Harvard duo hacks Meta Ray-Bans to dox strangers on sight in seconds

'You can build this in a few days – even as a very naïve developer'


A pair of inventive Harvard undergraduates have created what they believe could be one of the most intrusive devices ever built – a wake-up call, they tell The Register, for the world to take privacy seriously in the AI era.

AnhPhu Nguyen and Caine Ardayfio, who've collaborated previously on some positively explosive projects, shared their latest project on X in the form of a pair of camera-fitted Meta Ray-Ban smart glasses that can attempt to automatically and swiftly identify anyone in view of the device's camera and return an AI-generated dossier on them. 

Dubbed "I-XRAY" by Nguyen and Ardayfio, the project uses Meta glasses to stream videos to Instagram. Faces captured from the specs' livestream are fed through services like PimEyes, which match the images to publicly available ones and return the URLs. With at least a name, I-XRAY can then cross-reference this data using people-search sites to find addresses and other details – potentially even partial Social Security numbers, pieced together from different sites displaying SSN fragments.

The server-side system doing the work, built by the pair in Python, spits its LLM-summarized results to a mobile app built in JavaScript, and boom: A mini biography on anyone, available instantly. Or, almost instantly – Ardayfio told us the app is actually a bit slow, and usually takes "a minute or so" to pull results. 

To top it all off, every bit of data I-XRAY pulls is publicly available – making this a potential open source intelligence privacy nightmare.

All style – and some substance, too

Using a pair of Ray-Ban smart glasses for the project was relatively arbitrary, Nguyen told us in an email exchange, and was largely down to using a visually striking gadget that would draw attention to what could be achieved by the wearable tech. 

"Ninety-nine percent of the damage a bad actor could make from this tool is independent of whether they have smart glasses," Nguyen explained. "Someone could very easily, discreetly, take a picture of someone from afar – cameras have 50x zoom today. They're really good at that." 

Any hidden – or not-so-hidden – camera could be used to do what the duo did, they told us. And it doesn't take much coding know-how either: The pair only needed two or three days of coding, around four to six hours a day, to get the project running, Nguyen recalled. While Ardayfio has nine years of coding experience, and Nguyen three, that doesn't matter, we're told. 

"Anyone who can run some simple web automations with ChatGPT can build this," Nguyen said. "It's astonishing that you can build this in a few days – even as a very naïve developer."  

The duo doesn't intend to release their code – primarily because of its potential for misuse. But they noted it was also originally just a side project that wouldn't be fit for public consumption. 

"The tech works okay," Ardayfio told The Register. "But it's slow, and not fully accurate." 

"Our main goal [was] to show people what's possible with fairly standard technology so that people can take their own privacy and data into their hands," Ardayfio added. "Bad actors already know how to do what we did, but we can help the good guys and the general public be more conscious of how to protect themselves." 

Consumer Reports' Yael Grauer maintains an extensive list of data broker websites – and what needs to be done to request information deletion – on GitHub, for those who would like to minimize their online presence. ®
