A security researcher has found a complete, dormant facial recognition system inside Meta's Stella companion app for its smart glasses. The analysis, published June 4, 2026, identified three neural network models totaling roughly 100 MB, a SQLite biometric database, and a notification system for "Person recognized" alerts. The machinery is present and functional but not active on standard user accounts.
What Was Found
The security researcher at buchodi.com reverse-engineered the Stella app and identified three computer vision models bundled with the application:
- SCRFD face detector (3.4 MB): A face detection model from the InsightFace library, designed for fast multi-scale face detection in images and video frames.
- KPSAligner (117 KB): A keypoint-based face alignment model that crops and normalizes detected faces before passing them to the embedder.
- SFace embedder (96 MB): A face recognition model that converts aligned face images into 2048-dimensional biometric fingerprints for identity matching.
Alongside the models, the researcher found a SQLite database configured with cosine-similarity vector indexing, the standard structure for comparing biometric fingerprints against a stored gallery. A notification system was also present in the app code, with a display string reading "Person recognized."

A folder called "NameTagsPending" was identified in the app's local storage structure. It stores cropped face images paired with their biometric fingerprints, creating a gallery structure for faces that have not yet been assigned a name. This is the architecture you would build if you intended to retroactively label faces once a match or user input arrives.
Current Status: Dormant, Not Active
The researcher emphasizes an important distinction. On standard unenrolled accounts, the user-facing "Connections" card is hidden and the notification target screen is absent from the active build. The facial recognition machinery exists in the app but is not accessible through the normal interface.
The components are present and functional when directly invoked, but Meta has not enabled the feature for general users. This means the system has been built and shipped in the app but is gated behind server-side or account-level controls.
As the researcher notes, "This doesn't ship by accident." A 96 MB SFace model, a local biometric database, and a notification pipeline represent significant engineering investment. Features of this scope are designed, reviewed, and bundled deliberately.
Meta has not publicly commented on the finding. Creative AI News reached out to the Meta AI team for comment and will update this post if a response is received.
How the Technology Works
The pipeline the researcher identified follows a standard biometric identification flow:
- The SCRFD model detects faces in the camera feed from the smart glasses.
- KPSAligner crops and normalizes each detected face to a standard orientation.
- SFace converts the normalized face image into a 2048-dimensional vector fingerprint.
- The fingerprint is compared against the SQLite database using cosine similarity. A high similarity score indicates a match.
- If a match is found, the notification system triggers a "Person recognized" alert.
This is the same architecture used in access control systems, photo management apps, and surveillance technology. The SFace model and SCRFD detector are both from InsightFace, an open-source face analysis library widely used in research and commercial applications.

The local processing aspect is notable. Running inference on-device means the identification happens without a server round-trip. Face data does not need to leave the device for the recognition to occur, though the NameTagsPending folder suggests synchronization with user-defined labels could happen later.
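The matching step and the pending gallery described above, as an added example that is not code from the Stella app or from the researcher's analysis. It shows why unnamed entries matter for privacy: a face stored without a name is identified in later frames once a label is attached. The table schema, the 0.6 threshold, the 4-dimensional vectors and the name "Alex" are all constructed assumptions, and a brute-force scan stands in for the vector index.

```python
import math
import sqlite3
import struct

THRESHOLD = 0.6  # assumed match threshold; the page does not state one

def pack(vec):
    return struct.pack(f"{len(vec)}f", *vec)  # store as a float32 BLOB

def unpack(blob):
    return struct.unpack(f"{len(blob) // 4}f", blob)

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def open_gallery():
    db = sqlite3.connect(":memory:")
    # Hypothetical schema: name stays NULL while a face is "pending".
    db.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, name TEXT, embedding BLOB NOT NULL)")
    return db

def observe(db, embedding):
    """Return (row_id, name, score); enroll unmatched faces as pending."""
    best = (None, None, -1.0)
    for row_id, name, blob in db.execute("SELECT id, name, embedding FROM gallery"):
        score = cosine(embedding, unpack(blob))
        if score > best[2]:
            best = (row_id, name, score)
    if best[2] >= THRESHOLD:
        return best
    cur = db.execute("INSERT INTO gallery (name, embedding) VALUES (NULL, ?)", (pack(embedding),))
    return (cur.lastrowid, None, best[2])

def label(db, row_id, name):
    db.execute("UPDATE gallery SET name = ? WHERE id = ?", (name, row_id))

def demo():
    # Constructed 4-dimensional vectors; the page reports 2048 dimensions.
    a_first, a_later = [0.9, 0.1, 0.2, 0.0], [0.85, 0.15, 0.25, 0.05]
    b_first = [0.0, 0.9, 0.1, 0.4]
    db = open_gallery()
    results = [observe(db, a_first), observe(db, b_first)]  # both stored unnamed
    label(db, 1, "Alex")                  # a name arrives later (constructed)
    results.append(observe(db, a_later))  # same face, new frame: now named
    return results

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The first two observations are enrolled with no name; the third returns the label attached afterwards, which is the retroactive-labelling behaviour the pending folder implies.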
Privacy Implications for Creators
Smart glasses are increasingly used by photographers, filmmakers, and location scouts who wear them during shoots, client meetings, and public events. A functional facial recognition system on a wearable device, even a dormant one, raises specific concerns for creative professionals:
- Consent: Subjects in a shoot may not know they are being identified by a wearable. Standard model releases cover image capture, not biometric processing.
- Client confidentiality: Creators working with talent, executives, or private clients may inadvertently build biometric records of people who have not agreed to be enrolled in any recognition system.
- Data residency: The NameTagsPending folder creates a local biometric database on the device. The scope of any cloud sync is unknown.
- Regulatory exposure: Biometric data collection is regulated under Illinois BIPA, the EU's GDPR, and several other frameworks. The EFF tracks biometric privacy legislation across US states. Even using a device that collects biometrics without consent can create liability.
The "dormant" framing matters, but so does the fact that the capability is present. If Meta activates it via an app update or account setting, users would not need to download anything new; it is already installed.
What Creators Should Do Now
- Review your release forms. If you use smart glasses in creative work, update release language to address biometric processing, not just image capture.
- Check app permissions. Audit what camera, storage, and network permissions the Stella app holds on your device. Restricting storage access limits what the NameTagsPending folder can accumulate.
- Follow app updates. If Meta updates Stella with new permissions requests or a new "Connections" feature in settings, review what it does before accepting.
- Know your jurisdiction. If you work in Illinois, Texas, Washington, or the EU, biometric collection rules apply. Consult with a legal professional if you use AI-powered wearables in professional settings.
- Read the source analysis. The full technical breakdown is at buchodi.com. It includes model sizes, database schema, and folder structure.
Frequently Asked Questions
Is facial recognition currently running on Meta smart glasses?
No, not on standard user accounts. The researcher found the models and database present in the app but confirmed the user-facing feature is hidden and inactive on unenrolled accounts. The capability is there, but the on-switch has not been flipped for general users.

What is the SFace model?
SFace is a face recognition model from InsightFace that converts face images into 2048-dimensional biometric fingerprints. These fingerprints can be compared against a stored database to identify individuals. It is widely used in both research and commercial face recognition systems.
What is the NameTagsPending folder?
The NameTagsPending folder stores cropped face images paired with biometric fingerprints for faces that have not been assigned a name yet. This is the architecture for a "pending identification" queue, suggesting the system is designed to label unidentified faces once additional input arrives.
Has Meta addressed these findings?
As of the time of publication, Meta has not publicly commented on the security researcher's findings. The company has previously discussed facial recognition in the context of accessibility features for its smart glasses.
Should creators stop using Meta smart glasses?
That is a personal and professional judgment call. The feature is dormant. What this finding establishes is that the infrastructure exists and could be activated through an app update. Creators working in legally sensitive contexts should review their practices and consult legal counsel if needed.