The FBI’s use of facial recognition technology is exploding, according to a new report from the Government Accountability Office — and its growth is largely unchecked, unaudited, and possibly flawed.

“FBI should better ensure privacy and accuracy” of its facial recognition technology and the databases that photographs are stored in, urged the GAO.

According to the report, the FBI has never reviewed its facial recognition searches for misuse — on either state databases or its own massive biometric database, known as the Next Generation Identification system.

The FBI has access to 16 different state databases of driver’s license photos – almost 173 million people — not just criminal mug shots.

The FBI also hasn’t run any tests on how accurate the facial recognition technology is when searching state databases, and whether those searches come back with false positives, which could lead to misidentifying an innocent person as a criminal suspect. According to a National Institute of Standards and Technology report on facial recognition, error rates of technology surveyed can range between a few percent to more than 50.

And the bureau has repeatedly dragged its feet when assessing the privacy impact of its facial recognition technology — information that would “improve the public’s understanding” of the FBI’s efforts to protect privacy, according to the GAO.

“When people go to the DMV to take their driver’s license photos, they don’t expect that their faces will be scanned and searched tens of thousands of times by the FBI. They don’t expect that their faces will become part of a permanent, digital line-up. What the FBI is doing may be legal, but it isn’t right,” Alvaro Bedoya, the executive director of Georgetown Law School’s Center on Privacy and Technology, wrote in a statement.

In the meantime, the FBI has requested that its own biometric database be exempt from legal provisions in the Privacy Act that would require the agency to tell people their fingerprints, faces, and more have been collected so they can challenge the accuracy of the information.

On June 15, industry groups also came to an agreement on privacy standards for commercial use of facial recognition technology — discussions that advocacy groups dropped out of last year in protest.

While industry members seemed satisfied with the loose guidelines, which recommended that companies should protect user data, privacy activists repeated their concerns that there are still no real protections.