Smart glasses as an enterprise risk: What CIOs should know
Once experimental tech, smart glasses now pose serious risks to businesses through covert recording, data leaks and compliance violations in the workplace.
Executive Summary
- Smart glasses are now enterprise threats. Covert recording capabilities and AI integration expose sensitive data, IP and confidential conversations across facilities without visible detection.
- Compliance violations are inevitable without controls. GDPR, HIPAA, and biometric privacy breaches create legal liability, regulatory penalties, and reputational damage that extends beyond IT.
- Immediate action is required. Audit on-premises devices, ban use in sensitive areas, deploy detection tools, and enforce strict policies before a data breach forces reactive measures.
It wasn't that long ago that smart glasses were considered a niche product, but now they may be considered an enterprise risk.
When Google launched Google Glass in 2013, it looked nothing like actual glasses, and the product was available only to a small number of developers to try as an experimental technology. Google Glass was released to the public the following year, but it received a lukewarm reception and low adoption.
In the years since, the technology and design behind smart glasses have evolved, leading to greater mainstream acceptance. Global shipments of smart glasses spiked by 210% in 2024, with popular models such as the Meta Ray-Bans and Snap Spectacles gaining traction. These newer models enable even more covert recording, thanks to their more stylized, traditional design and advanced features such as cloud transmission. In particular, the timing has been a perfect fit with the rise of AI, with smart glasses offering AI integration and real-time AI analysis.
But with increased adoption and enhanced features comes a new wave of security and data privacy concerns. Workplaces now face an increased risk of compliance violations and compromised customer or proprietary data, presenting CIOs and CISOs with a unique governance challenge. Here's what you need to know about the risks that smart glasses pose, and how best to protect your business, your customers and your data from what are effectively always-on surveillance devices.
Surveillance without consent
One of the biggest challenges with newer smart glasses like the Meta Ray-Bans is that they are deliberately designed to blend in; they are, at least in theory, indistinguishable from an ordinary pair of glasses. As such, anyone who sets foot in your company's facilities while wearing them – whether employees, outside contractors, or visitors – could be acting as a mobile sensor, capturing information without your knowledge.
The indicators that smart glasses use to show when they're recording are subtle. Models like the Meta Ray-Bans do have features such as a small LED light that turns on when they're recording, but it can be easy to miss in bright light, not to mention aftermarket methods of circumventing said notification measures.
If a wearer were present in places such as boardrooms, R&D labs or factory floors, the list of enterprise and workplace risks would be lengthy. Leaks of sensitive conversations or IP, violations of GDPR compliance or biometric privacy regulations, and even HIPAA violations all become very real possibilities.
Broader concerns for enterprises
The risks posed by smart glasses in an enterprise environment are not just technical. When CISOs evaluate risks associated with wearable technology, they also need to consider the downstream consequences of losing company data or failing to comply. Any enterprise that has a reputation for losing customer data, privacy violations, or worse is one that's going to struggle with trust issues both inside and outside the company.
Take, for instance, the existence of a new app called Nearby Glasses that can be used to flag the presence of smart glasses – the mere existence of such an app suggests that people are already becoming concerned about the technology.
How the detection app works
Nearby Glasses is a new Android app for those concerned about the privacy and security issues posed by smart glasses. The app continuously scans for a specific type of Bluetooth Low Energy data signature, known as "advertising frames," that is commonly associated with devices from manufacturers such as Meta, Snap and Luxottica (Ray-Ban's parent company and a partner in Meta's smart glasses collaboration).
Once advertising frames are within approximately 10-15 meters, the app detects them and pings the user with a push notification letting them know that smart glasses are nearby. While the app does need to hedge against occasional false positives – Malwarebytes says Meta Quest VR sets are one example – it can still provide users with a sense of security and protection against unwanted recording in both private and professional contexts.
While implementing the app at scale may be difficult, it provides at least one minor countermeasure against smart glasses that can be employed in high-stakes environments such as financial institutions, government buildings and hospitals.
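To make the detection approach concrete, here is an added example (not code from the Nearby Glasses app or from Malwarebytes) that parses the length/type/value structures of a BLE advertising frame, pulls out the manufacturer company ID and local name, and flags frames that match a watchlist while suppressing a known false-positive product family. The company ID and name prefix in the watchlist are placeholders, not real vendor identifiers.

```python
"""Parse BLE advertising payloads and flag frames that match a watchlist.

Constructed example: the company IDs and local-name prefixes below are
placeholders (assumptions), not the identifiers any real vendor broadcasts.
"""
from dataclasses import dataclass
from typing import Optional
import struct

AD_TYPE_COMPLETE_LOCAL_NAME = 0x09   # Bluetooth assigned number for "Complete Local Name"
AD_TYPE_MANUFACTURER_DATA = 0xFF     # Bluetooth assigned number for "Manufacturer Specific Data"

# Placeholder watchlist (assumption): company IDs that should raise an alert,
# plus name prefixes of products sharing a vendor ID that are not glasses
# (the kind of false positive the article mentions for VR headsets).
WATCHLIST_COMPANY_IDS = {0xBEEF}
KNOWN_BENIGN_NAME_PREFIXES = ("DemoHeadset",)


@dataclass
class AdvFrame:
    local_name: Optional[str] = None
    company_id: Optional[int] = None
    manufacturer_payload: bytes = b""


def parse_adv_data(payload: bytes) -> AdvFrame:
    """Walk the AD structures: one length byte, one AD-type byte, then data."""
    frame = AdvFrame()
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break  # zero-length structure means padding; nothing follows
        if i + 1 >= len(payload):
            raise ValueError("truncated AD structure: missing type byte")
        ad_type = payload[i + 1]
        value = payload[i + 2 : i + 1 + length]  # length counts the type byte
        if len(value) != length - 1:
            raise ValueError("truncated AD structure: missing data bytes")
        if ad_type == AD_TYPE_COMPLETE_LOCAL_NAME:
            frame.local_name = value.decode("utf-8", errors="replace")
        elif ad_type == AD_TYPE_MANUFACTURER_DATA and len(value) >= 2:
            frame.company_id = struct.unpack_from("<H", value)[0]  # little-endian uint16
            frame.manufacturer_payload = value[2:]
        i += 1 + length
    return frame


def classify(payload: bytes) -> str:
    """Return 'benign', 'alert' or 'ignore' for one captured advertising frame."""
    frame = parse_adv_data(payload)
    if frame.local_name and frame.local_name.startswith(KNOWN_BENIGN_NAME_PREFIXES):
        return "benign"  # suppress the known false positive before alerting
    if frame.company_id in WATCHLIST_COMPANY_IDS:
        return "alert"
    return "ignore"
```

A real deployment would feed `classify` from a BLE scanner's raw advertising data and rate-limit alerts per device address, since the same glasses advertise repeatedly.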
The enterprise attack surface is expanding
The prevalence of smart glasses has suddenly increased the cyber and physical risk profiles of your business. Now that people are wearing what appears to be a common accessory that can surreptitiously record photos and videos, which can then be analyzed and transmitted elsewhere, enterprises become dramatically more vulnerable in numerous ways across sectors.
Data security risks:
- Data can be continuously and ambiently collected, even if the wearer isn't deliberately recording a photo or video. If the smart glasses are on, the collected data can be transmitted to third-party cloud servers.
- Given the limited user interfaces of smart glasses, authentication can be difficult. While certain features may be locked behind authentication measures, there's nothing stopping the wrong person from wearing them in the wrong places.
- There's nothing that limits what the glasses see, because they capture everything in their field of view. Even if the glasses are being used deliberately as part of a business process, there's essentially no data minimization; everything the user is looking at is captured whether they mean to or not.
- An increase in data security risks increases the odds that a company will suffer a data breach. With data breaches come a slew of notification obligations under CCPA, GDPR, HIPAA and state laws.
Operational risks:
- The key operational risk with smart glasses is that a company's proprietary information could be compromised if anyone wearing them discusses trade secrets or views sensitive materials.
- It's not just company data at risk; personal data is as well. People's biometric data, such as their faces or voices, can be easily captured by smart glasses without their consent.
- All the above can be hard to spot, given that smart glasses are explicitly designed to blend in. While there are security/notification features, such as LED lights that let nearby people know the glasses are recording, users can "root" devices to bypass these measures.
- AI agents embedded in smart glasses are equipped with superuser permissions, designed to enhance efficiency, streamline operations and ensure integration. This allows them unrestricted access to the data captured by the glasses, including the ability to transmit it for training other AI models.
Compliance risks:
- The use of smart glasses can either directly (if there are explicit policies against them) or indirectly (if there are more general policies about consent to recording) violate privacy laws and requirements.
- Healthcare facilities need to be wary of HIPAA violations, for example, if someone's smart glasses capture data while looking at a patient's chart or medical history.
- Certain regulated industries, such as defense contractors or legal offices, are also at risk of violating strict compliance laws. Wearing a tool that regularly broadcasts sensitive or proprietary information to third-party servers (or even just records it) is a violation.
- Relatedly, many industries and individual companies are governed by policies that prohibit cross-border data transfers. If someone's smart glasses send sensitive data outside the company's servers, it could cause problems for the enterprise.
Real-world abuse cases
Security concerns with smart glasses don't solely stem from careless, or at least non-nefarious, behavior. They can be intentionally abused in the form of reconnaissance of high-value targets – such as banks, public infrastructure or airports – or even harassment and stalking.
Abuse of smart glasses technology does not exist solely in the abstract. For instance, there have been reported cases of Border Patrol and Immigration and Customs Enforcement (ICE) agents wearing Meta smart glasses while patrolling in numerous states. Given ICE's use of a facial recognition app called Mobile Fortify, as well as a recent Border Patrol contract with Clearview AI (a facial recognition company), concerns abound that they may be using the glasses to record data and pass it into facial recognition software or government databases.
Two former Harvard University students did just that to demonstrate the privacy and safety risks of smart glasses. AnhPhu Nguyen and Caine Ardayfio hacked a mobile app that processes data from Meta Ray-Bans in real time and provides users with private information about any individual they are looking at. The system, which they dubbed I-XRAY, uses the facial recognition search engine Pimeyes in conjunction with readily available services such as FastPeopleSearch for address lookups or Cloaked.com for Social Security information. Though I-XRAY was designed as an unreleased proof-of-concept, it showed how easily technology could be abused to violate people's privacy.
In some cases, outside actors don't even need to be involved for smart glasses to produce problematic results. Swedish newspapers Svenska Dagbladet (SvD) and Goteborgs-Posten (GP) recently reported that Meta sometimes uses subcontracted workers to review image and video content captured by users of its Ray-Ban Meta smart glasses to improve the "experience."
The content is sometimes sensitive. Meta claims that the data is filtered by blurring faces to protect users' privacy. However, workers from a Kenya-based Meta subcontractor said that these measures sometimes failed and faces could be seen.
Action items for CIOs
To reduce the enterprise risk posed by smart glasses, CIOs can take steps now and in the future to protect sensitive information and data.
Immediate (0-30 Days)
- Perform an audit. The first step is to determine the breadth of the issue. Identify where smart glasses are already in use, and by whom. This includes employees, contractors, visitors or partners.
- Governance. Set up guardrails. Determine whether smart glasses are allowed on-premises at all. Establish clearly defined guidelines for when, where and how they can be used.
- Designate no-recording zones. As part of acceptable use policies, include guidance on protecting high-value spaces such as boardrooms, R&D areas, data centers and customer-facing areas.
Short-term (30-90 Days)
- Implement detection capabilities. Whether it's educating security personnel to spot devices (and whether they're recording) or using scanning tools, detection measures – especially in sensitive areas – are key.
- Require consent protocols. Requiring visual indicators for when smart glasses are recording is an important part of a smart glasses policy. It allows individuals to consent to being recorded or to enable the recording of their surroundings, while giving security a way to protect controlled spaces.
- Educate leadership and staff. Once you've established these policies and security measures, train your teams about them. Also include the risks your enterprise could face if these policies are not followed.
Long-term (90+ Days)
- Align cross-functional ownership. Make sure everyone is on the same page. Coordination among cybersecurity, physical security, legal, HR and compliance teams helps ensure that everyone consistently enforces these policies.
- Update vendor management policies. These rules don't just apply to your own employees. Vendors and contractors should be held to the same standard; ensure your third-party risk assessments now include a smart glasses policy.
- Monitor regulatory developments. Keep your finger on the pulse for any new privacy legislation or guidance specific to your industry. This will help ensure your business remains compliant.
- Evaluate enterprise use cases carefully. The presence of smart glasses in the workplace is not always incidental; in some cases, it's by design. If your business chooses to deploy smart glasses, ensure it's for legitimate reasons, such as hands-free workflows and remote assistance. Establish data governance, encryption and access controls for using them.
Grant Hatchimonji is a freelance writer and solutions architect who does software engineering and consulting.