US Export Compliance / encryption

“U.S. export laws require that products containing encryption be properly authorised for export”

Does Unity Analytics use encryption, and therefore developers should be ticking yes to this setting in iTunes Connect?

Seems like quite a headache…

Many thanks

Hi @coshea_1 ,

Unity Analytics does not use encryption so you do not need to worry about this setting!

1 Like

As far as I could see on Android, the Unity Analytics data is sent (at least now) using TLS, probably using the encryption algorithm of the OS (means Android). So as far as I know the U.S. export restriction would apply here as encryption is used somehow, but the changes in the export regulations of late September 2016 (see 404 FILE NOT FOUND) make it a little difficult again to understand, if an encryption registration is still needed or not …

@Izzzo ,

With regards to our Analytics and IAP services, we use HTTPS encryption. We also provide an additional feature with Unity IAP called “Receipt Validation,” which you can choose to implement in order to prevent fraudulent purchases. Receipt Validation uses RSA Certificates for Apple and Google’s RSA key encryption for Google.

While we can’t provide legal advice on whether this violates any of Apple’s Terms and Services, we can provide you with this link to additional information provided by the U.S. Department of Commerce regarding encryption classification.
http://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three

If you remain concerned, we encourage you to consult with your legal counsel.

@ap-unity : Thank you for the clarification and the link. It did help me to understand the changes in the regulations.

If anyone needs even more details of encryption export regulations, I can recommend to do the following (Disclaimer: I am not a lawyer, so this is not a legal advice):

  • Have a look at the actual regulation “Category 5 Part 2 - Information security” at 404 FILE NOT FOUND.
  • Like @ap-unity already suggested, consult with your legal counsel. Also you can directly contact the “Information Technology Controls Division” at BIS.
1 Like

Dear future devs,

I wanted to find the best possible answer for this question and compiled my finds into a video.
I’ll share it here, hopefully it can help you!

(Remember, I am not a lawyer so I am not responsible for anything you do. This is an educational video to point your research in the right direction!)

2 Likes

Are these information still correct? I was wandering for a page on Unity website in which this info are reported in details and updated constantly and in which is explained how developers that use Unity Ads and Unity Analytics can comply with U.S. export laws.

Still accurate.

So from what I understand, if it’s a unity game with iap/analytics and some ads plugins such as applovin/chartboost, then it should be ok? ( uses encryption, but is exempt since the encryption is not a “feature” the user can actually make use of)

We can’t speak for other plugins. I’m not clear on your mention of “feature”. Sounds like if there is encryption occurring the user would be using it?

I meant that if ads plugins encrypt some data they send to/from the server, but the user doesn’t actually encrypt anything himself and just plays a game

so my understanding is that such games would “use encryption” ( at least because of unity analytics) but would be exempt?

Sorry I don’t follow and can’t make a recommendation. Users never encrypt their own data explicitly. If a plugin uses encryption, then so is the game and therefore so is the user if using your broad definition.

Hi! sorry for being confusing - I just think it’s a pretty common thing for a game app to exist that uses unity iap, unityads, unity analytics, applovin/chartboost, I just want to understand what options to select in itunes in regards to encryption ( if it’s exempt, for example)

The question has already been answered, but we can’t speak for applovin/chartboost. You will need to contact them.

ok, so to narrow down the question - if the app just uses unity IAP/analytics/unityads, is the correct answer “yes, uses encryption, but doesn’t apply/is exempt”?

I’m not sure where you are reading this. May I ask, are you familiar with HTTPS and SSL? We have answered here https://discussions.unity.com/t/618769/4 . You will need to check with Apple if they regard the HTTPS protocol as included in their definition of encrypted, I might doubt it. Otherwise we are not using encryption, except as mentioned in the link.

We just want to know what to answer when uploading the app to Apple Store. Maybe you’re unfamiliar with that process but they ask us “Does your app use encryption? Select Yes even if your app only uses the standard encryption within Apple’s operating system.” Then after selecting yes, it says:

Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?

Yes
No
It is your responsibility to comply with export regulations, and you should revisit these questions if your encryption or exemption status changes. If your encryption and exemption eligibility stay the same, specify this in the target properties table in Xcode. Learn More

App Uses Non-Exempt Encryption : No

If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government. Learn More

Make sure that your app meets the criteria of the exemption listed below. You are responsible for the proper classification of your product. Incorrectly classifying your app may lead to you being in violation of U.S. export laws and could make you subject to penalties, including your app being removed from the App Store.

You can select Yes for this question if the encryption of your app is:
(a) Specially designed for medical end-use
(b) Limited to intellectual property and copyright protection
(c) Limited to authentication, digital signature, or the decryption of data or files
(d) Specially designed and limited for banking use or “money transactions”; or
(e) Limited to “fixed” data compression or coding techniques

You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations.

So we want to know what to answer exactly if we use Unity Analytics for example. Or Unity Ads.

Please don’t reference to a previous message which even links to an outdated page and DOES NOT tell us what to answer in this process. Thank you

2 Likes

Hey Adrian,

Appreciate the clarification - I’ll pass this by our team and one of us will let you know the answer.

bump

Hey Spacepluk, thanks for the bump.

For our Legacy Analytics offering (depreciated, but still in use by some developers)

  • Encryption communications protocol(s) used for encryption of data-in-transit is SSL/HTTPS

  • Encryption algorithm(s) used for encryption of data-at-rest is AES256

  • Encryption ciphers permitted:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384

Let me know if that’s not sufficient :slight_smile: