Reporting App Encryption use to the US Government
This morning, I saw a tweet in my timeline pointing out an iTunes Connect warning about encryption usage. I decided to spend some time making sure that our app Castro was properly registered.

The last time I paid attention to the encryption export requirements, the US had relaxed the requirements to register usage of encryption and get an “Encryption Registration Number”, so I assumed we didn’t need to do anything else. It now appears that app makers need to annually submit a self-classification report.
This page on iTunes Connect is a detailed FAQ that’s worth reading to make sure you understand what’s going on.
Regarding ERN requirements:
Encryption Registrations (ERN) are no longer required prior to exporting. In lieu of obtaining an ERN prior to export, BIS now requires a year-end Self Classification Report. Consistent with these regulatory changes, Apple has simplified the export compliance review process and will no longer require developers to upload an ERN.
The Self-Classification report:
An annual Self Classification Report is a requirement for exports of certain encryption items. For example, if your app is making use of standard encryption algorithms available in Apple’s iOS or macOS, or simply making calls over HTTPS, you may be required to submit an annual Self Classification Report to two U.S. Government agencies with information about your app every January. For more detailed information, see the following encryption reporting guidance policy.
Unfortunately, the links in this document lead to pages on the bis.doc.gov website that are missing. I was eventually able to find this page though: Annual Self-Classification
After reading through that, I understood that the “report” is simply a CSV file that you create and email to two email addresses. There’s a sample report linked, and the fields are all pretty straightforward, with the exception of ECCN and Authorization Type:
- For Authorization Type, I chose MMKT… which I think means mass-market.
- After some searching around various documents on the BIS website and elsewhere, I eventually determined that 5D992.c is the appropriate ECCN for our app. This blog post was helpful when tracking it down.
Once I had those, the other fields were obvious. I emailed it off to the two addresses, one BIS, one NSA (!), in the self-classification document. I haven’t had a reply yet, but I think that’s it. We’re supposed to resubmit this every year or email to say it hasn’t changed.
This is obviously not legal advice. Please let me know if you think I’ve missed anything, or made any mistakes here.