Meta Facial Recognition Found Hidden in Smart Glasses App

Category: Cyber Security | Published: 2026-06-09

Smart glasses have always raised a question that phone cameras never quite did. When someone points a phone at you, you can see it happening. You can object, move away, ask them to stop. Smart glasses look like ordinary glasses. You would not know the camera was active. You would not know anything was being recorded or analysed. And if the glasses were running facial recognition software, you would not know you had been identified.

That scenario moved closer to reality than most people realised, and it took a report from WIRED to make it visible. Code found inside Meta's AI companion app, the smartphone application that works alongside its Ray-Ban smart glasses, contained a fully developed facial recognition system that had never been publicly disclosed and had been present on tens of millions of devices.

What Was Found Inside the App

The system, discovered within the Meta AI app, was internally named NameTag. According to the WIRED report, it contained multiple AI models designed specifically for detecting faces, cropping facial images from video frames, and converting those images into unique biometric identifiers known as faceprints. These faceprints would then be compared against a database stored locally on the user's device.

The code also indicated that faces the system could not match would be cropped, indexed, and stored for future processing, effectively building a growing local database of unidentified individuals over time. An alert labelled "Person recognised" was found within the software, suggesting the system was built to notify users when a successful identification had been made.

Meta had repeatedly stated publicly that no final decision had been made about whether to introduce facial recognition capabilities to its smart glasses. The NameTag code was present in the app throughout that period.

Gone Within 24 Hours

The day after the WIRED report was published, Meta released an updated version of the app in which almost all traces of the NameTag system had been removed. The speed of that response attracted as much attention as the discovery itself.

Meta described the system as an internal exploratory project that was never intended to be a released product feature. The company has not publicly explained the timeline of the removal or whether the decision to strip out the code had been made before the reporting appeared.

For privacy researchers and commentators, the sequence of events raised an obvious question. If the system was purely an internal exploration with no plans for deployment, why did it exist in a live app installed on tens of millions of devices? And why was it removed within hours of becoming public knowledge rather than at any earlier point in the development process?

Why Smart Glasses Change the Calculation

The debate around Meta's facial recognition technology is not a new one. Facial recognition has been deployed for years across smartphones, airports, security systems, and retail environments. What makes smart glasses qualitatively different is the relationship between the technology and deliberate human action.

Using facial recognition on a phone requires someone to consciously point the camera at another person. It is an action. Smart glasses worn in the course of a normal day can continuously capture the environment around the wearer without any deliberate targeting. For a person walking past someone wearing connected smart glasses, there is no visible signal that their face is being scanned, no opportunity to decline, and no awareness that the interaction is happening.

Combined with AI capable of identifying people from biometric data, that creates the possibility of real-time identification of strangers in public spaces as an incidental by-product of everyday activity rather than as a deliberate act.

The I-XRAY Demonstration

The theoretical risk of this technology combination had already been demonstrated in practice before the NameTag discovery. Two Harvard students, AnhPhu Nguyen and Caine Ardayfio, built a system they called I-XRAY using off-the-shelf Meta Ray-Ban smart glasses combined with publicly available facial recognition and data tools.

Their system streamed video from the glasses to Instagram, where software monitored the feed and used a facial recognition engine called PimEyes, previously described by the New York Times as alarmingly accurate, to match faces to publicly available images. That facial data was then combined with public records and social media profiles to surface home addresses, phone numbers, ages, and family connections for the people identified.

Using this setup, the students say they were able to identify dozens of people around Harvard's campus without any of those people being aware it was happening. They chose not to release the tool publicly, citing the obvious potential for misuse, but noted that it was only a matter of time before someone else built an open-source equivalent and made it available.

The I-XRAY experiment used no proprietary technology. Everything in the pipeline was available to any technically capable individual. The NameTag discovery suggests Meta had already built something considerably more sophisticated and integrated it directly into its own hardware ecosystem.

The Case for Facial Recognition in Wearables

It would be unfair to treat all possible uses of Meta's facial recognition in smart glasses as inherently harmful. There are genuine use cases worth acknowledging.

For people with visual impairments, a system that could identify familiar faces and provide audio confirmation of who is nearby could be genuinely valuable. For people with certain cognitive conditions, memory difficulties, or face-blindness, a discreet identification tool could help maintain social connections that would otherwise be difficult to navigate. These are real benefits for real people.

The difficulty is that the same infrastructure that enables those beneficial uses also enables surveillance of strangers, identification of people without consent, and the construction of detailed profiles of individuals who have never interacted with the person wearing the glasses.

The Biometric Data Problem

Whatever position one takes on the appropriate use of Meta's facial recognition technology, biometric data carries a specific category of risk that other data types do not. A password that is compromised can be changed. A leaked email address can be abandoned. A faceprint cannot be recalled or reset. The face that generated it cannot be changed.

That permanence means that if a biometric database is breached, the consequences for the individuals whose data it contains are permanent. It also means that consent decisions made now have implications that extend indefinitely into the future, since the underlying biometric identifier does not expire.

Regulators in the EU, the UK, and the United States have been paying increasing attention to how biometric data is collected, stored, and used. The UK's Information Commissioner's Office has made clear that biometric data falls under the special category protections within data protection law, requiring explicit consent and legitimate purpose before it can be processed.

Meta's Longer Ambition

The NameTag discovery also illuminates something about where Meta's smart glasses strategy is heading. Chief executive Mark Zuckerberg has described smart glasses as the next major computing platform, positioning them as devices through which AI assistants will be constantly available throughout the day. The company's investments in Ray-Ban and Oakley smart glasses are part of a sustained push to normalise wearable AI before the technology matures into something more capable.

Facial recognition would fit naturally into that vision. An AI assistant that can identify the person you are speaking with, recall previous interactions, surface relevant context, and provide real-time information would be substantially more capable than one responding only to voice commands. The question of whether that capability should exist is separate from the question of whether Meta wants to build it. The NameTag code suggests the answer to the latter is yes.

What This Means for Businesses and Individuals

For most people, the immediate practical consequence of the NameTag story is a prompt to think about what consumer technology is doing in the background and how much visibility they have into it.

For businesses, the story raises questions about wearable technology policies in the workplace. Employees wearing connected smart glasses in office environments, client meetings, or sensitive facilities is a scenario that many organisations have not yet thought through formally. If those glasses are capable of capturing, processing, and storing biometric data about colleagues, clients, or visitors, that has implications under data protection law regardless of whether the wearer is aware of what the device is doing.

Understanding how the technology your people use handles personal data, including biometric data, is an increasingly important part of information security governance. Our Cyber Security page covers the protections and guidance we help businesses put in place as the technology landscape continues to evolve in ways that policy has not always kept pace with.