Donnie Berkholz pointed out that the Xorg project previously had to overcome some issues with export control vs cryptographic code. I haven’t had a chance to chew on it yet, but there seems to be some good info here:

• Info from Jim Gettys on xdm crypto support
• Legal advice given to the Debian project on the same topic
• README.crypto from Xorg

I’m at the GNOME Summit this weekend, and today I met Jim in person. We talked briefly on the topic which was useful. After going through the above info I’m going to contact the Software Freedom Law Center based on his advice.

Thanks for the responses to my plea for help up to this point. I’ve also contacted a few people who I’m waiting for responses from.

I’ve been told that most of NFIS2 will become a downloadable open source project soon, which is encouraging. However, this project will NOT include the fingerprint matching algorithm, instead it will only include the analysis tools. This implies that scope of the export control issues is limited only to the actual matching and identification part, and leaves me with exactly the same problem.

I’ve also been informed that NFIS2 distribution is subject to ECCN 3D980. Basically, if your export can be classified under the ECCN, you need a license before you can export it (at least this my is interpretation, which may be wrong). Such licenses aren’t exactly open-source compatible.

Previously I was only looking under category 4 (Computers) but apparently they also put software under category 3 (Electronics). Here’s the text of 3D980:

“Software” specially designed for the “development”, “production”, or “use” of items controlled by 3A980 and 3A981.

3A980 is unrelated, but 3A981 says:

Polygraphs (except biomedical recorders designed for use in medical facilities for monitoring biological and neurophysical responses); fingerprint analyzers, cameras and equipment, n.e.s.; automated fingerprint and identification retrieval systems, n.e.s.; psychological stress analysis equipment; electronic monitoring restraint devices; and specially designed parts and accessories, n.e.s.

Opinions or thoughts on the interpretation of this new info are much appreciated.

Despite the earlier legal concerns about libdpfp (which still stand), I went ahead and requested a NFIS2 CD and integrated it into libdpfp locally.

The good news: it works brilliantly. Minutiae detection and comparison completes instantaneously and the results appear to be accurate and reliable. In other words, if I scan my finger twice it says its the same finger, and if I scan two different fingers it says they are different. I’m now in a position to follow up my larger plans of producing a generic fingerprinting library for a range of hardware, except…

The bad news: I’m not going to distribute any more work on libdpfp until I have found legal advice which tells me it’s OK to do so. I’m now at the position where I have a load of code I can throw at lawyers and say “this is exactly what I want to distribute”, so this is where the hunt begins.

If anyone has suggestions for people I might contact (even non-legal types who might be able to pass me on to someone), or has experience seeking advice in this kind of area, please contact me. I’m aware that such advice will probably cost money, although I don’t have any idea how much. Raising funds to cover costs might be a possibility.

In summary I’m looking for someone who understands (or can figure out how to interpret) US export control laws. I guess I also require a tech type who understands the concepts of software distribution to some degree. Any guidance appreciated!

On the journey to find some working fingerprint matching code for use in dpfp and future projects, several people have pointed me towards NFIS2.

NFIS2 is a set of utilities for fingerprint analysis and matching. It has been developed by NIST for DHS and the FBI, so presumably it is of a decent quality. Additionally, Andrei Tchijov tells me that it does work.

This sounds great, and to get a copy all you have to do is ask for them to send you a CDROM. The CD includes source code and documentation. The code is mostly public domain, some with BSD-style “preserve this copyright notice” licensing terms.

There is only one possible problem, the NFIS website makes the following point rather clear:

Distribution of this software is subject to U.S. export control laws.

I’m not sure what this means, so I’ve done some research. The following may be incorrect – this is just my interpretation, which I’m seeking clarification on…

The most important point is that export control laws apply to almost everything that exits the United States – regardless of origin and regardless of transportation method (mail, internet, …). I was encouraged to read this, as surely the U.S. don’t place restrictions on source code — otherwise the whole open source thing would not be happening, however:

All exports should be classified with an ECCN number. If they can be classified, certain restrictions apply — mostly that you cannot export to certain countries.

Even if you can’t be classified with an ECCN, there are still restrictions. For example, you cannot export anything to any entities listed here, people listed here, etc. I find this immensely confusing considering that this effectively means a US-based open source software mirror site is violating export control laws if someone on one of those lists happens to download some software. How is open-source even possible in the US with these kinds of restrictions in place?

Anyway, going back to the NFIS2 thing. It seems fairly redundant for them to point out that NFIS2 is covered by export control laws, when software of any type automatically is. So I ventured further and looked into the ECCN classification lists. Unfortunately, some entries do explicitly cover fingerprint systems, although I’m having trouble determining if they are talking about hardware or software (would they apply to a software-only generic fingerprint matching library distribution?). These entries restrict distribution to a number of countries (for purposes of “crime control”, etc).

I’d be extremely grateful if anyone can confirm or deny any of the above. The question I’m looking to answer is: If I get my hands on NFIS2, can I include it in an open-source project and share it with the world?

Here are some sources which I used in the above research:

• Export Control Basics from the Bureau of Industry and Security
• Collection of technical documents detailing the export regulations
• ECCN categories relating to computers (plain text version here). Search for “finger-print” in these documents to see what I’m talking about – is NFIS2 covered by these? Would my own non-NFIS fingerprint matching library be subject to these requirements, bearing in mind that I am now US-based?
• ffpis is a sourceforge project which appears to include a partial copy of old NFIS2 code. There doesn’t seem to be any consideration for the export control issues here. Is this legal distribution?

I have just released version 0.2.1 of libdpfp, a userspace library with example programs to interact with Microsoft and DigitalPersona fingerprint scanners on Linux.

This release contains code from eFinger and FVS to enhance the fingerprint images. The capture_finger_enhanced example program now produces images like the ones in this post, which is rather cool. Again, the enhancement takes a few seconds to complete, hopefully we can improve on this. Also, I think I saw an infinite loop in the thinning code, but have been unable to reproduce this.

Andrei Tchijov has done some work porting libdpfp to Mac OS X (Darwin). I say porting, only a few small changes were needed. It doesn’t work out-of-the-box on Darwin just yet due to a libusb bug, which Andrei is working on. Andrei also mumbled something about porting libdpfp to Windows, which would be rather interesting.

Download link. As usual, questions and bug reports belong on the mailing list, not in comments on my weblog.