Obtain Documents for Complying with Encryption Export Regulations
Closed, Resolved (Public)

apollozhu triaged this task as High priority.
apollozhu moved this task from Ideas to In progress on the KDE Connect board. Feb 28 2022, 4:59 AM

Export Compliance Information
Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?

  • Yes
  • No

Make sure that your app meets the criteria of the exemption listed below. You are responsible for the proper classification of your product. Incorrectly classifying your app may lead to you being in violation of U.S. export laws and could make you subject to penalties, including your app being removed from the App Store.

You can select Yes for this question if the encryption of your app is:
(a) Specially designed for medical end-use
(b) Limited to intellectual property and copyright protection
(c) Limited to authentication, digital signature, or the decryption of data or files
(d) Specially designed and limited for banking use or “money transactions”; or
(e) Limited to “fixed” data compression or coding techniques

You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations.

To my best understanding of relevant information, KDE Connect iOS might be exempt because:

  1. We only use encryption to authenticate with the other pairing device and present a digital signature of the other device for users to confirm, thus qualifying under criterion (c).
  2. Or even, not subject to the EAR per "Publicly Available": https://www.bis.doc.gov/index.php/policy-guidance/encryption/1-encryption-items-not-subject-to-the-ear

adridg added a subscriber: adridg. Mar 11 2022, 8:41 PM

I have gone through Flowchart 1 (in the Encryption Links box in the lower-left of https://www.bis.doc.gov/index.php/encryption-and-export-administration-regulations-ear ) and end up in the Publicly available end state. The instructions on https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-742/section-742.15 say "send an email", so that seems like a safe thing to do. Something along the lines of "for authentication (pairing) only, and the source is available at some-KDE-invent-location". I'm counting on the KDE Connect people to accurately characterize the use of crypto in the application. You might have to answer no specifically here, unless you've determined exemption (c) applies, so that you can see if the other not-required cases pop up later in the form.