Meta’s smart glasses companion app was downloaded more than 50 million times before anyone revealed that it already had three AI models capable of facial recognition, biometric fingerprinting and ‘authorized person’ notification.

On 4 June 2026, a security analyst named Buchodi published a technical analysis of Stella, Meta’s companion app for Ray-Ban and Oakley smart glasses. Examining Android build version 273.0.0.21, the researcher found what they described as a complete, passive face recognition pipeline: three on-device AI models, a biometric database schema, a vector similarity index dimensioned for those models, a write path for unidentified faces, and labeled notification channels. The research was published alongside reporting in WIRED, which confirmed that the code had been included in the app in several updates since January 2026.

The app, which is required to use the main features of the glasses, was downloaded more than 50 million times before any of this was disclosed.

What the researcher found in the application

The three models identified in the Stella framework are SCRFD, a face detection model developed by InsightFace; KPSAligner, which aligns detected faces using crops and facial key points; and SFace, which converts an aligned face into a 2048-dimensional biometric fingerprint. The SFace variant in Stella appears larger than the public reference implementation: 96 megabytes versus about 40 megabytes for the open-source version, with a 2048-dimensional output. These models arrive on the device through Meta’s asset delivery system.

Along with the models, the researcher found a SQLite database stored in a person_profiles namespace under RLDrive, Meta’s cross-device synchronization framework. The database schema holds named person records, face records associated with each person, and a vector table that uses cosine-distance search and is dimensioned at exactly 2048 floats to match the SFace embedding. Each face record links back to a person’s name. Recognition, when it runs, is a cosine-similarity query against the stored face embeddings, followed by a join to retrieve the person’s name for the notification text.

The researcher ran the pipeline end-to-end against a test image. On a non-matching result, the app writes the cropped face image and its biometric embedding to a folder named NameTagsPending. On a match, it posts a notification on the Android channel nametags_recognition, with the title “Authorized Person” and the body “Authorized [name].” The notification contains a deep link that can be tapped to open a person’s profile screen in Stella; the target screen is not present in this configuration.
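The match and no-match paths described above, sketched as an added example for privacy reviewers (not code from Stella or from the researcher). Table and column names, the 0.5 threshold and the sample vectors are assumptions, and a brute-force scan stands in for the app's vector index.

```python
import math, random, sqlite3
from array import array

DIM = 2048          # embedding width stated on the page
THRESHOLD = 0.5     # assumed; the page gives no match threshold

def make_db():
    """In-memory stand-in for the person/face tables (names are hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person(id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE face(id INTEGER PRIMARY KEY, person_id INTEGER "
               "REFERENCES person(id), embedding BLOB)")
    return db

def enroll(db, name, vec):
    pid = db.execute("INSERT INTO person(name) VALUES (?)", (name,)).lastrowid
    db.execute("INSERT INTO face(person_id, embedding) VALUES (?, ?)",
               (pid, array("f", vec).tobytes()))

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def process(db, probe, pending):
    """Match path returns notification text; miss path retains the embedding."""
    best_name, best_sim = None, -1.0
    rows = db.execute("SELECT p.name, f.embedding FROM face f "
                      "JOIN person p ON p.id = f.person_id")
    for name, blob in rows:
        sim = cosine(probe, array("f", blob))   # decode float32 BLOB, compare
        if sim > best_sim:
            best_name, best_sim = name, sim
    if best_sim >= THRESHOLD:
        return ("Authorized Person", f"Authorized {best_name}")
    # No match: the face of someone who never enrolled is still stored.
    pending.append(array("f", probe).tobytes())  # stands in for NameTagsPending
    return None

def demo():
    rng = random.Random(1)                       # constructed sample vectors
    known = [rng.gauss(0, 1) for _ in range(DIM)]
    same = [x + rng.gauss(0, 0.1) for x in known]
    stranger = [rng.gauss(0, 1) for _ in range(DIM)]
    db, pending = make_db(), []
    enroll(db, "Sample Person", known)
    return process(db, same, pending), process(db, stranger, pending), pending
```

The point for a privacy review is the miss path: every face that does not match an enrolled person still leaves an 8 KB biometric record behind.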

A separate user-facing widget titled “Connections” was found in the APK, with the description “remember people you’ve met and make new connections.” In a standard, unregistered account, the card does not appear in the app’s interface.

According to a report by WIRED, the same feature will appear in the May 2026 version of the app under the name “Connections”.

What it still doesn’t show

The researcher is careful about this, and anyone writing about it should be. In a trial account with no registered contacts, the user-facing interface does not appear and the recognition pipeline is not active. The researcher did not observe Meta pushing face data into the person_profiles database on the trial account. The database is configured to receive server-side updates via RLDrive, which Meta uses to synchronize other types of data, but the researcher did not directly observe such an exchange in the face namespace.

Meta’s response, attributed to company representative Ryan Daniels and reported by PhoneArena quoting WIRED, is that the findings are “just evidence” that Meta is developing a concept, “nothing has been sent to consumers and no final decision has been made” and that if Meta continues with the feature, it apparently will. The company said it did not secretly build a central biometric database of users’ faces.

The distinction between “instrument built and put together” and “instrument active for users” is real and worth keeping. The researcher makes it clear. The code review establishes the presence and internal coherence of the facial recognition system, not that it is active for ordinary users.

Why context makes this difficult to reject

This isn’t the first time a Meta smart glasses product has come into contact with facial recognition. In February 2021, BuzzFeed News reported that Facebook considered building facial recognition into the first Ray-Ban smart glasses, deciding that state biometric privacy laws would make deploying it impossible. That same month, two Harvard students, AnhPhu Nguyen and Caine Ardayfio, demonstrated a project called I-XRAY: software they added to a standard pair of Ray-Ban Meta glasses fed the video stream to external facial recognition tools and public data sources to identify strangers on the street. Nguyen and Ardayfio said they created the demonstration to show what was technically possible, declined to release the code, and advised people to stay away from the data sources involved. Meta’s glasses weren’t the reason for the demonstration, but they were the interface.

In November 2021, Meta announced that it would delete more than a billion face templates collected by Facebook’s photo-tagging system and shut down the system altogether, citing concerns about the use of facial recognition technology overall. Meta later paid US$650 million to settle a class-action lawsuit brought by users in Illinois, and in 2024, agreed to a separate US$1.4 billion settlement with the state of Texas.

In February 2026, The New York Times reported, citing internal documents, that Meta had updated its plans for facial recognition in smart glasses. The report described a feature internally called NameTag and cited an internal memo suggesting that “in a changing political environment, many civil society groups expecting to attack us will focus their resources on other concerns.” Meta’s plans, The Times noted, could change.

The Buchodi/WIRED code analysis published in June 2026 adds a technical layer to that reporting: the machinery described in the February accounts had already shipped to millions of devices in an inactive form at the time.

The code raises the question

The researcher’s framing is pointed: “A potential that is not sent by chance.” Building three production-scale facial recognition models, a biometric database, a vector index dimensioned to match those models, a write path, and a notification surface with hard-coded text under a named notification channel is a significant engineering investment. It’s coherent, not bad code. Whether this represents a feature in an active product or a feature held in reserve in assembled form is a question that the available evidence cannot resolve.

What the code shows is that users of a consumer device were not told, at download or during updates, that models had arrived on their phones and that their device now holds a functional facial recognition infrastructure. Meta’s position is that the feature is not enabled. From a user’s perspective, there is a meaningful disclosure gap between “not enabled” and “not currently available”: the two are not the same thing, and the difference exists before either is disclosed.

What to watch next

Meta has not confirmed whether NameTag will go to public release. Senator Ed Markey and other lawmakers wrote to Meta in March 2026 requesting information about its facial recognition plans; the letters have not provoked a public response as of this writing. Illinois and Texas biometric privacy laws were the basis for Meta’s two previous settlements; both states have specific requirements for the collection and storage of biometric identifiers. Whether the NameTagsPending write path constitutes collection under those laws is a question regulators will ultimately have to answer.

According to The New York Times, Meta’s glasses have sold around seven million pairs in the past year. The companion app, required for full functionality, has been downloaded over 50 million times. At that distribution level, the difference between a passive feature and an enabled feature is a server-side configuration change.
