Apple email about France encryption law


BrendanD

Jul 7, 2011, 2:19:14 PM
to SQLCipher Users
Hi,

I got an email from Apple telling me that if I want to sell my app in
France then I need to get export compliance certification again, just
like I did for the US.

Does anyone know how to do that? They provided some links in the
email, but they're mostly in French and there's no "click here to get
export compliance" link or something like that.

Here's the email:

-----------------------------------------------------------
Starting in the first week of July, apps that meet the following
criteria are required to comply with French Encryption Laws/
Regulations if you intend to distribute your app in France.
This requirement applies to apps that use, access, implement, or
incorporate:
(a) any encryption algorithm that is yet to be standardized by
international standard bodies such as IEEE, IETF, ISO, ITU, ETSI,
3GPP, TIA, etc. or not otherwise published; or
(b) standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s)
instead of or in addition to accessing or using the encryption in iOS
and/or Mac OS X
Apple will require you to upload a copy of your approved French
declaration when you submit your app to the App Store.
Relevant French encryption regulations can be found at:
http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000005789847&dateTexte=#LEGIARTI000006421577
http://www.ssi.gouv.fr/archive/fr/reglementation/regl_crypto.html
http://www.ssi.gouv.fr/site_article195.html
http://www.ssi.gouv.fr/site_article197.html

Regards,
Apple Export Compliance

-------------------------------------------------------------

Since I'm using SQLCipher and not the built-in encryption, I'm
guessing that I need to get the "approved French declaration"
document.

Any help would be greatly appreciated. If I can't figure it out, when
I submit my next update I'll have to remove my app from sale in
France.

Thanks,

Brendan

Billy Gray

Jul 7, 2011, 2:39:35 PM
to sqlc...@googlegroups.com
On Thu, Jul 7, 2011 at 2:19 PM, BrendanD <bren...@gmail.com> wrote:
> Does anyone know how to do that? They provided some links in the
> email, but they're mostly in French and there's no "click here to get
> export compliance" link or something like that.

Nope. We got one, too. Google Translate is no help, either. For now we're going to have to pull our apps from the French store. It's a shame we were given such late notice. 

> Since I'm using SQLCipher and not the built-in encryption, I'm
> guessing that I need to get the "approved French declaration"
> document.

You will have to get it, but not because you are using SQLCipher; you have to get it because you are using encryption. Software using Apple's system-supplied crypto is not exempt from export compliance in the US or with regard to this new French law, it appears. Contrary to popular belief, Apple Legal and US BIS have made it clear to us that we need to apply for crypto export compliance even when we are using only Apple's system-supplied crypto.

For anyone else who has been under that impression:

We were informed recently by BIS that we also had to apply for export compliance for SQLCipher just for publishing it on Github, despite the fact that it's open source. Same for the binaries that we distribute. Once you publish software without being in compliance with export controls, you have to go through a process of informing BIS, and a minor investigation ensues before you can be granted license to "export" (i.e. distribute the software on the Internet). SQLCipher's source and the binaries we distribute are now within export control compliance.

I wonder what that means for forks on Github?

Regards,
Billy

--
Team Zetetic
http://zetetic.net

Brendan Duddridge

Jul 7, 2011, 3:56:35 PM
to sqlc...@googlegroups.com
Thanks for the response Billy.

Someone on the Apple developer forums said they contacted Apple about it and they said you don't have to worry about it if you're just using Apple's built-in encryption in iOS or MacOS.

https://devforums.apple.com/message/479168

Anyway, I'll just turn off France for my next update. Kinda sucks though since I'll be losing sales.

By the way, when I tried to view my message on the group, Google told me it has expired or has been deleted. Odd.

Thanks,

Brendan

Stephen Lombardo

Jul 7, 2011, 5:37:11 PM
to sqlc...@googlegroups.com
Hi Brendan,

We just migrated the group as part of the whole google apps transition today. Could you try logging in / out and see if that fixes the issue with viewing the message online?

With regard to the French declarations, today we were internally discussing the possibility of a future SQLCipher release that would take advantage of built in crypto on iOS. We haven't fully decided to pursue this so we can't make any promises, but this would have the potential to bypass these French requirements (though they would have no impact on US export registration).

Cheers,
Stephen

BrendanD

Jul 7, 2011, 5:42:13 PM
to SQLCipher Users
Hi Stephen,

Ok, logging out and logging back in corrected the Google Groups issue.

I'm all for using the built-in iOS / MacOS encryption services. As
long as it would be compatible with existing encrypted database files.

Thanks!

Brendan

On Jul 7, 3:37 pm, Stephen Lombardo <sjlomba...@zetetic.net> wrote:
> Hi Brendan,
>
> We just migrated the group as part of the whole google apps transition
> today. Could you try logging in / out and see if that fixes the issue with
> viewing the message online?
>
> With regard to the French declarations, today we were internally discussing
> the possibility of a future SQLCipher release that would take advantage of
> built in crypto on iOS. We haven't fully decided to pursue this so we can't
> make any promises, but this would have the potential to bypass these French
> requirements (though they would have no impact on US export registration).
>
> Cheers,
> Stephen
>
> On Thu, Jul 7, 2011 at 3:56 PM, Brendan Duddridge <brend...@gmail.com> wrote:
>
> > Thanks for the response Billy.
>
> > Someone on the Apple developer forums said they contacted Apple about it
> > and they said you don't have to worry about it if you're just using Apple's
> > built-in encryption in iOS or MacOS.
>
> > https://devforums.apple.com/message/479168
>
> > Anyway, I'll just turn off France for my next update. Kinda sucks though
> > since I'll be losing sales.
>
> > By the way, when I tried to view my message on the group, Google told me it
> > has expired or has been deleted. Odd.
>
> > Thanks,
>
> > Brendan
>
> > On Thu, Jul 7, 2011 at 12:39 PM, Billy Gray <wg...@zetetic.net> wrote:
>

BrendanD

Jul 16, 2011, 6:16:41 PM
to SQLCipher Users
I was reading the FAQ Apple has in iTunes Connect about export
compliance for products that use encryption and I came across these
scenarios:

Sample Scenarios

Scenario 1: An app uses or accesses only encryption algorithms
provided in iOS or Mac OS for its security features
-- Only US Encryption Registration (ERN) will be required (even if the
app is distributed in France)

Scenario 2: An app uses or accesses encryption algorithms provided in
iOS or Mac OS and implements an industry standard algorithm not yet
implemented in iOS for its security features
-- US Encryption Registration (ERN) and French Import Declaration
approval are required

Scenario 3: A developer implements his own proprietary encryption
algorithm(s) for security features in an app
-- Both US CCATS and French Import Declaration approval are required

Scenario 4: A developer chooses to release app, that uses only
encryption provided in iOS or Mac OS, only in France.
-- Only US Encryption Registration (ERN) is required

Scenario 5: A developer chooses to release his app, that has
proprietary encryption, only in France.
-- Both US CCATS and French Import Declaration Approval are required

Scenario 6: A developer chooses to release his app, that has
proprietary encryption, all other countries except France.
-- Only US CCATS is required

Scenario 7: A developer chooses to release his app in the U.S. and
Canada only.
-- No U.S. CCATS or ERN is required. No France Import Declaration is
required.


Well, I don't have a US Encryption Registration (ERN) for my app, but
I do have a CCATS and went through all that rigamarole a long time
ago. SQLCipher I believe implements industry standard algorithms does
it not? So I would see an 8th scenario: "An app uses or accesses
encryption algorithms provided in iOS or Mac OS and implements an
industry standard algorithm ALREADY implemented in iOS for its
security features."

Since SQLCipher uses industry standard AES encryption and iOS has AES
encryption built-in, does that mean that I don't need to get the
French Import Declaration Approval document? I know I should be asking
Apple about that. But I thought since there is great knowledge about
this stuff here that I would ask here first.

Thanks,

Brendan

Brendan Duddridge

Sep 8, 2012, 1:16:38 PM
to sqlc...@googlegroups.com
Has anyone on the SQLCipher team filled out the French encryption laws documents?

I found an English translation for them here:


I don't know how to answer all the questions as I'm no expert on how the encryption algorithms work with SQLCipher.

Thanks!

Brendan

Stephen Lombardo

Sep 10, 2012, 2:35:37 PM
to sqlc...@googlegroups.com
Hi Brendan,

We haven't filled out these forms yet for our own apps, mainly because of the issues involved with the language. The English translations are a good find though. Even in English though, some of the required information is still quite opaque (e.g. SIRET number, category 3 of annex 2 of Decree No 663 of 2 May 2007, where / who / how to file it, etc). 

Have you found any complementary English resources that actually explain the process from start to finish?

Thanks!

Cheers,
Stephen

Brendan Duddridge

Sep 10, 2012, 4:53:07 PM
to sqlc...@googlegroups.com
Hi Stephen,

No I haven't. But perhaps if you guys could fill out the technical aspects of the form, then I could fill in the specifics for my app and company info, then submit it to them and see what happens. Then I could report back.

Thanks!

Brendan

Brendan Duddridge

Sep 18, 2012, 12:52:30 PM
to sqlc...@googlegroups.com
Hi Stephen,

Any chance you guys have filled out the technical part of that French document?

Thanks,

Brendan

Stephen Lombardo

Sep 20, 2012, 4:03:47 PM
to sqlc...@googlegroups.com
Hi Brendan,

We haven't had a chance yet, but it's still on our radar / to-do list. We'll respond back as soon as we've had a chance to review and comment. Thanks for your patience!

Cheers,
Stephen

Brendan Duddridge

Oct 24, 2012, 2:36:50 PM
to sqlc...@googlegroups.com
Hello Stephen,

Any news on this front? I'm getting at least one email a day now requesting my app to be available in the Mac App Store in France. I am really at a loss with filling out the form because I don't know anything about how the AES encryption works to be able to answer any of the questions. I was hoping you guys would know and would be able to publish something that all developers who use SQLCipher could use. Kind of like how you did that tutorial for the US government export approval.

Thanks!

Brendan

Stephen Lombardo

Oct 25, 2012, 5:25:14 PM
to sqlc...@googlegroups.com
Hi Brendan,

On 2012-10-24, Brendan Duddridge wrote:
> Any news on this front?

There is no status update here; we haven't had a chance to put any serious time into this yet. The high level overview of SQLCipher's design and security features is already fairly well documented [1], but the forms don't lend themselves to exact mapping from existing documentation, and they have a bunch of other requirements.

[1] http://sqlcipher.net/design/

> I'm getting at least one email a day now requesting
> my app to be available in the Mac App Store in France. I am really at a
> loss with filling out the form because I don't know anything about how the
> AES encryption works to be able to answer any of the questions. I was
> hoping you guys would know and would be able to publish something that all
> developers who use SQLCipher could use. Kind of like how you did that
> tutorial for the US government export approval.

We're definitely not averse to working this up and sharing with the community as we have in the past. However, this just hasn't made it to the top of our priority list. I know it seems "simple" in retrospect, but that tutorial for US government export approval took weeks to complete, not to mention the months of back and forth with the DOC, export counselors, etc (and that was all with an English speaking government organization in the same time zone). While we are more than willing to share resources we've generated, we have to balance this with other responsibilities. Thus, this will have to wait a bit longer, at least until we have a reasonable block of free time, or additional commercial interest will support it (e.g. sponsored development / support).

Cheers,
Stephen

Brendan Duddridge

Oct 29, 2012, 4:46:26 PM
to sqlc...@googlegroups.com
Hi Stephen,

I understand your time constraints. There's so much to do and so little time to do it.

I took a crack at it anyway and submitted the documentation. I used your design page as a guide and also referred them to it. I have no idea if it will qualify as acceptable, but I sent it off anyway so we'll see what happens. The post office said it would take about 2 weeks just to get to France. Then who knows how long it will take them to process the document or have a good laugh reading it :-)



Thanks!

Brendan