Not Your Muse: How Meta Is Building the Most Complete Surveillance Architecture in Human History
By Comms for A Cause
In May 2025, someone at Meta wrote a memo about when to launch facial recognition on Ray-Ban smart glasses already in the hands of millions of people worldwide. The memo, first reported by the New York Times, stated that the company planned to launch during "a dynamic political environment" when civil society groups would be too distracted to respond.
Shortly afterwards, working facial recognition code was discovered in Meta's smart glasses. Within days of those findings becoming public, the code disappeared.
This piece is about what that sequence of events tells us about the surveillance architecture Meta has spent two decades building.
Part One: The Architecture
To understand what Meta has built, we have to stop looking at its platforms as separate products and start looking at them as a single integrated system. Because that is what they are.
Facebook launched in 2004. By 2009 it had 300 million users. Today it has over three billion monthly active users and data going back nearly two decades. That data includes not just what people posted but what they liked, who they were friends with, how their social networks shifted, how their political views evolved, what they searched for, what ads they clicked, what they scrolled past. It is the most comprehensive longitudinal record of human ideological development ever assembled. For hundreds of millions of people, it begins at the moment they first encountered the internet.
Meta acquired Instagram in 2012 for approximately one billion dollars. The acquisition price was considered extraordinary at the time. It is now understood as one of the most significant strategic decisions in the history of technology. Instagram gave Meta something Facebook couldn't easily generate –– visual identity data. Photos with geotags. Location patterns over time. Attention data, measured in seconds of pause on each image, which images a user returns to, which ones they share. The trajectory of who influences a person and in what order. A map not just of where someone has been but of what they find beautiful, threatening, desirable, aspirational.
Meta acquired WhatsApp in 2014 for nineteen billion dollars. The acquisition was, at the time, controversial precisely because WhatsApp had built its reputation on being independent of advertising and data harvesting. Meta promised WhatsApp would remain separate. By 2016 it had begun merging their data systems. WhatsApp holds something neither Facebook nor Instagram can access –– the private voice. The way people communicate when they believe no one else is watching. Group chats where organizing happens. Voice notes sent at 2am. The social graph of trusted relationships. For hundreds of millions of people in the Global South, WhatsApp is not a messaging app. It is the primary infrastructure of daily life. It is how healthcare information travels. How survivors reach support networks. How queer people in criminalizing countries find each other. How movement work gets done.
Threads launched in 2023, adding real-time public discourse to the ecosystem.
Messenger, acquired through Beluga in 2011, holds a billion users' conversation history.
And then there is Oculus, acquired in 2014 for 2.3 billion dollars, now rebranded as Meta Quest. The headset collects eye tracking data, one of the most intimate biometric signals a human body produces, revealing cognitive load, emotional response, and states that cannot be consciously controlled. It collects hand and body movement data. It maps the physical dimensions of the space we live in. It watches our face through internal cameras while we use it, recording involuntary emotional responses in real time. Research published in 2019 demonstrated that raw image data from VR headsets can accurately identify individuals based on movement patterns alone, patterns so unique they cannot be meaningfully anonymized. Meta paid 1.4 billion dollars to settle a Texas lawsuit in 2024 specifically over its collection of facial recognition data from photos and videos uploaded to Facebook. Two years earlier, it had shut down Facebook's facial recognition system under regulatory pressure, promising to find what it called "the right balance."
It found the balance. It moved the facial recognition into a headset. And then into glasses.
In 2025, Meta introduced the Meta Neural Band, a wrist-worn device that uses electromyography to let users control their glasses through neuromuscular signals. Electromyography reads the electrical signals from muscles and nerves, including signals the body sends before conscious decision-making is complete. It sits on our wrist and reads our body's pre-conscious responses.
Each of these acquisitions and products, considered alone, represents a significant data collection system. Considered together, they represent something that has no historical precedent. A single company with access to our ideological history across nearly two decades, our visual identity and location patterns, our private communications and intimate social graph, our physical space, our involuntary biometric responses, and now the signals from our nervous system.
Part Two: The Pixel
There is a layer to Meta's data collection that most users, and most coverage of Meta, consistently overlooks.
The Meta Pixel is a small piece of code embedded invisibly on millions of websites across the internet. Any website running Facebook advertising, which encompasses the majority of the commercial internet, installs it as standard practice. When we visit those websites, whether or not we are logged into any Meta platform, the Pixel tracks our behavior and sends it back to Meta. What we searched for. What we read. What medical symptoms we looked up. What legal resources we accessed. What political content we engaged with. What we almost purchased but didn't.
In June 2025, academic researchers from IMDEA Networks, Radboud University, and KU Leuven disclosed that the Meta Pixel had been tracking Android users through localhost ports, a method that bypassed standard privacy controls including Incognito Mode and Android's permission system entirely. The technique worked even when users were logged out, had cleared their cookies, or were using a VPN. Meta stopped the practice on June 3, 2025, after the research was made public. The more significant fact is that the code was written this way to begin with, and operated for months before anyone outside Meta knew it existed.
The Pixel also aggregates offline behavior. Businesses regularly upload customer data to Meta, purchase records, physical store visits, phone call records, and Meta matches these to Facebook profiles through a process it calls Custom Audiences. The system is designed to build complete behavioral profiles that cross the boundary between online and offline life.
What this means in practice is that Meta's data collection does not begin and end at its own platforms. It extends across a significant portion of the internet and increasingly into physical space. A person who has never created a Facebook account, never posted on Instagram, never sent a WhatsApp message, can still have a substantial behavioral profile within Meta's systems if they have visited websites that use the Pixel, shopped at businesses that upload customer data, or been photographed by someone who uses Meta's platforms.
Part Three: What Happened in Two Weeks
In the last two weeks of June and first week of July 2026, Meta made two announcements that received separate coverage and have not yet been analyzed together.
On June 29, WhatsApp announced a username feature. Users can now claim a handle instead of sharing their phone number. Meta framed this as a privacy improvement. The mainstream response focused on impersonation risk. India's Ministry of Electronics and Information Technology sent WhatsApp a formal notice within three days, citing concerns about fraud. TechCrunch verified that usernames including "indiamodi" and "rbi_verify" were still available to reserve.
The impersonation concern is real. It is not the point.
The username feature specifically enables users to claim their Instagram or Facebook handle on WhatsApp through Meta's Accounts Center. This is described as a convenience feature. What it technically accomplishes is the consolidation of three previously somewhat separate data identities, our Facebook self, our Instagram self, and our WhatsApp self, under a single linked username within Meta's ecosystem.
Until this feature, there was meaningful friction between these three data sets. Different apps. Different contexts. A person might use their real name on Facebook, a pseudonym on Instagram, and share WhatsApp only with trusted contacts via phone number. That friction was not perfect protection but it was something. A degree of compartmentalization available to everyone.
The username feature removes that compartmentalization by default. And it does so at a moment when WhatsApp's foundational privacy claim is under direct legal challenge.
There are currently three separate legal actions questioning whether WhatsApp's encryption promises are accurate. Dawson et al. v. Meta Platforms, Inc. (Case No. 3:26-cv-00751, filed January 23, 2026, Northern District of California) was brought by plaintiffs from Australia, Brazil, India, Mexico, and South Africa, and alleges that Meta employees and Accenture contractors had broad access to WhatsApp message content through internal systems despite encryption promises. Shirazi et al. v. Meta Platforms Inc. (Case No. 3:26-cv-02615, filed March 27, 2026, Northern District of California) makes similar allegations on behalf of US users. Texas v. Meta Platforms Inc. and WhatsApp LLC (filed May 21, 2026, Harrison County District Court) was brought by Texas Attorney General Ken Paxton under the Texas Deceptive Trade Practices Act.
Meta denies the allegations in all three cases. The cases are ongoing. The source code that would technically confirm or deny the claims is not public. Meta's own help page states: "people may be able to create content with your Instagram content using AI features at Meta" and "you will not be notified about content created using AI features at Meta."
That second line belongs to the next announcement.
On July 7, 2026, Meta launched Muse Image, its first in-house AI image generation model, developed by Meta Superintelligence Labs. The consumer framing was friendly. Create images. Remix photos. Generate personalized content.
The detail that matters is this: if your Instagram account is public, anyone can @-mention your username in a Muse Image prompt and Meta will use your photos to generate new images of you. You are opted in by default. You will not be notified. The opt-out is buried four menu levels deep and applies only to future generations. Anything already generated using your photos cannot be retroactively removed.
Creative Artists Agency, the Hollywood talent agency representing Tom Cruise, Meryl Streep, Zendaya, and others, issued a formal statement within 24 hours calling on Meta to make protection the default and require explicit consent. "No one's name, image, likeness, voice, or creative work should be used by any third party, including AI models, without clear, documented consent," CAA stated.
The coverage of CAA's response was extensive. CAA represents people with lawyers, with teams, with the institutional power to opt out quickly and litigate misuse.
The coverage almost entirely missed who is most exposed by this feature.
On July 11, 2026, four days after launch, Meta discontinued the consumer-facing @-mention feature of Muse Image following widespread criticism over consent, privacy, and the risk of non-consensual image generation. "We've heard the feedback that this feature missed the mark, so it's no longer available," the company said. SAG-AFTRA called it a win. CAA praised the swift decision. Across social media, the story settled into a familiar and comfortable shape of public pressure working, a harmful feature being pulled, accountability happening.
The @-mention feature, the part that let any user type a public Instagram handle into a prompt and generate images of that person, was the most visible and most easily criticized element of the Muse Image launch. It was also, in the context of Meta's actual strategic ambitions, the least important part. The Advantage+ advertiser integration, through which businesses and agencies can access the same underlying Muse Image model to automatically generate, modify, and iterate ad creative at scale, was announced on the same day, in the same breath, as part of the same launch. It was never mentioned in the retreat. It was never pulled. It ships on schedule, behind the closed doors of Meta's business ad manager, drawing significantly less public scrutiny precisely because it is not consumer-facing.
What changed on July 11 is that the most publicly visible use of this capability was removed. What did not change is that the capability exists, that the model was trained on public Instagram content, that images generated during the four days the consumer feature was live cannot be retroactively removed, and that the same generative infrastructure now sits inside a business platform accessible to any entity with a Meta advertising account.
The costume came off. The architecture stays. And it stays in a form that is more concealed, and in many ways harder to challenge than the feature that just got pulled.
Part Four: Connecting the Threads
Here is the scenario that the existing coverage has not described.
A person attends a protest. They are not on Instagram. They do not have a public social media presence. They have made deliberate choices about their digital footprint because they understand that visibility carries risk for them specifically.
Someone else at the protest is wearing Meta Ray-Ban glasses. These glasses have a built-in camera. They are filming as a matter of course, the way a phone in a pocket might accidentally record. The EFF confirmed in June 2026 that these glasses already carried working facial recognition code capable of identifying faces in real time and matching them against a database. Meta removed that code within 48 hours of being caught. The person wearing the glasses may not know any of this. What they do have is a camera on their face in a public space, recording everything in their field of view.
The person wearing the glasses posts footage or photos from the protest to their own public Instagram account. They have done nothing that violates any platform policy. They were in a public space. They shared what they saw.
The activist's face, captured without their knowledge or consent at a protest, posted to someone else's public account, processed through Advantage+, the same generative capability that was pulled from consumer view remains available to any entity with a Meta business account, exists somewhere in a system that cannot be unwound. That includes organizations, campaigns, and actors whose interest in generating images of specific people is not commercial.
This is the pattern the article has been tracing. Deploy broadly. Absorb the outrage. Pull the visible thing. Keep the infrastructure. The facial recognition code on Ray-Ban glasses was removed within 48 hours of public exposure, with no explanation and no commitment not to return. The Muse Image consumer feature was pulled within 72 hours of backlash, with praise collected from Hollywood unions. The advertiser pipeline was never mentioned in either retreat.
Meanwhile, the activist cannot find the images generated of them because they were never notified they existed. They cannot have them removed retroactively. They have no legal recourse in most jurisdictions because no single step in this chain violates a clearly established law.
This is not a hypothetical. Every technical component described above is operational or confirmed to have existed. The only variable is whether someone chooses to use them this way.
And the question of whether someone will choose to use them this way is answered by looking at who is already using similar tools, and why.
Part Five: The Power This Creates
The conversation about AI-generated image abuse has centered almost entirely on sexual deepfakes. This is understandable. Non-consensual intimate imagery is a serious and documented harm. Sexual content is not the only way to violate a person using generated images of them. And for people doing advocacy work, it may not even be the most effective way.
Consider what a generated image can do in the context of movement work.
An image of an activist at a meeting they never attended, with funders or government officials they have publicly opposed, circulated in their own organizing community, does not need to be believed by everyone to cause harm. It needs to introduce enough doubt that questions are asked. That trust erodes. That the person spends time and energy defending themselves rather than doing their work.
An image of a queer activist in a country where being queer is criminalized, generated using their publicly available face and placed in a context their government would consider incriminating, does not need to be taken to court to cause harm. It needs to reach one person in a position of authority who is already looking for a reason to act.
An image of a woman human rights defender placed in a sexual context, generated by someone who wants to intimidate her into silence, does not need to circulate widely to cause harm. It needs to reach her. And her family. And the institutions she works with.
These are not new tactics. Fabricated evidence, false association, sexual intimidation, and reputational destruction have been tools of repression against activists and defenders for as long as there have been activists and defenders.
What is new is the scale, the cost, and the legal structure around it.
Previously, fabricating convincing visual evidence of a specific person required resources, technical skill, and left traces that could sometimes be identified and refuted. Muse Image makes it available to anyone with a Meta Advantage+ account and a few seconds. The images are generated from real photos of the real person, making them harder to identify as fabricated. The content seal Meta introduced is a machine-readable watermark invisible to the human eye. Someone looking at a generated image cannot see that it is AI-made unless they run it through a technical detection tool.
Although the consumer-facing feature has been discontinued, Meta's policy of not notifying users when their content is used to generate AI images was never limited to that feature alone. For images generated during the four days the tool was active, there remains no mechanism for the person depicted to know they exist, find them, or have them removed. For images generated through the Advantage+ business integration that continues to operate, the same absence of notification applies. There is no monitoring system, no alert, no mechanism for a person to know that images of them are being created and circulated. The burden of discovery falls entirely on the person being depicted.
And because AI-generated images occupy an unresolved space in copyright law, with no clear rights holder in most jurisdictions, there is currently no straightforward legal basis for demanding their removal even when they are discovered.
The infrastructure enables a form of violation that is systematic, scalable, cheap, and in most of the world, entirely legal. And it lands hardest on the people who already carry the most risk. Women human rights defenders. LGBTQI+ activists in criminalizing contexts. Environmental defenders whose governments are already surveilling them. Dalit and caste-marginalized activists whose communities are targets of coordinated disinformation. People for whom the fabrication of incriminating or humiliating images is not an abstract concern but a live threat from actors who are already motivated and already organized.
These may not be the users Meta imagined when it designed Muse Image. The gap between the user Meta imagined and the users most exposed by what it built is the gap that can cost human rights defenders everything.
Part Six: The Consolidation
It is important to be precise about what is new here and what is not.
The individual harms described above, deepfakes, fabricated evidence, reputational attacks, surveillance of activists, have existed in various forms before Muse Image. What is new is not the category of harm but the infrastructure underneath it.
Three billion people use Meta's platforms. The majority of them are in the Global South. India alone has 500 million WhatsApp users. For many of these users, Meta's platforms are not optional additions to a diverse digital life. They are the primary infrastructure through which they communicate, organize, access information, and build community. Leaving Meta is not a realistic option for most of them because leaving would mean losing access to the networks that constitute their social and professional existence.
Within this captive user base, Meta has now connected the following data streams under a single consolidating identity system.
Seventeen years of ideological and social history from Facebook. Visual identity, location patterns, and attention data from Instagram. Private communications and intimate social graphs from WhatsApp. Biometric and behavioral data from Oculus VR headsets. Pre-conscious neuromuscular signals from the Meta Neural Band. Browsing and purchasing behavior from across the internet via the Meta Pixel. And now, through Muse Image, the generative capacity to produce new synthetic content of any public user in any context, using their own photos as source material, without their knowledge or consent.
This is not a privacy problem in the conventional sense. Privacy problems involve unauthorized access to data that should be protected. What Meta has built involves data that users have, in various senses, made available, through platform use, through public posting, through living in a world where Meta's infrastructure is embedded in most of the commercial internet.
The problem is not unauthorized access. It is the architectural consolidation of data streams that users reasonably understood to be separate, combined with the deployment of generative AI that transforms static data into dynamic synthetic content, combined with a legal and governance framework that has not caught up to what this combination makes possible.
The memo from May 2025 matters in this context not just because of what it reveals about Meta's intentions regarding facial recognition. It matters because of what it reveals about Meta's understanding of its own situation. The company knew that what it was building would face opposition from civil society. It knew specifically which civil society organizations would object. And its documented strategy was to time the rollout to coincide with moments of maximum distraction and minimum capacity to fight back.
That is not a company that believes it is building something the public would endorse if they understood it. That is a company that has made a calculation about the cost of public understanding versus the benefit of moving fast.
Part Seven: The Governance Gap
The EU AI Act, which came into force in 2024, prohibits real-time biometric surveillance in public spaces with narrow law enforcement exceptions. It requires visible labeling of AI-generated content under Article 50, with deployer obligations taking effect August 2, 2026. Meta's Content Seal is machine-readable but invisible to the human eye, which sits on the wrong side of that line. The EU's enforcement of these provisions against Meta will be the first meaningful legal test of whether the Act's protections have any practical reach.
Outside the EU, the protections are substantially weaker or nonexistent. Most countries in Sub-Saharan Africa, Southeast Asia, and Latin America have no specific legal framework addressing AI-generated images of private individuals. The communities most exposed by the architecture described in this piece are the communities with the least legal recourse against it.
This is not coincidental. Meta's Pixel covertly tracked Android users in ways that bypassed privacy controls. The company knew. The feature existed. It was removed when publicly exposed. The facial recognition code shipped to millions of glasses before civil society had capacity to respond, and was removed within 48 hours of being publicly caught, with no explanation and no commitment not to try again. The Muse Image opt-out was buried four menu levels deep at launch. Each of these decisions reflects the same orientation: deploy broadly, capture the network effect, respond to specific challenges when they arrive, pay the fines if necessary.
Meta paid a then-record 5 billion dollar FTC fine in 2019 over Cambridge Analytica. It paid 725 million dollars to settle the class action lawsuit in 2022. It paid 1.4 billion dollars to settle the Texas facial recognition lawsuit in 2024. These fines have not materially altered the trajectory of what the company builds or how it deploys it. They are, in the calculus of a company with a market capitalization exceeding 1.5 trillion dollars, the cost of doing business.
The governance frameworks that exist are national and regional. The infrastructure being described is global. The communities most at risk are the ones least represented in the rooms where these frameworks are designed. The result is a structural gap between the architecture of harm and the architecture of protection that is not closing. It is widening.
Conclusion: What Was Written Down
In May 2025, a Meta employee wrote that the company planned to launch a potentially harmful technology while the people who would oppose it were too distracted to fight back.
That sentence should be read carefully.
None of this happened suddenly. Each piece was built deliberately, acquired strategically, and connected systematically over the course of nearly two decades. The architecture is not the result of feature creep or unintended consequences. It is the result of a company that understood from very early on that data at scale is power at scale, and built accordingly.
The people most exposed by this architecture are not the users Meta designed for. They are the activists, defenders, organizers, and community members for whom the platforms they use are not optional, for whom visibility is simultaneously necessary for their work and dangerous for their safety, and for whom the fabrication of incriminating or humiliating synthetic content is not an abstract risk but a tool already being used by the actors who want them silenced.
They did not consent to be part of this architecture. In most cases they were not told they were part of it. And in the jurisdictions where they live and work, there is currently no legal framework that gives them meaningful recourse.
The memo said the plan was to launch while no one was paying attention.
This piece is a call for all of us to pay attention.