← Back to Blog
Research

Open Questions: What Should a Camera Never See?

Published 21 April 2026 · 7 min read

Coming soon — join the waitlist

Quick answer. Five hard problems: strict refusal of facial recognition even under user pressure, bystander consent in ambient AR, recovering from misidentification without harm, age and biometric recognition limits, and defining ‘always-on’ boundaries for AR glasses. None of these have final answers; we are drafting in public.

Why these are hard

A camera that understands the world is a surveillance primitive by default. Turning it into a service-discovery primitive without turning it into a surveillance tool requires thought about where the lines are. These are the ones we keep coming back to.

1. Facial recognition — strict refusal

The lens must never identify people. Even if a user wants it to. Even if the person in frame is a public figure. The model is trained to refuse face outputs and to blur face-shaped regions in embeddings. This is a product commitment, not a consent setting.

Open question: how do we handle "the user points at a street sign and a passer-by walks in frame"? We think on-device face-blurring at the encoder stage is the right answer but want to hear from researchers who have looked at this.

2. Bystander consent in ambient AR

A user wearing AR glasses walks down a street. The lens is ambient. Bystanders did not consent to any recording. What is the right default?

Current thinking: in ambient AR mode, no category recognition runs against living subjects. Recognition is restricted to objects, signage, buildings, products. A distinct explicit-user-gesture enables broader recognition and is logged on-device.

Open question: jurisdictions vary on recording rights in public spaces. We would like an opinion from privacy lawyers in the UK, EU, US, Brazil, India and China.

3. Misidentification harm

The lens thinks a medication is a different medication and suggests a contraindication warning. The lens reads a shop sign incorrectly and offers a wrong delivery. Low-stakes misidentifications are an annoyance; high-stakes ones could hurt people.

Current thinking: every action surface shows the user what the lens saw before committing. High-stakes categories (medication, medical imagery, legal documents) require explicit text match confirmation, not just image recognition.

Open question: how to handle the tail — categories we didn’t categorise as high-stakes but turn out to be. Post-launch monitoring matters here.

4. Age and biometric inference

Even without facial recognition, vision models pick up age, body type, and other attributes. These are features we do not want.

Current thinking: the model is trained to refuse age / gender / body-type outputs. We are testing adversarial evaluation suites to verify the refusals hold.

Open question: standards for this. The EU AI Act’s prohibitions on emotion recognition in workplace and education (Article 5) are a start, but the full shape of permitted-vs-prohibited inference is still being interpreted.

5. Always-on boundaries for AR

AR glasses are the natural form factor. "Always on" is the natural default. That combination is the reason GeraLens could become a surveillance tool rather than a service tool.

Current thinking: ambient mode runs without category inference by default. A visible indicator (on the glasses, to bystanders) shows when recognition is active.

Open question: is a visible indicator enough? Google Glass learned this was not. We are looking at AR design norms emerging through 2026-2028.

6. Transparency — what did the lens see

Users should be able to ask the lens, in plain language, "what did you see a minute ago?" and get a readable answer. Not telemetry — an actual human-readable log.

Related reading

GeraMind’s per- query consent model informs our thinking on lens consent. GeraNexus’s audit-trail design informs our thinking on lens logging.

How to help

Privacy researchers, vision-safety researchers, lawyers — waitlist, or research at geralens dot com.

Help us design ambient discovery.

Join the waitlist