<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><blockquote type="cite" class="">On Feb 13, 2016, at 12:47 , John Gilmore <<a href="mailto:gnu@toad.com" class="">gnu@toad.com</a>> wrote:<br class=""><br class="">The only folks who have to deal with US export controls on crypto these<br class="">days, as I understand it, are those who build custom, proprietary<br class="">software; or those who build hardware custom designed for<br class="">cryptanalysis (like a DES cracker).<br class=""></blockquote><div class=""><br class=""></div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 14, 2016, at 04:55 , Allen <<a href="mailto:allenpmd@gmail.com" class="">allenpmd@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><span style="font-family: Georgia; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">If neither of the above apply, then US persons either have to register or find a registration exemption and comply with the terms of the exemption, which might include notification. That to me qualifies as "dealing with US export controls".</span><br style="font-family: Georgia; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div>Gentlemen,<div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><span class="Apple-tab-span" style="white-space:pre"> </span>IANAL; I am an iOS developer. Check with you attorney. Yada, yada, yada … <br class=""><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Context:</div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>I recently took my product, Spot marks the taX, a cryptographically private, legally durable location tracking iOS app, link below, through this process. I requested that it be classified as a commodity. It uses AES-256, HMAC-SHA-256, RSA-2048 signature validation (SHA-256). It was granted export authorization in about a week last August with an EAR99. Without obtaining this designation or similar, Apple would not let my app on the international App Store. I could restrict myself to U.S. only sales and avoid BIS.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Commentary:</div><div class=""><br class=""><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>Spot is a sophisticated user of cryptographic technology. Hence, I checked with my attorneys before entering this process. </div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>If we read Mr. Gilmore’s statement “… custom, proprietary software” as intended to mean "custom, proprietary crypto algorithm containing software,” then he is correct and this is largely a non-issue. But that is not how I’ve been advised to read these regulations. Any software that uses crypto, such as Spot, is “custom, proprietary software” and must register. (Before you claim this interpretation is part of the lawyer full employment conspiracy, I filed all of the documents with the government myself. It was quite straightforward. No lawyers were involved after my initial consultation.)</div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>IOW, any app that connects to a secure REST service must declare that use and then secure the above EAR99. Facebook apps or enterprise apps? It doesn’t matter; they must register with BIS. Any app that follows Apple’s guidelines and uses secure URLs (https://) in a web view must also register. All of the above applies to Android devices too.</div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>I was shocked too.</div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>I read the regulations and have to reluctantly agree with my attorneys. This is not some careful parsing of a legal interpretation. I tried looking at the Note 4 Decontrols. While I could squint at the regulations and almost see a way past them, I came to the conclusion that I could not avoid them.</div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>I doubt most any networked mobile app can avoid them either.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div class="">
<div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Anon,<br class="">Andrew<br class="">____________________________________<br class="">Andrew W. Donoho<br class="">Donoho Design Group, L.L.C.<br class=""><a href="mailto:awd@ddg.com" class="">awd@DDG.com</a>, +1 (512) 750-7596, <a href="http://twitter.com/adonoho" class="">twitter.com/adonoho</a><br class=""><br class="">New: Spot marks the taX™ App, <<a href="http://spotmarksthetax.com" class="">http://SpotMarksTheTaX.com</a>><br class="">Retweever Family: <<a href="http://image.retweever.com" class="">http://Image.Retweever.com</a>>, <<a href="http://retweever.com" class="">http://Retweever.com</a>><br class=""></div><div style="orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""></div><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; orphans: auto; text-align: start; text-indent: 0px; widows: auto; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">"To take no detours from the high road of reason and social responsibility."<br class=""> -- Marcus Aurelius<br class=""></div></div></div></div>
</div>
<br class=""></div></div></body></html>