clarify export compliance information for ios #515
Conversation
docs/en/manuals/ios.md
Outdated
|
|
||
| * Making calls over secure channels (i.e. HTTPS and SSL) | ||
| * Copyright protection of Lua code | ||
| Some users have reported being asked to upload a French Encryption Delaration when uploading to the App Store in France. Despite your app being exempt, Apple may still require you to submit a form to the French Cybersecurity Agency and upload their response. The form and directions are available directly from the [French Cybersecurity Agency](https://cyber.gouv.fr/controle-reglementaire-sur-la-cryptographie-les-formulaires). |
There was a problem hiding this comment.
I don't recall seeing anyone mention this on the forum or Discord. Do you have a source?
There was a problem hiding this comment.
Apple's Export page mentions they might make you do it, in Defold's forum there's a topic asking about it. It was briefly brought up in an issue: defold/defold#3451 (comment) with no resolution.
But most reports come from unanswered Unity forum posts: 1 2 3
|
|
||
| The Defold game engine use encryption for the following purposes: | ||
| These uses of encyption in the Defold engine are exempt from export compliance document requirements under United States and European Union law. Most Defold projects will remain exempt, but the addition of other cryptographic methods may change this status. It is your responsiblity to ensure that your project meets the requirements of these laws and the App Store's rules. See Apple's [Export Compliance Overview](https://help.apple.com/app-store-connect/#/dev88f5c7bf9) for more information. |
I'm not so sure this is something we should provide. I do not feel that the Defold Foundation should provide legal advice or this type of guidance. Are other game engines doing this? |
|
As far as I can tell, the cause of the issue is that setting ITSAppUsesNonExemptEncryption to I thought changing the info.plist was more complicated previously, but I'm glad to find out it isn't! I think the new commit is a better way of putting it, while avoiding being legal advice - which is hard when dealing with legal requirements. |
I think something like this should address the ios issues. Defold-engine only code meets the exemption requirements for the US, EU, and France. It's unlikely but possible that someone creates a project that would change that.
As for the French declaration - an in-depth look of the requirements are in the details below. But it is a mistake on Apple's part to be requiring the document for all apps with cryptography in France.
I included the link to the form, because it's more than Apple provides, but I didn't feel instructions for filling it out were appropriate for the manual - where would it go best?
Closes #322
Analysis of each country's law
US Rules
Per https://www.bis.doc.gov/index.php/all-articles/15-policy-guidance/encryption/560-encryption-faqs#15
Additionally, the use of industry standard algorithms means US export requirements do not apply to Defold.
French Rules
Per https://cyber.gouv.fr/controle-reglementaire-sur-la-cryptographie-demarches-accomplir
Use in France requires no declaration to ANSSI (Utilisation en France). Import might (Importation en France).
Either way, the table of exceptions specifies that Protection against duplication is exempt for any operation (Protection contre la duplication - Exemption pour toute opération).
For confirmation: Décret n°2007-663 du 2 mai 2007
Chapter 1 Article 1 states that usage of cryptology in Annex 1 is exempt from the processes of the law.
Annex 1, Category 6: Equipment designed to limit the protection of software or computer data against copying or illegal use and the cryptography is not accessible to the user.
French law is of course also compliant to EU law:
Delegated Regulation (EU) No 1382/2014