Certification and Licensing of encryption software in the Russian Federation - RUSSOFT
A summary of certification and licensing of encryption software in the Russian Federation.

Oct 23, 2001
This summary of certification and licensing of encryption software in the Russian Federation is based on legal research, on shared experience of the members of the working group "Regulatory Framework" in the EBC IT & E-Commerce Committee and on the presentation given by Mr. Bezzubzev, Head of the Licensing and Certification Center at FAPSI, organized by the EBC IT & E-Commerce Committee on June 25, 2001. In practice, many companies, both Russian and foreign, still operate encryption means without any certification or licenses, and so far, we are not aware of any legal steps taken against this practice. However, there is a growing awareness of the need to comply with certification and licensing requirements.

The safety of Internet traffic relies on encryption. Therefore, the increasing importance of Internet traffic within businesses and with clients, especially in e-banking and e-commerce, requires businesses operating in Russia to be aware of certification and licensing requirements when using encryption software. The authorization for the use of encryption means in the Russian Federation is controlled by FAPSI, the Federal Agency for Governmental Communications and Information. In many cases, to legally use encryption means in the Russian Federation one must obtain a certificate as well as a license. Certification means approval of the software itself, whereas the license authorizes the act of actually using encryption means.

1. Definition

The term "encryption means" in Russian legislation refers to software and hardware used for the modification of information through mathematical algorithms for the purpose of ensuring the safety of such information while it is being processed, stored or transferred for communication, as well as its protection from falsification through digital electronic signatures. Also included in the term are software and hardware used for protection from unwanted information.

Generally, pursuant to the Federal Law "On Certification of Products and Services" of June 10, 1993, products and services require certification, if they are enumerated in a catalogue brought into legal force by the Order of Gosstandart of the Russian Federation of February 23, 1998 No.5 (Nomenclature of products and services (work), subject to obligatory certification). Software is not mentioned in this catalogue. There are, however, several other legislative acts requiring the certification of encryption software. Certification is granted either by GosTechKommissia or FAPSI.

Software requiring certification includes:
  • Software encrypting business contacts conducted via the Internet
  • Encryption software used in the exchange with the Russian Central Bank
  • Software for the generation of private and public keys

In theory, certificates will only be given to products manufactured in Russia by licensed manufacturers because only the Russian encryption standards are intended for certification. Currently, there are three standards: GOST 28147-89, GOST 34.10-94 and GOST 34.11-94. The American standard DES or any other private algorithms are prohibited from being imported into Russia without a formal approval by FAPSI. In practice, FAPSI takes a cooperative approach and allows the use of foreign encryption means in Russia (e.g. for the use of electronic payment systems / foreign credit cards).

If a parent company outside the Russian Federation requires its subsidiary located within the Russian Federation to use the parent company's standard encryption software, the software should be certified (otherwise a cooperative solution with FAPSI should be reached) and the subsidiary needs a license for importing encryption means. Certificates can be obtained through GosTechKommissia and FAPSI.

2. Licensing

Licenses are given out solely by FAPSI. Activities requiring a license are enumerated in the Federal Law "On Licensing" of September 25, 1998. However, activities listed in prior federal laws and presidential decrees still require licensing, provided the law "On Licensing" is not contradicted.

The law "On Licensing" requires licensing for:
  • Generating encryption means
  • Providing encryption services
  • Providing maintenance services for existing encryption means, or developing encryption means

Under the new Federal Law "On Licensing" of August 8, 2001, effective as of February 10, 2002, these activities will also require a license.

In practice this requirement leads to a mandatory license for:
  • E-banking
  • Providing telecommunications services
  • Using digital electronic signatures
  • Internet markets (open and closed) using encryption software for traffic with their customers

When reviewing the application for a license, FAPSI checks whether the applicant possesses the required expertise for handling encryption means. This is determined by evaluating the educational standard of the employees as well as the internal organization of the applicant with regard to the use of encryption means. Provided the applicant possesses the required expertise, FAPSI reaches a decision on granting a license within 30 days of receiving the application.

3. Conclusion and Consequences

Although frequent in practice, the use of uncertified encryption software is not permitted and can result in liability for damages caused by such use. Under the Russian Civil Code, a transaction concluded without the necessary licenses may be declared invalid by a court upon petition of the legal person operating without a license, its participant (shareholder) or by FAPSI if it is proven that the other party in the transaction knew or should clearly have known of its illegality (Art. 173 Russian Civil Code). In the worst of cases, a company operating without the necessary licenses runs the risk of being liquidated (Art. 61 Russian Civil Code).

However, regulations targeting the use of encryption means are a fairly new legal field, and there is little established practice. Businesses that have so far been operating without any license and are engaged in, or planning, activities that require licensing (see above 3.) should bring their activities in line with the legislation and contact FAPSI.

© Dr. Christian von Wistinghausen