The rules on exporting biometrics outside the U.S.
29 July, 2008
category: Biometrics, Library
By James M. Anzalone, Compliance Assurance LLC
Did you know that many biometrics technologies are controlled for export? The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) controls the export of biometric technologies for crime control reasons, a policy aimed at promoting human rights throughout the world.
The idea is that that crime control technologies, such as fingerprint scanners, should not be used to track or single out political or religious dissidents in totalitarian states. An export license is generally required for exports or re-exports to all but a few non-NATO countries.
The BIS controls exports through the assignment of an Export Control Classification Number (ECCN), which defines the relative control sensitivity of the product, software or technology. The ECCN is referenced against the Commerce Country Chart to determine if a license is required for export. For example, ECCN 3A981 is defined as fingerprint analyzers, cameras and equipment, and automated fingerprint and identification retrieval systems.
In cross referencing this ECCN with the Commerce Country Chart you will find that a license is required for export to all except the NATO countries—Bulgaria, Canada, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, United Kingdom—and also Australia, New Zealand and Japan.
For example, the National Institute of Standards and Technology’s BOZORTH3, a widely recognized minutiae-based fingerprint matching algorithm that performs both one-to-one and one-to-many matching operations, is controlled for export. Similarly, the NIST fingerprint segmentation algorithm, NFSEG, which segments four-finger ‘slap’ impressions, is also controlled, according to the NIST website (http://fingerprint.nist.gov/NFIS/).
Equipment for voice print identification and analysis are also controlled along with its associated software, both of which require a license.
But surprisingly, iris scanners and facial recognition hardware and software are not controlled for export even though they are generally used for the same purposes as other biometric technologies.
That may, however, soon change. The New York Times reported in January that the Commerce Department is looking into the export of facial recognition technologies due to the increasing involvement of American companies in the Chinese market, particularly with the Beijing 2008 Summer Olympic Games.
On June 17, 2008 the BIS ended public comment on a notice of inquiry on crime control license requirements in the Export Administration Regulations. Specifically mentioned in this request for public comment was whether items such as biometric devices and integrated security systems should be subject to crime control license requirements.
This decision could go either way. Many of the existing technologies are available from firms outside the U.S., making the case that the current policy only hurts U.S. exporters. On the other hand, this decision may indicate a tightening of biometrics export controls and may initiate the inclusion of iris and facial recognition technologies.
While changes might be forthcoming, companies exporting controlled biometrics technologies are required to screen and apply for export licenses as required under the Export Administration Regulations. Failure to do so can result in significant penalties under recently toughened sentencing guidelines.
On Oct. 16, 2007, President Bush signed into law the International Emergency Economic Powers Enhancement Act. The law provides for civil penalties amounting to the greater of $250,000, or twice the value of the transaction on which the violation is based, imposed for each violation. Willful violators can expect criminal penalties, including fines up to $1 million and up to 20 years in prison.
Additional information for biometric vendors and resellers
Now that you know your biometric hardware, software and technologies are controlled for export, you’re doomed, right? Not at all. What does not work is burying your head in the sand and hoping past sins will just go away. The BIS does not take lightly ignorance, or “self blinding,” that is, refusing to accept information about an export. It does, however, give great weight mitigation in assessing penalties in administrative cases.
The first step is to have a qualified expert classify your products to determine whether or not they are controlled under one of the ECCNs mentioned and whether a license may be required for certain countries. An internal audit of your shipping documents or sales orders will uncover any potential violations. Potential violations may be voluntarily self-disclosed to the BIS to re-start with a clean slate.
Keep in mind, however, that a self disclosure will not likely mitigate all penalties and the BIS will probably pay you a personal visit to ask for additional information. In addition, one of the requirements of a voluntary disclosure is the implementation of an export compliance system procedure to ensure that future violations will not occur.
Having a good export compliance policy in place is the best method to avoid fines, being banned from government contracts and bad press. At a recent BIS Export Control Forum in Newport Beach, Calif., Asst. Sec. of Commerce Darryl W. Jackson stated that compliance is more important than ever. Compliance will help you avoid enforcement actions. And, if you cannot avoid an enforcement action, having an effective compliance program will get you great weight mitigation in administrative cases.
Aside from being the “right thing to do,” an effective export compliance program can save you money, keep away negative publicity and be a weapon against competitors who continue to operate in the dark.
James Anzalone is the president of Compliance Assurance LLC, a firm specializing in global trade compliance solutions.
