Smart glasses risk: Meta’s code suggests covert face recognition and biometric privacy threats

Smart glasses are deeply creepy. Why are celebrities like Kylie Jenner endorsing them?

On a packed tram, an LED blinks and no one notices. Later a short clip of a woman, laughing and unguarded, appears online with thousands of views. A celebrity posts a smiling selfie wearing the same hardware and a privacy risk gets packaged as a fashion moment.

The core issue is convenience versus consent. Tiny cameras built into everyday accessories change what people expect in public. The latest reporting on Meta‑branded smart glasses raises a practical question for businesses and regulators: can these devices turn casual captures into searchable biometric records, and if so, what do we do?

What the code actually shows, and what it doesn’t

Wired’s reverse engineering of Meta’s companion app identified code paths that look like the pieces of a face‑recognition pipeline: face detection, cropping, creation of facial encodings (faceprints), and local matching logic. A security researcher working with Wired ran one test that triggered a “Person recognized” notification, showing the pipeline can be made to work in a controlled setting.

Important clarifying line: Wired’s reporting shows capability in code, not a live, consumer‑facing system matching captures to an authenticated identity gallery at scale. Meta has told reporters the work was “exploratory” and that “nothing has shipped to consumers.” That difference, capability present in code but not publicly deployed, is central to assessing the risk.

Meta’s stated safeguards, and why users report different experiences

“Our glasses have an LED light that activates whenever someone captures content, so it’s clear to others that the device is recording and features tamper detection technology to prevent people from covering that light.”, Meta, to CNN (Feb 9, 2026)

Meta emphasizes hardware and firmware safeguards: a visible recording indicator and tamper detection. CNN reported, though, that none of the women it spoke to said they saw a flashing light during their encounters. Creators on social platforms have shared simple workarounds, like covering the LED, using reflective tape, or exploiting firmware quirks. News reporting later noted that Meta and Ray‑Ban pushed a firmware update in July 2026 intended to close obvious routes for hidden recording.

So we have three facts that do not line up: a company claim of visible indicators, real‑world testimony that people did not see them, and public instructions for bypassing them. That gap between design intent and field reality is often where harm starts.

Documented harms reporters have tied to wearable cameras

  • Outlets including the BBC have reported men filming interactions with women and posting clips to TikTok and Instagram without consent.
  • Local reporting (TMJ4) covered allegations that a former public official secretly recorded a sexual partner.
  • The Brussels Times reported women in public spaces being filmed without their knowledge.
  • Journalism outlets have described cases in which people were recorded and later threatened or pressured to remove footage.

These examples are not evidence of a single centralized conspiracy. They do show the kinds of harms small wearable cameras enable, and those harms often move faster than firmware patches or PR statements.

Face detection versus face recognition: why the distinction matters

Face detection finds a face so a camera can focus or place AR elements. Face recognition converts a face into a biometric identifier and matches it against a gallery. The latter creates a persistent, searchable record: a faceprint that can be stored, transferred, or queried.

Wired’s analysis suggests Meta’s app contains the software components that could create and cache faceprints on devices or fetch them from servers. Whether those pathways are enabled, how galleries would be populated, where encodings would be stored, and what retention policies would apply remain open technical and policy questions. Those operational details determine whether code becomes an actionable privacy hazard.

Legal exposure: this isn’t just theoretical

Biometric privacy laws already impose meaningful obligations and damages. Illinois’ Biometric Information Privacy Act (BIPA) requires notice and consent for biometric collection and allows statutory damages. PrivacyWorld’s legal analysis notes statutory figures of $1, 000 per negligent violation and $5, 000 for willful or reckless violations, and 2025 saw heavy litigation activity and several high‑value settlements. In the EU, GDPR treats biometric data as a special category that generally requires a strict lawful basis and extra safeguards.

An “exploratory” feature can create liability if it leads to collecting or storing biometric identifiers without compliant notice and consent. The difference between an internal experiment and deployed processing is legally decisive. Companies need clear documentation and defensible controls before any biometric pipeline reaches users.

Assistive uses exist, but they require strict guardrails

There are legitimate uses for face‑related features, such as assistive tech for people with visual impairments. Those uses can be valuable when built with privacy‑first architecture: local‑only processing, explicit and revocable opt‑in, minimal retention, strong access controls, and independent audits. The problem is not face awareness itself. The problem is opaque pipelines that can fetch or cache biometric identifiers without informed consent.

Celebrity promotion and normalization

Reports that influencers and celebrities, Kylie Jenner among them, have appeared in campaigns or posts featuring smart glasses matter beyond marketing. Celebrity endorsements lower social friction. When wearing recorders looks vogue, social norms shift and what once felt intrusive becomes routine. Normalization changes consent dynamics. People feel more pressure to accept being recorded because everyone else seems to be doing it.

Firmware updates cannot restore social norms once surveillance practices become commonplace. Product decisions now have social and policy externalities that go far beyond device margins or early‑adopter buzz.

What leaders in product, legal, and risk should do today

For companies building or integrating wearable cameras, the next steps are practical and immediate. Do not treat “exploratory” code as harmless. Treat it as a risk that requires governance, documentation, and accountability.

Product & engineering checklist

  • Confirm whether any shipped build collects or creates biometric identifiers. If code contains biometric pipelines, isolate them from consumer builds until independently audited.
  • Prefer local‑only processing for any assistive features, and avoid pulling biometric galleries from servers to devices unless you have explicit user consent and a legal basis.
  • Design opt‑in flows that are explicit, granular, and revocable, and log verifiable consent events and retention schedules.
  • Mandate independent security and privacy audits, including reverse‑engineering tests, before any biometric feature reaches users.

Legal & governance checklist

  • Conduct a formal Data Protection Impact Assessment (DPIA) that documents data flows, retention, access, and deletion processes for any biometric processing.
  • Obtain written vendor assurances and technical diagrams from suppliers (chipmakers, camera firmware, companion apps) showing what code is present in releases.
  • Map regulatory exposure across jurisdictions, BIPA in Illinois, GDPR in the EU, and other state laws, and quantify realistic litigation and statutory risk.
  • Prepare communications and incident response plans focused on consent failures and misuse claims. Reputation damage escalates quickly with non‑consensual recordings.

Board‑level questions to ask right now

  • Who has access to captured images and derived faceprints? Where are they stored?
  • Are biometric identifiers being created, transmitted, or cached in any production builds?
  • What is the opt‑in experience and how is consent documented and revocable?
  • Which independent auditors or labs will the company accept for attestation, and will audit results be published or summarized for regulators?

Key takeaways, questions you should be asking

  • Can these glasses actually recognize and store people’s faces?
    Wired reported code in Meta’s companion app that contains the components to detect faces, create facial encodings, and match them; a researcher working with Wired triggered a single “Person recognized” test. Meta says the work was exploratory and that nothing has shipped to consumers. Wired did not demonstrate a live, scaled identity‑matching system in the field.
  • Do the hardware safeguards (LED light, tamper detection) work?
    Meta told CNN (Feb 9, 2026) the glasses include an LED that activates when content is captured and tamper detection to stop users covering the light. CNN reported that the women it spoke to did not see a flashing light, and creators have posted methods that obscure indicators, showing a gap between company assurances and some real‑world experiences. Meta and Ray‑Ban issued a firmware update in July 2026 intended to reduce routes for hidden recording.
  • Is there real harm from people using these glasses?
    Yes, news outlets (BBC, TMJ4, Brussels Times) have reported cases of non‑consensual recordings and alleged extortion tied to wearable cameras, illustrating the types of harms smart glasses enable even when biometric features are not widely deployed.
  • What are the legal stakes for companies?
    Biometric laws carry statutory damages and active litigation. Legal analysis (PrivacyWorld) notes Illinois’ BIPA allows statutory recoveries measured per violation and that 2025 saw vigorous enforcement and settlements. If faceprints are created or stored without compliant notice and consent, companies face meaningful litigation and regulatory risk.
  • Does celebrity promotion matter?
    Yes, celebrity endorsements (reported coverage cites Kylie Jenner among influencers) accelerate mainstream acceptance and can normalize recording behaviors that compound consent problems and disproportionately impact vulnerable people.

Where to watch next

Demand transparency. Companies that call features exploratory should publish independent audits, clear data‑flow diagrams, and explicit policies about what is collected, how long it is retained, and who can access it. Regulators and courts are already active. Firms that ignore the legal contours of biometric privacy are choosing risk over restraint.

At the human level, ask whether a product’s conveniences are worth the asymmetry it creates. Tiny, hidden cameras were already easy to buy. The new variable is the ability to layer identification on top of stealthy recording, converting casual footage into searchable biometric data. That shift changes the balance of power in public spaces and private life. Businesses, boards, and regulators need to treat it as a governance problem, not just a marketing one.