The FBI steadily, stealthily compiled a massive facial recognition database without oversight and in disregard of federal law, according to a report released today by the Government Accountability Office.

The bombshell report reveals that the FBI dipped into driver’s license photo databases from 16 states, as well as passport and visa photo databases from the State Department, feeding its facial recognition with millions of photos of Americans and foreigners who have never been accused of a crime. The FBI has access to a whopping 411.9 million images for use in facial recognition, roughly 30 million of which are mug shots.

The sheer number of photos described in the GAO report is staggering, but what’s worse is that the FBI didn’t make public disclosures about the program required by law, the report says. The GAO recommended that the FBI make several improvements to its transparency process and assess its past failures. The report instructs that the U.S. Attorney General should determine why the FBI didn’t publish legally mandated privacy assessments as it expanded its facial recognition program.

The Privacy Act requires government agencies to disclose how they harvest and use personal information like ID photos, but the GAO found that the FBI didn’t make the mandatory disclosures.

“There appears to be no internal oversight on this system and that’s remarkable,” Alvaro Bedoya, the executive director of the Center on Privacy and Technology at Georgetown Law, told TechCrunch. Bedoya previously worked for Senator Al Franken, the legislator who has frequently pushed for oversight of facial recognition technology and requested that the GAO audit the FBI’s use of the technology.

“Today we found out that they have no idea if they’re misusing it or not,” Bedoya said of the FBI. “They’ve literally never done an audit.”

Bedoya pointed out that many Americans don’t expect their driver’s license photos to end up in a federal law enforcement database.

“When you turn 16 or 17, you don’t go down to the police station and give them your fingerprints; you go get your driver’s license. Turns out, it’s the same thing as far as the FBI is concerned,” he said. “They might not be storing these photos at Quantico but it has built, in effect, a nationwide biometric database using driver’s license photos. It’s breathtaking.”

The GAO report also notes that the reliability of the FBI’s facial recognition technology is virtually untested, and testing it for accuracy is complicated, given that the FBI searches several different state and federal databases for photos. Studies have consistently found facial recognition software to be faulty when identifying minorities, women and young people, and it’s probable that the FBI’s databases are susceptible to similar biases.

The GAO made three recommendations to help the FBI test and audit the accuracy of the system and to ensure that the data from other databases is reliable, but the Justice Department argued that the FBI has done sufficient accuracy testing.

“This GAO report raises some very serious concerns, and reveals that the FBI’s use of facial recognition technology is far greater than had previously been understood. This is especially concerning because the report shows that the FBI hasn’t done enough to audit its own use of facial recognition technology or that of other law enforcement agencies that partner with the FBI, nor has it taken adequate steps to ensure the technology’s accuracy,” Franken said in a statement on the report.

The GAO findings come at an interesting moment in the FBI’s push for facial recognition. The bureau has asked that its biometric information be exempt from certain Privacy Act provisions. Nearly 50 organizations have signed on to oppose this exemption, and public comment on the issue remains open until July 6.

As the issue of biometric databases and individual privacy continues to grow, so does the FBI’s photo collection. The GAO report reveals that 16 more states are in negotiations with the FBI to provide access to their driver’s license photo databases.