Personalized Privacy Protection Mask Against Unauthorized Facial Recognition

Chameleon performs preprocessing of the user’s photos before sharing them online by applying the user-specific P3-Mask. This mask is generated offline for a Chameleon user. Figure 2 provides an overview of Chameleon’s workflow.

Offline Learning Phase. Chameleon learns the unique facial signature of a user from a few facial images of her using the P3-Mask generator (Section 4), as shown in Figure 2 ①. P3-Mask is designed to apply directly to any facial images of the same user, including those unseen during offline learning, and is robust against lossy image processing operations in an end-to-end ML system without compromising the image quality. We use a focal diversity-optimized ensemble learning method to find a team of FR models such that the P3-Mask generated against them has strong robustness and is effective in countering other FR models that are unknown during offline learning.

Online Protection Phase. After the offline learning, ② the P3-Mask can be sent to the user’s local device (e.g., the mobile phone). For a photo of the user to be protected, ③ a lightweight face detection model, such as MediaPipe [23], can be used by the Chameleon user running on the user’s device to locate the face region and ④ instantly protect it with the P3-Mask before the user shares it online ⑤. The user can also authorize some trusted entities to conduct FR on their shared photos protected with P3-Mask. The user-specific de-obfuscation key ⑥ allows the protected photos to be restored for authorized FR.

The cross-image protection capability comes from iterative learning on a set of training images the user provides. The idea is to keep fine-tuning the P3-Mask so that it can offer protection simultaneously to training images while preserving image quality. At the $t$-th iteration, it samples a mini-batch $\boldsymbol{\mathcal{B}}$ from the training dataset $\boldsymbol{\Omega}$ containing photos of user $\mathcal{P}$. Then, we find the modification to the P3-Mask that can lead to better protection on each image in the mini-batch with better visual quality with the following operations:

$$\small\boldsymbol{\mathcal{M}}_{\mathcal{P}}^{t+1}=\textsc{ Clip}_{[-\epsilon,\epsilon]}(\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}}-\eta\textsc{Sign}(\frac{1}{|\boldsymbol{\mathcal{B}}|}\sum_{\mathcal{X}\in\boldsymbol{\mathcal{B}}}\nabla_{\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}}}\mathcal{L}(\mathcal{X},\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}};\boldsymbol{\mathcal{T}},\omega))).$$

(2)

Specifically, for each image $\mathcal{X}\in\boldsymbol{\mathcal{B}}$, we use the P3-Mask learned up to the current iteration, $\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}}$, to protect it and compute the loss designed with dual goals:

$$\small\mathcal{L}(\mathcal{X},\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}};\boldsymbol{\mathcal{T}},\omega)=\mathcal{L}_{\text{Protect}}(\mathcal{X},\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}};\boldsymbol{\mathcal{T}})+\mathcal{L}_{\text{Percept}}(\mathcal{X},\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}};\omega).$$

(3)

It uses $\mathcal{L}_{\text{Protect}}$ to learn how to adjust the P3-Mask $\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}}$ from the previous iteration to better protect against a team of pre-selected FR models $\boldsymbol{\mathcal{T}}$ and $\mathcal{L}_{\text{Percept}}$ to preserve the image quality controlled by $\omega$. We use the Sign of the gradients to update the P3-Mask with a learning rate $\eta$. A clipping function $\textsc{Clip}_{[-\epsilon,\epsilon]}$ is applied to ensure the changes made by the P3-Mask on the facial image are bounded by $\epsilon$. Such cross-image protection is not limited to those in the training dataset $\boldsymbol{\Omega}$ but also unseen images of the same user. We next discuss the design of $\mathcal{L}_{\text{Protect}}$, and $\mathcal{L}_{\text{Percept}}$ will be detailed in Section 4.2.

For privacy protection, P3-Mask maximizes the distance between the protected and unprotected images in the embedding spaces of a team $\boldsymbol{\mathcal{T}}$ of pre-selected FR models. We incorporate image processing operations into the optimization to avoid those lossy operations degrading P3-Mask’s protection. Consider the raw training image $\mathcal{X}$ in the mini-batch in Figure 3.

We first conduct face detection to produce the cropped face $\mathcal{FD}(\mathcal{X})$. Quantization and resizing are executed on the P3-Mask to match the resolution of the cropped face, denoted by $\mathcal{QR}(\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}})$. Then, we can apply the mask to the face for protection:

$$\small\Theta(\mathcal{X};\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}})=\Psi(\textsc{Clip}_{[0,255]}(\mathcal{FD}(\mathcal{X})-\mathcal{QR}(\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}}))),$$

(4)

where $\Psi$ is a padding and resizing function to meet the input resolution requirement of an FR model (e.g., $(112\times 112)$ in ArcFace [17]). Note that to simplify the notation, we removed certain arguments without causing confusion.

The protection optimization in P3-Mask maximizes the average arccosine distance [17], ArcCos, between the embedding of the protected face $F(\Theta(\mathcal{X};\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}}))$ and the embedding of its unprotected counterpart $F(\Psi(\mathcal{FD}(\mathcal{X})))$ extracted by every FR model $F\in\boldsymbol{\mathcal{T}}$ in the team:

$$\small\mathcal{L}_{\text{Protect}}(\mathcal{X},\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}};\boldsymbol{\mathcal{T}})=\frac{-1}{|\boldsymbol{\mathcal{T}}|}\sum_{F\in\boldsymbol{\mathcal{T}}}\textsc{ArcCos}(F(\Psi(\mathcal{FD}(\mathcal{X}))),F(\Theta(\mathcal{X};\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}}))).$$

(5)

Preserving the visual quality of the facial image is necessary to maintain the usability of the protected image in practice. Hence, we incorporate a perceptibility optimization term in Equation 3. The idea is to minimize the perceptual difference between unprotected and protected images while learning a user’s facial signature, such that removing the facial signature from a given facial image will have minimal impact on the visual quality of the protected version of the original image. We use the structural similarity (SSIM) [35] to capture perceptual differences, as it has been shown to align with the human perception system:

$$\small\mathcal{L}_{\text{Percept}}(\mathcal{X},\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}};\omega)=\lambda_{\text{SSIM}}\max\bigg{[}\frac{1-\textsc{SSIM}(\Psi(\mathcal{FD}(\mathcal{X})),\Theta(\mathcal{X};\boldsymbol{\mathcal{M}}^{t}_{\mathcal{P}}))}{2}-\omega,0\bigg{]}.$$

(6)

The parameters, $\omega$ and $\lambda_{\text{SSIM}}$, enable two features. $\omega$ controls the SSIM degradation. Any SSIM degradation greater than $2\omega$ will cause the term to be non-zero, making the optimization adjust the P3-Mask reducing its impact on image quality. $\lambda_{\text{SSIM}}$ balances the importance of privacy protection and perceptibility. We use dynamic scheduling [31] such that it will be adjusted automatically.

For each original image and its protected version by removing the facial signature learned up to the current iteration, we use two FR models in Figure 3 to generate two embeddings, which serve as alternative channels to learn a high-quality facial signature. Choosing FR models that best complement each other can achieve better protection than randomly selected FR models. We use an ensemble optimization method to select the best $k$-model ensemble among a pool of $N$ FR models. The key idea is to find an ensemble with members making decorrelated mistakes. To quantify this behavior, we leverage the focal diversity framework [37, 14, 13]. As shown in Figure 5, the higher the focal diversity of the ensemble (a green dot), the stronger the P3-Mask will be in protecting against other FR models not used during the P3-Mask generation process.

Given a collection of $N$ FR models $\{F_{1},...,F_{N}\}$, we first identify the negative samples for each FR model $F$ by locating validation images that $F$ fails to recognize their true identity. To rank ensembles of size $S$, we enumerate all ${N\choose S}$ combinations. For each combination (ensemble) $\boldsymbol{\mathcal{T}}$, we consider each member to be the focal model $F_{\text{focal}}$ and use its negative samples to statistically estimate the level of negative correlation $\lambda_{\text{focal}}(\boldsymbol{\mathcal{T}};F_{\text{focal}})$ between $F_{\text{focal}}$ and the remaining models in $\boldsymbol{\mathcal{T}}$, computed by measuring the degree of disagreements using the generalized non-pairwise measure [27]. The same procedure is repeated by considering each member in the ensemble as the focal model, and the focal diversity of the ensemble $\boldsymbol{\mathcal{T}}$ is finalized as $d_{\text{focal}}(\boldsymbol{\mathcal{T}})=\frac{1}{S}\sum_{F_{\text{focal}}\in{\boldsymbol{\mathcal{T}}}}[1-\lambda_{\text{focal}}(\boldsymbol{\mathcal{T}};F_{\text{focal}})]$. Given a team size $S$, the ensemble with the highest focal diversity can be deployed. As shown in Figure 5, the selected two-model team (green bar) is indeed the one leading to the strongest protection among all $28$ options, which is over $20\%$ stronger than a randomly selected ensemble (red bar). Note that we only need to analyze the failures of individual FR models, which is significantly more efficient than generating P3-Mask for each option and conducting evaluation.

Table 3 shows the personalized mask for seven users on FaceScrub (other users are available in the appendix). Different users have distinct facial signatures (P3-Mask) learned by Chameleon. We apply these masks to their respective gallery images and test the FR accuracy using probe images. All probe images can be correctly identified when no protection mechanism is used. Under Chameleon, the probe images should be matched to an incorrect identity, resulting in a low FR accuracy. Hence, we define an evaluation metric, Protection Success Rate (PSR), to be $(100-\textsc{FR Accuacy})$ reported in percentages.

Chameleon can protect against unknown FR models. We compare the cross-model protection of Chameleon with OPOM [40], the only anti-FR approach generating one privacy protection mask for each person as Chameleon, and both TIP-IM [39] and Fawkes [31], which conduct per-image optimization. For a fair comparison, all methods are set with the same perturbation budget. Figure 6 summarizes the results on both datasets.

All five FR models are $\underline{\emph{unknown}}$ to both protection mechanisms. We make two observations. First, Chameleon consistently outperforms OPOM by a large margin. We found that OPOM masks do not transfer well, especially considering the end-to-end ML pipeline. Its PSR can drop by $33\%$ because of those lossy operations. Second, Chameleon can be as competitive as those methods conducting per-image optimization. TIP-IM and Fawkes spend minutes to optimize the protection for each image. Still, Chameleon outperforms them and can be applied instantly.

Table 4 reports the detailed PSR for each user Chameleon achieves when the privacy intruder uses different FR models ($2$nd to $9$th columns).

We make two observations. First, when the privacy intruder uses an FR model known to the generation process, a PSR of $100\%$ can be consistently achieved ($2$nd to $3$rd columns). Second, Chameleon can protect against unknown FR models ($4$th to $9$th columns). Even when the FR model used by the intruder is trained on a different dataset (i.e., RN50-VF and RN50-WF) or with a different neural architecture (i.e., RN18-MC, RN34-MC, and RN100-MC) than any FR models known by Chameleon, it still provides a PSR over $90.65\%$, meaning that facial images of a user are matched to gallery images of a different person. To demonstrate such a mismatch, in Table 5, we show the probe images from two users and their most similar gallery images found by four unknown FR models with two settings: (i) the “Unprotected" scenario where no one employs protection and (ii) the “Chameleon" scenario where the intruder scraped photos protected by our solution. Taking M. Baccarin as an example, the most similar gallery images found in the unprotected scenario belong to her. In contrast, when Chameleon is used, the same probe image is misidentified, e.g., as L. Hartley by RN50-MC.

Chameleon allows users to grant FR permission to trusted third parties by sharing their P3-Mask to de-obfuscate the protected image. There is no need to transmit and store an unprotected photo for internal use and a protected one for public visibility, doubling network and storage costs. Table 6 shows the results in FR accuracy.

First, using the correct mask (i.e., the one used to protect the images) to reverse the protection can restore FR accuracy. Taking M. Baccarin as an example, the FR accuracy increases from $6.82\%$ before unmasking (b) to $100\%$ after unmasking (c). Second, using an incorrect mask for unmasking cannot restore the FR accuracy and can lead to even worse performance. It drops from $6.82\%$ to $1.14\%$ after unmasking (d).

Speed and Resources. Figure 7 compares Chameleon with OPOM, TIP-IM, and Fawkes regarding the protection time per face, compute, and storage costs.

Chameleon and OPOM produce masks that are applicable to any facial image of the same user. The protection can be completed in $0.0076$ seconds. Note that Chameleon is significantly more effective than OPOM, as described in Figure 6. Instead, TIP-IM and Fawkes require per-image optimization and take $105.12$ seconds to complete the protection with GPUs for acceleration and storage for FR models. Chameleon only needs to conduct simple arithmetic operations. Only the P3-Mask needs to be stored on the user device. Hence, it can be deployed with instant protection even on an edge device with weak computing power.

Image Quality. Chameleon can well preserve image quality. Table 8 provides two examples for four users, contrasting the facial images with no protection ($3$rd and $5$th columns) with the ones with their facial signature removed by Chameleon ($4$th and $6$th columns).

They capture different variations of facial images: M. Baccarin’s images have different lighting conditions, B. Cooper’s have different face sizes, E. Longoria’s have different postures, and G. Bulter’s have different expressions. The protected images are visually similar to the unprotected counterparts, but they will not be matched to the clean images of the corresponding person. Indeed, Chameleon can generate higher-quality images than existing methods. As reported in Table 8, Chameleon not only offers better protection (Figure 6) with a similar cost (Figure 7) as OPOM but also achieves much better image quality measured in SSIM ($0.9493$ vs $0.8839$).

Chameleon automatically selects a high-quality team for deployment with a specified budget. Table 9 compares the detailed PSR using the most diverse and the least diverse teams with (a) two and (b) three models.

In both cases, the most diverse team outperforms the least diverse one, which is only effective when the privacy intruder uses the FR model known in the team. The selection of high-quality teams is non-trivial because we observe that composing a team of FR models with the highest FR accuracy is not always a good option, and a team of models having different neural architectures is not always the top priority [13].

In Figure 8, we further show that the P3-Mask generated from a carefully-chosen team can protect against FR models of unknown algorithms. Specifically, we consider the most and the least diverse three-model teams in Table 9(b). Even though both teams include only FR models based on ArcFace [17], the most diverse one can effectively protect against FR models based on FaceNet [30] or MagFace [24]. The protection effectiveness can be further strengthened by incorporating more FR models into the collection.

An adaptive adversary may run Chameleon to produce the P3-Mask for each person and de-obfuscate their photos. When probe images need to be identified, they will be matched against a “clean" face database. However, it is infeasible, as we show in Section 6.2, that the FR accuracy can only be restored when the masks used for obfuscation and de-obfuscation are identical. It is impossible to reproduce the same P3-Mask used by the user because it requires the same set of clean images and random states.

Alternatively, an adaptive adversary may wash out patterns introduced by Chameleon before performing FR. We consider three popular lightweight and task-agnostic methods studied in the adversarial example domain [18] in Figure 9, including (a) JPEG compression [15], (b) Gaussian Filter, and (d) Median Filter [38]. The results show that their effectiveness is limited on Chameleon. The consideration of the end-to-end ML pipeline increases the robustness of P3-Mask.