Importation of encryption in Russia: exposing the myths
Remember the recent history of the claim to the Russian, who ordered a new Motorola smartphone in a foreign online store? Then there were a lot of notes on this topic and almost all of them could be formulated briefly: “The Russian authorities are tightening the screws and an ordinary Russian cannot even be ordered anything via the Internet — everywhere fisheries and law enforcement agencies put poles into the wheels.” It should be noted that such statements are typical for almost any person who is faced with a non-standard situation for themselves, in which there is a alleged infringement of rights, begins, without understanding, to blame everyone except himself. With the importation of the smartphone, the situation was just from this area. However, this case was not the first. A few years ago, one of the Russians, having bought a Cisco router on eBay, was faced with a similar situation at Russian customs. And before and after there were several similar cases. Let's try to figure it out.
The fact is that in Russia, or rather on the territory of the Customs Union, which includes Russia, Belarus and Kazakhstan, for several years now there are rules for importing cryptographic tools, which many gadgets and other items fall into, about which we don’t even think that they fall under the concept of means of sounding. There are still more rumors and myths about this topic than reliable information. The main misconception is two positions and their derivatives “You can’t import Cisco encryption into Russia” and “I can order anything from an overseas online store or auction and get it in Russia without any problems”. This is incorrect and in this article we would like to answer the most common questions regarding the import of IT products, and in particular, encryption tools.
Documents regulating the issues of importing and exporting encryption tools determine that encryption tools are “hardware, software and hardware / software tools, systems and complexes that implement cryptographic information conversion algorithms and are designed to protect information from unauthorized access during its transmission via communication channels and (or) during its processing and storage ”. On the one hand, it is very capacious, but on the other hand, it is a completely non-specific definition, which can be interpreted differently in different situations. Is encryption encryption? And the electronic signature? And cryptographic authentication?
')
In fact, from the point of view of the customs authorities, not only the encryption tools defined in the paragraph above are subject to control, but also:
The list is quite large, but for the purposes of importation the definition itself is not so important. More importantly, what exactly is controlled by customs. In List 2.19, there is no separately defined group of encryption tools and the corresponding codes of the so-called unified Commodity Nomenclature for Foreign Economic Activities (ETN VED). In List 2.19, the names of the goods and their codes ETN FEA are listed, as belonging to which, the customs authorities may define the imported product as encryption (and it does not matter if there is actually encryption or not). For Cisco products, an excerpt from List 2.19 looks, for example, as follows:
It is not worth much to delve into what is written in the table :-) It is much more important to understand that the customs authorities control everything that we use in one way or another in our normal life or for official purposes - computers, smartphones, laptops, GPS receivers, routers , wireless access points, software, televisions and set-top boxes, etc. That is why the Motorola smartphone in the sensational case recently got “under the distribution” - it is considered a encryption tool in terms of customs. Although it must be admitted that it is considered such not only from the point of view of customs, but common sense also tells us that there is encryption in any modern smartphone. It is in the chip that implements any standard of mobile communication (for example, A5 in GSM). It is in the operating system Android or iOS or Blackberry. It is in the browser Safari or other mobile version of common browsers. It is in the mail client on the smartphone. It is ... But there are few applications or chips on the smartphone, where there is encryption. If you look at the many other devices listed in the table, we will understand that there really is encryption. At a minimum, to protect information on the device itself, to store keys or authentication information, or for secure management (SSH is also encryption).
Put yourself in the place of an ordinary customs officer ... How does he know for what you will use the product transported across the border? Maybe you purchased a smartphone on eBay, hang it in a frame on the wall, or maybe you will be nailing nails with it. Or maybe you are a hidden terrorist or an extremist who plans to use an imported means of communication to interact with his accomplices? But if you put aside the jokes, the position of the authorities is simple - if the product can implement cryptographic information conversion algorithms, it is in any case considered a cryptographic tool, even if encryption is a non-essential or unused function of the product.
In other words, it turns out that almost any IT product that crosses the border of the Russian Federation becomes subject to customs regulation and all rules for the import of encryption tools apply to it. And it does not matter at all whether the customer of such a tool is an individual or a legal entity.
All encryption tools (read almost any IT products) according to the import procedure are divided into two groups:
Ideal if the product falls under the “simplified”. In this case, its import is no different from the importation of any other products, unlimited by any prohibitions. To date, this list includes:
If there is no notification on the goods crossing the border, then they are imported according to the “complex” scheme. Even if formally it could be issued on a simplified version. This situation often arises for completely new products for which the manufacturer has not yet had time (or does not plan at all) to issue a notification.
The Provision contains a number of exceptions, when the encryption tool can be imported without notification, but also without a license from the Ministry of Industry and Trade. This happens in the following cases:
However, in this case, it is still necessary to obtain the appropriate opinion of the Center.
In the case of import by notification, the manufacturer of imported products deals with its design. For example, Cisco fills in notifications for its products in duplicate, after which the relevant information is included in the NTF List, and Cisco sends the notifications themselves for registration with the CRL. After registration, one instance of the notification is returned to Cisco. CLSA also sends information about the registered notification to the EEC for publication on the site www.tsouz.ru/db/entr/notif/Pages/default.aspx (by the way, you can check the legality of the importation of the products you use). On average, the registration procedure for notification takes at least 2-3 weeks. The importation of encryption tools that fall into the List of NTFs is carried out on the basis of information on the registered notification without any other permits.
In the case of importation according to the “complicated” scheme, all work with the authorized state bodies (CRLS and the Ministry of Industry and Trade) is performed by the importer (and not the consumer). The procedure for obtaining a license and all the necessary information is presented in detail on the website of the Ministry of Industry and Trade - www.minpromtorg.gov.ru/services/permission/export-import . At the same time, the Regulation on Importation does not make a distinction between legal entities or individuals, but in practice, an ordinary citizen will hardly be able to go through all the procedures of communication with regulatory authorities.
The general term for obtaining a license from the Ministry of Industry and Trade, taking into account the examination and obtaining the opinion of the Center, shall not exceed 90 days from the date of registration of the importer's application to the Center. The established practice shows that, provided that the documents are properly prepared, obtaining permits takes about 7 to 9 weeks (CLSD - from 4 to 6 weeks, the Ministry of Industry and Trade - no more than 3 weeks). In this case, you can order products immediately after receiving the opinion of the Center. The procedure for obtaining a license from the Ministry of Industry and Trade can be combined with the process of manufacturing and transporting products to Russia.
In the above case with the importation of a smartphone, it should have come under the simplified scheme; but only after the Russian legal entity representing the interests of Motorola would register a notification on this smartphone. Since this model was new and was not delivered to Russia at the time of the order, a “complex” scheme was applied to the smartphone. In this case, the paperwork for the importation of a smartphone was to be dealt with not by the buyer, but by the importer - a courier or logistics company delivering goods across the border. Of course, she didn’t have any special authorization documents for the import of encryption tools, and the customs also did not find any registered notifications in the database of the carried-out smartphone model. As a result, there was a violation of customs legislation.
As it was written in the agenda given by the affected fan of Motorola smartphones, he was charged with violating part 1 of article 16.3 of the Code of Administrative Offenses (“” Failure to comply with restrictions on the importation of goods). In fact, the customs did not quite correctly classify the offense - here you should apply part 2 of this article. In addition to Article 16.3, it is possible to apply (but already to the importer) Articles 16.2 “Non-declaration or inadequate declaration” and 16.7 “Submission of invalid documents upon customs declaration”. All these articles can be applied both to a legal entity importing encryption tools across the customs border of the Russian Federation and to an individual, which has already been demonstrated more than once over the past few years.
But if the encryption tool has crossed the border and is already sold in Russia, then the buyer is not in danger. The fact is that the purchase of encryption tools on the territory of the Russian Federation is currently not regulated at all. The current legislation does not oblige the buyer in Russia to check the conditions of importation of the products he buys. Only in the case of the ordering of encryption tools outside the Russian Federation and their importation across the border of the Customs Union all the rules described above come into force.
Oddly enough, no. The Regulations do not define the procedures that the consumer must carry out. But in accordance with the established practice, the consumer provides support to the importer by providing the Information Center on the use of imported equipment (for the “complex” scheme), since the importer must indicate for whom the encryption means are imported. The letter indicates the minimum necessary information:
The information letter must be identical in content with the application to the CRLS from the importer. The lack of an information letter can be interpreted as the impropriety of the importer and, as a rule, means a one hundred percent refusal to issue a conclusion on the import of the encryption tool.
With the practice of processing such letters from consumers - ordinary citizens we did not have to face.
To move any encryption tool across the customs border, regardless of the country of origin and the name of the manufacturer, the required documents are registered or CRLS conclusion (if necessary, a license from the Ministry of Industry and Trade of Russia is also required). The only way to bypass this procedure is to import equipment illegally.
If, when purchasing products with the encryption function, the buyer cannot receive from the seller information about the registered notification or a copy of the license from the Ministry of Industry and Trade of Russia, then there is a high probability that this product has been imported into Russia in violation of the law.
In the current Russian legislation, actions to change the cryptographic characteristics of devices that are already located and acquired on the territory of Russia are not regulated and no one will undertake to predict the consequences of downloading an upgrade from the Internet with the cryptographic functionality enabled. At the same time, there is currently the practice of obtaining CLCS permits to import products that allow you to change the cryptographic characteristics of existing equipment, such as software on a physical medium (CD / DVD) or downloaded via the Internet. However, this practice operates mainly for legal entities using encryption. They should understand that regulators and inspectors may have questions to an organization that has never acquired cryptographic products imported for it by the CLCP, but uses them in its activities.
With respect to ordinary citizens who download software encryption tools from the Internet, law enforcement practice has not yet been established.
Contrary to popular belief that the customs or the FSB is in charge of regulating the importation of encryption in our country, this is not entirely true, or rather, completely incorrect. These bodies essentially only fulfill the orders of the higher organization - the Eurasian Economic Commission (hereinafter - EEC), created by the decision of the Presidents of the Russian Federation, the Republic of Belarus and the Republic of Kazakhstan at the end of 2011.
The EEC was created as a single permanent regulatory body of the Customs Union and the Common Economic Space. The Commission has the status of a supranational governing body, is not subordinate to any government and the Commission’s decisions are binding on the territory of three countries, including Russia. The main task of the EEC is to ensure the conditions for the functioning and development of the Customs Union and the Common Economic Space, as well as to develop proposals for the further development of integration. The powers of the abolishing Commission of the Customs Union are transferred to the ECE.
In accordance with the decision of the Interstate Council of the Eurasian Economic Community dated November 27, 2009 "On the unified non-tariff regulation of the customs union of the Republic of Belarus, the Republic of Kazakhstan and the Russian Federation" the current Regulation on importation, as amended, has been in effect since January 1, 2010. Russia's accession to the WTO on August 22, 2012, did not change anything in the area of ​​non-tariff regulation of foreign trade.
After the signing of the agreement on the creation of the Eurasian Economic Union, the situation is unlikely to change and the EEC remains the main body that determines the rules for the importation of encryption tools, and the customs only implements these rules in practice. The FSB, or rather its CLCS, determines what will be imported under a simplified scheme, and what will require greater body movements.
As a conclusion, I would like to answer 2 more questions that may arise during the reading of the material.
Not. Despite the similar names, the Minpromtorg licenses for the import of encryption facilities and the FSB licenses for operations with encryption facilities are completely different branches of the law.
Decision of the Board of the Eurasian Economic Commission on August 16, 2012. â„–134 "On regulatory legal acts in the field of non-tariff regulation" approved:
All ECE documents are published on the official website www.tsouz.ru .
The fact is that in Russia, or rather on the territory of the Customs Union, which includes Russia, Belarus and Kazakhstan, for several years now there are rules for importing cryptographic tools, which many gadgets and other items fall into, about which we don’t even think that they fall under the concept of means of sounding. There are still more rumors and myths about this topic than reliable information. The main misconception is two positions and their derivatives “You can’t import Cisco encryption into Russia” and “I can order anything from an overseas online store or auction and get it in Russia without any problems”. This is incorrect and in this article we would like to answer the most common questions regarding the import of IT products, and in particular, encryption tools.
And where does the cryptographic facilities?
Documents regulating the issues of importing and exporting encryption tools determine that encryption tools are “hardware, software and hardware / software tools, systems and complexes that implement cryptographic information conversion algorithms and are designed to protect information from unauthorized access during its transmission via communication channels and (or) during its processing and storage ”. On the one hand, it is very capacious, but on the other hand, it is a completely non-specific definition, which can be interpreted differently in different situations. Is encryption encryption? And the electronic signature? And cryptographic authentication?
')
In fact, from the point of view of the customs authorities, not only the encryption tools defined in the paragraph above are subject to control, but also:
- imitation protection
- digital signature tools
- coding tools
- cryptographic key tools
- cryptographic keys themselves
- systems, equipment and components designed or modified to perform cryptanalytic functions
- Systems, equipment and components designed or modified to apply cryptographic methods for generating spreading code for systems with spreading spectrum, including code hopping for systems with frequency hopping
- systems, equipment, and components designed or modified to apply cryptographic methods for channelization or security codes for time-modulated ultra-wideband systems.
The list is quite large, but for the purposes of importation the definition itself is not so important. More importantly, what exactly is controlled by customs. In List 2.19, there is no separately defined group of encryption tools and the corresponding codes of the so-called unified Commodity Nomenclature for Foreign Economic Activities (ETN VED). In List 2.19, the names of the goods and their codes ETN FEA are listed, as belonging to which, the customs authorities may define the imported product as encryption (and it does not matter if there is actually encryption or not). For Cisco products, an excerpt from List 2.19 looks, for example, as follows:
It is not worth much to delve into what is written in the table :-) It is much more important to understand that the customs authorities control everything that we use in one way or another in our normal life or for official purposes - computers, smartphones, laptops, GPS receivers, routers , wireless access points, software, televisions and set-top boxes, etc. That is why the Motorola smartphone in the sensational case recently got “under the distribution” - it is considered a encryption tool in terms of customs. Although it must be admitted that it is considered such not only from the point of view of customs, but common sense also tells us that there is encryption in any modern smartphone. It is in the chip that implements any standard of mobile communication (for example, A5 in GSM). It is in the operating system Android or iOS or Blackberry. It is in the browser Safari or other mobile version of common browsers. It is in the mail client on the smartphone. It is ... But there are few applications or chips on the smartphone, where there is encryption. If you look at the many other devices listed in the table, we will understand that there really is encryption. At a minimum, to protect information on the device itself, to store keys or authentication information, or for secure management (SSH is also encryption).
If in the product the encryption functionality is not basic or is it not intended to be used as encryption means, will it be considered encryption means or not?
Put yourself in the place of an ordinary customs officer ... How does he know for what you will use the product transported across the border? Maybe you purchased a smartphone on eBay, hang it in a frame on the wall, or maybe you will be nailing nails with it. Or maybe you are a hidden terrorist or an extremist who plans to use an imported means of communication to interact with his accomplices? But if you put aside the jokes, the position of the authorities is simple - if the product can implement cryptographic information conversion algorithms, it is in any case considered a cryptographic tool, even if encryption is a non-essential or unused function of the product.
In other words, it turns out that almost any IT product that crosses the border of the Russian Federation becomes subject to customs regulation and all rules for the import of encryption tools apply to it. And it does not matter at all whether the customer of such a tool is an individual or a legal entity.
Is there a single import procedure for different encryption tools?
All encryption tools (read almost any IT products) according to the import procedure are divided into two groups:
- Simplified import procedure. Means the importation according to the so-called registered notification, which is issued for encryption tools that can be included in the “List of categories of goods (products) that are encryption (cryptographic) means or containing encryption (cryptographic) means whose technical and cryptographic characteristics are subject to notifications ”(annex to the previously mentioned Regulation on import, hereinafter referred to as the NTF List).
- Import by license. Encryption tools that are not listed in the NTV List are imported on the basis of a one-time license from the Ministry of Industry and Trade of Russia issued on the basis of the conclusion of the Center for Licensing, Certification and Protection of State Secrets of the FSB of Russia (CRLS) on the possibility of importing the encryption tool. The license and conclusion are issued to the importer for a specific supply in the direction of a specific customer (consumer).
What is imported under the simplified scheme?
Ideal if the product falls under the “simplified”. In this case, its import is no different from the importation of any other products, unlimited by any prohibitions. To date, this list includes:
- Products containing encryption (cryptographic) tools that have any of the following components:
- a symmetric cryptographic algorithm that uses a cryptographic key of a length not exceeding 56 bits (this is common and where DES is now used in a few); or
- an asymmetric cryptographic algorithm based on any of the following methods (the same RSA in the current implementation does not fall into this exception either):
- on the factorization of integers whose size does not exceed 512 bits;
- on the calculation of discrete logarithms in a multiplicative group of a finite field
size not exceeding 512 bits; or - on a discrete logarithm in a group other than the one named in the above
sub-clause “b” of size not exceeding 112 bits.
- Products containing encryption (cryptographic) tools that have the following limited functions:
- authentication, which includes all aspects of access control, where there is no encryption of files or texts, except for encryption, which is directly related to the protection of passwords, personal identification numbers or similar data to protect against unauthorized access;
- electronic digital signature.
- Encryption (cryptographic) tools that are components of software operating systems whose cryptographic capabilities cannot be changed by users, which are designed to be installed by the user without further substantial support by the supplier and technical documentation (description of cryptographic transformation algorithms, interaction protocols, description of interfaces, etc. .) which is available. This exception is covered by widespread OS - Windows, Linux, etc.
- Encryption (cryptographic) equipment specially designed and limited to use for banking or financial transactions. These are ATMs, SWIFT equipment, etc. Cisco specifically for these purposes releases 800 series routers with PCI code in the product code.
- Personal smart cards (smart cards).
- Receiving equipment for broadcasting, commercial television or similar commercial equipment for broadcasting to a limited audience without encrypting a digital signal, except when using encryption solely to control video or audio channels and send bills or return information related to the program to broadcast providers.
- Equipment whose cryptographic capabilities are not available to the user, specially designed and limited for use by any of the following
- software executed in copy protected form
- access to any of the following:
- copy-protected content stored only on readable storage media;
- information stored in encrypted form on media, when these media are offered for sale to the public in identical sets
- control copying audio and video information protected by copyright.
- Portable or mobile radio electronic equipment for civilian use (for example, for use in commercial civil cellular radio communications systems) that are not capable of end-to-end encryption (i.e., from subscriber to subscriber). It is under this exception that ordinary mobile phones and many models of smartphones fall.
- Wireless electronic equipment that encrypts information only on a radio channel with a maximum wireless range without amplification and retransmission of less than 400 m in accordance with the manufacturer’s specifications. Home access points are completely covered by this exception.
- Encryption (cryptographic) tools used to protect the technological channels of information and telecommunication systems and communication networks.
- Products whose cryptographic function is blocked by the manufacturer. For example, Cisco for many of its product lines produces special versions of equipment with NO PAYLOAD ENCRYPTION software installed - “NPE”. Such software is available for Cisco 800, ISR 1900, ISR 2900, ISR 3900, 2100 CGR, ASR1000, ASR 903 routers, Cisco Catalyst 3560-X switches, Catalyst 3750-X, 2500 CGS, Nexus 7000, equipment for video conferencing systems, unified communications systems . This list of modified products is constantly expanding.
What is imported according to the “complicated” scheme?
If there is no notification on the goods crossing the border, then they are imported according to the “complex” scheme. Even if formally it could be issued on a simplified version. This situation often arises for completely new products for which the manufacturer has not yet had time (or does not plan at all) to issue a notification.
And there are no other options?
The Provision contains a number of exceptions, when the encryption tool can be imported without notification, but also without a license from the Ministry of Industry and Trade. This happens in the following cases:
- when importing and exporting encryption tools for repair or replacement in accordance with the obligations under the contract (contract, agreement);
- during the temporary importation and temporary exportation of the encryption means in order to:
- scientific and technical expertise
- scientific research;
- exhibiting at exhibitions;
- when importing and exporting encryption tools in order to ensure the own needs of organizations without the right to distribute them and provide encryption services to third parties;
- in transit shipments of encryption tools through the territory of the States members of the customs union.
However, in this case, it is still necessary to obtain the appropriate opinion of the Center.
Who should be engaged in paperwork for the importation of encryption?
In the case of import by notification, the manufacturer of imported products deals with its design. For example, Cisco fills in notifications for its products in duplicate, after which the relevant information is included in the NTF List, and Cisco sends the notifications themselves for registration with the CRL. After registration, one instance of the notification is returned to Cisco. CLSA also sends information about the registered notification to the EEC for publication on the site www.tsouz.ru/db/entr/notif/Pages/default.aspx (by the way, you can check the legality of the importation of the products you use). On average, the registration procedure for notification takes at least 2-3 weeks. The importation of encryption tools that fall into the List of NTFs is carried out on the basis of information on the registered notification without any other permits.
In the case of importation according to the “complicated” scheme, all work with the authorized state bodies (CRLS and the Ministry of Industry and Trade) is performed by the importer (and not the consumer). The procedure for obtaining a license and all the necessary information is presented in detail on the website of the Ministry of Industry and Trade - www.minpromtorg.gov.ru/services/permission/export-import . At the same time, the Regulation on Importation does not make a distinction between legal entities or individuals, but in practice, an ordinary citizen will hardly be able to go through all the procedures of communication with regulatory authorities.
The general term for obtaining a license from the Ministry of Industry and Trade, taking into account the examination and obtaining the opinion of the Center, shall not exceed 90 days from the date of registration of the importer's application to the Center. The established practice shows that, provided that the documents are properly prepared, obtaining permits takes about 7 to 9 weeks (CLSD - from 4 to 6 weeks, the Ministry of Industry and Trade - no more than 3 weeks). In this case, you can order products immediately after receiving the opinion of the Center. The procedure for obtaining a license from the Ministry of Industry and Trade can be combined with the process of manufacturing and transporting products to Russia.
In the above case with the importation of a smartphone, it should have come under the simplified scheme; but only after the Russian legal entity representing the interests of Motorola would register a notification on this smartphone. Since this model was new and was not delivered to Russia at the time of the order, a “complex” scheme was applied to the smartphone. In this case, the paperwork for the importation of a smartphone was to be dealt with not by the buyer, but by the importer - a courier or logistics company delivering goods across the border. Of course, she didn’t have any special authorization documents for the import of encryption tools, and the customs also did not find any registered notifications in the database of the carried-out smartphone model. As a result, there was a violation of customs legislation.
What threatens for violation of the rules of importation of encryption?
As it was written in the agenda given by the affected fan of Motorola smartphones, he was charged with violating part 1 of article 16.3 of the Code of Administrative Offenses (“” Failure to comply with restrictions on the importation of goods). In fact, the customs did not quite correctly classify the offense - here you should apply part 2 of this article. In addition to Article 16.3, it is possible to apply (but already to the importer) Articles 16.2 “Non-declaration or inadequate declaration” and 16.7 “Submission of invalid documents upon customs declaration”. All these articles can be applied both to a legal entity importing encryption tools across the customs border of the Russian Federation and to an individual, which has already been demonstrated more than once over the past few years.
But if the encryption tool has crossed the border and is already sold in Russia, then the buyer is not in danger. The fact is that the purchase of encryption tools on the territory of the Russian Federation is currently not regulated at all. The current legislation does not oblige the buyer in Russia to check the conditions of importation of the products he buys. Only in the case of the ordering of encryption tools outside the Russian Federation and their importation across the border of the Customs Union all the rules described above come into force.
Isn't the end user involved in the process of placing your order?
Oddly enough, no. The Regulations do not define the procedures that the consumer must carry out. But in accordance with the established practice, the consumer provides support to the importer by providing the Information Center on the use of imported equipment (for the “complex” scheme), since the importer must indicate for whom the encryption means are imported. The letter indicates the minimum necessary information:
- catalog numbers (P / N), names, the number of imported encryption tools
- import target
- brief description of the functioning environment - localization, users, processed information
- purpose of imported encryption tools, their location (address).
The information letter must be identical in content with the application to the CRLS from the importer. The lack of an information letter can be interpreted as the impropriety of the importer and, as a rule, means a one hundred percent refusal to issue a conclusion on the import of the encryption tool.
With the practice of processing such letters from consumers - ordinary citizens we did not have to face.
But another vendor says that he has no problems with the import. Is that possible?
To move any encryption tool across the customs border, regardless of the country of origin and the name of the manufacturer, the required documents are registered or CRLS conclusion (if necessary, a license from the Ministry of Industry and Trade of Russia is also required). The only way to bypass this procedure is to import equipment illegally.
If, when purchasing products with the encryption function, the buyer cannot receive from the seller information about the registered notification or a copy of the license from the Ministry of Industry and Trade of Russia, then there is a high probability that this product has been imported into Russia in violation of the law.
And if I imported the equipment without encryption, and then updated it over the Internet and got an encryption tool?
In the current Russian legislation, actions to change the cryptographic characteristics of devices that are already located and acquired on the territory of Russia are not regulated and no one will undertake to predict the consequences of downloading an upgrade from the Internet with the cryptographic functionality enabled. At the same time, there is currently the practice of obtaining CLCS permits to import products that allow you to change the cryptographic characteristics of existing equipment, such as software on a physical medium (CD / DVD) or downloaded via the Internet. However, this practice operates mainly for legal entities using encryption. They should understand that regulators and inspectors may have questions to an organization that has never acquired cryptographic products imported for it by the CLCP, but uses them in its activities.
With respect to ordinary citizens who download software encryption tools from the Internet, law enforcement practice has not yet been established.
Who regulates the importation and exportation of encryption tools?
Contrary to popular belief that the customs or the FSB is in charge of regulating the importation of encryption in our country, this is not entirely true, or rather, completely incorrect. These bodies essentially only fulfill the orders of the higher organization - the Eurasian Economic Commission (hereinafter - EEC), created by the decision of the Presidents of the Russian Federation, the Republic of Belarus and the Republic of Kazakhstan at the end of 2011.
The EEC was created as a single permanent regulatory body of the Customs Union and the Common Economic Space. The Commission has the status of a supranational governing body, is not subordinate to any government and the Commission’s decisions are binding on the territory of three countries, including Russia. The main task of the EEC is to ensure the conditions for the functioning and development of the Customs Union and the Common Economic Space, as well as to develop proposals for the further development of integration. The powers of the abolishing Commission of the Customs Union are transferred to the ECE.
In accordance with the decision of the Interstate Council of the Eurasian Economic Community dated November 27, 2009 "On the unified non-tariff regulation of the customs union of the Republic of Belarus, the Republic of Kazakhstan and the Russian Federation" the current Regulation on importation, as amended, has been in effect since January 1, 2010. Russia's accession to the WTO on August 22, 2012, did not change anything in the area of ​​non-tariff regulation of foreign trade.
After the signing of the agreement on the creation of the Eurasian Economic Union, the situation is unlikely to change and the EEC remains the main body that determines the rules for the importation of encryption tools, and the customs only implements these rules in practice. The FSB, or rather its CLCS, determines what will be imported under a simplified scheme, and what will require greater body movements.
As a conclusion, I would like to answer 2 more questions that may arise during the reading of the material.
Do I need an FSB license to import encryption?
Not. Despite the similar names, the Minpromtorg licenses for the import of encryption facilities and the FSB licenses for operations with encryption facilities are completely different branches of the law.
What documents regulate the importation of encryption tools into the territory of the Russian Federation?
Decision of the Board of the Eurasian Economic Commission on August 16, 2012. â„–134 "On regulatory legal acts in the field of non-tariff regulation" approved:
- “A single list of goods subject to prohibitions or restrictions on the importation or exportation by member states of a customs union in the framework of the Eurasian Economic Community in trade with third countries”, including a list of encryption (cryptographic) means, the importation of which into the customs territory of the Customs Union and export from the customs territory of the Customs Union is limited (hereinafter referred to as List 2.19).
- Provisions on the application of restrictions, including the Regulation on the procedure for importation into the customs territory of the Customs Union and export from the customs territory of the Customs Union of encryption (cryptographic) means (hereinafter - the Regulation on Importation).
All ECE documents are published on the official website www.tsouz.ru .
Source: https://habr.com/ru/post/234491/
All Articles