Well, it's obviously fiction, but very much based on reality - That's what CSI is about (not the TV series, the real thing): Even in the most optimistic case, the investigators have all the prints they found near the crime scene, as well as all the faces from CCTVs in the nearby streets. This data is then cross-reffed to the bioDB, and the cross reference sits in the police station for years. In the meantime they use this data to obtain more suspects, harvest more prints and pictures, and so on and so forth. Now multiply this by the number of open investigations. Your DB leaked just because you can automatically make mass queries - ain't science something?
Note that we played this game without letting a single image out of the DB, when the legislation (please read it - I gave the link somewhere in this thread) allows tons of people to pull the bio data out - so why wouldn't they?
Phrased in another way (and directly answering your claim about using the DB w/o exposing it): there are two angles here: the Human angle, and the "provable security" angle. I just showed you that the DB - even under a milder legislation than the suggested one - is provably insecure. That is a reason +Eyal Fink started the conversation with "I know it's going to leak".
Counter scoop: the fact that you can obtain data for a certain price about almost anyone is a feature, not a bug. The fact that this price is non-trivial (to a back of the envelope estimate, don't just say "it's not high" - you are simply wrong here) is what's currently stopping us from being under constant surveillance (which will include our medical and financial data, things I - and most people - like to keep to themselves).
The database the military has is much better legislated (to be used only to identify your body, this was violated only <10 times ever AFAIK), and it is indexed by name.
Please don't bring the current US as a model for where you want to go. I'm sure you can read the news about the current mischiefs of the NSA and the drone command.
I am not a security expert either, but a) I know enough - some of what I know I told you, and b) most of the security people I know are either terrified, or thinking how to use the situation to their advantage (money, consulting, getting grants - Adi Shamir being a notable example here). If you think I'm wrong, a good counter argument is not "there are procedures", but "here are the procedures, and this is why they will work under any given attack".