Meta has quietly deployed working facial recognition code to millions of Ray-Ban Meta Smart Glasses - code confirmed by EFF's Threat Lab through static analysis and verified by independent researchers. The feature is not yet activated for consumers, but it requires nothing more than a server-side flag change. No update. No notice. No consent.
What EFF and Wired Found About Meta's Facial Recognition
The disclosure came on June 5, 2026, when Wired published an investigation based on reverse-engineering the Meta View companion app. EFF's Threat Lab independently confirmed the finding: fully functional facial recognition code is embedded and active in the application. The system is not a prototype - it is deployed infrastructure waiting for a single remote switch to flip.
An independent researcher went further: by connecting a phone in debug mode and adding a face to the app database with a few commands, the glasses began recognizing that face in real time. When someone wearing the glasses looked at the test subject, the glasses matched them against the stored faceprint. The pipeline from capture to identification is fully operational.
Meta acknowledged the code exists but stated the feature "has not been enabled for consumers." The company did not disclose how many users could be affected when it is enabled, nor did it provide a timeline or a commitment not to enable it.
How Ray-Ban Meta Glasses Scan Faces in Public
The facial recognition system converts every detected face into a faceprint - a mathematical representation stored as a series of 2,048 numbers that encode the unique positioning of facial features. These numbers are processed and compared against faceprints already stored in the user's database.
When the feature is enabled, the glasses do not need to recognize a celebrity or public figure. The mechanism is personal: a user adds faces of individuals they want to track - friends, colleagues, or strangers - and the glasses silently alert them whenever those faces appear in the camera's field of view. The wearer sees recognition; the recognized person sees nothing.
The smart glasses are always-on cameras. They record without warning lights visible to the subject. Paired with facial recognition, they transform a consumer accessory into a personal identification device capable of tagging individuals across public spaces without their knowledge or consent.
Meta's History Makes Mass Identification Worse
This is not Meta's first encounter with facial recognition at scale. In 2021, Meta settled a class-action lawsuit under Illinois' Biometric Information Privacy Act (BIPA) for $650 million - at the time the largest privacy settlement in US history - over its practice of automatically scanning faces in photos uploaded to Facebook and building faceprint databases without user consent. The company subsequently shut down that feature.
The parallels are direct. Meta built a mass facial recognition database without consent, paid $650 million, shut it down - and has now built the infrastructure for an even more invasive version embedded in a wearable device that operates in public spaces rather than on uploaded photos. The scale of potential exposure is qualitatively different: this system can capture faces of people who never interacted with Meta, never agreed to its terms of service, and never uploaded a single photo.
The Internal Document: Timed for When Nobody Is Watching
What makes the disclosure particularly alarming is a separate revelation: an internal Meta document indicates the company explicitly planned to launch the facial recognition feature "during a dynamic political environment where many civil society groups that we would expect to attack us would have their resources focused on other concerns."
This is not a plan to launch when the feature is ready. It is a plan to launch when oversight capacity is weakest. Privacy advocates, journalists, and regulators stretched thin by other crises are exactly the audience Meta intended to avoid when introducing a feature it knew would draw intense scrutiny. The document reveals that Meta understands the privacy implications of what it built - and planned its disclosure strategy accordingly.
A Distributed Surveillance Network in 2 Million Glasses
EFF described the implications precisely: Meta is "turning customers into a distributed surveillance machine." The 2 million Ray-Ban Meta glasses currently in circulation represent 2 million potential facial recognition nodes, each capable of silently identifying individuals in public spaces. Unlike centralized surveillance cameras - which at least carry some expectation of institutional oversight - this system places identification capability in the hands of any individual who purchases a pair.
The privacy asymmetry is stark. A VPN protects your data in transit; it does nothing against a camera that identifies your face before you connect to anything. Traditional digital privacy tools - encryption, anonymization, network-level protection - are structurally irrelevant to a surveillance vector that operates in physical space, in real time, without your participation.
For privacy-conscious users, the appropriate response is to treat wearable camera products from large technology companies with the same skepticism applied to any data-collection device. The feature is not live yet. When it is, there will likely be no announcement loud enough to guarantee you hear it before someone you know - or a stranger on the street - is wearing glasses that recognize your face.
What Comes Next for Smart Glasses Privacy
EFF has stated it "will be watching if this feature is rolled out to the public." Several US states with biometric privacy laws - Illinois (BIPA), Texas, and Washington - could provide legal grounds for challenges if Meta enables the feature without meaningful consent mechanisms. The EU's GDPR and AI Act place facial recognition in the highest-risk category, with strict requirements for transparency and lawful basis.
Whether those legal frameworks move faster than Meta's server-side switch is the open question. Meta has already demonstrated that it will deploy the infrastructure first and negotiate the legal boundaries afterward. The $650 million BIPA settlement was, in that context, a cost of doing business - not a deterrent.
The feature is one flag away from going live on 2 million pairs of Ray-Ban Meta smart glasses that have been in circulation for months. The code for facial recognition is there. The database mechanism is there. The only thing standing between the current state and mass consumer deployment is a decision Meta has already shown it is capable of making at any time it chooses.
