When the FBI announced its Next Generation Identification System in 2014, it said the database would include about 51 million photographs. A new report from the Government Accountability Office finds the system actually includes about 411 million photos, only 30 million of them “civil and criminal mugshots.”

The rest of the data comes from “the State Department’s Visa and Passport databases, the Defense Department’s biometric database, and the drivers license databases of at least 16 states,” according to Jennifer Lynch of the Electronic Frontier Foundation.

The GAO found the state of the FBI system unsettling, pointing out that error rates have not been properly assessed yet, the accuracy of the databases maintained by the FBI’s federal and state partner agencies has not been measured, and the reliability of facial recognition algorithms remains in doubt.

The GAO also thought the FBI had not done enough to inform the American people of the privacy issues raised by the existence of the new system. In fact, the FBI only allowed 30 days for public response to its demand for a Privacy Act exemption for the facial recognition system.

Lynch notes that a “bright spot” in the GAO report was the FBI’s decision to keep the civil photos out of the primary search algorithm. In other words, civil photos are only drawn into the data mix for people who have also been arrested for a crime.

The report includes a lengthy section detailing the back-and-forth between GAO and the Justice Department, which only concurred with half of the recommendations made by the Government Accountability Office. For example, the Justice Department defended the amount of accuracy testing the system has been subjected to, but the GAO continues to disagree with their defense, and was not completely sold on the notion that standards for the facial recognition system should be loosened because it only generates “investigative leads,” rather than positive identification leading to arrest.

Also, when GAO raised the point that agencies contributing data to the program might have lower accuracy than the FBI, the Justice Department responded that “there is value in searching all available external databases, regardless of their level of accuracy.” That didn’t sit well with GAO, and probably won’t with citizens worried about their electronic integrity.

Ars Technica notes concerns that facial-recognition failures could not only harass innocent citizens improperly identified as suspects, but could also lead law enforcement to divert time and energy to false leads. It is also noted that facial recognition has been “found to be biased against African-Americans, and utterly failed in the Boston bombing manhunt.”