Meta Removes Hidden Facial Recognition System From Smart Glasses App After WIRED Investigation

Meta quietly embedded an unreleased facial recognition system into a companion app for its smart glasses — and just as quietly removed it after a journalist found it. The episode is a case study in how privacy-invasive capabilities get built into consumer products before legal frameworks catch up, and what it means for the organizations and individuals now navigating a world where facial recognition can be worn on someone’s face.

WIRED reported that Meta’s Meta AI app — the companion application for the Ray-Ban Meta smart glasses — contained dormant code for a facial recognition feature internally called NameTag. The feature was not active and not disclosed to users. After WIRED reanalyzed the app following initial reporting, the capability was no longer present. Meta had removed it.

The removal does not close the compliance and legal questions the discovery opens. It accelerates them.

What NameTag Was and What It Could Do

Based on WIRED’s reporting, NameTag was a system designed to identify individuals in real time using the camera embedded in Meta’s Ray-Ban smart glasses. The glasses — which look like ordinary eyewear — are already capable of streaming video, taking photos, and running AI-assisted queries about what the wearer is looking at. NameTag would have added the ability to match a face captured by the glasses against a database and return identifying information about that person.

The capability was described as unreleased and unactivated. It existed in the app’s code but was not exposed to users or functional in normal use. Whether any backend infrastructure to support it was operational is not publicly known.

Meta has not commented in detail on why the feature was built, how long it had been present in the codebase, or what the intended release timeline was.

Why Dormant Code Still Creates Legal Exposure

The privacy and legal community’s concern with NameTag does not depend on whether it was activated. The presence of unreleased facial recognition infrastructure in a consumer application raises several distinct issues.

First, there is the question of intent. Building a facial recognition system and embedding it in a shipping application requires deliberate engineering effort. It is not an accidental inclusion. The decision to build it, include it in released code, and not disclose it to users or regulators was made by people at Meta. Understanding who made those decisions, under what governance process, and whether legal review was conducted matters for assessing the company’s compliance posture as a whole, not just for this feature.

Second, under several U.S. state biometric privacy laws, the collection of biometric identifiers triggers consent and disclosure requirements that apply to the intent to collect, not only to actual collection events. Illinois’ Biometric Information Privacy Act (BIPA) defines a biometric identifier to include a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Under BIPA, any private entity that collects, captures, purchases, receives through trade, or otherwise obtains a person’s biometric identifier must first inform the person in writing, inform them of the specific purpose and length of term for which the data is being collected, stored, or used, and receive a written release. The statute does not require a completed data collection event to trigger obligations — the infrastructure and intent to collect are the relevant facts in many BIPA analyses.

Third, from a GDPR perspective, facial recognition data is biometric data used for the purpose of uniquely identifying a natural person, which is Article 9 special category data requiring explicit consent or another narrow legal basis. The fact that NameTag was present but not disclosed means no consent process existed — because no disclosure existed. The European Data Protection Board has repeatedly stated that facial recognition in public spaces warrants the highest level of scrutiny, and the EU AI Act classifies real-time remote biometric identification in public spaces as a prohibited AI practice with narrow exceptions.

The Smart Glasses Problem Is Structural

Meta’s Ray-Ban glasses are not a niche product. They are sold at mainstream retail price points and are designed to look like ordinary eyewear. A person wearing them in a coffee shop, at a conference, or walking through a campus is indistinguishable from someone wearing non-connected glasses. The camera is not obvious. The AI processing is not visible. The person being filmed, analyzed, or potentially identified has no notice and no meaningful way to object.

This is the structural problem that NameTag crystallizes. The combination of always-on wearable cameras, edge AI processing, and cloud-connected identification databases creates a facial recognition system with no fixed location, no visible camera housing, and no way for bystanders to know it is operating. Existing frameworks for regulating facial recognition — which largely focus on fixed surveillance infrastructure, law enforcement databases, and corporate kiosk deployments — were not designed for this threat model.

Two Harvard students demonstrated this point in a separate but related disclosure around the same time, showing they had built a system using Meta’s Ray-Ban glasses and publicly available facial recognition tools to identify strangers in real time from a live stream, including retrieving home addresses and other personal information. That project used off-the-shelf components Meta did not build. NameTag would have been Meta building it natively.

The Regulatory Landscape and Where It Falls Short

The United States has no comprehensive federal biometric privacy law. Regulation is patchwork at the state level, with Illinois’ BIPA remaining the most significant due to its private right of action that has generated hundreds of millions of dollars in settlements. Texas and Washington have biometric laws without private rights of action. Several other states have passed or are considering biometric data provisions within broader privacy frameworks.

For smart glasses specifically, the relevant state-level questions include:

  • Illinois BIPA: A company that collects or has the present ability to collect face geometry scans from Illinois residents faces exposure. The fact that NameTag was embedded in released code used by Illinois residents strengthens the argument that the statutory threshold was met even without user-facing activation.
  • Texas Capture or Use of Biometric Identifier Act (CUBI): Texas requires informed consent before capturing biometric identifiers. Like BIPA, it applies to face geometry scans. The Texas AG has enforcement authority.
  • California CCPA/CPRA: Biometric information is a sensitive personal information category under the CPRA, subject to the right to limit use and disclosure. Consumers have the right to opt out of sale or sharing of sensitive personal information.

At the federal level, the FTC has authority under Section 5 to pursue unfair or deceptive trade practices. Embedding facial recognition in a consumer product without disclosing it fits a straightforward deception analysis. The FTC has taken action against companies for similar gaps between stated privacy practices and actual technical capabilities.

In the EU, the AI Act’s prohibition on real-time remote biometric identification in public spaces directly covers the NameTag use case. The prohibition applies to placing on the market or putting into service AI systems for this purpose, with narrow law enforcement exceptions. A consumer product sold in the EU with embedded real-time facial identification capability — even dormant — raises questions about whether the prohibition was triggered at the product design stage.

What This Means for Compliance Teams

The NameTag episode has direct implications for organizations managing privacy compliance programs, for venues and employers where smart glasses are being worn, and for any company considering building or deploying AI-powered identification features.

For companies building AI-assisted products:

  • Dormant features in shipping code are not legally neutral. They are discoverable in litigation, auditable by regulators, and reportable by researchers. “Not activated” is not a compliance defense under statutes that regulate collection infrastructure and intent.
  • Privacy by design requires either that biometric capabilities not be built into products intended for markets where they are regulated or restricted, or that the legal and consent framework precede the technical capability — not the reverse.
  • Privacy impact assessments should cover features in development and in unreleased code, not only features that have shipped to users. If a feature would require a DPIA or consent framework to launch, the decision to build it is a DPIA trigger.

For organizations managing workplace and venue policies:

  • Smart glasses capable of facial recognition — whether the feature is currently active or not — are a material consideration for badge access control, confidential meeting rooms, healthcare settings, and any location where employee or visitor privacy is legally protected.
  • Acceptable use policies covering photography and video recording may not be sufficient to address AI-assisted identification that does not require the wearer to actively record. Policies should be updated to address AI-enabled wearables explicitly.
  • Employers in Illinois, Texas, and other biometric law states that permit employees to wear smart glasses in the workplace may be inadvertently participating in the collection of biometric data from coworkers, clients, or facility visitors — triggering their own obligations under state law.

Five Compliance Steps Organizations Should Take Now

  1. Update your biometric data inventory. Audit whether any wearable devices used or permitted in your workplace — including consumer smart glasses — have camera and AI capabilities that could implicate biometric privacy laws. Document findings and assess exposure under applicable state statutes.
  2. Review and update your acceptable use and device policies. Policies governing photography and recording in the workplace should be extended to cover AI-enabled wearables with facial recognition or identification capabilities, whether or not those features are currently active.
  3. Assess your BIPA and state biometric law compliance posture. If your organization operates in Illinois, Texas, Washington, or another state with biometric data requirements, confirm that your consent and disclosure mechanisms cover all potential biometric collection vectors — including third-party devices brought onto your premises by employees or visitors.
  4. Build pre-launch privacy review into your product development process. If you are building consumer or enterprise software, implement a gate that requires legal and privacy review before biometric processing capabilities are included in any code that ships — regardless of whether the feature is activated at launch.
  5. Monitor EU AI Act enforcement guidance on wearable biometrics. The AI Act’s prohibitions on real-time remote biometric identification are among the provisions with the shortest compliance runway. Organizations selling into EU markets or developing AI-powered identification features need active legal monitoring as implementing regulations and enforcement guidance develop through 2025 and 2026.

The Removal Doesn’t End the Story

Meta removing NameTag from the Meta AI app is the right outcome. It is not the end of the issue. The feature was built, it shipped in consumer code, and it was discovered by journalists — not by regulators, not by an internal ethics review, and not by Meta’s own disclosure. That sequence tells you something about how the capability was governed internally.

The broader question is whether the regulatory frameworks that govern facial recognition are equipped to handle identification capabilities that are wearable, mobile, and embedded in products that look like consumer electronics. The answer, right now, is no. BIPA was written for fixed-location fingerprint scanners. GDPR’s biometric provisions were drafted before consumer AI glasses existed at scale. The EU AI Act’s biometric prohibitions are the most directly applicable framework, but enforcement infrastructure is still being built.

In the gap between what the technology can do and what the law currently requires, the risk lands on the organizations that deploy these products, the individuals whose faces are scanned, and the compliance teams trying to build frameworks for a threat model that moves faster than legislation.
