[metafunctor]

Not everything that "just uses HTTPS" necessarily needs ERN. Here's "note 4" which exempts a lot of apps: http://www.bis.doc.gov/index.php/policy-guidance/encryption/...

A big part of our app was "sending, receiving, and storing information", so we weren't sure this exemption would apply to us. So, we did the ERN anyway, and it took a couple of days calendar time, and a couple of hours of working time, IIRC.

By the way, nowhere does it say that using HTTPS is fine if you just use Apple's APIs and frameworks. I don't think it's relevant here.

[comex]

> Note 4: Category 5, Part 2 does not apply to items [...] meeting all of the following:

> (a) The primary function or set of functions is not any of the following: [...]

> ...... (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management);

(Emphasis mine.)

Triple negative - now that's something. And DRM and the entertainment industry gets a special case, isn't that great?

[danieltillett]

I would have thought that DRM is a loophole you can drive a truck through. As long as any of your data is of value, you can claim the reason for encryption is DRM. Even if you let the end user have access to all data, you could always send some sort of DRM heartbeat.

[_up]

No loophole! It only count's if you exclusively need encryption for DRM. Not for other stuff like, to protect your users chat communication for example.

[danieltillett]

I don't see the word exclusively. If you had a chat application you could protect the user content by sending along a DRMed ping.