When I started the process of getting the ERN, I quickly noticed it was going to be a long and arduous process and that other people could benefit from the lessons I was learning the hard way, so I decided to document it all in a long blog post.
This is probably one of my most researched pieces ever. The whole process took about two months from the start, researching this thing called ERN, to getting the app published in the Mac App Store, satisfied that what I did was (more or less) correct.
Crypto Wars Part II
The Empires Strike Back
Kurt Opsahl Deputy Executive Director of the EFF
https://media.ccc.de/v/32c3-7386-crypto_wars_part_ii#video
There is no first part of this specific talk. The talk is only called "Part II" because of the Crypto Wars of the nineties.
If you are interested in the "Part I" history, https://en.wikipedia.org/wiki/Bernstein_v._United_States is a good starter.
We don't need to bear arms anymore because we don't walk around dueling people at high noon anymore, but being an information-based economy and information-based society, encryption is the new gun in the wild world web.
Don't try to apply logic here -- "But can't they just compile openssl or just use Linux!? or some library..." -- this is government contracting and security world, regular logic doesn't work here.
[1]: http://stackoverflow.com/questions/2135081/does-my-applicati...
Some people say the paperwork is easy to fill out yourself, but I was a college student and the legalese scared the crap out of me. And there was no way I could afford to consult a lawyer for a hobby project.
My only choice was to use plaintext HTTP for my app (which I wasn't willing to do for this particular app), or to restrict the app to the US and Canada, which doesn't require a government filing. I hated doing it, but I went with option two.
Edit: fixed typo.
With HTTPS, what puts you clearly out of every potential exception is the fact that you are encrypting the requests. Someone asked about this in the blog and I replied with more information.
* send Apple a paper promising that you will only distribute your app in US and Canada stores, discarding all other markets.
* make your encryption use insecure 64-bit keys.
* make your complete app open source.
* (some other options, such as when using encryption only for authentication)
If you lied to Apple and if the US government finds out you export encryption without registration, and if they care enough, they will fine you (http://www.theregister.co.uk/2014/10/17/intel_subsidiary_cry...)
The iTunes Connect FAQ says: “If your app uses, accesses, implements or incorporates industry standard encryption algorithms other than those listed as exemptions under question 2, you need to submit for an ERN authorization. Examples of standard encryption are: AES, SSL, https.”
There are a lot of exemptions, but only using Apple's HTTPS is not one.
The post is a very good guide to navigating that bureaucratic process either way though.
> Starting in iOS 9.0 and OS X v10.11, a new security feature called App Transport Security (ATS) is available to apps and is enabled by default. It improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests. Specifically, with ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail. Furthermore, HTTPS requests must use best practices for secure communications.
https://developer.apple.com/library/ios/documentation/Genera...
Does that mean that in the future nearly every App will need the ERN?
Given this, it would seem odd that you would need to apply for an ERN (is this true for app outside of the US?)
The TP pool memo[1] in Neal Stephenson's Snow Crash seems sane by comparison.
[1] http://soquoted.blogspot.com/2006/03/memo-from-fedland.html
A big part of our app was "sending, receiving, and storing information", so we weren't sure this exemption would apply to us. So, we did the ERN anyway, and it took a couple of days calendar time, and a couple of hours of working time, IIRC.
By the way, nowhere does it say that using HTTPS is fine if you just use Apple's APIs and frameworks. I don't think it's relevant here.
> (a) The primary function or set of functions is not any of the following: [...]
> ...... (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management);
(Emphasis mine.)
Triple negative - now that's something. And DRM and the entertainment industry get a special case, isn't that great?
1. http://www.tillett.info/2015/06/20/how-to-complete-w-8ben-e-...
2. http://www.tillett.info/2015/12/01/how-to-register-an-austra...
Not sure. This looks like a US-centric, bureaucratic thing. I doubt that F-Droid https://f-droid.org/ requires this kind of nonsense when submitting apps.
Apple requires the ERN to cover their asses, I believe. The ERN is required by the US government, so, if you don't have it, you are breaking the law whether you are using Google Play or Apple. So, you should get it for Google Play too.
https://www.chatmap.io/blog/iPhone-iTunes-ERN-Encryption.php
The second problem was a lot of jargon that was in my opinion unnecessary and was internal US government jargon leaking to the end users, and you had to learn it to understand the documentation about what to do. Figuring out what SNAP-R stood for took me way too long and it's nothing more than a website registration (from my point of view).
Am I legally exporting crypto from the US if I am not in the US?
Remember when you could distribute software yourself without getting threatened[1]? Remember when platform vendors didn't take a 30% cut of everything you earned just because they wrote an OS? Not even Microsoft was that evil.
I hope you enjoy the world you've built, hipsters.
[1] See the f.lux Apple distribution debacle
https://www.bis.doc.gov/index.php/policy-guidance/encryption
You might say, small companies should be following these rules regardless so this is just as well. And I'd probably agree. But it's still a pretty big difference.