KRYOTECH PRIVACY AND SECURITY ANALYSIS

FACEBOOK/META RAY-BAN STORIES VIDEO-GLASSES

INTRODUCTION

Quoting Facebook/Meta, the Ray-Ban Stories Glasses, launched on 9th September 2021, are smart glasses that give you a new way to capture photos and video, share your journeys and listen to music or engage in phone calls, so that you can, apparently, stay present with friends, family, and the world around you. They have been developed as a partnership between Facebook/Meta and Essilor Luxottica. Retailing from $299, they are already available to purchase in twenty different style combinations online and in selected retail stores in the US, Australia, Canada, Ireland, Italy, and the UK.

The video-glasses feature dual-integrated 5MP cameras that allow you to capture life’s moments as they happen from the first-person perspective. You can record the world through your point of view, taking photos and up to 30-second videos using the capture button or hands-free with Facebook/Meta Assistant voice commands. A hard-wired capture LED lights up to inform people nearby that you are taking a photo or recording a video. Streamlined, open-ear speakers are built in, and the glasses include three-microphone arrays which apparently deliver richer voice and sound transmission for calls and videos. Beamforming technology and a background noise suppression algorithm provide for an enhanced calling experience which is expected from dedicated headphones.

The video-glasses pair with the Facebook/Meta View app, so that you can share your stories and captures seamlessly with friends and other social media followers, only on Facebook/Meta. The app, available on both iOS and Android, provides a way to import, edit and share content captured on the video-glasses to all Facebook/Meta platforms and applications.

CONCERNS AND CONSIDERATIONS

1. Not Smart Glasses
a. These are not ‘smart glasses’ but in fact video-glasses. Smart glasses feature
visual and sensory feedback displayed to the user. The Facebook/Meta Ray-Ban Glasses only takes photographs, records video and listens to audio. This is a gross misrepresentation of what the core product offering is and feels like an
attempt to artificially bolster the perception of the product by claiming that it is something more complex and interesting than it actually is in reality.
2. Voice-Command Always Listening
a. The video-glasses feature the ability to be controlled by voice commands which means that the device is continually ‘listening’ for voice commands, which also means listening to the entire ambient environment. This poses a serious threat to the privacy of anyone within range of the three-microphone arrays. There are a multitude of usages for voice data, including stress and behavioural analysis.
3. Dual-Integrated First-Person Cameras
a. The dual-integrated first-person cameras are 5MP and positioned on either side of the wearer’s field-of-vision. The hardware is designed to integrate into the video-glasses frame. Due to their size and colour, they ostensibly disappear into the lines, curves, and profile of the glasses themselves which makes them hard for casual observers to detect.
b. When the cameras are activated, a capture led light turns on. However, the
capture led light is small, approximately five percent the size of the embedded
cameras. There is nothing to prevent covering of the capture led light with
either black masking tape or permanent marker pen.
4. Lack of Privacy for External Users
a. The video-glasses provide no privacy to protect the external public that may
encounter you.
b. No thought has been given to providing tools and strategies for protecting
members of the public from intrusion in their privacy.
c. Facebook/Meta have ignored obvious security measures that could be
implemented, like automatic anonymisation of all faces and computer screens
detected in the wearer’s field-of-vision.
5. Implied Trust by Device Design and Popularity
a. A range of glass frames have been designed by Ray Ban featuring this
technology, some of which do not look like sunglasses.
b. Facebook/Meta are effectively ‘hiding’ their technology in plain site by imitating a pre-existing brand and design that already has ubiquity thereby making it harder for detection of their technology in the wild by the average consumer.
6. Made by Facebook/Meta
a. Facebook/Meta as a corporation has a long history of being irresponsible with their user’s data, ranging from their participation in the Cambridge Analytica scandal to exploitation of personal user data for personalised ads, largely without properly informed consent.
b. Facebook/Meta have also consistently demonstrated themselves to be
untrustworthy and opaque as demonstrated from their lack of cooperation in
ensuring that their platform is free of misinformation and exploitation.
7. Not Open-Source
a. Despite the claim that Facebook/Meta do not have access to your data from the video-glasses their argument for how this is the case is spurious and includes no guarantees or indicators of safeguards that would prevent access by Facebook/Meta.
b. The video-glasses stream, via Bluetooth, to the Facebook/Meta View mobile
app. Quoting Facebook/Meta the app is described
i. “as a standalone app that lets your import your photos and videos from
your glasses and create unique content — all while giving you control
over what you choose to share and when.”
c. The description of the app is a misrepresentation as the app requires a
Facebook/Meta login to use and access. This app is not standalone despite the
description.
d. The privacy page published on the Facebook/Meta Reality Labs site gives the impression of protecting the wearer’s security while at the same time providing:
i. no information on what meta data is saved that you do not have control
over,
ii. no information on where your data is stored,
iii. no information on what type of encryption is used,
iv. no information on how the encryption is used,
v. no information on how to report a breach of privacy or data.

THE THREATS

There are multiple threats to personal and public privacy that this technology and its current implementation represents.
1. Personal Privacy Threat
a. Despite the claims made by Facebook/Meta, it is abundantly clear, based on their previous and current corporate behaviour and culture, that personal user data privacy is at either not overly considered or, at worst, deliberately co-opted for their personal profit.
b. Facebook/Meta cannot be trusted with your personal user data.
c. By having access to your first-person perspective Facebook/Meta can start building a virtual picture of your individual world which allows them to potentially build a psychological profile, which can be used for enhanced direct targeting.
2. Public Privacy Threat
a. The capture led light is small and hard to see and in daylight conditions especially would be near impossible for the casual consumer to identify.
b. As already demonstrated by various journalists and reviewers of the video-glasses, the capture led light can easily be covered with either black masking tape or permanent marker pen thereby instantly negating their built-in ‘privacy feature’.
c. Members of the public have literally no control over their image and audio
appearing in the wearer’s videos.
d. The technology could be used for stalking, harassment and even gathering data to produce deepfakes without the observed having awareness.
e. Criminals involved in card cloning and identity theft will particularly benefit from this technology due to being able to directly record their view of their target’s details or their targets in operation in the wild.
3. National Security Threat
a. Via any wearer of these video-glasses, Facebook/Meta can ‘see’ into any institution that has their wearers working there.
b. The video-glasses cannot be easily distinguished from their non-camera equipped equivalencies without close inspection.
c. Because the video-glasses use Bluetooth to connect to their host handset, they cannot be detected by network or wireless access monitors.
d. National and/or security secrets could be easily exfiltrated from any location with little difficulty or barriers.
4. Corporate Espionage
a. Via any wearer of these video-glasses, Facebook/Meta can ‘see’ into any workplace, academic, military and government institution in a way that would have previously been impossible unless you were working for a covert intelligence organisation.
b. This represents a particular threat to direct competitors of Facebook/Meta.
c. Legal, medical, and financial institutions are particularly at threat from bad actors wearing this technology to subvert cyber security protocols.

THE RECOMMENDED SOLUTIONS

There are a number of recommendations that could be made in order to make this product actually
viable as a safe and useful product:
1. Automatic Anonymisation
a. It is trivial to detect people and their faces in a user’s field of view and then
automatically anonymise the faces of any people not identified in the user’s whitelist.
b. The companion app should be open-source in order to provide assurance that the
app is in fact decoupled from Facebook/Meta’s servers.
2. Visible Recording Warning
a. The ability for other people to realise that they’re being recorded is effectively
neutered by only having a tiny, almost imperceptible light showing which can easily
be concealed. The recording activity light should be expanded to a lightbar that runs
across the center of the glasses above the bridge of the glasses, combined with
additional light indicators on the actual sides of the glasses themselves.
3. Improve Privacy Explanations
a. Provide explicit and granular explanation of all the privacy and security measures
being taken to protect user data.