Proton
Smart glasses that have been modified for facial surveillance and dox you in real time, finding your personal information after seeing your face.

Meta’s smart glasses open door to new levels of facial surveillance

Two Harvard undergrads invented a way to instantly find your home address, phone number, and even your relatives — simply by looking at you. 

They built this facial surveillance machine, which they call I-XRAY(new window), using nothing more than off-the-shelf Ray-Ban Meta smart glasses and publicly available LLMs, databases, and facial search engines.

The students, AnhPhu Nguyen and Caine Ardayfio, didn’t release the code because their purpose for this project is to highlight how today’s internet, awash with data, has put us on the edge of a world where complete strangers can find your identity and personal information in an instant according to 404 Media(new window), the outlet that initially reported the story.

Their DIY surveillance kit demonstrates how quickly the battlelines can shift in the fight for privacy. But it’s not too late to protect yourself from facial surveillance. Below, we examine what these smart glasses can do, how they work, and what you can do to prevent people from violating your privacy. 

Doxxing people in real time

Nguyen shared a video on X showing just how quickly and easily you can find sensitive, personal information using their modified glasses. Just a few seconds after seeing someone, they know where they’ve worked, what they’ve published, and where they went to school. 

Their system uses the Meta smart glasses’ ability to live stream to Instagram. They created a program that monitors the feed and uses AI to detect faces. Those faces are then fed into PimEyes, a face search and reverse image search engine, to find the person’s name and other images of them. Once the name is found, I-XRAY uses AI to feed the name into dozens of publicly available data sources, like voter registration databases, to find other sensitive information. This is all compiled and displayed in an app on their phone.

The most concerning part of I-XRAY is that it was created simply by patching together hardware, software, and databases that are already available to anyone.

And while Nguyen and Ardayfio could have used any camera that can live stream to Instagram (a smartphone, for example), Meta’s smart glasses make it easy to record people without their knowledge. Technically, a “privacy light” turns on when you’re using video to inform people that they’re being recorded, but it’s easy to overlook. If you walk through a crowd and use your smart glasses to record their faces, most people will simply assume you’re wearing a normal pair of sunglasses. 

In Nguyen’s video, you can watch them walk up to strangers and convincingly reference their work. These people had no idea they were being recorded or doxxed, showing how easy it would be to use these glasses for social engineering

The slippery slope toward facial surveillance

While I-XRAY is the most impressive demonstration of how smart devices can be used to track and dox people, the risks have been well-known for years. Both Google and Facebook (now Meta) decided against including facial recognition features(new window) in their products due to privacy concerns in 2017, writes Kashmir Hill in her book on PimEyes and Clearview AI, Your Face Belongs to Us. But organizations like Clearview AI(new window) and PimEyes pushed forward with facial recognition, scraping billions of images from the internet without anyone’s permission.

PimEyes is arguably the key to I-XRAY. It’s a publicly available facial recognition service that’s been used to identify January 6 rioters(new window) and dox people on TikTok(new window). All you need to do is upload an image of someone, and PimEyes will provide a list of images of matching faces along with the URLs of where those images came from. In Nugyen’s video, you can see the shock on people’s faces when they find their kindergarten photos on the I-XRAY app.

Using I-XRAY, if someone can get a decent photo of your face (in other words, if you step into a public area), it’s relatively easy for them to find all sorts of sensitive information on you.

Despite their worries about facial recognition seven years ago, Meta officials didn’t seem eager to prevent users from creating spyware from scratch. When 404 Media asked Meta for a comment on I-XRAY, its spokesperson simply referred them to the terms of service for Facebook View(new window) (the app that comes with the smart glasses), which states, “You are also responsible for using Facebook View in a safe, lawful, and respectful manner” — tantamount to a shoulder shrug.

You must protect your privacy – no one else will

As we’ve repeatedly seen, people are left to fend for themselves when it comes to protecting their privacy. Fortunately, Nguyen and Ardayfio list some steps you can take to protect yourself from this type of facial surveillance. This mostly involves going to multiple databases, data brokers, and face search engines and requesting that they remove your data. 

Remove your information from face search engines

This most important place to start if you want to prevent doxxing attacks using smart glasses is removing yourself from face search engines. If you can remove yourself from PimEyes(new window) and Facecheck ID(new window), you’ll make it much harder for attackers to get your name if they only have a photo of you.

Remove your information from public people search engines

If someone has your name, they can use these search engines to find all kinds of sensitive information, including your home addresses (past and present), phone numbers (past and present), job history, and more. Some of the largest people search engines include:

Increase privacy controls on social media

You can also adjust your privacy settings on X (Twitter)(new window), Facebook(new window), TikTok(new window), and other social media platforms to make it harder for attackers to find sensitive information.

Push politicians for meaningful data privacy controls

While this process can make a big difference when it comes to your online privacy, it’s not a sustainable or comprehensive solution. That would require lawmakers to pass legislation that strengthens people’s data privacy protections.  

The US Congress recently moved to ban data brokers from selling sensitive information to China(new window), Russia, and several other countries. However, that still leaves these massive databases to continue collecting and selling your information. And China has had no problem(new window) breaching(new window) these databases(new window) in the past(new window).

Minimize how much of your data is available

The internet is awash in data, from Big Tech to data brokers. In this age of internet-connected devices, it’s somewhat shocking it took this long for someone to create I-XRAY. Nguyen and Ardayfio have shown that now people can create tools that tap into the surveillance network that governments and Big Tech have used for years.

Removing your data from data brokers is an important step, but preventing as much of your data as possible from ever being collected is an even better one. While it’s difficult to prevent data brokers from getting much of your data (they often compile publicly available information or buy it from service providers, like phone companies), every bit of data you can keep private makes a difference. 

Once data reaches the internet, it’s hard to control where it ends up or who can access it. As we’ve seen, China has hacked dozens of databases. The US government has outsourced much of its mass surveillance to Big Tech and will buy data from data brokers to avoid needing to get warrants (this is one reason lawmakers might be hesitant to pass privacy reforms).

This is why we began Proton. The best way to prevent these abuses, from I-XRAY all the way up to the US government’s warrantless surveillance program, is to simply minimize data collection at every step. It’s why we built an entire suite of services that encrypt your data so you’re in control of who can access it. 

  • Proton Calendar keeps your schedule private with end-to-end encryption and customizable event management features.
  • Proton Drive provides secure cloud storage with end-to-end encryption, allowing for encrypted file sharing to protect sensitive documents, including identity papers and personal photos, from data breaches and surveillance.
  • Proton Mail offers encrypted email services with zero-access encryption, protection against tracking, and phishing prevention, ensuring private communication.
  • Proton Pass, our password manager, creates strong passwords, supports two-factor authentication, and offers email aliasing to enhance security against cyber threats.
  • Proton VPN(new window) encrypts your internet traffic, follows a strict no-logs policy, and blocks ads, trackers, and malware, ensuring safe and private browsing.

We’re building a better internet where privacy is the default. Join us as we empty the databases of personal information that fuel today’s surveillance tools.

Related articles

laptop showing Bitcoin price climbing
en
  • Guias de privacidade
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
  • Atualizações de produto
  • Proton Pass
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.