What do you mean I have to be “properly authorized” to use encryption in my apps?

09-08-2014

This took me by surprise. I remember seeing something while submitting previous apps to iTunes asking if I used encryption in my app, but I had not noticed it on Google Play or the Amazon App Store (where there is a checkbox for it; it just hadn’t registered with me since I wasn’t using encryption). I hadn’t needed any sort of encryption until now and that got me asking questions about WHY Apple would want to know this. After digging a bit, I discovered that you have to be “properly authorized” by the Department of Commerce (DOC) Bureau of Industry and Security (BIS) to use encryption in your app. Personally, I think it just needs to be shortened to BS. It’s only my controlled data and it does not contain any personally identifiable information, so why does the government need to be involved?

So, anything that uses technology like HTTPS, DES, AES, etc. falls into this category. However, one-way hashes like MD5 don’t appear to fall into this category because they aren’t meant to be decrypted…I need to get verification on that one.

So began my journey of trying to figure out what kind of paperwork was needed to get this going so we could be legit and I could use encryption in my app. I had found some resources online but they were a few years old and a lot of the links were broken. I was seeing acronyms like “SNAP-R”, “ERN” and “CCATS” but had no idea what exactly they meant. So I hit Google with the few leads I had and discovered that I needed to start with the “SNAP-R” system. No idea what that acronym meant so I looked it up; it stands for the “Simplified Network Application Process – Redesign” system…yeah, that really cleared things up. So I started there to try and get registered.

https://snapr.bis.doc.gov/registration/Register.do

Filled out all the information on the page (which wasn’t that much) and submitted it. It then told me that instructions would be sent to the email I specified and I MUST follow them. About 5 minutes later, I got my email and it said they were processing my information and should have it done within 5 business days. Not too horribly bad so far. I still don’t know what “CCATS” is exactly, but it sounds like it’s a more in-depth process of getting “properly authorized”. From what I’ve read so far, I should only need to get approved to get into this “SNAP-R” system so I can apply for an “ERN” (Encryption Registration Number) so then I can submit the “ERN” to Apple to prove that we are “properly authorized” by the DOC. My head hurts now; maybe by the time they approve our “SNAP-R” application, I’ll be ready to tackle the next step…whatever that is.

09-09-2014

Woke up this morning to see an email about our “SNAP-R” registration. They sent me an “Applicant ID” in the email and a link I could use to verify my “SNAP-R” user account. Once I clicked on that link, it said I was verified once I entered in some information (don’t forget your password here) and then it directed me to the following link so I could log in.

https://snapr.bis.doc.gov/snapr/exp/UserLoginLoad

Looking at this page, it asks for a “Login ID”, a “Password” and a “CIN”. It appears that both the “Login ID” AND the “CIN” are the same as the “Applicant ID” you received in the email. I believe at one point there was an older system in which the “Login ID” and the “CIN” were two separate things; it doesn’t appear that way anymore. So once you enter that info and log in, you are able to create a “work item” in this system. So, what does access to this “SNAP-R” system and these “work items” give us? Here is a definition from the site:

An important note in SNAP-R is that the term Work Item is used to refer to any of the BIS work related transactions that can be submitted online. These include: 
  * Export License applications 
  * Re-Export License applications 
  * Commodity Classification requests 
  * Encryption Registrations 
  * Agriculture License Exception notices

It is that “Encryption Registrations” part we need to register for to get an “ERN”. So after clicking on the “Create Work Item” link from the left part of the screen, it asks what we want to create and to give it a reference number. Select “Encryption Registration” from the drop-down box and for a reference number, it has to follow the format of AAA9999. Since we are trying to get an “ERN”, I chose to use ERN as the alpha part and a random number for the number part. Then click on create…to fill out more paperwork. Filling out the next page isn’t too bad either, but I did have to find and fill out a “Supplement No. 5 to Part 742”, so off to Google to find out what that was. Clicked on a link I found on www.bis.doc.gov, and was greeted with the following message.

Does this seem ironic?

So a copy of the document for encryption registration is on an HTTPS server that appears to be self-signed. That just seems rather odd.


After locating the section we needed, I began filling it out. Again, it wasn’t too bad but it took a little while to do. Now that this paperwork is done, we have to export it in .PDF format and attach it to our work item at the bottom of the form. After giving everything a once-over again, I clicked the “Check for Errors” button and it didn’t seem to find any issues. Then I spent the next 30 minutes trying to figure out HOW to submit the form as it wasn’t very clear to me since there was nothing like a visible “Submit” button on the page. When all else fails, start clicking other buttons to see what happens. I discovered you have to click the “Verify Address in Work Item to Submit” button at the bottom of the page right beside the “Check for Errors” button first. Then click the “Preview Work Item to Submit” button on the next page, and finally the “Submit” button shows up at the bottom of the next page. Once you click that button, it asks you to acknowledge that you won’t be able to make any more changes to the document once submitted. Okay, done and done. When I looked back at my list of work items, the status was already “Accepted” for that particular “work item”. Not sure exactly what that means, I guess I’ll just wait on correspondence on how to get my “ERN”.

10 Minutes Later

Well, that didn’t take too long, only 2 days. Received an email saying I had a message in the “SNAP-R” system waiting for me. So I go to my messages and in there it has my new “ERN”. The process as a whole wasn’t horribly painful, just frustrating in trying to figure out everything that you need while reading all the legalese as I’m not very fluent in that language. Hopefully this is all Apple will need to verify we are now “properly authorized” to export or reexport encryption products. Guess we’ll find out when we are done with our app!