NFIS2 and U.S. export control laws
NFIS2 is a set of utilities for fingerprint analysis and matching. It has been developed by NIST for DHS and the FBI, so presumably it is of a decent quality. Additionally, Andrei Tchijov tells me that it does work.
This sounds great, and to get a copy all you have to do is ask for them to send you a CDROM. The CD includes source code and documentation. The code is mostly public domain, some with BSD-style “preserve this copyright notice” licensing terms.
There is only one possible problem. The NFIS website makes the following point rather clear:
Distribution of this software is subject to U.S. export control laws.
I’m not sure what this means, so I’ve done some research. The following may be incorrect – this is just my interpretation, which I’m seeking clarification on…
The most important point is that export control laws apply to almost everything that exits the United States – regardless of origin and regardless of transportation method (mail, internet, …). I was encouraged to read this, as surely the U.S. doesn’t place restrictions on source code — otherwise the whole open source thing would not be happening. However:
All exports should be classified with an ECCN number. If they can be classified, certain restrictions apply — mostly that you cannot export to certain countries.
Even if you can’t be classified with an ECCN, there are still restrictions. For example, you cannot export anything to any entities listed here, people listed here, etc. I find this immensely confusing considering that this effectively means a US-based open source software mirror site is violating export control laws if someone on one of those lists happens to download some software. How is open-source even possible in the US with these kinds of restrictions in place?
Anyway, going back to the NFIS2 thing. It seems fairly redundant for them to point out that NFIS2 is covered by export control laws, when software of any type automatically is. So I ventured further and looked into the ECCN classification lists. Unfortunately, some entries do explicitly cover fingerprint systems, although I’m having trouble determining if they are talking about hardware or software (would they apply to a software-only generic fingerprint matching library distribution?). These entries restrict distribution to a number of countries (for purposes of “crime control”, etc).
I’d be extremely grateful if anyone can confirm or deny any of the above. The question I’m looking to answer is: If I get my hands on NFIS2, can I include it in an open-source project and share it with the world?
Here are some sources which I used in the above research:
- Export Control Basics from the Bureau of Industry and Security
- Collection of technical documents detailing the export regulations
- ECCN categories relating to computers (plain text version here). Search for “finger-print” in these documents to see what I’m talking about – is NFIS2 covered by these? Would my own non-NFIS fingerprint matching library be subject to these requirements, bearing in mind that I am now US-based?
- ffpis is a SourceForge project which appears to include a partial copy of old NFIS2 code. There doesn’t seem to be any consideration for the export control issues here. Is this legal distribution?