Gretta Goodwin, director of Homeland Security’s Government Accountability Office, testified on June 4, 2019, about the results of a three-year audit on how the FBI and Justice Department use of facial-recognition technology.

WASHINGTON (CN) – Back for Day 2 of an oversight hearing on the government’s use of facial-recognition software, lawmakers were left momentarily and uncharacteristically speechless Tuesday as an auditor at Homeland Security detailed the FBI’s database of 640 million faces, a number that is twice the population of the United States.

Gretta Goodwin, director of Homeland Security’s Government Accountability Office, explained that just 36 million of the photos in the FBI’s Next Generation Identification System depict people who have been arrested or part of a criminal probe.

Another 21 million photos in the same system involve people from civil matters, but Goodwin said the bulk of the 640 million faces come from the myriad state and federal agencies, like a DMV or the State Department, which the FBI can reach out to, as it deems appropriate.

Goodwin’s office began an audit in May 2016 on how the FBI and Justice Department use of facial-recognition technology, publishing its findings today to coincide with this morning’s hearing of the House Committee on Oversight and Reform.

Though Goodwin said roughly 77 percent of the GAO’s recommendations on advancing the use facial-recognition technology have been implemented since 2016, she noted that privacy protections are one of several critical issues to go largely unaddressed.

This graphic appears in a June 4, 2019, audit on how the FBI and Justice Department use of facial-recognition technology.

If followed, the recommendations could have “gone a long way” toward helping the DOJ ensure that the data relied on to conduct criminal probes or potentially arrest someone was, indeed, accurate, Goodwin said.

Goodwin’s office found three years ago that the DOJ had not completed or published any privacy-impact assessments analyzing how personal information – like a person’s passport photo, mug shot or driver’s license photo – is retained or shared for facial-recognition use.

The DOJ and FBI had also failed to roll out a record-notification system that was aimed at regulating the collection and maintenance of photos used as a part of the FBI’s Next Generation Identification program.

Goodwin said the 2016 audit warned that the the agency could eventually run afoul of the First and Fourth amendments without better self-reporting, but that neither the Justice Department nor the FBI agreed with the watchdog’s assessment of potential threats to privacy or gaps in accuracy.

Instead, the agencies argued that what the GAO considered a “legal requirement” for notification under existing privacy rules was not actually mandatory.

Goodwin pushed back on this Tuesday.

“Anytime there’s a change to the system or the technology used, they must make that information public. We stand behind this because it speaks to transparency,” Goodwin said.

Kimberly Del Greco, deputy assistant director for the FBI’s criminal justice information services division, said the FBI disagreed with the GAO on legal principle because no civil rights violation actually occurred. The information forked over to the FBI came willingly and with the approval of state officials.

Kimberly Del Greco, deputy assistant director for the FBI’s criminal justice information services division, testifies on June 4, 2019, about the results of a three-year audit on how the FBI and Justice Department use of facial-recognition technology.

Pointing to the 1980 Privacy Protection Act as an example, Del Greco said this law allows states to disclose photos or images from the DMV to law enforcement in the case of a criminal investigation and that is mainly what the FBI is doing today.

Last year, the state of Vermont suspended the FBI from using its DMV databases to conduct facial recognition searches, citing threats to privacy. But as of Tuesday, at least 21 states still permit the practice.

Del Greco said the FBI has reached out to all 50 states but that their participation is voluntary. Though she noted that the FBI has conducted at least 150,000 searches of such databases using facial-recognition technology since 2017, Del Greco was unable to say how many of those individuals may have been wrongfully arrested or convicted because of it.

Representative Alexandria Ocasio-Cortez illuminated concerns over privacy in a short round of questioning with Austin Gould, assistant administrator for the Transportation Security Administration.

Representative Alexandra Ocasio-Cortez, D-N.Y., questions a witness on June 4, 2019, about the results of a three-year audit on how the FBI and Justice Department use of facial-recognition technology.

After the congresswoman described reports about Delta and Jet Blue’s plans to implement facial-recognition search systems inside airports at bag-drop locations, Gould confirmed talks were still underway.

“Do individuals know this is happening and do they provide explicit consent?” asked Ocasio-Cortez, a New York Democrat.

Gould replied that passengers would be given a chance to opt out of being scanned.

“So it’s opt-out, but not opt-in?” Ocasio-Cortez said.

Assuring a third hearing will be held in the coming weeks, Committee Chairman Elijah Cummings requested multiple follow-ups from members of Tuesday’s panel.