How Federal Law Enforcement is Using Facial Recognition — and Why It Outpaced Its Rules

Federal law enforcement agencies are actively using facial recognition technology to investigate crimes, according to a Government Accountability Office report published in March 2024. This is not a new development — what is notable is that the GAO has now examined the practice multiple times over several years, and each report reveals the same underlying issue: the technology has become embedded in investigative work faster than federal rules have caught up to govern it.

A Pattern of Oversight

The GAO, a federal watchdog agency, has been studying how facial recognition works in law enforcement since 2021. That first report surveyed 42 federal agencies about their use of the technology. A year later, GAO testified to Congress about the same issue. In 2023, it published another report focused specifically on the risks these agencies face. The March 2024 report is the latest in that series.

What emerges from reading them together is a methodical progression: first, an inventory of who is using the technology; second, a look at privacy concerns; third, an examination of where things could go wrong. But notably, there is no corresponding federal law that actually governs the practice. Recommendations have been made by the GAO, but recommendations are not legally binding — agencies can ignore them.

How It Actually Works

When federal law enforcement uses facial recognition, they are not using it the way you might see in a movie — running a suspect's photo through a database and making an arrest on that alone. Instead, the technology works more like a sieve: investigators run an image through a database of known faces (driver's license photos, booking photos, passport images, and others), and the system returns a ranked list of possible matches. A human analyst then looks at those candidates and decides whether any of them are worth investigating further. The technology is a lead-generation tool, not proof of guilt.

The reliability of that system depends on several things. One is the quality of the image — a clear booking photograph is far more reliable than a blurry security camera frame. Another is the database being searched. If an agency is searching its own database of driver's license photos, the results carry different weight than if it is searching a commercial system that has scraped images from the internet without asking permission. The accuracy of facial recognition also varies noticeably depending on a person's age, skin tone, and other demographic factors — a fact documented extensively in testing by the National Institute of Standards and Technology.

The 2021 GAO survey found that some federal agencies were indeed using commercial facial recognition systems that source images this way, which raises questions about whether those images should have been used at all.

Cities Say No, Feds Keep Going

While federal agencies have been expanding their use of facial recognition, something different has happened at the local level. San Francisco banned its government agencies from using facial recognition in May 2019 — the first U.S. city to do so. The ban included a provision that agencies could not even use facial recognition data obtained from other sources, a deliberate choice to prevent workarounds. According to reporting from the Electronic Frontier Foundation, at least 16 other cities and towns followed San Francisco's example within three years.

This divergence — cities moving toward restriction, federal agencies moving toward greater use — is a meaningful signal. But it is not surprising if you know the history of surveillance technology in America. Tools like phone wiretaps, cell-site simulators (which mimic cell phone towers to collect location data), and others all followed the same pattern: agencies deployed them, and laws came later, sometimes decades later. Facial recognition appears to be following that same arc.

The Real Problem: No Audit Trail

The deeper issue that the GAO reports have uncovered is not simply whether agencies use facial recognition, but whether they have basic safeguards in place. Do they log who ran what searches? Do they train analysts on how to use the results responsibly? Have they assessed the privacy risks? Do they keep records of their decisions?

Think of it this way: if an agency deploys facial recognition without documenting how it is used, how often it generates errors, and what happens with those results, then mistakes become invisible. No one can discover them later. No one can hold anyone accountable. The system operates in darkness.

One silver lining: ICE (Immigration and Customs Enforcement) had documented and assessed its own privacy risks, according to the 2021 GAO report. The implication — which the GAO did not state but which is hard to miss — is that other agencies had not done equivalent work.

No Law, No Consistent Rules

As of March 2024, there is no comprehensive federal law that governs how law enforcement can use facial recognition. Several proposals for such a law have been introduced in Congress, but none has passed. The result is a patchwork: some agencies with internal policies, some without; some using government-operated systems, others using commercial tools; and a GAO that can recommend best practices but cannot force compliance.

This is not unique to facial recognition. The federal government has broader guidance on artificial intelligence, including a 2023 executive order from the Biden administration and a framework from NIST (the National Institute of Standards and Technology). But guidance is voluntary. It does not carry the force of law.

What this means in practice is that the GAO's periodic audits — roughly every 12 to 18 months — function as the closest thing to federal accountability that exists. That is a reasonable temporary solution, but audits look backward. They document what happened. They do not set rules for what can happen going forward. That gap is where risk quietly builds.

Where We Stand

Facial recognition is now confirmed as an active, operational tool in federal law enforcement. Multiple independent audits have documented that. But the question of who is allowed to use it, under what conditions, with what documentation and accountability, remains formally unanswered at the federal statutory level.

For anyone working in technology, especially in identity systems, biometrics, or AI used in government, the GAO's reports are worth reading as primary source material. They contain unusual specificity about which agencies do what, what documentation standards are or are not in place, and where the vulnerabilities are. That level of detail is rare in federal oversight and gives a clearer picture than most news coverage of where the accountability architecture actually stands right now.

The technology works. It is in use. It is generating leads. The rules that should govern it are still being debated.