Meta quietly shipped code for an unreleased facial recognition system across multiple smart glasses updates, and security researchers caught them.
The system, called "NameTag," was discovered by analysts examining Meta's smart glasses app. While the company publicly announced basic facial recognition features, they simultaneously deployed infrastructure for something far more powerful - a system that appears designed to identify people by name.
This is the privacy nightmare scenario we've been warning about, and it's not theoretical anymore. It's shipping in production code.
Meta says they're being transparent about facial recognition. But shipping undisclosed capabilities tells a different story. As someone who's built and shipped software, I know the difference between features and foundation. You don't build elaborate infrastructure for "NameTag" functionality unless you plan to use it.
The analysis found this code integrated across multiple 2026 updates, suggesting sustained development rather than experimental code that accidentally shipped. This was deliberate.
Think about the implications. Someone wearing Meta's smart glasses could look at you and instantly get your name, your social media profiles, potentially your work history and connections - all without your knowledge or consent. The glasses look like regular eyewear. You'd have no idea you're being scanned.
Illinois and Texas have biometric privacy laws that could apply here. Europe's GDPR absolutely would. But the code is already out there, already running on devices people bought.
Meta's track record on privacy doesn't inspire confidence. This is the company that paid a $5 billion FTC fine over privacy violations. The company that ran psychological experiments on users without consent. The company that repeatedly promised privacy controls and then undermined them.
The announced facial recognition features are concerning enough - identifying friends in photos, recognizing celebrities, matching faces to find similar images. But "NameTag" suggests something beyond recognition into identification. That's a meaningful distinction.
When I ran a startup, we had a rule: never ship code you're not prepared to defend publicly. If you can't explain why it's there, it shouldn't be in production. Meta apparently disagrees.
