two figures in berets facing off -- smart glasses surveillance versus bluetooth privacy beacon

Fighting Back Against Smart Glass Surveillance

Smart Glass Privacy Requires Action

I was sipping tea this morning when I read something that genuinely unsettled me. Not in the abstract, performative way that tech news sometimes lands -- but in the specific, physical way that makes you put your cup down and stare at the wall for a moment. Meta has been quietly building facial recognition into its Ray-Ban and Oakley smart glasses. The feature, internally called NameTag, generates biometric faceprints from the glasses camera feed, checks them against a database, and triggers a notification when it recognizes someone. The code is already sitting on millions of phones. The smart glass surveillance just hasn't been switched on yet.

Surprised? This is Meta we are talking about, and who can really be surprised by anything anti-privacy they do? Their track record on ad-tech surveillance is an open book.

I've written about smart glasses before. I've tracked the privacy concerns, the misuse cases, the Senate pressure, the lawsuits. But NameTag felt different -- not because facial recognition is new, but because the delivery mechanism is trying to be 'innocent'. These glasses look like regular eyewear. The camera is invisible at conversational distance. And now the software to identify you by face is essentially ready to deploy, sitting dormant in an app update, waiting for Meta to decide the timing is right.

This even exceeds the glasshole mentality -- remember them?

That morning I decided to stop writing about the problem and start building a response to it.

What NameTag Actually Is

Wired's investigation into the Meta AI app found code added across multiple updates this year describing a system that captures faces through the glasses camera, generates unique biometric signatures called faceprints, and checks those faceprints against data stored on the user's device. Faces that aren't recognized get cropped, indexed, and saved to a folder marked pending. A security researcher from the Electronic Frontier Foundation reviewed the code and described it as nearly ready to go.

Meta's public response was that nothing has shipped and no final decision has been made. What they didn't address was why the code was being added as early as January -- two months before Meta told Wired it was taking a thoughtful approach to facial recognition. The gap between those two timelines is the story.

This isn't Meta's first encounter with biometric data collection at scale. The company previously collected faceprints from over a billion Facebook users, stored them in a database, and argued that accepting the terms of service constituted consent. That position didn't survive litigation. Meta said it deleted the face scans in 2021. Now a similar system is being built into hardware you can't see someone wearing from across a coffee shop.

The Legal Landscape Is Actually on Your Side

Before I get into what I built, it's worth understanding the statutory ground you're standing on -- because it's stronger than most people realize.

The Illinois Biometric Information Privacy Act requires written consent before any biometric identifier can be collected, captured, or stored. Violations carry statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, with a private right of action that doesn't require proving actual harm. Illinois has produced the largest biometric privacy settlements in US history as a result.

California's Consumer Privacy Act and Privacy Rights Act grant residents the right to opt out of the collection and sharing of personal information including biometric data. The CPRA specifically covers sharing with third parties -- which is precisely what happens when a faceprint captured by Meta glasses gets pushed to Meta servers. Civil penalties run up to $7,500 per intentional violation.

Texas CUBI prohibits capturing biometric identifiers for commercial purposes without prior notice and consent, with civil penalties up to $25,000 per violation enforced by the Attorney General. A March 2026 class action -- Bartone et al. v. Meta Platforms -- was filed in the Northern District of California arguing Meta violated federal and state laws by failing to disclose that video captured by the glasses is transmitted to servers and reviewed by human contractors.

The legal momentum is running against the collectors, not the people asserting non-consent. That matters for what comes next.

Detection First -- Nearby Glasses

The first layer of any counter-surveillance approach is awareness. You can't respond to something you can't detect.

A developer named Yves Jeanrenaud built an app called Nearby Glasses after reading reporting on how Meta's Ray-Ban glasses had been used to film and harass people without their knowledge. The app scans for the distinctive Bluetooth Low Energy advertising frames that smart glasses broadcast as part of their normal operation -- signals that are mandatory and cannot be hidden while the glasses are in use. When it detects a signature matching Meta, Luxottica, or Snap devices, it alerts you.

The app is available on iOS and Android. On iOS it operates in what the developer calls Canary Mode -- a visual indicator rather than background notifications, due to platform constraints on continuous BLE scanning. It isn't perfect. It can produce false positives near VR headsets. But it works on the fundamental exploit that makes this whole category of counter-surveillance possible: the glasses have to broadcast to function, and that broadcast is detectable.

I installed it the same morning I read the NameTag story. Within an hour I had a plan for the second layer.

The Assertion Layer -- Broadcasting Non-Consent

Detecting a threat is one thing. Asserting your legal position in response to it is another. I wanted to do both.

Bluetooth Low Energy isn't just a scanning technology -- any device with a BLE radio can also broadcast. An iPhone running LightBlue, a free developer tool from Punch Through, can operate as a BLE peripheral and advertise custom data to any scanning device in range. The broadcast is passive, continuous, one-way, and operates independently of your phone number, Apple ID, or any identifying account information.

The plan was straightforward. Publish a formal non-consent notice at a permanent URL. Assign it a registered UUID -- a unique identifier that anchors the notice in the BLE ecosystem. Then broadcast that UUID alongside a human-readable device name from my iPhone, creating a proximity-based legal assertion that any BLE scanner in range can detect.

I spent an afternoon building this. The non-consent notice went live at teaz.me/no-consent -- a formal declaration citing BIPA, CPRA, Texas CUBI, the Federal Wiretap Act, and the Washington My Health My Data Act. It establishes the date of first publication, documents the UUID, and states explicitly that detection of the beacon constitutes constructive notice of non-consent. The page is indexed in Google Search Console and will be submitted to the Wayback Machine for independent third-party timestamping.

In LightBlue I configured a virtual peripheral device named teaz.me no bio data consent -- plain text, visible to any BLE scanner in range without requiring a connection. The service UUID is the documented identifier. The characteristic is labeled Non-Consent Notice with a value that resolves to the notice page URL. Permissions are read-only. Nothing is transmitted to any server. Nothing is stored. The broadcast goes out and that's where it ends.

LightBlue's internal log confirmed the system operational -- the CoreBluetooth framework reported the local name, confirmed the service was added, and logged that advertising had started. The beacon was live.
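Both the detection layer and the assertion layer come down to reading fields out of a BLE advertising payload. The following is an added example, not code from Nearby Glasses, LightBlue, or this post: a parser for advertising-data structures that flags a watched manufacturer company ID or the notice's service UUID. Matching on the company ID is an assumption about how a scanner might recognize a vendor, the UUID and company ID are placeholders (0xFFFF is the Bluetooth SIG's test identifier), and the sample frames are constructed.

```python
import uuid

# Placeholders, not values from the post: substitute the documented notice UUID
# and the company identifiers you want to watch for.
NOTICE_UUID = uuid.UUID("00000000-0000-4000-8000-000000000001")
WATCHED_COMPANY_IDS = {0xFFFF}  # Bluetooth SIG test identifier as a stand-in

def parse_ad(payload: bytes) -> dict:
    """Split a raw advertising or scan-response payload into AD structures."""
    out = {"name": None, "uuids128": [], "company_ids": [], "malformed": False}
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length: rest is padding
            break
        if i + 1 + length > len(payload):    # structure runs past the payload
            out["malformed"] = True
            break
        ad_type, data = payload[i + 1], payload[i + 2:i + 1 + length]
        if ad_type in (0x08, 0x09):          # shortened / complete local name
            out["name"] = data.decode("utf-8", errors="replace")
        elif ad_type in (0x06, 0x07):        # 128-bit service UUIDs, little-endian
            for j in range(0, len(data) - 15, 16):
                out["uuids128"].append(uuid.UUID(bytes=data[j:j + 16][::-1]))
        elif ad_type == 0xFF and len(data) >= 2:  # manufacturer specific data
            out["company_ids"].append(int.from_bytes(data[:2], "little"))
        i += 1 + length
    return out

def classify(payload: bytes) -> set:
    """Label one payload: notice beacon, watched vendor, and/or malformed."""
    fields = parse_ad(payload)
    labels = set()
    if NOTICE_UUID in fields["uuids128"]:
        labels.add("non-consent-beacon")
    if WATCHED_COMPANY_IDS & set(fields["company_ids"]):
        labels.add("watched-vendor")
    if fields["malformed"]:
        labels.add("malformed")
    return labels

def build_ad(ad_type: int, data: bytes) -> bytes:
    """Build one AD structure (used only to construct the sample frames)."""
    return bytes([len(data) + 1, ad_type]) + data

# Constructed sample frames, not captured traffic. BEACON fits the 31-byte legacy limit.
BEACON = build_ad(0x01, b"\x06") + build_ad(0x07, NOTICE_UUID.bytes[::-1]) + build_ad(0x08, b"teaz.me")
GLASSES = build_ad(0x01, b"\x06") + build_ad(0xFF, (0xFFFF).to_bytes(2, "little") + b"\x01\x02")
```

Apple's Core Bluetooth documentation notes that a backgrounded peripheral app does not advertise its local name and moves service UUIDs to an overflow area, so the broadcasting app has to stay in the foreground for a frame to look like the sample above.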

The Workflow in Practice

The two apps work sequentially rather than simultaneously. Nearby Glasses runs in the foreground for detection. If smart glasses are detected nearby -- particularly in a static environment like a coffee shop, coworking space, or meeting -- I switch to LightBlue and activate the broadcast. The blue dot goes active and the beacon starts transmitting.

This isn't a magic shield. The broadcast doesn't prevent someone from pointing a camera at you. It doesn't jam the glasses, disable the connection, or trigger any technical response in the device. What it does is establish a documented, timestamped, legally grounded assertion of non-consent that was publicly broadcast in the vicinity of the alleged collection. In a jurisdiction with strong biometric privacy law, that matters.

Think of it less like a firewall and more like a certified letter. You're creating a record.

Where This Goes From Here

WWDC 2026 kicks off Monday June 8th. Apple is widely expected to announce significant Siri and automation upgrades in iOS 27, including a natural language Shortcuts builder and an expanded App Intents framework that lets Siri call into third-party apps. I'm eager to see the results and the ways they might further automate this into a more robust workflow.

The counter-surveillance landscape is moving fast. Sixty-four organizations have formally asked Congress to block Meta's facial recognition glasses. US Senators Padilla, Markey, and Merkley have demanded answers from DHS about plans to deploy smart glasses for biometric identification in immigration enforcement. A class action against Meta and Luxottica is working through the Northern District of California. The EFF is watching the NameTag code closely.

None of that stopped Meta from writing the code in January while publicly claiming a thoughtful approach in April. Legislative and legal remedies matter but they move slowly. Individual counter-measures, imperfect as they are, move at the speed of an afternoon.

A Note on Limitations and Legality

Broadcasting a BLE beacon is legal. BLE operates on an unlicensed frequency band. The signal is passive, non-interfering, and read-only. There is no existing law that prohibits an individual from broadcasting a non-consent declaration over BLE -- and given the direction of biometric privacy legislation, that position is unlikely to change.

This is not a complete technical solution. It is a documented legal assertion combined with situational awareness tooling. The value is real but it operates in the space between what technology permits and what law requires -- which is exactly where most meaningful privacy advocacy lives right now.

So, here we are in a spy vs spy dynamic. One side is wearing the glasses, scanning faces, building faceprint databases, and calling it innovation. The other side is detecting the signal, broadcasting non-consent, documenting the assertion, and not taking it without a fight. The berets may look the same from a distance. The intentions less so.

Update -- How the Glasses Actually Handle BLE

A question worth addressing after publishing: do smart glasses actively scan BLE frequencies and surface nearby peripherals to the wearer? Like all Bluetooth devices, smart glasses perform environmental scanning -- that's fundamental to how Bluetooth operates. But the scanning is targeted, not general. The glasses are looking for their paired companion phone and known service profiles, not sweeping the RF environment for arbitrary peripherals. No current smart glasses platform -- Meta, Snap, or otherwise -- has a designed mechanism in its firmware or companion app to interpret, display, or act on arbitrary BLE peripheral advertisements from unknown devices. A wearer would only see this beacon by deliberately opening Bluetooth settings and looking. Many never will, since they simply decide to record at some random moment.

That is not the point of this beacon.

The non-consent broadcast exists as a public record in the BLE environment -- documented, timestamped, and legally grounded -- regardless of whether any wearer ever sees it. The RF environment is not private. Any active BLE scanner, any future forensic review, any technical audit of what signals were present in a given space at a given time can confirm the beacon was broadcasting. That is the legal value. This is not trying to communicate with the wearer. This is establishing that non-consent was publicly asserted, in the same wireless environment where the collection allegedly occurred, at a specific date and time, tied to a published notice that predates the event. In a jurisdiction with strong biometric privacy law, that documented assertion is the thing that matters -- not whether the person pointing a camera at your face ever noticed it.

You can see them. They cannot easily see you. But the record sees everything.

Privacy isn't a setting. If your organization needs help with biometric privacy strategy, GEO-optimized policy documentation, or digital presence built for a surveillance-aware world -- let's talk.
