specific exemptions for financial institutions will be attached to the regulations. But the officials said that in any case, they new rules would not hurt banks.
As they continue to apply for approval to use strong encryption, and continue to get it, "their concerns will go away," Mr. Lewis said.
