Search Unity

  1. Megacity Metro Demo now available. Download now.
    Dismiss Notice
  2. Unity support for visionOS is now available. Learn more in our blog post.
    Dismiss Notice

US Export Compliance / encryption

Discussion in 'Unity Analytics' started by coshea, Mar 1, 2016.

  1. coshea

    coshea

    Joined:
    Dec 20, 2012
    Posts:
    319
    “U.S. export laws require that products containing encryption be properly authorised for export”

    https://developer.apple.com/library...sConnect_Guide/Chapters/SubmittingTheApp.html

    Does Unity Analytics use encryption, and therefore developers should be ticking yes to this setting in iTunes Connect?

    Seems like quite a headache…

    https://carouselapps.com/2015/12/09/mac-ios-applications-breaking-rules-removed/

    https://carouselapps.com/2015/12/15/legally-submit-app-apples-app-store-uses-encryption-obtain-ern/

    Many thanks
     
  2. mpinol

    mpinol

    Joined:
    Jul 29, 2015
    Posts:
    317
    Hi @coshea,

    Unity Analytics does not use encryption so you do not need to worry about this setting!
     
    coshea likes this.
  3. Izzzo

    Izzzo

    Joined:
    Jun 12, 2015
    Posts:
    5
    As far as I could see on Android, the Unity Analytics data is sent (at least now) using TLS, probably using the encryption algorithm of the OS (means Android). So as far as I know the U.S. export restriction would apply here as encryption is used somehow, but the changes in the export regulations of late September 2016 (see https://www.bis.doc.gov/index.php/informationsecurity2016-updates) make it a little difficult again to understand, if an encryption registration is still needed or not ...
     
  4. ap-unity

    ap-unity

    Unity Technologies

    Joined:
    Aug 3, 2016
    Posts:
    1,519
    @Izzzo,

    With regards to our Analytics and IAP services, we use HTTPS encryption. We also provide an additional feature with Unity IAP called “Receipt Validation,” which you can choose to implement in order to prevent fraudulent purchases. Receipt Validation uses RSA Certificates for Apple and Google’s RSA key encryption for Google.

    While we can’t provide legal advice on whether this violates any of Apple’s Terms and Services, we can provide you with this link to additional information provided by the U.S. Department of Commerce regarding encryption classification.
    http://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three

    If you remain concerned, we encourage you to consult with your legal counsel.
     
  5. Izzzo

    Izzzo

    Joined:
    Jun 12, 2015
    Posts:
    5
    @ap-unity: Thank you for the clarification and the link. It did help me to understand the changes in the regulations.

    If anyone needs even more details of encryption export regulations, I can recommend to do the following (Disclaimer: I am not a lawyer, so this is not a legal advice):
     
    ap-unity likes this.
  6. KeyBoredStudios

    KeyBoredStudios

    Joined:
    Nov 6, 2018
    Posts:
    1
    Dear future devs,

    I wanted to find the best possible answer for this question and compiled my finds into a video.
    I'll share it here, hopefully it can help you!

    (Remember, I am not a lawyer so I am not responsible for anything you do. This is an educational video to point your research in the right direction!)

     
    Deleted User and yyylny like this.
  7. DanielJack23

    DanielJack23

    Joined:
    Mar 21, 2015
    Posts:
    2
    Are these information still correct? I was wandering for a page on Unity website in which this info are reported in details and updated constantly and in which is explained how developers that use Unity Ads and Unity Analytics can comply with U.S. export laws.
     
  8. JeffDUnity3D

    JeffDUnity3D

    Joined:
    May 2, 2017
    Posts:
    14,446
    Still accurate.
     
  9. yuriythebest

    yuriythebest

    Joined:
    Nov 21, 2009
    Posts:
    1,121
    So from what I understand, if it's a unity game with iap/analytics and some ads plugins such as applovin/chartboost, then it should be ok? ( uses encryption, but is exempt since the encryption is not a "feature" the user can actually make use of)
     
  10. JeffDUnity3D

    JeffDUnity3D

    Joined:
    May 2, 2017
    Posts:
    14,446
    We can't speak for other plugins. I'm not clear on your mention of "feature". Sounds like if there is encryption occurring the user would be using it?
     
  11. yuriythebest

    yuriythebest

    Joined:
    Nov 21, 2009
    Posts:
    1,121
    I meant that if ads plugins encrypt some data they send to/from the server, but the user doesn't actually encrypt anything himself and just plays a game

    so my understanding is that such games would "use encryption" ( at least because of unity analytics) but would be exempt?
     
  12. JeffDUnity3D

    JeffDUnity3D

    Joined:
    May 2, 2017
    Posts:
    14,446
    Sorry I don't follow and can't make a recommendation. Users never encrypt their own data explicitly. If a plugin uses encryption, then so is the game and therefore so is the user if using your broad definition.
     
  13. yuriythebest

    yuriythebest

    Joined:
    Nov 21, 2009
    Posts:
    1,121
    Hi! sorry for being confusing - I just think it's a pretty common thing for a game app to exist that uses unity iap, unityads, unity analytics, applovin/chartboost, I just want to understand what options to select in itunes in regards to encryption ( if it's exempt, for example)
     
  14. JeffDUnity3D

    JeffDUnity3D

    Joined:
    May 2, 2017
    Posts:
    14,446
    The question has already been answered, but we can't speak for applovin/chartboost. You will need to contact them.
     
  15. yuriythebest

    yuriythebest

    Joined:
    Nov 21, 2009
    Posts:
    1,121
    ok, so to narrow down the question - if the app just uses unity IAP/analytics/unityads, is the correct answer "yes, uses encryption, but doesn't apply/is exempt"?
     
  16. JeffDUnity3D

    JeffDUnity3D

    Joined:
    May 2, 2017
    Posts:
    14,446
    I'm not sure where you are reading this. May I ask, are you familiar with HTTPS and SSL? We have answered here https://forum.unity.com/threads/us-export-compliance-encryption.389208/#post-2893835 . You will need to check with Apple if they regard the HTTPS protocol as included in their definition of encrypted, I might doubt it. Otherwise we are not using encryption, except as mentioned in the link.
     
  17. adrianfrancisco

    adrianfrancisco

    Joined:
    Jul 29, 2021
    Posts:
    14
    We just want to know what to answer when uploading the app to Apple Store. Maybe you're unfamiliar with that process but they ask us "Does your app use encryption? Select Yes even if your app only uses the standard encryption within Apple’s operating system." Then after selecting yes, it says:
    Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?

    Yes
    No
    It is your responsibility to comply with export regulations, and you should revisit these questions if your encryption or exemption status changes. If your encryption and exemption eligibility stay the same, specify this in the target properties table in Xcode. Learn More

    App Uses Non-Exempt Encryption : No

    If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government. Learn More

    Make sure that your app meets the criteria of the exemption listed below. You are responsible for the proper classification of your product. Incorrectly classifying your app may lead to you being in violation of U.S. export laws and could make you subject to penalties, including your app being removed from the App Store.

    You can select Yes for this question if the encryption of your app is:
    (a) Specially designed for medical end-use
    (b) Limited to intellectual property and copyright protection
    (c) Limited to authentication, digital signature, or the decryption of data or files
    (d) Specially designed and limited for banking use or “money transactions”; or
    (e) Limited to “fixed” data compression or coding techniques

    You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations.

    So we want to know what to answer exactly if we use Unity Analytics for example. Or Unity Ads.

    Please don't reference to a previous message which even links to an outdated page and DOES NOT tell us what to answer in this process. Thank you
     
    GuirieSanchez and ARondon like this.
  18. unity_Ctri

    unity_Ctri

    Unity Technologies

    Joined:
    Oct 20, 2020
    Posts:
    81
    Hey Adrian,

    Appreciate the clarification - I'll pass this by our team and one of us will let you know the answer.
     
  19. spacepluk

    spacepluk

    Joined:
    Aug 26, 2015
    Posts:
    243
  20. unity_Ctri

    unity_Ctri

    Unity Technologies

    Joined:
    Oct 20, 2020
    Posts:
    81
    Hey Spacepluk, thanks for the bump.

    For our Legacy Analytics offering (depreciated, but still in use by some developers)
    • Encryption communications protocol(s) used for encryption of data-in-transit is SSL/HTTPS
    • Encryption algorithm(s) used for encryption of data-at-rest is AES256
    • Encryption ciphers permitted:
      • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_GCM_SHA384
    Let me know if that's not sufficient :)
     
  21. ChrisAmstutz

    ChrisAmstutz

    Joined:
    Aug 16, 2020
    Posts:
    1
    This is going to sound like a pretty naïve question, but if I'm serializing or even encrypting data to save my player data, this wouldnt count in regards to these export laws because the user isnt performing it? and its also only used locally?