Two Harvard students named AnhPhu Nguyen and Caine Schwartz built something that made headlines worldwide — not because it was technically extraordinary, but because it demonstrated something people suspected but hadn't seen so clearly: real-time facial identification of strangers using off-the-shelf consumer hardware.
Their tool, I-XRAY, used Meta's Ray-Ban smart glasses, a custom computer vision pipeline, and public data scraped from social media to identify faces on the street, retrieve names, addresses, and other personal information — all in seconds, with no interaction from the subject.
Meta was quick to note that their glasses weren't doing the facial recognition. The glasses were just the camera. The identification happened in downstream software. But that distinction, while technically accurate, doesn't change the practical reality.
The I-XRAY demo changed how people think about consumer-grade cameras and facial recognition.
What the Demo Actually Did
The technical pipeline was not particularly novel. Each component was either publicly available or easily assembled from existing tools:
- Ray-Ban Meta smart glasses stream video to a paired phone
- The video stream was intercepted and frames extracted in real time
- Frames were passed to a facial recognition model (PimEyes or similar face-search API)
- Matches were cross-referenced against public social media profiles
- Names, employers, and other public information were retrieved and displayed
The innovation wasn't any single piece — it was demonstrating that the pieces could be assembled in an afternoon with consumer hardware and public APIs.
# Simplified version of the pipeline concept
# (not the actual I-XRAY code — illustrative only)
import cv2
import requests
def identify_person_from_frame(frame):
# 1. Extract face from frame
face_image = extract_face(frame)
# 2. Search face against public databases
# PimEyes, Clearview, or similar face search APIs
search_results = face_search_api(face_image)
# 3. Cross-reference with social media
if search_results:
profile_url = search_results[0]['profile_url']
public_info = scrape_public_profile(profile_url)
return public_info
return None
# The key insight: none of this requires proprietary technology
# Every component is accessible with a basic API key and a consumer device
Nguyen and Schwartz said they built it specifically to demonstrate the gap between what people think is possible and what actually is. They didn't release the code publicly. The point was the demonstration, not the tool.
Meta's Response and What It Actually Means
Meta responded that their glasses "don't have facial recognition capabilities" and that such uses violate their terms of service. Both statements are true. Both are somewhat beside the point.
The issue isn't Meta's glasses specifically. Any small, socially acceptable camera — glasses, a lapel camera, a phone held naturally — can feed this pipeline. Meta's Ray-Ban glasses became the symbol of the problem because they look like ordinary eyewear. Someone wearing them on the subway looks indistinguishable from someone not using AI at all.
The ToS violation argument assumes that ToS enforcement is a meaningful barrier. For a researcher or a bad actor willing to build custom software, it isn't.
The Technical Reality Developers Should Understand
This is where I want to be direct: the barrier to building something like I-XRAY is lower than most developers realize.
Facial recognition technology has become a commodity. Accuracy has improved dramatically; cost has dropped to nearly zero. Face-search APIs like PimEyes are publicly accessible. Social media profiles are largely public by default. The hardware (a phone, a small camera, smart glasses) is consumer-grade.
What the I-XRAY demo showed is that the limiting factor is no longer technology — it's the decision to build it. That's a meaningful shift.
For developers, this creates a genuine ethical question: when you build applications involving cameras and AI, what safeguards are you building in? The technology to identify people without their consent is accessible. The question is whether you think about that when you design your system.
Three Concrete Implications
1. Consent is no longer implicit in public space The pre-AI assumption was that being visible in public didn't mean being identifiable. That assumption is now wrong. When you build applications involving cameras in public spaces, you're operating in a world where the people in the frame can potentially be identified without ever interacting with your system.
2. "Public information" aggregation is a distinct harm None of the data I-XRAY retrieved was private in isolation. Names, employer info, college affiliations — all public. The harm is the aggregation and real-time linking of that information to a physical person in a specific location. Privacy law in most jurisdictions hasn't caught up to this aggregation problem.
3. Platform ToS is insufficient as a safeguard Expecting platform terms of service to prevent misuse of AI capabilities is not a serious technical safeguard. It's a legal backstop, not a prevention mechanism. If you're building systems where misuse could cause harm, the safeguards need to be technical, not contractual.
What Regulation Is Actually Being Proposed
The I-XRAY demo accelerated several legislative conversations:
- Illinois BIPA (Biometric Information Privacy Act) — already in force, the strongest state-level biometric privacy law in the US — was cited frequently as the model for federal legislation
- The EU's AI Act explicitly categorizes real-time facial recognition in public spaces as "unacceptable risk" — prohibited for most use cases
- Several US senators introduced the "No Facial Recognition in Public Spaces Act" following the demo, though as of early 2026 it hasn't passed
The regulatory gap between the US and EU is significant here. Building a product that deploys facial recognition in public spaces in the EU carries serious legal risk. In most US states, it doesn't — yet.
The Harder Conversation
I've seen responses to this demo that land in two camps: "this is terrifying" and "the technology exists, you can't put it back in the bottle." Both are partly right.
The technology does exist. It can't be un-invented. But that's true of a lot of dangerous technologies, and we do regulate them. The question isn't whether facial recognition AI is technically possible — it's what norms and rules we want to establish around when and how it's used.
The I-XRAY demo was valuable because it made an abstract threat concrete. Most people understand facial recognition in the abstract. Seeing it demonstrated with consumer glasses on a city sidewalk is different.
For developers specifically: the fact that you can build something doesn't settle the question of whether you should. The I-XRAY team made a deliberate choice to demonstrate the capability without releasing the code. That's a form of responsible disclosure. It's worth thinking about what the equivalent looks like in your own work.
Related reading:
- Apple Intelligence 2026: From LLM Siri to Gemini Integration (Privacy-first AI approaches)
- Google Search Live Expands to 200 Countries + Gemini 3.1 Flash Live (Camera AI and SynthID watermarking)