By Allan Juma, Lead Cyber Security Engineer at ESET.
In 2025, EssilorLuxottica and Meta sold more than seven million Ray-Ban and Oakley smart glasses, tripling their sales from the previous two years and making the category a mainstream product for the first time. The technology has gone mainstream faster than public awareness, regulation or governance, and, despite the fact that East Africa remains an underrepresented market for this technology, it has been placed at the centre of a growing controversy that has no legal or constitutional precedent.
Early 2026, a Russian vlogger identified by Kenyan and Ghanian authorities as Vladislav Luilkov travelled through Kenya and Ghana wearing the Ray-Ban Meta smart glasses, recording intimate encounters with women without their knowledge and posting the footage online for profit.
The recording and distribution of these encounters were not consensual, according to a petition filed with the Kenya’s Office of the Data Protection Commissioner (ODPC) by digital rights organisation, The Oversight Lab. Since then, the ODPC has launched a full suo moto investigation into the incident.
It was not an isolated event. A BBC investigation in January 2026 documented how a woman was covertly filmed at a beach, with the footage receiving around one million views online. By May 2026, a second victim was also reported by the BBC. She was told that the footage would only be removed as a paid service, effectively extortion.
Around the same time, an investigation by Svenksa Dagladet confirmed that footage captured through the glasses was being routed to human contractor teams for review, including deeply private material: people in intimate moments, accessing banking systems, in domestic spaces. The Nairobi-based company Sama, which held a major Meta content moderation contract, found itself at the centre of this controversy before Meta terminated the contract in April 2026, triggering the redundancy of 1,108 employees.
These devices are rapidly becoming so much more than stylish technology, especially in the wrong hands. Smart glasses can track and record their surroundings and allow the wearer to use AI to interrogate what they see. The Meta Ray-Ban glasses, for example, come with a 12-megapixel camera that can capture photos and video on the move.
Wearers can potentially discover a person’s identity, address, and other personal details and share these, along with video footage, with anyone they want, on any platform they want, and this creates significant security and privacy risks. Two Harvard students recently showed how the footage streamed through these glasses could be linked to external AI facial recognition tools, allowing strangers to be identified in real time with names, home addresses and personal information pulled from the internet.
This risk goes both ways. For wearers, smart glasses can be compromised through conventional attack vectors, allowing hackers to hijack their devices for data theft, account takeover or surveillance. The glasses are linked to social media and cloud accounts, so a compromised device means a compromised account.
Smart glasses are also an Internet of Things (IoT) device with connected hardware running software that can be targeted in the same way any connected device can. Research by ESET has found that specific attack vectors such as unpatched firmware vulnerabilities, compromised companion apps, and malicious Wi-Fi hotspots are gaining in momentum and capability. These threats can compromise the glasses or the device they are paired with and the attacker gains access to everything the wearer sees.
For bystanders in East Africa, there are personal, privacy and legal concerns that currently go beyond most of the protections governments have in place. Fortunately, for Kenya, the legal position is more substantive than citizens realise. The ODPC has issued 184 compensation orders under the Data Protection Act, 2019, marking one of the strongest enforcement actions since the law’s enactment.
The case law is clear on the commercial use of images, and both the courts and the ODPC have upheld compensation claims where images were used without express consent. In one case, a woman’s image was used in a marketing campaign without her permission, and she was awarded KES 1,000,000 in damages.
The bystander is in many ways more vulnerable as they have no relationship with the device, cannot configure its settings and may not know they are being recorded. The primary mechanism Meta has put in place to address this issue is a small LED light that pulses when recording is active, but this can be physically disabled for as little as $60 by a third-party modification service.
While this remains an issue, it is possible to manage some of the risks that come with smart glasses and their invasion of privacy. Be aware of people shoulder surfing in queues, at ATMS, on public transport or in cafes, as smart glasses can capture PINs, passwords and sensitive information. If you are uncomfortable, challenge wearers directly – in Kenya this is the first step in a legally meaningful process – and speak to management if you are in a business environment like a gym or banking hall.
Uganda’s government has publicly committed to updating the Data Protection and Privacy Act, 2019, to address artificial intelligence, with the Deputy Speaker explicitly warning that AI’s ability to harvest and exploit data has outpaced the current law and calling for amendments to bring it in line with “technologies of the fourth industrial revolution.