On the (Im)Practicality of Adversarial Perturbation for Image Privacy

Rajabi, Arezoo; Bobba, Rakesh B.; Rosulek, Mike; Wright, Charles V.; Feng, Wu-chi

doi:10.2478/popets-2021-0006

Cited by 29 publications

(32 citation statements)

References 55 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Of particular interest are works by Gao et al [20] and Cherepanova et al [12] that develop transferable adversarial examples by optimizing in the metric space of facial recognition networks and study how much distortion individuals are willing to accept in their photos. In addition, Rajabi et al [47] and Oh et al [43] develop new approaches for generating adversarial examples against facial recognition that do not rely on the "standard" methods from [10,40] and show that they are robust even in the face of countermeasures.…”

Section: Adversarial Examples and Face Recognitionmentioning

confidence: 99%

FoggySight: A Scheme for Facial Lookup Privacy

Evtimov

Sturmfels

Kohno

2021

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Advances in deep learning algorithms have enabled better-than-human performance on face recognition tasks. In parallel, private companies have been scraping social media and other public websites that tie photos to identities and have built up large databases of labeled face images. Searches in these databases are now being offered as a service to law enforcement and others and carry a multitude of privacy risks for social media users. In this work, we tackle the problem of providing privacy from such face recognition systems. We propose and evaluate FoggySight, a solution that applies lessons learned from the adversarial examples literature to modify facial photos in a privacy-preserving manner before they are uploaded to social media. FoggySight’s core feature is a community protection strategy where users acting as protectors of privacy for others upload decoy photos generated by adversarial machine learning algorithms. We explore different settings for this scheme and find that it does enable protection of facial privacy – including against a facial recognition service with unknown internals.

show abstract

Section: Adversarial Examples and Face Recognitionmentioning

confidence: 99%

FoggySight: A Scheme for Facial Lookup Privacy

Evtimov

Sturmfels

Kohno

2021

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…The game dynamics change if the user can use adversarial examples to evade the model [53,46,54,13,8,41,38,9,1]. Such evasion attacks favor the attacker: the defender must first commit to a defense and the attacker can then adapt their strategy accordingly [55].…”

Section: Poisoning Attack Gamesmentioning

confidence: 99%

“…A growing body of research explores how tools from adversarial machine learning can help users fight back [46,38,54,26,45,12,13,64,66,25,7,41,1]. We revisit a recently proposed approach where users perturb the pictures they post online, in order to poison facial recognition models into misidentifying unperturbed pictures (e.g., a picture taken by a stalker or by the police).…”

Section: Introductionmentioning

confidence: 99%

Data Poisoning Won't Save You From Facial Recognition

Radiya-Dixit¹,

Hong²,

Carlini³

et al. 2021

Preprint

View full text Add to dashboard Cite

Data poisoning has been proposed as a compelling defense against facial recognition models trained on Web-scraped pictures. By perturbing the images they post online, users can fool models into misclassifying future (unperturbed) pictures. We demonstrate that this strategy provides a false sense of security, as it ignores an inherent asymmetry between the parties: users' pictures are perturbed once and for all before being published (at which point they are scraped) and must thereafter fool all future models-including models trained adaptively against the users' past attacks, or models that use technologies discovered after the attack. We evaluate two systems for poisoning attacks against large-scale facial recognition, Fawkes (500,000+ downloads) and LowKey. We demonstrate how an "oblivious" model trainer can simply wait for future developments in computer vision to nullify the protection of pictures collected in the past. We further show that an adversary with black-box access to the attack can (i) train a robust model that resists the perturbations of collected pictures and (ii) detect poisoned pictures uploaded online. We caution that facial recognition poisoning will not admit an "arms race" between attackers and defenders. Once perturbed pictures are scraped, the attack cannot be changed so any future successful defense irrevocably undermines users' privacy.Preprint. Under review.

show abstract

“…Similar ideas of using grayscale transformation have also used in [17,37] Privacy Protection. In addition to data poisoning approaches that can be used to make user data unexploitable during training [7,13,30,31], approaches based on adversarial machine learning have also been developed to protect privacy by misleading the machines during test time, for in-stance, in person-related recognition [22,23,25] and social media mining [18,20]. Privacy attributes in images were analyzed in depth by [24,27].…”

Section: Related Workmentioning

confidence: 99%

Going Grayscale: The Road to Understanding and Improving Unlearnable Examples

Liu

Zhao

Kolmus

et al. 2021

Preprint

View full text Add to dashboard Cite

Recent work has shown that imperceptible perturbations can be applied to craft unlearnable examples (ULEs), i.e. images whose content cannot be used to improve a classifier during training. In this paper, we reveal the road that researchers should follow for understanding ULEs and improving ULEs as they were originally formulated (ULEOs). The paper makes four contributions. First, we show that ULEOs exploit color and, consequently, their effects can be mitigated by simple grayscale pre-filtering, without resorting to adversarial training. Second, we propose an extension to ULEOs, which is called ULEO-GrayAugs, that forces the generated ULEs away from channel-wise color perturbations by making use of grayscale knowledge and data augmentations during optimization. Third, we show that ULEOs generated using Multi-Layer Perceptrons (MLPs) are effective in the case of complex Convolutional Neural Network (CNN) classifiers, suggesting that CNNs suffer specific vulnerability to ULEs. Fourth, we demonstrate that when a classifier is trained on ULEOs, adversarial training will prevent a drop in accuracy measured both on clean images and on adversarial images. Taken together, our contributions represent a substantial advance in the state of art of unlearnable examples, but also reveal important characteristics of their behavior that must be better understood in order to achieve further improvements. Code is available at https://github.com/liuzrcc/ULE-GrayAug.

show abstract

On the (Im)Practicality of Adversarial Perturbation for Image Privacy

Cited by 29 publications

References 55 publications

FoggySight: A Scheme for Facial Lookup Privacy

FoggySight: A Scheme for Facial Lookup Privacy

Data Poisoning Won't Save You From Facial Recognition

Going Grayscale: The Road to Understanding and Improving Unlearnable Examples

Contact Info

Product

Resources

About