Facial recognition technology has great potential — and risks. Law enforcement officers with the photo of an unidentified criminal suspect or wanted person can search a database to turn up photos with similar parameters in a first step toward identifying the person.

It can be put to use for security purposes at airports, at border crossings, and at large sporting or music venues.

But with privacy issues at play, and misuse by unauthorized users of databases possible, caution is needed with facial recognition programs, particularly those operated by government.

Ohio Attorney General Dave Yost ordered a review of Ohio’s system last month after reports surfaced that federal law enforcement had accessed photo databases in some state bureaus of motor vehicles without the approval of Congress or state legislatures — and without the knowledge or consent of millions of drivers who have no criminal record.

While Yost’s report, released Wednesday, found the state’s facial recognition system had not been used improperly by federal, state or local law enforcement to conduct “mass surveillance, broad dragnets, political targeting or other illegitimate uses,” he still revoked access to the system by about 4,500 police officers until they can be trained on the use and limitations of the technology. In the meantime, searches can still be done, but will be conducted directly by the state Bureau of Criminal Investigation.

Yost’s actions would appear to be an appropriate response.

Ohio’s database, which contains 24 million photos, was launched in 2013 by Gov. Mike DeWine, who was then attorney general. The FBI and certain other federal agencies were granted access by DeWine in 2016, and between 2017 and 2019, the system fielded 10,652 facial recognition inquiries. Only 418 were from federal agencies. The rest were conducted by state or local law enforcement agencies, courts or other criminal justice agencies.

All were legitimate inquiries, according to Yost.

The federal government so far has not regulated facial recognition technology, leaving states and cities to construct their own restrictions. In Ohio, the Bureau of Motor Vehicles turned over driver’s license photos from 2011 to the BCI for its facial recognition system designed to identify criminal suspects. The BMV has not provided additional or updated photos for use in the system, according to the report.

While Yost’s review found no misuse of the facial recognition system to date, regular audits should be made by the attorney general to ensure the system is not being accessed by those without authorization.

Yost also indicated this week that an advisory committee of law enforcement officers, privacy and technology experts and civil libertarians will be formed to provide advice on training standards and rules and controls governing the evolving facial recognition system.

That is a prudent way to proceed. Ohio should strive to find the right balance between the use of an important law enforcement tool and an individual’s right to privacy.