Chapter 26: Exercises — Biometrics and Facial Recognition Ethics

These 25 exercises range from reflection and analysis to policy drafting and role-play. They are designed for individual completion, paired work, or classroom discussion.

Reflection and Analysis

Exercise 1: The Permanence Problem Make a list of all the credentials or identifiers you use in a typical week: passwords, PINs, badge codes, security questions, and biometric inputs (fingerprint to unlock phone, Face ID, voice authentication, etc.). For each biometric item on the list, identify what would happen if that biometric data were compromised. Compare the remediation options for biometric vs. non-biometric credentials. What does this exercise reveal about the permanence problem?

Exercise 2: Error Rate Calculation A facial recognition system has a false positive rate of 0.1% (one in one thousand). A police department uses this system to search a database of 500,000 faces. - How many false matches would a single query be expected to generate on average? - Now assume the system has a false positive rate 50 times higher for a specific demographic group (still within the range documented in NIST FRVT). How many false matches does a query of a face from that group generate? - What does this exercise reveal about why 1:many identification is more problematic than 1:1 verification?

Exercise 3: Identifying the Accountability Gap Using the Robert Williams case, map the chain of actors involved in the wrongful arrest: the algorithm developer, the Michigan State Police unit that ran the search, the Detroit Police investigator, the witness identification process, the prosecutor's office, and the department that adopted the technology. For each actor, identify: (a) the decision they made, (b) the information they had at that decision point, and (c) what accountability mechanism, if any, applied to them.

Exercise 4: Dissecting the NIST Findings Review the summary of NIST FRVT findings in Section 3 of this chapter. Why do algorithms developed by US companies tend to have higher error rates for African American and Asian faces, while algorithms developed by Asian companies tend to have higher error rates for Caucasian faces? What does this suggest about the relationship between training data and algorithm performance? What policy implication follows?

Exercise 5: Consent Architecture Analysis Consider the following three scenarios. For each, analyze whether meaningful informed consent (informed, freely given, revocable) can realistically exist for biometric data collection: - (a) A hospital collects fingerprints from all employees for building access. - (b) A grocery store deploys facial recognition at all entrances to identify known shoplifters. - (c) A city deploys real-time facial recognition cameras across all transit stations to identify individuals with outstanding arrest warrants.

Policy and Regulatory Analysis

Exercise 6: BIPA vs. GDPR Comparison Compare the Illinois BIPA and GDPR Article 9 approaches to biometric data protection on the following dimensions: (a) what data is covered, (b) what legal basis is required, (c) what rights individuals have, (d) what enforcement mechanism exists, and (e) what penalties apply. Which framework provides stronger protection in practice? Why?

Exercise 7: Drafting a Biometric Use Policy You are the Chief Privacy Officer of a mid-sized retail chain considering deploying facial recognition at store entrances to identify customers on a shoplifter watch list. Draft a one-page internal policy that specifies: the accuracy standard required before deployment, the consent disclosure mechanism, the error review procedure, the retention and deletion timeline, the audit schedule, and the conditions under which deployment would be suspended.

Exercise 8: Evaluating the EU AI Act Approach The EU AI Act takes the approach of presumptively prohibiting real-time biometric identification in public spaces for law enforcement, with narrow judicial-authorization exceptions. Critics argue this is too restrictive and will hamper legitimate law enforcement. Defenders argue it appropriately reflects the severity of the risks. Construct the strongest possible version of each argument, then take a position.

Exercise 9: The Moratorium Argument Some civil liberties groups and legislators have called for a complete moratorium on law enforcement facial recognition use until comprehensive legislation is enacted. Evaluate this argument. What would be the costs of a moratorium? What would be the costs of continued unrestricted use during the regulatory gap? How would you weigh them?

Exercise 10: Federal Legislation Drafting Draft the key provisions (in plain language, not statutory code) of a federal Facial Recognition Accountability Act. Include: definitions, accuracy standards, prohibited uses, required disclosures, audit requirements, private right of action, and agency oversight. Explain your choices.

Business Scenarios

Exercise 11: Procurement Due Diligence Your company is evaluating two facial recognition vendors for an employee time-and-attendance system. Vendor A provides overall accuracy of 99.2% but cannot provide demographic breakdown of accuracy rates. Vendor B provides overall accuracy of 98.8% with documented accuracy rates across gender and skin tone groups, showing maximum disparity of 1.5 percentage points. Which vendor would you recommend, and why? What additional information would you want before proceeding?

Exercise 12: The MSG Scenario Madison Square Garden Entertainment used facial recognition to eject attorneys with pending litigation against MSG entities from its venues. Evaluate this use case from: (a) a legal perspective (what laws might this violate?), (b) an ethical perspective (what principles does it violate?), and (c) a business perspective (what were the business risks of this approach?). Would any commercial facial recognition use at venues be ethically justifiable?

Exercise 13: Clearview AI Vendor Decision Assume you are a chief of police in a mid-sized US city. A Clearview AI representative offers your department access to its database. Evaluate the decision from: (a) an investigative utility perspective, (b) a legal compliance perspective, (c) an equity and civil rights perspective, and (d) a political accountability perspective. What would you decide, and what conditions (if any) would govern that decision?

Exercise 14: Remote Employee Monitoring During the COVID-19 pandemic, your company deployed software that analyzes employee faces during video calls to score attention levels. The software flags employees whose attention score falls below a threshold for manager follow-up. You are now reviewing this policy. What ethical issues does this practice raise? What changes would you recommend? Is any version of this practice ethically justifiable?

Exercise 15: The Taylor Swift Scenario At a concert, a performer's team deploys facial recognition at a merchandise kiosk to identify known stalkers from a threat database. No disclosure is made to concertgoers. Evaluate the ethics of this deployment. What factors distinguish this use case from other facial recognition deployments? Does the specific protective purpose justify the undisclosed surveillance? What alternatives exist?

Critical Thinking and Debate

Exercise 16: The Public Space Argument The standard legal argument for permitting facial recognition in public spaces is that people in public have no reasonable expectation of privacy in their appearance. Evaluate this argument. Does the distinction between being visible and being enrolled in a biometric identification database matter? What legal and ethical principles should govern the transition from CCTV to facial recognition?

Exercise 17: The Clearview Trade-Off Clearview AI's CEO has cited specific cases — trafficking victims identified, predators caught — where his company's technology produced identifications that led to successful investigations. Assuming these cases are accurately described, what is the strongest ethical argument against Clearview's continued operation? What is the strongest argument for it? How should society weigh concentrated benefits against distributed harms?

Exercise 18: Intersectionality and Compounding The Gender Shades study found that darker-skinned women faced the highest error rates of any group tested — higher than darker-skinned men or lighter-skinned women. What does this intersectional result reveal that a non-intersectional analysis would miss? Design an accuracy audit framework for a facial recognition system that captures intersectional performance, not just single-axis demographic performance.

Exercise 19: Voice Biometrics and the Deepfake Problem A bank uses voice authentication for telephone customer service. It accepts a call as authenticated if the voice matches the account holder's enrolled voiceprint. Voice cloning technology can now produce convincing vocal reproductions from as little as 30 seconds of target speech — which is available for many people on social media. Evaluate the current security of this authentication model. What changes would you recommend the bank make?

Exercise 20: Genealogical DNA and Consent A woman submits a DNA sample to an ancestry database to learn about her family heritage. She is not informed that her genetic relatives — who have not submitted DNA — may be identified through her submission, or that law enforcement may access the database for investigative genealogy. Evaluate the consent architecture of ancestry DNA databases from an ethics perspective. Who has the right to consent to genealogical database searches? Can an individual consent on behalf of relatives who share their DNA?

Case Application

Exercise 21: Audit Design Design a demographic bias audit for a facial recognition system used in a retail loss prevention context. Specify: what test dataset you would use, what metrics you would measure, what threshold of disparity would be acceptable, how often the audit would be conducted, and what the consequences of failing the audit would be.

Exercise 22: Comparing the Wrongful Arrest Cases Compare the three documented wrongful arrest cases — Robert Williams, Nijeer Parks, and Michael Oliver — on the following dimensions: the context of the investigation, the type of identification procedure used after the facial recognition match, the time spent in custody or under charge, the outcome, and the legal action taken. What patterns do you observe? What systemic factors are consistent across cases?

Exercise 23: Regulatory Jurisdiction Analysis Clearview AI has been fined by regulators in Italy, France, Greece, Sweden, the UK, and Canada. The company has generally disputed the jurisdiction of these regulators and has not demonstrated compliance with deletion orders. What does this reveal about the limits of national data protection law when the company being regulated is foreign? What international mechanisms would be required for effective enforcement? Do any such mechanisms currently exist?

Exercise 24: Proportionality Analysis Apply the proportionality principle to each of the following facial recognition deployments. For each, assess whether the stated purpose is sufficiently weighty to justify the degree of biometric surveillance: - (a) Real-time facial recognition in all subway stations to identify individuals with active arrest warrants - (b) Post-incident facial recognition of protest footage to identify participants in property damage - (c) Facial recognition at border crossings to verify travel document identity - (d) Facial recognition in workplace cafeterias to automatically bill employees for meals - (e) Facial recognition in school buildings for access control and attendance tracking

Exercise 25: Legislative Testimony Preparation You have been asked to testify before a Congressional subcommittee on proposed legislation that would impose a two-year moratorium on federal agency use of facial recognition technology. Prepare two sets of testimony: (a) testimony in support of the moratorium, emphasizing accountability failures and equity concerns; and (b) testimony in opposition, emphasizing investigative value and the availability of policy alternatives to a blanket ban. In both cases, ground your argument in specific evidence from this chapter.

Chapter 26 | AI Ethics for Business Professionals