Jorge Cevallos

Reputation: 3678

Android app with encryption regulated by the EAR

I'm developing an Android app. As a completely secondary feature, it will allow users to encrypt some strings.

I know AES (256 bits) is much more recommended to use than DES (56 bits). However, if I use AES-256 and publish my app in Android Market, will my app be regulated by the Export Administration Regulations (EAR)?

http://www.bis.doc.gov/encryption/

I've read it regulates software which encrypts with a key longer than 56 bits.

My app won't really manage top-secret information. It'll allow users to send each other encrypted messages. It's intended almost only as a game, although some users could use it for confidential information.

So, would you recommend that I use AES-256 or DES-56? If somebody can confirm I won't have any problems with EAR by using AES-256 I will definitely use this algorithm.

I'm not a U.S. citizen and I don't live in the U.S. But I've read in Android Market that because I'll publish my app on Google's servers, my app must follow U.S. export laws.

Upvotes: 3

Views: 5108

Answers (2)

Lie Ryan

Reputation: 64913

According to http://www.bis.doc.gov/encryption/question2.htm

May I self-classify my encryption item and export it WITHOUT encryption registration?

Flow Chart 2 provides an overview of how to determine whether your product can be self-classified and exported without an encryption registration.

If you have a product that is controlled under Category 5, Part 2, certain products and transactions do not require any encryption registration, classification, or post-export reporting. This includes:

  • Products classified under 5x992, including:

    • Products with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112 bit elliptic curve.

    • Mass market products with key lengths not exceeding 64 bits symmetric, or if no symmetric algorithms, not exceeding 768 bits asymmetric and/or 128 bits elliptic curve.

    • Certain mass market products listed under 742.15(b)(4)

    • Products with limited cryptographic functionality as described in the Note to 5A002.

    • Products that use encryption for authentication only.

  • Certain 5x002 products/transactions, including:

    • Certain products/transactions are eligible for license exception ENC without any registration, classification, or reporting, including:

      • Exports and reexports to ‘private sector end-users’ as described in 740.17(a)(1);

      • Exports and reexports to a “U.S. Subsidiary” as described in 740.17(a)(2).

      • Certain products listed under 740.17(b)(4):

    • Certain products that require only a notification before export:

      • “Publicly available” encryption software and source code under license exception TSU (740.13);

      • Beta Test software under license exception TMP (740.9).

Upvotes: 2

Polynomial

Reputation: 28326

From Google's help page: "Under US export laws, Android Market applications may be prohibited from transfers to embargoed countries. Accordingly, Google blocks downloads to these countries."

Whilst it may be difficult to strictly comply, you can display intent to comply with the law on this issue by forcing the user to accept a EULA before the application starts for the first time. Within the EULA, you should require the user to accept that they are not within any country that the US restricts exportation of crypto to. If you were ever pulled into court (ludicrously unlikely) you can link them to this question and show your EULA to prove that you made a reasonable effort to comply.

As a bit of a side note, keep in mind that the Android phone itself contains implementations of many cryptographic algorithms (SSL requires a whole host of them) and as such there will probably be a very low volume of users in those countries.

Upvotes: 3
