As far as I could see on Android, the Unity Analytics data is sent (at least now) using TLS, probably using the encryption algorithm of the OS (means Android). So as far as I know the U.S. export restriction would apply here as encryption is used somehow, but the changes in the export regulations of late September 2016 (see 404 FILE NOT FOUND) make it a little difficult again to understand, if an encryption registration is still needed or not …
With regards to our Analytics and IAP services, we use HTTPS encryption. We also provide an additional feature with Unity IAP called “Receipt Validation,” which you can choose to implement in order to prevent fraudulent purchases. Receipt Validation uses RSA Certificates for Apple and Google’s RSA key encryption for Google.
@ap-unity : Thank you for the clarification and the link. It did help me to understand the changes in the regulations.
If anyone needs even more details of encryption export regulations, I can recommend to do the following (Disclaimer: I am not a lawyer, so this is not a legal advice):
Have a look at the actual regulation “Category 5 Part 2 - Information security” at 404 FILE NOT FOUND.
Like @ap-unity already suggested, consult with your legal counsel. Also you can directly contact the “Information Technology Controls Division” at BIS.
Are these information still correct? I was wandering for a page on Unity website in which this info are reported in details and updated constantly and in which is explained how developers that use Unity Ads and Unity Analytics can comply with U.S. export laws.
So from what I understand, if it’s a unity game with iap/analytics and some ads plugins such as applovin/chartboost, then it should be ok? ( uses encryption, but is exempt since the encryption is not a “feature” the user can actually make use of)
I meant that if ads plugins encrypt some data they send to/from the server, but the user doesn’t actually encrypt anything himself and just plays a game
so my understanding is that such games would “use encryption” ( at least because of unity analytics) but would be exempt?
Sorry I don’t follow and can’t make a recommendation. Users never encrypt their own data explicitly. If a plugin uses encryption, then so is the game and therefore so is the user if using your broad definition.
Hi! sorry for being confusing - I just think it’s a pretty common thing for a game app to exist that uses unity iap, unityads, unity analytics, applovin/chartboost, I just want to understand what options to select in itunes in regards to encryption ( if it’s exempt, for example)
ok, so to narrow down the question - if the app just uses unity IAP/analytics/unityads, is the correct answer “yes, uses encryption, but doesn’t apply/is exempt”?
I’m not sure where you are reading this. May I ask, are you familiar with HTTPS and SSL? We have answered here https://discussions.unity.com/t/618769/4 . You will need to check with Apple if they regard the HTTPS protocol as included in their definition of encrypted, I might doubt it. Otherwise we are not using encryption, except as mentioned in the link.
We just want to know what to answer when uploading the app to Apple Store. Maybe you’re unfamiliar with that process but they ask us “Does your app use encryption? Select Yes even if your app only uses the standard encryption within Apple’s operating system.” Then after selecting yes, it says:
Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?
Yes
No
It is your responsibility to comply with export regulations, and you should revisit these questions if your encryption or exemption status changes. If your encryption and exemption eligibility stay the same, specify this in the target properties table in Xcode. Learn More
App Uses Non-Exempt Encryption : No
If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government. Learn More
Make sure that your app meets the criteria of the exemption listed below. You are responsible for the proper classification of your product. Incorrectly classifying your app may lead to you being in violation of U.S. export laws and could make you subject to penalties, including your app being removed from the App Store.
You can select Yes for this question if the encryption of your app is:
(a) Specially designed for medical end-use
(b) Limited to intellectual property and copyright protection
(c) Limited to authentication, digital signature, or the decryption of data or files
(d) Specially designed and limited for banking use or “money transactions”; or
(e) Limited to “fixed” data compression or coding techniques
You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations.
So we want to know what to answer exactly if we use Unity Analytics for example. Or Unity Ads.
Please don’t reference to a previous message which even links to an outdated page and DOES NOT tell us what to answer in this process. Thank you