
Encryption and export license for an App Store or Google Play app

My iOS app uses crypto++ as a static library for confidentiality. Since this library is open-sourced, and thus visible to any would-be wrong-doers as it is, common sense implies that there should be no hassle. However, based on Category 5, Part 2 of the US Export Administration Regulations, my app does NOT seem to be exempt explicitly, but I cannot tell for sure as law tends to be a convoluted mess of exceptions and random hair-splitting, so I wish to ask those of you with actual experience with including an open-source encryption library in your apps (Android advice is OK, too):

Do I need to go through all that hassle of getting an EAR approval?

My iOS app uses crypto++ as a static library for confidentiality...
However, based on Category 5, Part 2 of the US Export Administration Regulations, my app does NOT seem to be exempt explicitly...

Correct. Export regulations apply to encryption technologies.

There are some exemptions. For example, you don't need an export license if the key size is 63 bits or less because a License Exemption is provided. You are also allowed to build test systems and ship the test systems without a license.

If you fall into this category, you still have to self-classify. You just don't need a license. When you fill out paperwork, you write "NLR - No License Required". But this probably isn't you...

If you were using cryptography for authentication only (and not encryption), then you would not need an export license. Or if you are distributing your app to beta testers through TestFlight, then you don't need an export license. However, Apple still requires the license because they do not take the time to differentiate between encryption and authentication, or beta testing versus release...


Since this library is open-sourced, and thus visible to any would-be wrong-doers as it is, common sense implies that there should be no hassle...

Your app has different requirements than the underlying crypto library it uses. What the underlying library is required to do and what you are required to do are two different things.

For example, OpenSSL and Crypto++ fall under EAR 734 and 740, and they only need to send an email to the BIS and Encryption Coordinator with a link to their website and source code. You have to do more...


Do I need to go through all that hassle of getting an EAR approval?

Yes. In the end, all you need to do is sign up for a SNAP-R account and self-classify. When you self-classify, you look up some codes, fill out some paperwork, assemble some additional documentation, and then submit it to BIS and the Encryption Coordinator.

After submission, the BIS waits for the Encryption Coordinator to object or reject the application. After 30 days of silence from the Encryption Coordinator, the BIS issues the license.

By the way, the Encryption Coordinator is the NSA. That's their Fort Meade mailing address.


... I wish to ask those of you with actual experience with including an open-source encryption library in your apps

I've shepherded 3 libraries and 1 app through the process. Of the libraries, one library was OpenSSL-based and one library was Crypto++-based. None of them were rejected.


... I cannot tell for sure as law tends to be a convoluted mess of exceptions and random hair-splitting...

Off-topic, but the ladies at the BIS are very good. You call the number and a real person answers. And they are quite knowledgeable. They are the ones who told me about the testing exemptions.

To speak with those knowledgeable ladies, here's the name of the office you are looking for: Office of Exporter Services, Encryption Division. Their phone number shows up on Google searches (it's easy once you know the office name).


Related, this is probably the information you seek: how to do it. Zetetic has a good set of instructions at Mass Market Encryption CCATS Commodity Classification for iPhone Applications in 8 Easy Steps. It's what I used for my first one years ago.


(comment) and if I want to publish an Android version of the same app on Google Play, can I reuse the license, or do I need to do it over?

Yes. The license is issued for the application, not the Play Store.


(comment) What about updates that do not touch crypto++, but expose an additional algorithm for the user to choose from in the UI, i.e. first I want to use only RSA for digital signatures, but in the next version I want to add ECDSA as a choice?

I don't recall. Call the ladies at the Office of Exporter Services, Encryption Division. They really are very helpful.

If you are adding or modifying core encryption routines (which is what this stuff covers), then you will likely need to update the existing application or reclassify.

If you are just changing signing algorithms, then it's just entity authentication and it likely will not require an update to the existing application or a reclassification.

I asked a similar question: it was about naming a product and (re)branding with no crypto changes. In my case, renaming did not require a reclassification.
