Police staff have had unauthorised access to an online facial recognition website which has been described by critics as "stalkerware by design".
Police did not tell anyone about the access. After RNZ made inquiries, police played it down, saying it was not worth telling anyone outside the force.
But they also admitted that they do not know what staff did on the site.
The site - called PimEyes - scans the internet to assemble photos matches of people. It can scan an uploaded picture against hundreds of millions of images from public sources in less than a second, even if your face is just in background shots, or if the uploaded photo is very old.
The Washington Post reported in 2021 that PimEyes "has become a hit among digital 'creeps' ", making it possible "for strangers to keep tabs on people's personal lives".
UK regulators fielded complaints against it in 2022.
But a year later, New Zealand police realised staff were accessing it, according to a statement issued to RNZ.
That sparked an internal audit that found 22 staff had accessed it between May and January.
"It is not possible to determine what users did while on the website," police said.
"The total amount of data transferred was so low, it is not plausible that there was any significant use."
It was unlikely staff used any of the scanning features, according to police.
Police did not say why staff visited the site.
Australian news site Mlex has reported that New Zealand police devices or networks connected to PimEyes almost 400 times.
Police also reportedly used a similar face-matching site - Facecheck.ID - 274 times.
Police have not responded to queries about these figures or the use of Facecheck.ID.
The internal audit covered 90 days. No external audit has been done, and police did not alert the Privacy Commissioner.
Police blocked the site last year.
The BBC reported in 2022 about "stalking fears" over the PimEyes facial search engine, while a UK privacy group filed a stalking complaint with regulators against PimEyes.
UK police banned it this year after officers accessed it more than 2000 times.
Australian federal police admitted testing PimEyes and Facecheck.ID for possible operational use a year ago.
Europe is moving to ban tools that gather biometric information off the internet without their consent.
In the US, PimEyes blocked searches of children's faces in October.
New Zealand police have repeatedly insisted their use of facial recognition tech was tightly controlled.
They said they did not block websites for use by staff by default, and found out about PimEyes when their in-house tech team realised staff had access to it.
"It would not be accurate to characterise the level of access to the website as misuse, or used for police business," they told RNZ.
"Police took a precautionary measure to block the domain to ensure that there was no misuse. Therefore, no external alert or advice was necessary.
"Our own analysis indicated that there was not enough activity conducted on the website to justify investigating any breach of the Privacy Act."
PimEyes has said its database had nearly three billion faces and could handle 118,000 searches a day. It was only meant to be used by people uploading their own images, it said - but it does not enforce this.
The company - based in Tbilisi, Georgia - argues its tool allows people to find and remove their images from the internet.
By contrast, Facecheck.ID boasts on its website: "Find anyone online... whether it's nabbing that package thief or ensuring your next date has a clean past."