This document contains information related to Import / Export requirements for applications that utilize SQLCipher, which includes strong cryptography.
When using SQLCipher you are responsible for compliance with all export, re-export and import restrictions and regulations in all applicable countries.
United States Export Controls
Any application using strong cryptography, including those using SQLCipher, and that will be exported from the United States, must ensure compliance with the BIS / DOC export requirements.
In practice this means that all applications distributed through commercial “App Stores” (i.e. iTunes, Google Play, Windows Store, etc) should go through the export compliance process, even if the applications are authored by developers outside of the US.
Export counselors at the BIS and Apple legal have both advised that, at least for mass market products, each party marketing and exporting an application that includes encryption is responsible for their own classification and reporting. Thus the application developer has a responsibility for filing annual self-classification reports that list every product that uses encryption. Note that an Encryption Registration Number (ERN) previously needed to be assigned prior to self-classification, however, that requirement has been removed in the latest versions of the EAR effective in 2017.
Note that if you communicate with the BIS coordinators or other counsel, you may wish to mention that your application will be distributed commercially and that the underlying encryption library (SQLCipher) that was previously classified as mass market under ECCN 5D992c.
French Import / Export Controls
French law limits importing and exporting applications with strong cryptography. A declaration or approval from the French Agence nationale de la sécurité des systèmes d’information (ANSSI) is required. Zetetic has filed a declaration in France with the ANSSI to allow us to provide SQLCipher to the French market.
However, like in the US, declarations and approvals are not transitive. In other words, each company that include encryption in a product is responsible for their own declaration in France. Thus, while our declaration for SQLCipher allows us to provide the library in France, it does not extend to third party applications that use SQLCipher as a library.
As a result, your company is responsible for submitting a declaration for each application/product to the French ANSSI. You may reference our declaration number, 16060359, and indicate that you use SQLCipher when you file your own declaration. This may accelerate review and minimize the amount of technical information you need to provide in the declaration.
As noted here, SQLCipher is an export restricted product. These restrictions and the terms of the SQLCipher License agreement specific prohibit export to restricted, embargoed, or sanctioned destinations (e.g Cuba, Iran, North Korea, Sudan, or Syria), Denied Persons, Unverified Parties, and Restricted Entities.
We aren’t attorneys or export control experts. This information is not intended as legal advice. Use this information at your own discretion and consult an expert or legal council if you need guidance. In the US, the BIS export counselors can be very helpful and they have some people that specialize on the crypto requirements. In France, the ANSSI is the primary organization to contact for cryptography import / export requirements.