NFIS2 and U.S. export control laws

In my search for working fingerprint matching code to use in dpfp and future projects, several people have pointed me towards NFIS2.

NFIS2 is a set of utilities for fingerprint analysis and matching. It has been developed by NIST for DHS and the FBI, so presumably it is of a decent quality. Additionally, Andrei Tchijov tells me that it does work.

This sounds great, and to get a copy all you have to do is ask them to send you a CD-ROM. The CD includes source code and documentation. The code is mostly public domain, some of it with BSD-style “preserve this copyright notice” licensing terms.

There is only one possible problem: the NFIS website makes the following point rather clear:

Distribution of this software is subject to U.S. export control laws.

I’m not sure what this means, so I’ve done some research. The following may be incorrect – this is just my interpretation, which I’m seeking clarification on…

The most important point is that export control laws apply to almost everything that exits the United States – regardless of origin and regardless of transportation method (mail, internet, …). I was encouraged to read this, as surely the U.S. doesn’t place restrictions on source code; otherwise the whole open source thing would not be happening. However:

Every export should be classified with an ECCN (Export Control Classification Number). If an item can be classified, certain restrictions apply — mostly that it cannot be exported to certain countries.

Even if an item cannot be classified with an ECCN, there are still restrictions. For example, you cannot export anything to the entities and individuals on the published lists of restricted parties. I find this immensely confusing, considering that it effectively means a US-based open source software mirror site is violating export control laws if someone on one of those lists happens to download some software. How is open source even possible in the US with these kinds of restrictions in place?

Anyway, back to NFIS2. It seems fairly redundant for them to point out that NFIS2 is covered by export control laws when software of any type automatically is. So I ventured further and looked into the ECCN classification lists. Unfortunately, some entries do explicitly cover fingerprint systems, although I’m having trouble determining whether they refer to hardware or software (would they apply to a software-only, generic fingerprint matching library?). These entries restrict export to a number of countries (on “crime control” grounds, among others).

I’d be extremely grateful if anyone can confirm or deny any of the above. The question I’m looking to answer is: If I get my hands on NFIS2, can I include it in an open-source project and share it with the world?


5 Responses to “NFIS2 and U.S. export control laws”

  1. Samir M. Nassar Says:

    Daniel,

    While only tangentially of note for you, I suppose it is interesting to note that the software export regulations apply to software, not print. So printing out code on paper does not fall under export control laws, since it is covered under the First Amendment. At least I’ve heard of some instances where this happened. I am no lawyer though, so don’t quote me.

  2. Richard Fish Says:

    Daniel,

    Not a lawyer or corporate export control officer either… but as an indentured servant at a large multi-national corporation, I’ve had to deal with this export crap more than once. And honestly, most export control officers don’t have a clue either.

    I believe that you need to be very careful here. Regarding whether it can apply to a “software-only generic fingerprint matching library”, I think the answer is clearly yes, but it also depends on the capabilities of the library.

    4A003, which has the “‘digital computers’ for computerized finger-print equipment for crime control” statement, appears to cover the hardware (super-computer or cluster, maybe some custom DSP and image enhancement hardware) necessary for a finger-print matching system.

    4D001 covers the software designed to work with such a system. So if NFIS2, a bit of scripting, and a cluster of computers can give you the start of a crime lab, then I think NFIS2 would clearly be export controlled.

    So I suspect you do not want to wholesale include NFIS2 directly in a project, as you would probably get into trouble quickly. But rather take the parts you want and make it very targeted to the specific hardware and application that you are working towards. There should be very large differences between using fingerprints for authentication (where you always have a ‘complete’ print, and a relatively small number of users to authenticate against) vs identification (where you have to deal with partial prints, huge databases, etc).

    This is very much the same line that Intel has to toe with their wireless cards…if they opensourced the entire driver, people could mod them easily to transmit on any frequency they wanted. So to protect themselves they keep some parts secret.

    Fortunately none of this deals with the readers themselves, so at least we don’t need an export license to take our laptops to the Bahamas! And more to the point, I believe any software you came up with on your own would be no-license-required for export, as long as your matching algorithm is slow and fragile, so as to make it useless on a large scale.

    But again, I’m not a lawyer, so…good luck.

  3. Rafael Colon Says:

    Here are my comments as an export control officer from a large U.S. corporation.

    Crime control technologies include such things as fingerprint and voice identification hardware and software. Fingerprint and voice authentication (i.e. one-to-one matching) is not considered to fall under the scope of the crime control export restrictions. A police database which will scan a fingerprint record to identify a convict is an example of a controlled technology. This identification of an individual against a large sample (i.e. one-to-many matching) is what the U.S. Government is controlling. Crime control hardware and software is only eligible to be exported to a very small portion of countries (i.e. some NATO countries).

    Public Domain – The Bureau of Industry and Security determined that manuals in the public domain (e.g. provided on an Internet site free to the public) were not controlled per Regulation 734 of the U.S. Export Administration Regulations (EAR). It was stated that exporters can make their manuals publicly available at any time as long as the manuals are not restricted for release by government contracting controls or specific national security controls such as a secret classification.

  4. dsd’s weblog » Blog Archive » NFIS2 works! Says:

    [...] Despite the earlier legal concerns about libdpfp (which still stand), I went ahead and requested a NFIS2 CD and integrated it into libdpfp locally. [...]

  5. Arturo Says:

    Daniel, the NFIS2 CD would be classified as ECCN 3D980. You can do some research to find out the details, but in a few words it means you need to pull an export license to send it to any Country outside NATO. Regards, Arturo
