Isn't Electron subject to US Export Control laws?


#1

We are building an Electron app in the US. My understanding is that Electron uses / requires Node.js. Node.js has their Crypto library (https://nodejs.org/api/crypto.html).

Wouldn’t that immediately mean that any Electron apps developed in the US are subject to US Export Control laws because of the Node.js Crypto library regardless of whether it is used or not since it is bundled with the Electron app?

I spent some time poking around the Electron site, and the Node.js site looking for anything on US Export Law restrictions and found nothing.

What is Electron’s ECCN?


#2

I’m curious: which document states that OpenSSL’s cryptography functions are legally subject to the export laws of the country the application was developed within? What happens if development happened in more than one country, or no country?

That said, you should be able to compile a version of Node that doesn’t include that module, if you’re worried.


#3

You should contact a legal professional for legal advice. There are far, far too many variables for anyone other than a legal professional to give you accurate information. And legal compliance is just too important to rely on some layperson’s offhand speculation.


#4

@leedohm it is the software vendor / creator’s responsibility to provide info about whether they are or are not subject to US Export laws.

If someone uses our software, we tell them what ECCN classification our software falls under. That’s our responsibility. We don’t tell them to go hire lawyers and figure it out.

Likewise it doesn’t really make sense for me to have our lawyers try to figure out what classification your software is. That’s your responsibility as the creator of the software.

Let’s use an example. Microsoft. They create a lot of software / services. They have rightfully provided the Export status of their software: https://www.microsoft.com/en-us/exporting/eccn.aspx

Likewise, it is incumbent upon Electron to do the same. What is Electron’s ECCN?


#5

@DamnedScholar I have not seen anywhere where SSL is excluded.

Here’s the official source (new user can only post two links, so trimmed out other bis links):
http://www.bis.doc.gov/index.php/forms-documents/cat_view/1-encryption

For something less dense, you can read Apple’s app store submittal requirements with relation to US Export control:
https://itunespartner.apple.com/en/apps/faq/Managing%20Your%20Apps_Trade%20Compliance#56254694

Does my app require ERN approval?
If your app uses, accesses, implements or incorporates industry standard encryption algorithms for purposes other than those listed as exemptions under question 2, you need to submit for an ERN authorization. Examples of standard encryption are: AES, SSL, https. This authorization requires that you submit an annual report to two U.S. Government agencies with information about your app every January.


#6

It is not incumbent on GitHub to clarify regarding Electron because the code in question is part of Node, which is run by the Node.js Foundation. Electron is really nothing more than a wrapper for Node and the V8 engine.

For something less dense, you can read Apple’s app store submittal requirements with relation to US Export control:

Question 2 on that same page lists as an exemption, “(vi) the source code of your app is “publicly available”, your app distributed at free of cost to general public, and you have met the notification requirements provided under 740.13.(e).” If you’re asking about the status of Electron, specifically, that’s a concrete answer. The status of an application built on Electron is less clear, but in that case, you’re not using somebody else’s software, you’re designing your own and you would probably talk to a lawyer before monetizing it anyway.

If you’re concerned about the statement here that reads, “if the item includes encryption functionality, even if the encryption functionality is not used by the item, then BIS evaluates the item based on the included encryption functionality,” then you can just go into your local version of the Node repo and remove lib/crypto.js. Piece of cake.


#7

You are correct, Electron may be subject to US export controls, because it is, at least in part, created in the US, and hosted on US-based servers.

As @DamnedScholar rightfully pointed out, however, part 740.13(e) of the EAR exempts open source projects from the more stringent licensing requirements. Thus I believe it is not necessary for us to provide an ECCN for Electron (or Node for that matter).

That does not mean, however, that an application built on Electron would carry the same designation, and I strongly encourage you to seek professional legal advice if you are concerned about the status of your application. We’re not in a position where we can provide that advice.

If it’s helpful, I found this post which provides an overview of export control laws and open source.


#8

Thanks @leedohm and @DamnedScholar. Really good feedback. I wasn’t aware of the open source software exemption.

I know my path forward at this point.


#9

Good to learn about that.
Would that affect non-US devs using Atom??


#10

I can’t even begin to answer something so vague. But in any case, I can’t give legal advice. If you’re concerned, please contact a legal professional.


#11

Atom is free and open-source software.


#12

Sorry, I asked the wrong question. I meant to ask what happens with Electron apps that are developed in non-US countries. Yeah, I am sure it is a hard question, better to ask at a legal forum.


#13

Electron should not be covered by anything, since it falls into the open source exemption mentioned above. If you develop a proprietary application, it’s probably just covered by whatever your government’s laws are. The laws mentioned are specifically for cryptography, so if you’re really worried, you can build a custom Node without crypto.js, and that would make it a moot point.


#14

Let me preface with: I’m not a lawyer. But here has been my conclusion and the path we will be following:

If you are a US developer / work for a US development company and develop proprietary software which uses SSH / TLS / hashing, encryption, etc… then you need to comply with US Export laws. This likely means determining an ECCN classification and potentially registering your product with the US Department of Commerce. This is the case, even if you are using open source libraries or frameworks.

Thus if you are using Electron or Node.js in a product that can be exported (downloaded outside the US, embedded with a product, or physically shipped like on a DVD), then this is applicable to you. In our case, we are developing a desktop app which can be used outside of the US so we must comply with US Export Control laws.

This is because:

  1. Node.js Crypto library
  2. Embedded Chromium SSH / TLS / various cipher support functionality

@leedohm I would offer a suggestion that atom.io / electron.atom.io have a page which briefly covers this info. Something titled “Electron US Export Control Compliance” would have been really helpful and saved me a lot of time.


#15

I understand that it would be useful to have this information easily available. The fact of the matter is that legal compliance is not something that is simple and clear cut. For example, did you know that @v3ss0n doesn’t reside in the US? In that case, does US Export Control apply? Is there some other import/export restriction that would apply in their jurisdiction? I don’t know. But you know who would know? A lawyer who is trained in import/export law.

Since none of us here are lawyers, I’m going to reiterate that people needing legal advice should contact legal professionals. Additionally, any discussion of general legal issues is off topic for this forum and will be closed.