What I-XRAY was
In September 2024, Harvard juniors AnhPhu Nguyen and Caine Ardayfio built a system called I-XRAY that chained together consumer smart glasses, a reverse face-search engine, and public data-broker sites to identify strangers in real time. They demonstrated it on Boston public transit — looking at someone, and within about 90 seconds seeing that person's name, home address, phone number, and employer on a phone screen.
They posted a demo video on X on September 30, 2024, with the tagline: "Are we ready for a world where our data is exposed at a glance?" By mid-October, the video had been viewed more than 20 million times. 404 Media, The Verge, Ars Technica, Forbes, and the Harvard Crimson all covered the story.
The students explicitly stated they would never release the code. This was a demonstration project intended to show what was already possible with publicly available tools — and to push people to opt out of the databases that make it work.
How it worked technically
I-XRAY was not a single piece of software. It was a pipeline of existing services, none of which were built for this purpose:
Step 1 — Capture. Ray-Ban Meta glasses (Gen 2) livestreamed video to Instagram Live. A laptop program monitored the live stream and extracted face images from the video feed.
Step 2 — Reverse face search. Face images were uploaded to PimEyes, a reverse face-search engine based in Tbilisi, Georgia. PimEyes returned URLs of publicly indexed photos matching the face — not a name, but links to web pages where that face appeared.
Step 3 — Identity extraction. A large language model scraped text from those URLs to infer a name, occupation, school, and other details from unstructured web pages.
Step 4 — Data-broker lookup. With a name identified, the system queried public people-search sites — FastPeopleSearch, CheckThem, Instant Checkmate — to retrieve a home address, phone number, age, and relatives.
Step 5 — Optional deeper lookup. With a phone number, the system could query services like Cloaked.com to retrieve partial Social Security Number digits.
All processing happened on an external computer, not on the glasses. The glasses were just a camera that looked like ordinary eyewear — which was the entire point. Nguyen told Business Insider the same pipeline would work with any camera, including a smartphone. The glasses made it covert.
What made the glasses central
The students chose Ray-Ban Meta Gen 2 specifically because they "look almost indistinguishable from regular glasses." A phone camera pointed at someone on a train is conspicuous. Glasses that look like glasses are not.
They also covered the recording-indicator LED to make the scan fully invisible — a detail that foreshadowed the LED-tampering investigation by Joanna Stern 20 months later.
How Meta responded
Meta's statement, repeated across multiple outlets:
"To be clear, Ray-Ban Meta glasses do not have facial recognition technology. From what we can see, these students are simply using publicly available facial recognition software on a computer that would work with photos taken on any camera, phone, or recording device."
Meta emphasized three points: the glasses do not run facial recognition on-device; a capture LED exists that cannot be user-disabled; and terms of service prohibit LED tampering. The students had, of course, simply covered the LED.
How PimEyes responded
In January 2025, PimEyes CEO Giorgi Gobronidze told Snopes that the company was "not involved" in I-XRAY and "does not support such experiments." PimEyes stated that eight accounts potentially linked to the project were closed and that the students had used personal accounts — the company had not granted API access.
PimEyes also maintained that its service does not "identify" people. It returns links to web pages where a matching face appears. The distinction is technically accurate and practically irrelevant — the links lead to pages that contain names.
What happened afterward
No code was released. The students refused all requests. Snopes confirmed in January 2025 that the tool was not actively maintained and was last fully functional in November 2024.
No documented copycats. Despite the viral attention, no public reimplementation of I-XRAY was found in any reporting through July 2026.
Academic engagement. Harvard Law School's Library Innovation Lab hosted a lunch with Professor Jonathan Zittrain in January 2025 to discuss the project and opt-out guidance.
Legislative momentum. No U.S. bill explicitly names I-XRAY, but the demonstration became a reference point for smart-glasses privacy legislation in 2026. California's SB 1130 (introduced February 2026) criminalizes secret wearable recording in businesses and targets hardware that disables recording lights. Pennsylvania's HB 2603 (introduced June 2026) requires visible recording indicators on smart glasses.
The NameTag connection
In June 2026 — 20 months after I-XRAY — WIRED discovered dormant facial-recognition code called "NameTag" in the Meta AI app, which has 50 million downloads. The code included face detection, faceprint generation, and a matching system that could recognize previously encountered people.
I-XRAY and NameTag are technically different systems. I-XRAY used third-party reverse face search to identify strangers. NameTag used on-device biometric faceprints to recognize people the wearer had previously met. But the arc is the same: the form factor that makes smart glasses useful for photography and AI assistance is the same form factor that enables surveillance without consent.
Meta removed nearly all NameTag code from the app within 24 hours of the WIRED report, after public backlash and an ACLU-led coalition letter signed by 75 organizations.
Why I-XRAY matters for detection
The I-XRAY pipeline required the glasses to livestream to Instagram — which means the glasses were actively transmitting over Wi-Fi and Bluetooth. The entire pipeline depended on wireless communication between the glasses and the paired phone.
This is the exact signal that radio-based detection reads. Glasses Radar does not try to determine whether facial recognition is running on the other end. It detects that camera-equipped glasses are nearby and communicating — the precondition for every I-XRAY-style attack.
The students' own opt-out recommendation was to remove yourself from PimEyes and data-broker sites. That is good advice and worth doing. But it is defense after-the-fact — it reduces the damage from an identification attempt but does not tell you one is happening. Awareness that camera glasses are present is the first line of defense.
How to opt out of the databases I-XRAY used
The students published a Google Doc with opt-out instructions. The core steps:
- PimEyes — Request removal of your face from their index at pimeyes.com/en/opt-out-request-form
- FaceCheck.ID — Submit a takedown request
- FastPeopleSearch — Visit fastpeoplesearch.com/removal and follow the form
- CheckThem — Request removal at checkthem.com/optout
- Instant Checkmate — Use instantcheckmate.com/opt-out
These removals reduce your exposure but are not permanent. Data brokers re-index public records. Opting out is a recurring task, not a one-time fix.
The bottom line
I-XRAY demonstrated in 2024 what many privacy researchers had warned about for years: consumer smart glasses that look like ordinary eyewear, combined with freely available facial-recognition tools and unregulated data brokers, make real-time stranger identification possible for anyone motivated enough to chain the tools together.
The code was never released. The pipeline is no longer maintained. But every component still exists and is still publicly accessible. PimEyes is still operating. Data brokers are still selling records. And the glasses now sell in greater volume than when the demo went viral.
The threat model I-XRAY established is not hypothetical. It was demonstrated on a train, on camera, and watched by tens of millions of people.