Adversarial Image Perturbation for Privacy Protection -- A Game Theory Perspective
Seong Joon Oh, Mario Fritz, Bernt Schiele

TL;DR
This paper introduces a game theory framework to analyze the effectiveness of adversarial image perturbations for privacy protection, providing strategies that guarantee limited recognition regardless of countermeasures.
Contribution
It develops a novel game theoretical model for user-recognizer interactions and derives optimal user strategies against recognition systems.
Findings
Optimal user strategy bounds recognition rate
Framework applies to state-of-the-art AIP and recognition techniques
Code implementation available online
Abstract
Users like sharing personal photos with others through social media. At the same time, they might want to make automatic identification in such photos difficult or even impossible. Classic obfuscation methods such as blurring are not only unpleasant but also not as effective as one would expect. Recent studies on adversarial image perturbations (AIP) suggest that it is possible to confuse recognition systems effectively without unpleasant artifacts. However, in the presence of counter measures against AIPs, it is unclear how effective AIP would be in particular when the choice of counter measure is unknown. Game theory provides tools for studying the interaction between agents with uncertainties in the strategies. We introduce a general game theoretical framework for the user-recogniser dynamics, and present a case study that involves current state of the art AIP and person recognition…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Wireless Communication Security Techniques · Chaos-based Image/Signal Encryption
