The session at RSAC 2026 was called “Facing Reality: Hacking Facial Recognition.”

ESET cybersecurity advisor Jake Moore didn’t hack anything. He bought a pair of Meta Ray-Ban smart glasses — the $299 consumer product available at any Best Buy — paired them with Corsight’s commercial facial recognition platform, and walked through the RSA Conference in San Francisco.

As he moved through crowds, the system returned real-time identification of the people around him: names, social media profiles, personal details. Strangers who had never consented to be identified. People who had no idea it was happening.

He didn’t need a law enforcement badge. He didn’t need classified access. He needed a consumer product, a commercial subscription, and an afternoon at a security conference.

This is where we are.

The Demo: What Actually Happened

Moore’s demonstration was methodologically straightforward — which is precisely what made it terrifying.

The Meta Ray-Ban glasses include a front-facing camera capable of streaming video to a connected smartphone. The glasses look like ordinary Ray-Bans. There is a small LED that is supposed to indicate when the camera is recording, but in ambient lighting conditions at a busy conference, it is nearly invisible.

Moore connected the glasses’ camera feed to Corsight, an enterprise facial recognition platform marketed primarily to law enforcement and security agencies. Corsight claims its system can identify faces with high accuracy even in challenging conditions — crowds, partial occlusion, poor lighting.

As Moore walked through the conference space, the Corsight system processed the faces in his field of view and returned matches from publicly available databases — LinkedIn profiles, social media accounts, news photos, any publicly indexed image that could be cross-referenced.

The results came back in seconds. Name. Employer. Social media profiles. Sometimes addresses and phone numbers, depending on what the person had made publicly available.

Moore also demonstrated two additional capabilities in the same session:

  • Opening a real bank account using an AI-generated synthetic face — bypassing standard KYC (Know Your Customer) identity verification
  • Walking past a London train station’s watchlist surveillance system undetected using face-swap software

The RSAC session was about demonstrating defensive security awareness. The unintended message was clear: these capabilities are no longer theoretical, classified, or expensive.

Meta’s Senate Silence

The RSAC demonstration didn’t happen in a vacuum. Three months earlier, on March 5, 2026, US Senators Ed Markey, Ron Wyden, and Jeff Merkley sent Meta CEO Mark Zuckerberg a formal letter demanding answers about the company’s facial recognition plans for Ray-Ban smart glasses.

According to internal documents cited in reporting at the time, Meta had been developing a feature internally called “Name Tag” — a system that would allow Ray-Ban wearers to identify people they encounter in real time. The feature was reportedly timed for rollout during a “dynamic political environment” in which civil society groups would be focused on other concerns.

The senators gave Meta until April 6, 2026 to respond. They asked specific questions:

  • Does Meta have plans to implement real-time facial recognition on Ray-Ban glasses?
  • What data would be collected and where would it be stored?
  • Would users be able to opt out of being identified?
  • What consent mechanisms would exist for the people being identified?

April 6 came and went. As of April 10, Meta had not responded.

The company that recently reversed end-to-end encryption on Instagram DMs, that fought a $375 million verdict over child safety, and that is building the hardware layer for mass public facial recognition — chose to say nothing to the United States Senate.

Why This Is Different from a Camera

The instinctive comparison — “people have always been able to take photos in public” — misses what makes this technology categorically different.

Speed. A human looking at a photo cannot identify most strangers. Even with Google Lens, identification is hit-or-miss, requires deliberate effort, and takes time. Corsight and comparable systems process faces in real time, at scale, continuously, without any deliberate human action.

Scale. One person with Meta glasses and Corsight can process hundreds of faces in a day without conscious effort. Previously, mass identification required law enforcement resources, multiple cameras, and significant infrastructure. Now it requires a consumer device.

Aggregation. Identifying someone’s face doesn’t just reveal their name. Combined with location data (embedded in the glasses’ GPS), time data, and the ability to cross-reference public profiles, the system can build a log of where you went, who you were with, and how long you stayed — in real time, continuously, without your knowledge.

Permanence. If these identification events are logged — and there’s no technical reason they wouldn’t be — then every public appearance becomes part of a permanent, searchable record.

This is what the end of anonymous public life looks like. Not a dramatic government decree. A pair of sunglasses and a commercial API.

The Regulatory Landscape

The US has no federal law specifically governing real-time public facial recognition by private individuals. Several cities have banned government use of facial recognition — San Francisco, Boston, Portland — but those bans apply to law enforcement, not to private citizens or companies.

At the state level, Illinois has the strongest protection through its Biometric Information Privacy Act (BIPA), which requires consent before collecting biometric identifiers including facial geometry. Texas and Washington have similar laws. Most states have nothing.

The EU’s approach under the AI Act bans real-time remote biometric identification in public spaces — specifically the kind of thing Moore demonstrated at RSAC — with limited law enforcement exceptions. That ban is among the AI Act’s highest-risk classifications.

The US has not moved in this direction at the federal level. The Senate letter to Zuckerberg — now ignored — may be the most concrete congressional action taken so far.

What You Cannot Do (and What You Can)

The honest answer is that there is no reliable technical countermeasure for a determined person using this technology in public. You cannot opt out of being in public. You cannot opt out of having a face.

What you can do:

Minimize your public digital surface. The facial recognition systems in use today cross-reference public photos — LinkedIn profiles, social media accounts, news coverage, anything publicly indexed. A profile photo that doesn’t clearly show your face provides less to match against. This is not a suggestion to hide; it’s a note on how the system works.

Understand what “public” means differently now. If you post a clear, high-resolution photo of your face publicly on any platform, it may become training data or a matching target for facial recognition systems. The privacy calculus around public posting has changed.

Support policy engagement. The Senators’ letter to Meta deserves a response. Constituent pressure on legislators to address real-time public biometric identification is one of the few meaningful levers available.

Watch for the rollout. If Meta’s “Name Tag” feature ships — which internal memos suggest was being planned for 2026 — it will come with a privacy policy update that few people will read. When it does, the surveillance capability Moore demonstrated at RSAC will be in the hands of anyone who owns a pair of Ray-Bans.

That day may already be closer than you think.