A Pennsylvania State Police corporal with 20 years on the force allegedly spent years downloading women’s driver’s license photos from a restricted law enforcement database and feeding them into artificial intelligence software to generate pornographic deepfake images. The case, now working its way through the courts, has exposed a disturbing vulnerability at the intersection of government-held biometric data and rapidly advancing AI tools — one that privacy advocates have long warned about but that lawmakers have been painfully slow to address.
Corporal Kerry M. Watkins, 49, stationed at the state police barracks in Dunmore, Pennsylvania, was charged in late March with 97 felony counts related to unlawful use of a computer database and related offenses. According to Ars Technica, investigators found that Watkins accessed the Justice Network (JNET) — a secured Pennsylvania system that gives law enforcement access to driver’s license photos, criminal records, and other sensitive personal data — to pull photographs of women he knew personally. He then allegedly used AI-powered applications to superimpose those women’s faces onto explicit images.
The scale is staggering. Prosecutors say Watkins targeted at least 97 women over a period spanning several years. None of them consented. None of them knew.
The criminal complaint, filed in Lackawanna County, describes a pattern of behavior that went undetected for an extended period despite the existence of audit systems designed to flag suspicious database queries. Watkins allegedly searched for women by name — acquaintances, neighbors, women he’d encountered in various personal contexts — then downloaded their official PennDOT photographs. From there, according to the complaint, he used commercially available AI tools, some of them free or nearly free, to generate realistic nude images featuring the women’s likenesses. Investigators reportedly discovered hundreds of manipulated images on Watkins’s personal devices.
The investigation began after an internal tip led the Pennsylvania State Police Internal Affairs Division to examine Watkins’s JNET access logs. What they found was a long trail of queries that bore no connection to any active investigation, traffic stop, or legitimate law enforcement purpose. Every single search appeared personal in nature. According to Ars Technica, prosecutors allege Watkins violated the state’s Computer Fraud and Abuse statute as well as provisions governing misuse of law enforcement databases.
Watkins has been suspended without pay. He faces a preliminary hearing in the coming weeks. His attorney has not commented publicly on the specifics of the charges.
But the Watkins case is far more than a single bad actor. It’s a stress test for an entire system — and the system failed.
Government agencies at every level maintain vast repositories of facial photographs. The Department of Motor Vehicles in each state holds what amounts to one of the largest facial image databases in the country, often accessible to law enforcement through interconnected networks like JNET in Pennsylvania, NLETS nationally, and various fusion center platforms. These systems were built for legitimate purposes: identifying suspects, verifying identities during traffic stops, supporting investigations. The underlying assumption was always that access controls and audit trails would prevent abuse.
That assumption now looks naive. The emergence of consumer-grade AI tools capable of generating photorealistic synthetic images has fundamentally changed the threat model. What once required sophisticated technical skill — convincingly placing one person’s face onto another’s body — can now be accomplished in minutes by anyone with a smartphone. The barrier isn’t expertise anymore. It’s willingness.
And as the Watkins case demonstrates, the people with the easiest access to high-quality facial photographs are often the ones least subject to meaningful oversight when they misuse that access.
Privacy researchers have been sounding alarms about this convergence for years. The Georgetown Law Center on Privacy & Technology published research as far back as 2016 documenting the extent to which law enforcement agencies access DMV photo databases, often without warrants and with minimal logging. Their findings suggested that roughly half of all American adults had their photos in a law enforcement-accessible facial recognition network — not because they’d been arrested, but simply because they’d applied for a driver’s license.
The proliferation of deepfake technology has added an entirely new dimension to this concern. According to recent reporting, the number of deepfake pornographic images detected online has roughly doubled every year since 2022. The vast majority target women. And while much public attention has focused on deepfakes involving celebrities or political figures, the Watkins case illustrates a far more insidious pattern: ordinary people, targeted by someone they may have met only in passing, violated through the misuse of an image they were compelled by law to provide to the government.
Think about that for a moment. Pennsylvania, like most states, requires a photograph for a driver’s license. Citizens don’t have a choice. They sit for the photo, trust the state to safeguard it, and go about their lives. The implicit social contract is that the image will be used for identification purposes — not downloaded by a state trooper and fed into an app that strips the person naked.
Pennsylvania does have laws on the books governing database misuse. The state’s Wiretapping and Electronic Surveillance Control Act, along with its computer crime statutes, provide criminal penalties for unauthorized access to restricted systems. But enforcement has historically been reactive, not preventive. Audits happen after suspicion arises, not as a matter of routine real-time monitoring. And penalties, even when charges are filed, have often been modest relative to the violation.
The charges against Watkins are felonies, which suggests prosecutors are treating the case seriously. Still, legal experts note that Pennsylvania lacks a specific statute addressing nonconsensual deepfake pornography. The charges relate to computer misuse, not to the creation or distribution of the manipulated images themselves. This is a gap. A significant one.
Other states have moved faster. As of early 2026, more than 30 states have enacted some form of legislation targeting nonconsensual intimate deepfakes, according to tracking by the Cyber Civil Rights Initiative. These laws vary widely in scope and teeth. Some classify the creation of such images as a misdemeanor. Others target only distribution. A handful treat it as a felony, particularly when the images involve minors or are used for extortion. But no state has yet enacted a comprehensive framework that addresses the specific risk posed by government employees using official databases as source material for AI-generated abuse imagery.
Federal legislation remains stalled. The DEFIANCE Act, introduced in Congress in 2024, would have created a federal civil cause of action for victims of nonconsensual deepfakes. It passed the Senate but died in the House. Similar bills have been reintroduced in the current session, but none have advanced past committee.
So where does that leave the 97 women allegedly victimized by Corporal Watkins?
In a difficult position. They may have civil claims against Watkins individually, and potentially against the Pennsylvania State Police under theories of negligent supervision or failure to implement adequate database safeguards. But sovereign immunity doctrines and qualified immunity for individual officers make such suits complicated and expensive. Victims of government database abuse often find that the legal system offers far more protection to the institutions that failed them than to the individuals who were harmed.
The Pennsylvania State Police issued a brief statement acknowledging the charges and noting that Watkins had been suspended pending the outcome of the criminal case. The agency said it “takes seriously any allegation of misconduct” and cooperated fully with the investigation. It did not address questions about whether JNET access protocols would be changed or whether other personnel had engaged in similar conduct.
That silence is telling. Large-scale database access abuse by law enforcement is not a new phenomenon. The Associated Press documented in 2016 that officers across the country routinely ran database searches on romantic interests, ex-spouses, journalists, and personal enemies. A 2019 investigation found that dozens of officers in Minnesota alone had been disciplined for improper database searches over a five-year period. The fundamental problem — too many people with too much access and too little oversight — has been known for a decade. And yet the systems remain largely unchanged.
JNET, for its part, does maintain audit logs. That’s how Watkins was eventually caught. But an audit log that flags abuse only after months or years of ongoing violations is a forensic tool, not a preventive one. Real-time anomaly detection — the kind of monitoring that financial institutions deploy to catch fraudulent transactions as they happen — is technically feasible for database access systems. It simply hasn’t been prioritized.
The AI dimension makes this urgency acute. Before deepfake tools became widely available, an officer who improperly accessed a driver’s license photo might look at it, save it, or share it. Harmful, certainly. But the advent of generative AI means that a single photograph can now be transformed into dozens or hundreds of explicit images, each one realistic enough to cause devastating personal and professional harm to the victim. The damage multiplier is enormous. And it’s only going to grow as the technology improves.
Some technologists have proposed watermarking or fingerprinting official government photographs in ways that would make them identifiable if they appeared in AI-generated content. Others have suggested restricting the resolution of images stored in law enforcement databases, making them useful for identification but less suitable as source material for deepfake generation. These are interesting ideas. None are close to implementation.
The deeper question is one of trust. Every interaction between a citizen and the state involves an implicit exchange: you provide personal information, and the state promises to protect it. Driver’s license photos, Social Security numbers, biometric data collected at borders and airports — all of it sits in databases accessible to thousands of government employees. The overwhelming majority of those employees will never misuse that access. But the Watkins case is a reminder that the ones who do can inflict harm on a scale that was unimaginable just a few years ago.
Ninety-seven women. A single officer. A government database and a smartphone app. That’s all it took.
The question now is whether legislators, law enforcement agencies, and the courts will treat this as the systemic failure it is — or dismiss it as an isolated incident involving one rogue cop. History suggests the latter. The stakes demand the former.


WebProNews is an iEntry Publication