Legal Basis for Using Personal Cryptography

Returning to the issue of the confidentiality of personal information when using the services of telecom operators, I did a little monitoring of the legal aspects. I monitored the legislation of Ukraine; I do not think that it is significantly different from the Russian one.

Questions I wondered about:
- Are communication operators required to ensure confidentiality when using communication services?
- What is their responsibility for breach of confidentiality?
- Is it legal to use technical and cryptographic protection of information (TZI and CPI) for personal use?
- What is the procedure for the use of CPI and TZI for personal use?
- What is the responsibility for violating the procedure for the use of CPI and TZI for personal purposes?

Important points:
- we are talking about individuals;
- we are talking about information that does not fall under the definition of “information with limited access” (ISOD)
Substantially updated.

Telecom operators


Let's start with the simple part: the duties and responsibilities of telecom operators.
Law of Ukraine "On Telecommunications"
...
Article 32. Rights of consumers of telecommunication services
1. Consumers, when ordering and/or receiving telecommunication services, have the right to:
1) state protection of their rights;
...
3) security of telecommunication services; (Information security of telecommunication networks: the ability of telecommunication networks to ensure protection against destruction, distortion, or blocking of information, its unauthorized leakage, or violation of the established procedure for its routing)
...
12) compensation for damages caused by the non-performance or improper performance by a telecommunications operator or provider of obligations stipulated by the contract or by law;
13) appealing against unlawful actions of telecommunications operators and providers by applying to the court and to authorized state bodies;
...
Article 39. Obligations of telecommunications operators and providers
1. Telecommunications operators are obliged to:
...
17) take measures to prevent unauthorized access to telecommunication networks and to the information transmitted by these networks;
...
4. Telecommunications operators are obliged, at their own expense, to install on their telecommunication networks the technical means necessary for authorized bodies to carry out operational-search measures, and to ensure the functioning of these technical means, as well as, within their powers, to assist in carrying out operational-search measures and to prevent disclosure of the organizational and tactical methods of conducting them. Telecommunications operators are obliged to protect these technical means from unauthorized access.
...
Article 40. Liability of telecommunications operators and providers
3. Nutritional awareness of people living in a church, sitting at a gymnasium, listening to a meeting, and meeting at a meeting with a non-depositary visitor, an operator, and a telecomunication provider under the agreement on a telecomunication with an operator, a telecomunication provider under the agreement on a telecommution, an operator, and a member of the public
4. Telecommunications operators and providers are not liable for the content of information transmitted over their networks.

Article 41. Personnel of telecommunications operators and providers
...
2. The operator, the telecom, In the interests of national security, defend and protect the rule of law.


Law of Ukraine "On Protection of Information in Information and Telecommunication Systems"
Article 5. Relations between the owner of information and the owner of the system
The owner of the system ensures the protection of information in the system in the manner and on the terms specified in the contract concluded with the owner of the information, unless otherwise provided by law.
The owner of the system, at the request of the owner of the information, provides information regarding the protection of information in the system.
...
Article 9. Ensuring the protection of information in the system
Responsibility for ensuring the protection of information in the system rests with the owner of the system.
...

Thus we see that, despite the declared responsibility for protecting information in the system that processes it, the law contains no provision making the operator directly liable for a breach of confidentiality when communication services are used; the operator's personnel, however, can be held liable in court (which is very convenient for the telecom operator). Let me remind you that ISOD and information owned by the state are a separate topic.

Cryptographic Information Security


Next, the use of cryptography for personal purposes.

The Law of Ukraine "On Licensing of Certain Types of Economic Activity"
Article 2. Scope of the Law
This Law applies to all business entities.
...
Article 9. Types of economic activity subject to licensing
...
14) development, manufacture, use, operation, certification testing, thematic research, examination, import and export of cryptosystems and means of cryptographic protection of information, provision of services in the field of cryptographic protection of information (except for electronic digital signature services), trade in cryptosystems and means of cryptographic protection of information;
...
16) development, manufacture, implementation, maintenance, and study of the effectiveness of systems and means of technical protection of information, provision of services in the field of technical protection of information;
...
Article 22. Liability for violation of the norms of this Law

Officials of the licensing body and of the specially authorized body for licensing matters bear liability in accordance with the law in the event of non-compliance with licensing legislation.

Financial sanctions in the form of fines, in the amounts established by law, are applied to business entities for carrying out economic activity without a license.

These fines are directed to the State Budget of Ukraine.

The decision to impose the fines is taken by the body that, in accordance with the law, exercises control over the enforcement of licenses.
...

REGULATION on the Procedure for Cryptographic Protection of Information in Ukraine
1. This Regulation determines the procedure for the cryptographic protection of information with limited access, the disclosure of which causes (may cause) harm to the state, society, or an individual.
...
4. Licentiousness
5. DerzhavnŃ– organizations, organizations, establish Ń– organizatsŃ–Ń— add, bring to a .......................... page page page page page page 5. page page 5. page page page Ń– Ń– page page Ń– page Ń– Ń– page page Ń– page Ń– app page 15
...
8. For the cryptographic protection of confidential information, cryptosystems and means of cryptographic protection that have a certificate of conformity are used.
9. The order of production of the
...

The Law of Ukraine “On the State Service of Special Communication and Information Protection of Ukraine”
...
Article 16. Duties of the State Service of Special Communication and Information Protection of Ukraine:
...
16) setting up a vikhorax power, or information with access, vimoga scooped by law;
17) issuing, in accordance with the requirements of legislation, licenses for carrying out economic activity in the fields of cryptographic and technical protection of information, as well as permits for state authorities to carry out work on the technical protection of information ...
18) Organizational Coordination of Human Rights
...

Thus, even the use (!) of any kind of cryptography requires a CPI license, and CPI systems may use only those means that were imported in accordance with the requirements of the legislation and for which the corresponding expert opinion was issued. Unlike cryptographic protection (CPI), TZI tools (antivirus, antispam, access control, protection against leakage, etc.) can be used without a license, but keep households. The implementation of TZI is also subject to licensing.

Conclusion


Summarizing all the above, I can say that my shallow analysis of this topic showed that the rights of individuals to the confidentiality of personal communication are not only not protected, but are also significantly limited by law. The use of CPI for personal use is fraught with responsibility. Telecom operators shift the responsibility for breach of confidentiality to their employees.

I should add right away that I did not get into the depths of the regulatory documentation, where there could be a relaxation of the ban on unlicensed use of CPI tools, which still does not protect the rights of individuals in networks where the use of such tools is difficult (telephone, SMS).

If I have made a blunder somewhere, please correct me and I will include the amendments in the text.

P.S. We must pay tribute to the State Service for Special Communication and Information Protection: all the necessary laws and regulations are easy to find on their website.

UPD: As I mentioned, my research was superficial. I was told that an individual is not a “business entity”, which changes the picture. It then turns out that the right of an individual to use cryptographic protection for personal purposes, not related to economic activity, is in fact clearly not regulated by law (with the exception of the norm for importing cryptographic protection).

The above licensing restrictions on the use of CPI tools apply to business entities. Thus, individuals have the opportunity to use cryptographic protection for personal purposes, but should be aware that if their activities fall under the definition of “economic activity”, the restrictions will apply to them.

A more detailed study of the legislative base did not reveal the procedure for using cryptographic protection for individuals. I apologize for misleading readers.

Thanks Rustam.

Source: https://habr.com/ru/post/96386/