Two Harvard undergrads invented a way to instantly find your home address, phone number, and even your relatives — simply by looking at you.
They built this facial surveillance machine, which they call I-XRAY(neues Fenster), using nothing more than off-the-shelf Ray-Ban Meta smart glasses and publicly available LLMs, databases, and facial search engines.
The students, AnhPhu Nguyen and Caine Ardayfio, didn’t release the code because their purpose for this project is to highlight how today’s internet, awash with data, has put us on the edge of a world where complete strangers can find your identity and personal information in an instant according to 404 Media(neues Fenster), the outlet that initially reported the story.
Their DIY surveillance kit demonstrates how quickly the battlelines can shift in the fight for privacy. But it’s not too late to protect yourself from facial surveillance. Below, we examine what these smart glasses can do, how they work, and what you can do to prevent people from violating your privacy.
Doxxing people in real time
Nguyen shared a video on X showing just how quickly and easily you can find sensitive, personal information using their modified glasses. Just a few seconds after seeing someone, they know where they’ve worked, what they’ve published, and where they went to school.
Their system uses the Meta smart glasses’ ability to live stream to Instagram. They created a program that monitors the feed and uses AI to detect faces. Those faces are then fed into PimEyes, a face search and reverse image search engine, to find the person’s name and other images of them. Once the name is found, I-XRAY uses AI to feed the name into dozens of publicly available data sources, like voter registration databases, to find other sensitive information. This is all compiled and displayed in an app on their phone.
The most concerning part of I-XRAY is that it was created simply by patching together hardware, software, and databases that are already available to anyone.
And while Nguyen and Ardayfio could have used any camera that can live stream to Instagram (a smartphone, for example), Meta’s smart glasses make it easy to record people without their knowledge. Technically, a “privacy light” turns on when you’re using video to inform people that they’re being recorded, but it’s easy to overlook. If you walk through a crowd and use your smart glasses to record their faces, most people will simply assume you’re wearing a normal pair of sunglasses.
In Nguyen’s video, you can watch them walk up to strangers and convincingly reference their work. These people had no idea they were being recorded or doxxed, showing how easy it would be to use these glasses for social engineering.
The slippery slope toward facial surveillance
While I-XRAY is the most impressive demonstration of how smart devices can be used to track and dox people, the risks have been well-known for years. Both Google and Facebook (now Meta) decided against including facial recognition features(neues Fenster) in their products due to privacy concerns in 2017, writes Kashmir Hill in her book on PimEyes and Clearview AI, Your Face Belongs to Us. But organizations like Clearview AI(neues Fenster) and PimEyes pushed forward with facial recognition, scraping billions of images from the internet without anyone’s permission.
PimEyes is arguably the key to I-XRAY. It’s a publicly available facial recognition service that’s been used to identify January 6 rioters(neues Fenster) and dox people on TikTok(neues Fenster). All you need to do is upload an image of someone, and PimEyes will provide a list of images of matching faces along with the URLs of where those images came from. In Nugyen’s video, you can see the shock on people’s faces when they find their kindergarten photos on the I-XRAY app.
Using I-XRAY, if someone can get a decent photo of your face (in other words, if you step into a public area), it’s relatively easy for them to find all sorts of sensitive information on you.
Despite their worries about facial recognition seven years ago, Meta officials didn’t seem eager to prevent users from creating spyware from scratch. When 404 Media asked Meta for a comment on I-XRAY, its spokesperson simply referred them to the terms of service for Facebook View(neues Fenster) (the app that comes with the smart glasses), which states, “You are also responsible for using Facebook View in a safe, lawful, and respectful manner” — tantamount to a shoulder shrug.
You must protect your privacy – no one else will
As we’ve repeatedly seen, people are left to fend for themselves when it comes to protecting their privacy. Fortunately, Nguyen and Ardayfio list some steps you can take to protect yourself from this type of facial surveillance. This mostly involves going to multiple databases, data brokers, and face search engines and requesting that they remove your data.
Remove your information from face search engines
This most important place to start if you want to prevent doxxing attacks using smart glasses is removing yourself from face search engines. If you can remove yourself from PimEyes(neues Fenster) and Facecheck ID(neues Fenster), you’ll make it much harder for attackers to get your name if they only have a photo of you.
Remove your information from public people search engines
If someone has your name, they can use these search engines to find all kinds of sensitive information, including your home addresses (past and present), phone numbers (past and present), job history, and more. Some of the largest people search engines include:
- FastPeopleSearch(neues Fenster)
- CheckThem(neues Fenster)
- InstantCheckmate(neues Fenster)
- WhitePages(neues Fenster)
- Spokeo(neues Fenster)
- Intelius(neues Fenster)
Increase privacy controls on social media
You can also adjust your privacy settings on X (Twitter)(neues Fenster), Facebook(neues Fenster), TikTok(neues Fenster), and other social media platforms to make it harder for attackers to find sensitive information.
Push politicians for meaningful data privacy controls
While this process can make a big difference when it comes to your online privacy, it’s not a sustainable or comprehensive solution. That would require lawmakers to pass legislation that strengthens people’s data privacy protections.
The US Congress recently moved to ban data brokers from selling sensitive information to China(neues Fenster), Russia, and several other countries. However, that still leaves these massive databases to continue collecting and selling your information. And China has had no problem(neues Fenster) breaching(neues Fenster) these databases(neues Fenster) in the past(neues Fenster).
Minimize how much of your data is available
The internet is awash in data, from Big Tech to data brokers. In this age of internet-connected devices, it’s somewhat shocking it took this long for someone to create I-XRAY. Nguyen and Ardayfio have shown that now people can create tools that tap into the surveillance network that governments and Big Tech have used for years.
Removing your data from data brokers is an important step, but preventing as much of your data as possible from ever being collected is an even better one. While it’s difficult to prevent data brokers from getting much of your data (they often compile publicly available information or buy it from service providers, like phone companies), every bit of data you can keep private makes a difference.
Once data reaches the internet, it’s hard to control where it ends up or who can access it. As we’ve seen, China has hacked dozens of databases. The US government has outsourced much of its mass surveillance to Big Tech and will buy data from data brokers to avoid needing to get warrants (this is one reason lawmakers might be hesitant to pass privacy reforms).
This is why we began Proton. The best way to prevent these abuses, from I-XRAY all the way up to the US government’s warrantless surveillance program, is to simply minimize data collection at every step. It’s why we built an entire suite of services that encrypt your data so you’re in control of who can access it.
- Proton Calendar keeps your schedule private with end-to-end encryption and customizable event management features.
- Proton Drive provides secure cloud storage with end-to-end encryption, allowing for encrypted file sharing to protect sensitive documents, including identity papers and personal photos, from data breaches and surveillance.
- Proton Mail offers encrypted email services with zero-access encryption, protection against tracking, and phishing prevention, ensuring private communication.
- Proton Pass, our password manager, creates strong passwords, supports two-factor authentication, and offers email aliasing to enhance security against cyber threats.
- Proton VPN(neues Fenster) encrypts your internet traffic, follows a strict no-logs policy, and blocks ads, trackers, and malware, ensuring safe and private browsing.
We’re building a better internet where privacy is the default. Join us as we empty the databases of personal information that fuel today’s surveillance tools.
