Is an FSB license required when developing software that uses software and hardware cryptographic tools (in my case, I have experience with eToken GOST and JaCarta GOST from Aladdin RD) for authentication and for forming a legally significant qualified signature on documents, if this software is meant as a commercial product for external use by customers and third parties?
From clause 3 of Decree of the Russian Federation No. 313 of April 16, 2012, I cannot clearly understand this.
What I am doing is embedding an already licensed solution; it seems to be embedding rather than development, and distribution is possible. I do not distribute the crypto devices or the plugin that connects the token to the system. The solution itself works fine even without this crypto protection, but the integration code remains.
I also looked for an answer on the Aladdin and CryptoPro forums, on Habr and Toster, and sent the question to the vendor's support service.
Anyway, has anyone come across this question during development?
Here's what I found out on my own:
If the crypto devices are used only for two-factor authentication, no license is required, since no encryption is performed (although there are doubts here, and it all depends on the protocol used).
If the EDS formation, service, etc. is used for personal needs or the company's internal needs, we do not fall under the decree.
An FSB license is required when embedding cryptographic tools (even certified ones) in software that will be provided as a product or service to other parties.
Accordingly, for custom development or for providing it to others as a service, an FSB license is still needed.
As a result, six options remain:
- Obtain an FSB license yourself, with all the ensuing consequences;
- Deliver the application itself without crypto protection. The protection can be connected as a separate module by the user and/or an intermediary. In this case the module must be developed and distributed separately by a licensed reseller, and supplied separately from the main application. In other words: use the services of a third party;
- Use a simple signature without cryptography, such as enhanced SMS confirmation. In this case the parties to the exchange must sign an agreement that such a signature is recognized as legally significant, and in court the fact that such a signature was formed is established by checking the server logs, etc., according to the terms of the agreement;
- Use the cryptographic protection tools built into the OS (these do not fall under the law);
- Sign outside the territory of the Russian Federation (electronic signatures created in accordance with the law of a foreign state and international standards are recognized as legally significant under the legislation of the Russian Federation);
- Do not use cryptography or EDS at all.
Not having this license after the first paid or gratuitous transfer to another party is a violation of Article 171 "Illegal Business" of the Criminal Code of the Russian Federation, as well as Article 13.13 "Illegal activity in the field of information protection" of the Code of Administrative Offenses of the Russian Federation, which carries a serious fine and possibly the confiscation of all cryptographic information security devices.