ACLU senior staff attorney Nathan Freed Wessler was concerned not just that Microsoft wanted to sell a “dangerous” tech to an agency involved in a “racist drug war,” but that it came just as the US Attorney General had reportedly expanded the DEA’s surveillance powers. The DEA could misuse the tech to spy on people protesting police brutality, Wessler speculated.

We’ve asked Microsoft for comment. The company has defended federal contracts in the past, but not universally so. While it argued that a military HoloLens contract was important to support people who “protect the freedoms” of Americans, it justified an Immigrations and Customs Enforcement deal by noting that it didn’t cover the agency’s most controversial practices. The DEA case is another matter — there’s little doubt that facial recognition would be used for contentious purposes.

There was good reason to put those efforts under tight scrutiny, the Inspector General’s office said.

Under one program, nicknamed Program A, the DEA relied on “non-target specific” subpoenas to make telecoms supply metadata for calls made between the US and countries it deemed a “nexus to drugs,” even when there was no apparent link to a specific case. Program B, meanwhile, used equally vague subpoenas to scoop up data for anyone buying certain products through key vendors, and had no plans to get rid of that data once it was no longer useful. Program C saw the DEA buy metadata on targets through a contractor for another agency, but it wasn’t clear if the DEA’s authority covered that data.

On top of this, the DEA took numerous steps that “hindered” the Inspector General’s access to info.

The potential for abuse isn’t as high as it was years ago. The DEA shut down Program B in 2013, and scaled back Program A to focus on specific investigations in the wake of Edward Snowden’s leaks. The DEA also told Nextgov in a statement that it agreed to abide by 16 recommendations from the report that would keep bulk data collection legal and respectful of civil rights. Still, the findings aren’t comforting — they indicate that the DEA spent years (dating as far back as 1992) gathering data without checking that was honoring the law, compromising privacy safeguards in the process.