Does using SSL mean you have to say your app uses Cryptography?

Question

I am almost ready to submit a Windows 8 Store app to the store. As part of this process you must answer the question:

Does your app call, support, contain, or use cryptography or encryption?

It goes on to mention these possibilities:

• Any use of a digital signature, such as authentication or integrity checking
• Encryption of any data or files that your app uses or accesses
• Key management, certificate management, or anything that interacts with a public key infrastructure
• Using a secure communication channel such as NTLM, Kerberos, Secure Sockets Layer (SSL), or Transport Layer Security (TLS)
• Encrypting passwords or other forms of information security
• Copy protection or digital rights management (DRM)
• Antivirus protection

(emphasis mine.) There are some exemptions:

• Password encryption
• Copy protection
• Authentication
• Digital rights management
• Using digital signatures

My app was originally a Windows Phone app with limited ability to store or export data locally, so we have functionality to backup to or restore from SkyDrive. (For the purposes of this question the fact that SkyDrive may soon change its name is not relevant.) We put this same capability into the Windows Store app. The connection to SkyDrive is https - in other words we are using SSL.

Does this mean I need an Export Commodity Classification Number (ECCN)? Really?

Answer 1

From this page, Understanding export restrictions on cryptography, it looks like the answer is yes, SSL counts unless you are not transporting content over the wire. But I'm not a lawyer.

Does your app call, support, contain, or use cryptography or encryption?

This question helps you determine if your app uses a type of cryptography that is governed by the Export Administration Regulations. The question includes the examples shown in the list here; but remember that this list doesn't include every possible application of cryptography.

Important When you answer this question, consider not only the code you wrote for your app, but also all the software libraries, utilities and operating system components that your app includes or links to.

• Any use of a digital signature, such as authentication or integrity checking
• Encryption of any data or files that your app uses or accesses
• Key management, certificate management, or anything that interacts with a public key infrastructure
• Using a secure communication channel such as NTLM, Kerberos, Secure Sockets Layer (SSL), or Transport Layer Security (TLS)
• Encrypting passwords or other forms of information security
• Copy protection or digital rights management (DRM)
• Antivirus protection

For the complete and current list of cryptographic applications, see EAR Controls for Items That Use Encryption.

Is the cryptography or encryption limited to one or more of the tasks listed here?

If you answered yes to the first question, then the second question lists some of the applications of cryptography that are not restricted. Here are the unrestricted tasks:

• Password encryption
• Copy protection
• Authentication
• Digital rights management
• Using digital signatures

If your app calls, supports, contains, or uses cryptography or encryption for any task that is not in this list then your answer to this question is No.