Much has already been said about the danger of introducing selfies with passports to anyone, both in the media and on various Internet resources. But, nevertheless, the problem not only remains, but also gets worse.
On October 1 of last year, the certifying center of JSC "Kaluga Astral" announced the introduction of new Regulations on document verification. This was already written about in October last year.
The main change in the new Regulation of JSC "Kaluga Astral" is the mandatory provision of selfies with the passport of the General Director of any company (except for budget organizations), which receives or has received an electronic signature and certificate in the Certification Center (TC). It is impossible to get an electronic signature without such a photo.
Providing one's own passport photo is a very serious risk for the subject of personal data to become an object of fraud. Selfish with a passport is actively used for fraudulent activities, first of all - for obtaining online loans in microfinance organizations, but not only. There is also a black market in the darn Internet with such selfies, and their professional buyers, for example, the "Sellers' Union" or "Vilochnikov Forum". The recent story of a killer driver on a cartwheeled Mercedes received by a front man, or obtaining loans from banks are illustrative. There is a lot written about it, it is enough to google and read, for example, this or this.
Unfortunately, the "provision of selfies with a passport" has directly affected our agency. I honestly tried to solve the problem in a good way, having addressed in technical support, and then - to the head of the center of competence of UC JSC "Kaluga Astral", but it did not work out in a good way. Therefore, by publishing this post and, apparently, further, we will send complaints to various authorities - the Ministry of Communications, Roskomnadzor and the Prosecutor's Office.
So... It's impossible to get a signature and a certificate without selfies. As an argument the head of the Center of competence of UC refers to article 18 of the Federal law No. 63-FZ "About the electronic signature". We read. "When applying to an accredited certification center the applicant ... presents the following documents or their duly certified copies and information:
1) the main identity document;
2) number of insurance certificate of the state pension insurance of the applicant - natural person;
3) identification number of the taxpayer of the applicant - natural person;
4) main state registration number of the applicant - legal entity;
5) main state registration number of the entry on state registration of an individual entrepreneur of an individual applicant - individual entrepreneur;
6) number of the certificate of registration with the tax authority of the applicant - foreign organization (including branches, representative offices and other separate subdivisions of the foreign organization) or the taxpayer identification number of the applicant - foreign organization;
7) power of attorney or other document confirming the applicant's right to act on behalf of other persons".
This is all. Point. The list is closed. The law does not provide for the BYGCA rights to request any additional documents. The BYGCA must obtain a part of documents independently from state information resources. Information about the issued qualified certificate is forwarded to the Unified Identification and Authentication System (UIIA). The procedure finishes here.
But in the BYGCA "Kaluga Astral" I was rather aggressively informed that in part 2 of article 18 of the law No. 63-FZ obligatory documents are specified, the list of documents necessary for release of the electronic signature is open, and the BYGCA at own discretion has the right to request additional documents (such as a photo with the passport). It is a very interesting understanding of the law norms, or rather an obvious violation thereof.
My question about the legality of the BYGCA request in such a case, for example, certificates from psycho- and drug dispensaries, information about the payment card number from CVV2 and other documents was simply ignored.
Such substantiation of the possibility of reclaiming selfies as the availability of a license of the Federal Service for Technical and Export Control of the Russian Federation for the development and/or production of confidential information protection means was especially touching. Here we will make a pause for comprehension of such interesting idea. The argument about necessity of presentation of selfi rather interesting, it is stated in an explanation on a site of the BYGCA partner, the reference to which is given above: "in connection with the increasing cases of fraud at delivery of electronic signatures and for minimization of risks of BYGCA and Partner employees". The company considers as a basis for such actions (attention!) the offer of the Ministry of Communications to supplement the Criminal Code with the article establishing criminal responsibility for deliberate infringement of obligations provided by the legislation in the sphere of electronic signatures, in particular, introduction in the Criminal Code of the Russian Federation of new article 200.6 "Intentional infringement of obligations provided by the legislation of the Russian Federation in the sphere of electronic signatures". The draft law has such a provision (not at all where the reference in the publication leads), but it mainly concerns the law 63-FZ, including the specification of the procedure of identification of the applicant (and there is no word about selfies there, of course), and criminal liability is provided for officials of the accredited certification centre and officials of the authorized representative of the accredited CA for intentional violation of the procedure of issuing (delivering) a qualified electronic signature verification key certificate.
That is, we don't want to get under criminal responsibility, so we will violate your rights, illegally demand documents that pose a real threat for you. Iron logic.
Meanwhile, the bill has not only not been passed, but even introduced to the Duma and stuck at the stage of posting on the portal https://regulation.gov.ru/, not even reaching the stage of regulatory impact assessment. And it does not matter in this case, it is not about selfies anyway.
Those who require an electronic signature will be able to choose another BYGCA in which it is not necessary to send selfies with a passport and expose themselves to unnecessary risks.
The exit with identification is very simple - use of ESPIA. For biometric identification of bank clients it was decided almost instantly. There would be will and desire. And there would be no need to break the law.