12-09-2010 01:01 PM
I'm looking into this one.
12-21-2010 02:55 PM
Sorry for the delay, but this took a little while to put together...
We require an ECCN to be provided when the APP CONTAINS ENCRYPTION and you are (1) a US Vendor; OR (2) the app was developed in the US; OR (3) the app was developed with or using US technology. 'Developed' for purposes of this question includes, but is not limited to incorporating software from US companies and code developed by US employees. If you are a US vendor without any encryption in your app, then you should indicate this in your answer to Question 1 and you will not be required to provide an ECCN.
We do not consider using code signing keys for API access to be encryption.
An Export Control Classification Number (ECCN) is an alphanumeric designation (i.e., 5D992 or 5D002) used in the Commerce Control List of the US Export Administration Regulations to identify items for export control purposes. An ECCN categorizes items based on the nature of the product, i.e. type of commodity, technology or software and its respective technical parameters, including the type of encryption contained within an item.
You can get an ECCN in one of two ways:
1) Self-Classifying: You can self classify your application by determining the correct ECCN through reading the Bureau of Industry and Security’s (the “Bureau”) documentation, phoning the Bureau, or consulting an export lawyer (see the “Resources” section).
However, not all encryption items are eligible for self-classification. Some encryption items require registration with the Bureau, at which time you will receive an Encryption Registration Number (“ERN”). Please see other the “Other Rules” section for when we require an ERN.
2) Applying for Classification: Alternatively, you can request a classification from the Bureau by applying for a Commodity Classification (“CCATS”) and the CCATS will contain the ECCN.
For further information on an ECCN, you can start with the Wikipedia Entry: http://en.wikipedia.org/wiki/ECCN
These export regulations are issued by the US Government, and RIM does not add additional requirements. If you are outside of Canada, and submitting your app to App World, you are making an export, and your app is being considered for re-export from Canada to other destinations.
Presently, unfortunately, we do have a known issue in the portal where vendors CANNOT submit the ECCN of EAR99. For these vendors, there is a method to support EAR99 which can be provided through App World’s support team in the following manner:
RESOURCES FOR VENDORS TO DETERMINE CORRECT ECCN
If vendors need help assessing the appropriate ECCN for their app, the following links may be of help, and it’s highly suggested that you simply call the Bureau (202-482-0707) to get instant live help. Many vendors have been successful with a single phone call.
US Export Administration Regulations: http://www.access.gpo.gov/bis/ear/ear_data.html
US Regulatory Guidance: http://www.bis.doc.gov/encryption/question1.htm
US Department of Commerce, Bureau of Industry and Security Contacts: http://www.bis.doc.gov/encryption/technologycontac
- We cannot help determine which ECCN is correct for a given app.
- Vendors should take notice of Note 4 of Category 5, Part II, of Export Administration Regulations (http://www.bis.doc.gov/encryption/ccl5pt2.pdf) when assessing the app under the US Export Administration Regulations.
- We cannot accept applications that do not meet Note 3, the Cryptography Note of Category 5, Part II of the Export Administration Regulations (http://www.bis.doc.gov/encryption/ccl5pt2.pdf). Therefore, ECCNs must also be appropriate and correctly correspond to the requirements of Note 3.
In question 1, we ask the vendor what the encryption is used for. In many instances encryption is for the overall purpose of data confidentiality, HOWEVER, you can think of choices 1-3 (Authentication, Password Protection, Digital Signature / Copy Protection / Banking and Money Transactions) as subsets of that, and if you are limited to one of those subsets (i.e. you only use encryption for authentication, and/or banking) simply choose those and NOT data confidentiality. Data confidentiality is for instances where you are encryption more than what we outline in the first 3 choices.
If your app does provide encryption for more than authentication, password protection, digital signature, copy protection or banking and money transactions, you will be required provide:
1) An ERN # OR
2) A CCATS (by applying for a classification) OR
3) Sufficient detail as to why an ERN or CCATS is not required.
09-19-2011 11:12 AM
Does "(3) the app was developed with or using US technology" include using the SSL (HTTPS) implementation provided by the BlackBerry System Software? We are using HTTPS for accessing the REST API of our server, which is required to use the app. There is no user to user communication involved, just arguments for the API calls and the corresponding result.
We plan to release our app through the App World. Our company is in Germany and we are targeting only the european market (in particular Germany, Austria, Switzerland).
Am I right with the assumption that the App World is hosted in Canada and therefore the export control regulations would not apply in this case ("Re-Export from Canada to Europe")? If not, this point (3) would be the only hit that seem to apply to us.
Any help with this would be appreciated! Thanks in advance!