Export compliance documentation for encryption

I am building iOS apps that use Bluetooth LE via CoreBluetooth and make calls over ATS/HTTPS, both of which make use of encryption, which requires a declaration in AppStoreConnect.


AppStoreConect then links to this document:

https://help.apple.com/app-store-connect/#/devc3f64248f

which states that for ATS/HTTPS or "encryption limited to that within the Apple operating system" (the latter should be applicable for Bluetooth), "No documentation required in App Store Connect.", but I should "Submit a Self Classification Report to the U.S. Bureau of Industry and Security (BIS) directly."


So I end up with "App Uses Non-Exempt Encryption : No" and tried to create such a report, which basically consists of a simple spreadsheet listing some product details, but now I am totally lost trying to figure out what to use for these three colums, in particular the first one:


ECCNAUTHORIZATION TYPEITEM TYPE


There are documents that discuss possible values for these entries, but they are harder to decypher than the crypto in question here...😕


Is there a simple table or official statement which tells what to use for the very basic case of an app that is exclusively using HTTPS and other built-in crypto, such as Bluetooth, Wifi, etc.?


Has anyone ever figured out the proper entries for this common case?

Up vote post of LPG Down vote post of LPG
3k views
Posted by
LPG
Reply
Add a Comment

Replies

I researched this question and concluded that my app (which like yours, uses iOS Bluetooth and HTTPS/TLS, both directly and via Firebase's underlying BoringSSL library) should be classified "Mass Market" and ECCN = 5D992 (some say 5D992.c, but others say the report should not include the trailing letter).

The references I used include:
  official government site regarding the annual report from bis.doc.gov/index.php:
/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification

  official government site regarding “mass market” from bis.doc.gov/index.php:
/policy-guidance/encryption/3-license-exception-enc-and-mass-market/a-mass-market

  from SuperTop.co's blog (blog.supertop.co):
/post/162562874252/reporting-app-encryption-use-to-the-us-government 
(use Authorization Type = MMKT, ECCN = 5D992.c)

  stack overflow discussion: https://stackoverflow.com/questions/48462206/annual-self-classification-report 
(suggests using ECCN = 5D992)

  government explanation of report fields, from ecfr.gov:
/cgi-bin/retrieveECFR?gp=1&SID=4150cfbf028e9a85574385383a581f47&h=L&mc=true&n=pt15.2.742&r=PART&ty=HTML#ap15.2.742_119.6 

Docebo.com's guidance page:
/knowledge-base/export-compliance-and-self-classification-report-for-encryption-items/

(sorry the forum won't let me paste complete URLs, but they should be reconstructable from the above)
Posted by
Musical Steve
Up vote reply of Musical Steve Down vote reply of Musical Steve
Add a Comment