Android app license question

[Envy Android]

Hi there!

I want to create a note taking app, for android, that encrypts the users note 
contents using sqlcipher.

Just to make sure I understand your license properly (http://sqlcipher.net/license),

can I use the "sqlcipher for android" library in my app,

as long as I include the sqlcipher license text in the app (for example visible in the settings menu)?

Am I also allowed to publish the app as a paid application?

And another question:
I understand that there are some rules and laws in the united states, about 
export and cryptography, which you have to agree upon, when you are publishing 
apps to google play, 

have you had any questions about this before? 

Does using sqlcipher in an app, fall under these export laws? 

Thanks! :)

[Nick Parker]

Hello,

With regard to the SQLCipher for Android licensing, you must comply with
the SQLCipher license, Android license, OpenSSL license, and ICU license.

If you will export any application containing strong encryption
(including one that uses SQLCipher) you must ensure that you are
complying with the BIS / DOC export requirements.

We've discussed this with export counselors at the BIS and they have
advised that, at least for mass market products, each party marketing
and exporting an application that includes encryption is responsible for
their own classification and reporting, and thus the application
developer has a responsibility to obtain an ERN. In addition, the
developer would be responsible for filing yearly self-classification
reports [1] that list every product that uses encryption. In terms of
the process, there is a good overview of how to get an ERN using the
SNAP-R system on the BIS website that includes explicit screenshots [2].

That said, we aren’t attorneys or export control experts. Use this
information at your own discretion and consult an expert if you need
guidance. For instance, the BIS export counselors can be very helpful
[3] and they even have some folks that specialize on the crypto
requirements. It might be worth a call. If you do chat with the BIS
coordinators or other counsel, you could mention that your application
would be distributed commercially and that the underlying encryption
library was previously classified as mass market under ECCN 5D992c.

[1] http://www.bis.doc.gov/index.php/policy-guidance/encryption/reporting
[2] http://www.bis.doc.gov/index.php/policy-guidance/encryption/registration
[3] http://www.bis.doc.gov/forms/formslist.html

> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "SQLCipher Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to sqlcipher+...@googlegroups.com
> <mailto:sqlcipher+...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.

--
Nick Parker

[Envy Android]

Thanks for your reply!

I was not aware that it would be such a comprehensive process.

I did email ECD...@bis.doc.gov about a month ago, without getting any answer.

Guess I should give them a call.

Thanks again!

[Mark Carter]

Any updates on this?

Is the ERN supposed to be for when user data is being encrypted. What if the app is just reading a decrypted database and not encrypting anything?

I'm still not clear what exactly needs to go in the Copyright/Settings screen.

[Nick Parker]

Hello Mark,

We've codified our understanding of the export requirements as it
relates to SQLCipher here:

https://discuss.zetetic.net/t/export-requirements-for-applications-using-sqlcipher/47

On 8/24/14 10:22 AM, Mark Carter wrote:
> Any updates on this?
>
> Is the ERN supposed to be for when user data is being encrypted. What if
> the app is just reading a decrypted database and not encrypting anything?
>
> I'm still not clear what exactly needs to go in the Copyright/Settings
> screen.
>
> On Saturday, 22 March 2014 03:38:47 UTC+7, Envy Android wrote:
>
> Thanks for your reply!
>
> I was not aware that it would be such a comprehensive process.
>

> I did email ECD...@bis.doc.gov <javascript:> about a month ago,

> <https://groups.google.com/d/optout>.
>
> --
> Nick Parker

[Mark Carter]

Thanks Nick. It looks like using strong encryption to protect copyrighted data excludes this ERN requirement, which has me covered I think.

"Is the encryption functionality limited to intellectual property or copyright protection functions?

The former regulatory language explicitly identified certain products as not controlled under ECCN 5A002 if the encryption functionality was limited to certain intellectual property or copyright protection functions. Note 4 of this rule completely removes the identified products from Category 5, Part 2. See “What items are removed from encryption controls? ” for additional guidance."

[Stephen Lombardo]

Hi Mark,

We really can't provide any guidance on whether your application is, or is not, compliant with the regulations. We merely state that SQLCipher includes strong encryption, that the primary intended uses of the library are not exempt, and that individual developers are responsible for compliance with the regulations. 

It is our strong recommendation that you contact the BIS Export Councilors (http://www.bis.doc.gov/index.php/about-bis/contact-bis) to determine whether you have a valid exemption under the ERN or not. The penalties for non-compliance are significant, so it would be prudent to verify (better safe than sorry).

Cheers,

Stephen

--

Stephen Lombardo | Zetetic LLC | +1-908-229-7312 | sjlom...@zetetic.net

To unsubscribe from this group and stop receiving emails from it, send an email to sqlcipher+...@googlegroups.com.

[Mark Carter]

Thanks Stephen - I will be safer than sorrier!