The Code That Wasn't Supposed to Be Seen
On June 4, 2026, WIRED published findings that Meta had quietly embedded facial recognition code — internally called "NameTag" — into the Meta AI app, the companion software for its Ray-Ban smart glasses, distributing it to more than 50 million phones. The code had not been activated for consumers. But it was present, functional enough in debug mode to identify faces in real time, and nobody outside the company had been told it existed.
Within roughly 24 to 48 hours, after public outcry and condemnation from privacy advocates, Meta pushed an update stripping the code. No regulator ordered the removal. No court issued an injunction. A company that has paid over two billion dollars in biometric privacy settlements across two major legal actions simply pulled the code when it became embarrassing — and then called the original reporting "incredibly misleading."
That sequence — covert deployment, public exposure, voluntary reversal, angry denial — tells policymakers something important: existing law has not deterred a determined company from moving toward real-time stranger identification. And the company's own internal documents suggest it knew that.
What NameTag Could Do
The Electronic Frontier Foundation, which confirmed the code's presence through static analysis, described a system capable of converting images of faces into unique biometric signatures — a series of 2,048 numbers representing the geometry of facial features — and matching those signatures against a stored database to identify people encountered in public. When Ray-Ban glasses captured a face, NameTag could have surfaced a "Person recognized" alert in the companion app.
Unactivated code is not a crime. But the EFF also documented that Meta's internal communications showed the company planning to launch the feature "during a dynamic political environment where many civil society groups that we would expect to attack us would have their resources focused on other concerns." That phrase is a statement of calculated corporate timing: deploy when opponents are distracted. It is the opposite of transparent product development.
Meta's public response reinforced this posture. VP of communications Andy Stone called the WIRED reporting "intellectually dishonest." CTO Andrew Bosworth called it "incredibly misleading" and "absolutely dishonest." Meta declined to answer ten specific questions from WIRED about whether a facial database already existed, how long photos were retained, and whether biometric data had been transmitted to Meta's servers.
A Two-Billion-Dollar Track Record That Changed Nothing
The NameTag episode is not the first time Meta has faced legal consequences for biometric overreach — and the scale of those consequences makes the recidivism remarkable.
In February 2021, a federal judge approved a $650 million class-action settlement after Facebook scanned the faces of 1.6 million Illinois users for its photo-tagging feature without the informed consent required by the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14, enacted 2008). The company subsequently discontinued the automatic tagging feature.
In July 2024, Texas Attorney General Ken Paxton secured a $1.4 billion settlement — the largest ever obtained by a single state attorney general — after suing Meta under Texas's Capture or Use of Biometric Identifier (CUBI) Act for collecting facial geometry from Facebook photos without consent over more than a decade. The first installment of $500 million was due within 30 days of the agreed final judgment.
In May 2026, Paxton's office issued a new Civil Investigative Demand to Meta, specifically targeting the Ray-Ban AI glasses and their "always-enabled" recording mode — before the WIRED exposé even landed.
Three enforcement actions. Two billion dollars in settlements. NameTag code shipped to 50 million phones anyway. The company's appetite for real-time biometric identification has not diminished; only its timing has grown more cautious.
The 2024 Warning Sign
There is an irony in the timeline. In October 2024, two Harvard undergraduates demonstrated a tool called I-XRAY that combined Meta Ray-Ban glasses with public reverse-image search to identify strangers in real time — surfacing names, addresses, and additional personal details within seconds using entirely off-the-shelf components. The demonstration went viral. It showed that the technical capability to turn Ray-Ban glasses into a stranger-identification system already existed without any cooperation from Meta. It also generated zero federal legislative response.
Meta shipped the NameTag code to 50 million phones roughly fifteen months later.
The Missing Federal Layer
Privacy advocates are right that the stakes here are high, and their strongest argument deserves full acknowledgment: wearable cameras with real-time face recognition could enable stalkers to track survivors of domestic abuse, allow anyone to identify a stranger on public transit, and erode the practical anonymity that urban life has historically provided. These are not speculative fears. They follow directly from the technology's capabilities.
But the correct response is not a blanket prohibition on facial recognition. The technology has proportionate and legitimate applications — from locating missing persons to identity verification at security checkpoints — and outright bans would not stop the underlying AI development, only concentrate it in jurisdictions with weaker rules.
What is clearly inadequate is the current U.S. patchwork. Illinois's BIPA and Texas's CUBI Act are strong state laws with private rights of action and meaningful penalties. But they cover only residents of those states, apply only after harm is alleged, and cannot be invoked against dormant code that has not yet collected data. There is no federal biometric privacy statute. The FTC has issued policy guidance on biometric information misuse and taken enforcement actions against specific companies, but it cannot impose comprehensive ex-ante consent requirements — the kind that would make NameTag-style silent deployments illegal before they ship, not merely embarrassing when discovered.
Meta's internal memo about launching "when advocacy groups would be focused on other concerns" is the tell. The company is not deterred by enforcement risk; it is deterred by political attention. That is a fragile substitute for law.
What Good Policy Would Require
A proportionate federal biometric privacy framework would need three elements. First, affirmative, informed consent before any biometric identifier is collected, processed, or stored — including code that is technically dormant. Second, private rights of action with statutory damages, so enforcement is not entirely dependent on overstretched regulators or investigative journalists. Third, transparency mandates requiring companies to disclose what biometric-capable code has been deployed to consumer devices, even in non-activated form.
The third element is the most novel and the most necessary. Code distributed to 50 million devices but "not exposed to consumers" is still a deployment decision. It bypasses the consent process by design. A mandatory disclosure requirement would have made the NameTag rollout publicly known before WIRED discovered it — and would have given regulators and the public an opportunity to respond before the capability was one configuration flag away from activation.
Public shaming produced the right outcome this time. It is not a governance model that scales.