While much of the public might believe that facial-recognition software is the stuff of Jason Bourne films, the reality is that the technology is already being used by government agencies such as the F.B.I. With new technologies come new ways for the government to ostensibly fight crime—an effort that often includes major privacy trade-offs, and, when not used responsibly, can put residents and civilians at risk.

Such is the case with FACE, an F.B.I. program described in a new, blistering report from the United States Government Accountability Office. FACE stands for Facial Analysis, Comparison, and Evaluation, the name of a relatively new unit within the agency. The G.A.O. found that the F.B.I. has been disregarding some of even the most basic privacy protections and standards.

To wit: the driver’s-license photos of the residents of 16 states and some additional 30 million photos from a biometric database are available for the F.B.I. to search at will. Another 18 states are reportedly negotiating with the F.B.I. over the use of driver’s-license images. The F.B.I. hadn’t sufficiently notified the public of the technology’s use.

“Not knowing how often the system is producing false positives makes it impossible to know if FACE actually benefits F.B.I. investigations.”

According to the G.A.O., the F.B.I. has no idea how often the technology they’re using mis-identifies people. It has previously been determined that facial-recognition software can exhibit a racial bias—some algorithms are significantly more effective at parsing the faces of white people than they are at identifying black people. Erroneous identification in an F.B.I. investigation can, of course, wreak havoc on an individual’s life.

“We have a mismatch here between the power and speed with which these technologies are being developed, and the oversight that they’re being subject to,” Jay Stanley, a senior policy analyst at the A.C.L.U.’s Speech, Privacy, and Technology Project told VF.com.

Not knowing how often the system is producing false positives also makes it impossible to know if FACE actually benefits F.B.I. investigations at all, the G.A.O. found. If that sounds familiar, perhaps that’s because it recalls the government’s eventual admission that N.S.A. mass-surveillance programs revealed by Edward Snowden did not disrupt a single plot that would not already have been revealed through other, less intrusive forms of targeted surveillance.

The F.B.I. also has not been auditing FACE to determine whether it complies with standard privacy rules and protections, and, as the A.C.L.U. notes, “for five years did not publish a legally required System of Records Notice (SORN) informing the public about its use of face recognition.”

How often was the F.B.I. using FACE? According to the G.A.O., the unit fielded approximately 214,920 searches or requests between 2011 and 2015—36,420 involving the 16 states’ driver’s-license photos. Overall, FACE found 8,590 cases in which a “likely candidate” was returned to an F.B.I. agent.

According to Alvaro Bedoya, the executive director of the Center on Privacy and Technology at Georgetown University Law Center, “facial recognition searches are far more common than wiretaps.”

“And yet,” Bedoya tweeted on Thursday, “we regulate wiretaps, and don’t regulate face recognition.”

“Erroneous identification can, of course, wreak havoc on an individual’s life.”

In response to a draft version of the G.A.O.’s report, the Department of Justice (the parent agency of the F.B.I.) said it concurred with some, but not all, of the report’s findings and recommendations. The D.O.J. claimed that since the FACE program is meant to provide potential leads, rather than “positive identification,” even inaccurate leads do not amount to false positives. The G.A.O. disagreed, as it also did when the D.O.J. claimed that, since it lacks the authority to set a certain accuracy benchmark for facial-recognition software used by external agencies, there therefore cannot be a standard of any sort.

The G.A.O. pointed out that the technology used by the F.B.I. and its state and local partners can search some 380 million photos. If an agency is absorbing the biometric data of millions of unwitting Americans, the G.A.O. argues, it should greatly increase efforts to inform the public, protect its data from leaks, and address concerns about the technology’s potential inaccuracy.