Exporting biometrics outside the U.S. by the book

Published 29 July 2008

The U.S. government controls the export of biometric hardware, software, and technologies; U.S. biometric companies would be wise to comply with the various control regulations

Did you know that many biometrics technologies are controlled for export? James Anzalone, president of Compliance Assurance LLC, a firm specializing in global trade compliance solutions, writes that if you are in the biometric field, you should know that the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) controls the export of biometric technologies for crime control reasons, a policy aimed at promoting human rights throughout the world. “The idea is that that crime control technologies, such as fingerprint scanners, should not be used to track or single out political or religious dissidents in totalitarian states. An export license is generally required for exports or re-exports to all but a few non-NATO countries,” he writes.

The BIS controls exports through the assignment of an Export Control Classification Number (ECCN), which defines the relative control sensitivity of the product, software or technology. The ECCN is referenced against the Commerce Country Chart to determine if a license is required for export. For example, ECCN 3A981 is defined as fingerprint analyzers, cameras and equipment, and automated fingerprint and identification retrieval systems. In cross referencing this ECCN with the Commerce Country Chart you will find that a license is required for export to all except the NATO countries-Bulgaria, Canada, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, United Kingdom — and also Australia, New Zealand and Japan. For example, the National Institute of Standards and Technology’s (NIST) BOZORTH3, a widely recognized minutiae-based fingerprint matching algorithm that performs both one-to-one and one-to-many matching operations, is controlled for export. Similarly, the NIST fingerprint segmentation algorithm, NFSEG, which segments four-finger ‘slap’ impressions, is also controlled, according to the NIST Web site.

Equipment for voice print identification and analysis are also controlled along with its associated software, both of which require a license. Surprisingly, iris scanners and facial recognition hardware and software are not controlled for export even though they are generally used for the same purposes as other biometric technologies. That may, however, soon change. The New York Times reported in January that the Commerce Department is looking into the export of facial recognition technologies due to the increasing involvement of American companies in the Chinese market, particularly with the Beijing 2008 Summer Olympic Games. On 17 June 2008 the BIS ended public comment on a notice of inquiry on crime control