[Cryptography] Export controls [was: Re: NSA's FAQs Demystify the Demise of Suite B]

Andrew Donoho awd at ddg.com
Sun Feb 14 11:06:25 EST 2016


> On Feb 13, 2016, at 12:47 , John Gilmore <gnu at toad.com> wrote:
> 
> The only folks who have to deal with US export controls on crypto these
> days, as I understand it, are those who build custom, proprietary
> software; or those who build hardware custom designed for
> cryptanalysis (like a DES cracker).

> On Feb 14, 2016, at 04:55 , Allen <allenpmd at gmail.com> wrote:
> 
> If neither of the above apply, then US persons either have to register or find a registration exemption and comply with the terms of the exemption, which might include notification.  That to me qualifies as "dealing with US export controls".

Gentlemen,

	IANAL; I am an iOS developer. Check with your attorney. Yada, yada, yada …

Context:

	I recently took my product, Spot marks the taX, a cryptographically private, legally durable location tracking iOS app, link below, through this process. I requested that it be classified as a commodity. It uses AES-256, HMAC-SHA-256, RSA-2048 signature validation (SHA-256). It was granted export authorization in about a week last August with an EAR99. Without obtaining this designation or similar, Apple would not let my app on the international App Store. I could restrict myself to U.S. only sales and avoid BIS.

Commentary:

	Spot is a sophisticated user of cryptographic technology. Hence, I checked with my attorneys before entering this process. 

	If we read Mr. Gilmore’s statement “… custom, proprietary software” as intended to mean "custom, proprietary crypto algorithm containing software,” then he is correct and this is largely a non-issue. But that is not how I’ve been advised to read these regulations. Any software that uses crypto, such as Spot, is “custom, proprietary software” and must register. (Before you claim this interpretation is part of the lawyer full employment conspiracy, I filed all of the documents with the government myself. It was quite straightforward. No lawyers were involved after my initial consultation.)

	IOW, any app that connects to a secure REST service must declare that use and then secure the above EAR99. Facebook apps or enterprise apps? It doesn’t matter; they must register with BIS. Any app that follows Apple’s guidelines and uses secure URLs (https://) in a web view must also register. All of the above applies to Android devices too.

	I was shocked too.

	I read the regulations and have to reluctantly agree with my attorneys. This is not some careful parsing of a legal interpretation. I tried looking at the Note 4 Decontrols. While I could squint at the regulations and almost see a way past them, I came to the conclusion that I could not avoid them.

	I doubt most any networked mobile app can avoid them either.

Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
awd at DDG.com, +1 (512) 750-7596, twitter.com/adonoho

New: Spot marks the taX™ App, <http://SpotMarksTheTaX.com>
Retweever Family: <http://Image.Retweever.com>, <http://Retweever.com>

"To take no detours from the high road of reason and social responsibility."
   -- Marcus Aurelius
