Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Java Development

Reply
BlackBerry Development Advisor
MSohm
Posts: 14,753
Registered: ‎07-09-2008
My Device: BlackBerry Passport

Re: Export control

I'm looking into this one.

Mark Sohm
BlackBerry Development Advisor

Please refrain from posting new questions in solved threads.
Problem solved? Click the Accept As Solution button.
Found a bug? Report it using Issue Tracker
BlackBerry Development Advisor
MSohm
Posts: 14,753
Registered: ‎07-09-2008
My Device: BlackBerry Passport

Re: Export control

Sorry for the delay, but this took a little while to put together...

 

 

WHO/WHEN

We require an ECCN to be provided when the APP CONTAINS ENCRYPTION and you are (1) a US Vendor; OR (2) the app was developed in the US; OR (3) the app was developed with or using US technology. 'Developed' for purposes of this question includes, but is not limited to incorporating software from US companies and code developed by US employees. If you are a US vendor without any encryption in your app, then you should indicate this in your answer to Question 1 and you will not be required to provide an ECCN.

 

We do not consider using code signing keys for API access to be encryption.

 

WHAT

An Export Control Classification Number (ECCN) is an alphanumeric designation (i.e., 5D992 or 5D002) used in the Commerce Control List of the US Export Administration Regulations to identify items for export control purposes. An ECCN categorizes items based on the nature of the product, i.e. type of commodity, technology or software and its respective technical parameters, including the type of encryption contained within an item.

 

You can get an ECCN in one of two ways:

1) Self-Classifying: You can self classify your application by determining the correct ECCN through reading the Bureau of Industry and Security’s  (the “Bureau”) documentation, phoning the Bureau, or consulting an export lawyer (see the “Resources” section).

 

However, not all encryption items are eligible for self-classification. Some encryption items require registration with the Bureau, at which time you will receive an Encryption Registration Number (“ERN”).  Please see other the “Other Rules” section for when we require an ERN.

 

2) Applying for Classification: Alternatively, you can request a classification from the Bureau by applying for a Commodity Classification (“CCATS”) and the CCATS will contain the ECCN.

 

For further information on an ECCN, you can start with the Wikipedia Entry: http://en.wikipedia.org/wiki/ECCN

 

WHY

These export regulations are issued by the US Government, and RIM does not add additional requirements. If you are outside of Canada, and submitting your app to App World, you are making an export, and your app is being considered for re-export from Canada to other destinations.

 

KNOWN BUG

Presently, unfortunately, we do have a known issue in the portal where vendors CANNOT submit the ECCN of EAR99. For these vendors, there is a method to support EAR99 which can be provided through App World’s support team in the following manner:

  • Mark ‘No Encryption’ in the Vendor Portal and continue with your app submission process
  • Contact us for support using this form: https://www.blackberry.com/profile/?eventId=8109 with the following information:
    • Tell us in the form that you marked ‘No Encryption’ in the portal but do indeed have encryption but that you have the ECCN of EAR99 that is not accepted by the form.
    • We will then contact you with the next steps.
    • To ensure this doesn’t slow down the approval process, please submit the support form the same day you submit the app – or even before.

 

RESOURCES FOR VENDORS TO DETERMINE CORRECT ECCN

If vendors need help assessing the appropriate ECCN for their app, the following links may be of help, and it’s highly suggested that you simply call the Bureau (202-482-0707) to get instant live help. Many vendors have been successful with a single phone call.

 

                Resources:

                US Export Administration Regulations: http://www.access.gpo.gov/bis/ear/ear_data.html

                US Regulatory Guidance: http://www.bis.doc.gov/encryption/question1.htm

                US Department of Commerce, Bureau of Industry and Security Contacts: http://www.bis.doc.gov/encryption/technologycontacts.htm

 

                Important Notes:

-    We cannot help determine which ECCN is correct for a given app.

-    Vendors should take notice of Note 4 of Category 5, Part II, of Export Administration Regulations (http://www.bis.doc.gov/encryption/ccl5pt2.pdf) when assessing the app under the US Export Administration Regulations.

-    We cannot accept applications that do not meet Note 3, the Cryptography Note of Category 5, Part II of the Export Administration Regulations (http://www.bis.doc.gov/encryption/ccl5pt2.pdf).  Therefore, ECCNs must also be appropriate and correctly correspond to the requirements of Note 3.

 

OTHER RULES

In question 1, we ask the vendor what the encryption is used for. In many instances encryption is for the overall purpose of data confidentiality, HOWEVER, you can think of choices 1-3 (Authentication, Password Protection, Digital Signature / Copy Protection / Banking and Money Transactions) as subsets of that, and if you are limited to one of those subsets (i.e. you only use encryption for authentication, and/or banking) simply choose those and NOT data confidentiality. Data confidentiality is for instances where you are encryption more than what we outline in the first 3 choices.

 

If your app does provide encryption for more than authentication, password protection, digital signature, copy protection or banking and money transactions, you will be required provide:

1)      An ERN # OR

2)      A CCATS (by applying for a classification) OR

3)      Sufficient detail as to why an ERN or CCATS is not required.

Mark Sohm
BlackBerry Development Advisor

Please refrain from posting new questions in solved threads.
Problem solved? Click the Accept As Solution button.
Found a bug? Report it using Issue Tracker
Contributor
webbasan
Posts: 20
Registered: ‎04-19-2010
My Device: supporting 4.6 upwards

Re: Export control

Does "(3) the app was developed with or using US technology" include using the SSL (HTTPS) implementation provided by the BlackBerry System Software? We are using HTTPS for accessing the REST API of our server, which is required to use the app. There is no user to user communication involved, just arguments for the API calls and the corresponding result.

 

We plan to release our app through the App World. Our company is in Germany and we are targeting only the european market (in particular Germany, Austria, Switzerland).

 

Am I right with the assumption that the App World is hosted in Canada and therefore the export control regulations would not apply in this case ("Re-Export from Canada to Europe")? If not, this point (3) would be the only hit that seem to apply to us.

 

Any help with this would be appreciated! Thanks in advance!

 

Senior Software Engineer
Lindenbaum GmbH
http://www.lindenbaum.eu/