FlowSAN: Privacy-enhancing Semi-Adversarial Networks to Confound Arbitrary Face-based Gender Classifiers
Vahid Mirjalili, Sebastian Raschka, Arun Ross

TL;DR
FlowSAN enhances privacy in face images by enabling semi-adversarial networks to confound various gender classifiers while preserving face recognition, using model diversity for better generalization.
Contribution
This work introduces FlowSAN, a novel approach that combines multiple SAN models to improve generalization across unseen gender classifiers.
Findings
Effective confounding of unseen gender classifiers
Improved privacy preservation in face recognition tasks
Robustness achieved through model diversity
Abstract
Privacy concerns in the modern digital age have prompted researchers to develop techniques that allow users to selectively suppress certain information in collected data while allowing for other information to be extracted. In this regard, Semi-Adversarial Networks (SAN) have recently emerged as a method for imparting soft-biometric privacy to face images. SAN enables modifications of input face images so that the resulting face images can still be reliably used by arbitrary conventional face matchers for recognition purposes, while attribute classifiers, such as gender classifiers, are confounded. However, the generalizability of SANs across arbitrary gender classifiers has remained an open concern. In this work, we propose a new method, FlowSAN, for allowing SANs to generalize to multiple unseen gender classifiers. We propose combining a diverse set of SAN models to compensate each…
| Authors | Domain | Proposed Method | Transferable | Generalizable | Matching Performance |
|---|---|---|---|---|---|
| Othman and Ross [23] | Face images | Mixing faces of opposite gender | Yes | Yes | Severely degraded |
| Sim and Li [10] | Face images | Multimodal Discriminant Analysis | Yes | Yes | Severely degraded |
| Mirjalili et al. [24] | Face images | Adversarial perturbations | No | No | Mostly retained |
| Mirjalili et al. [44] | Face images | Semi-Adversarial Networks | Yes | No | Mostly retained |
| Chhabra et al. [9] | Face images | Adversarial perturbations | No | No | Mostly retained |
| Mirjalili et al. [45] | Face images | Ensemble of SAN models | Yes | Yes | Mostly retained |
| Morales et al. [8] | Face representations | SensitiveNet | Yes | Yes | Mostly retained |
| Terhörst et al. [13] | Face representations | Noise transformation | Yes | Yes | Mostly retained |
| Dataset | #male | #female | Usage |
|---|---|---|---|
| CelebA-train | 73,549 | 103,772 | a, b |
| CelebA-test | 7,929 | 11,511 | c |
| MORPH-train | 41,587 | 7,567 | d |
| MORPH-test | 4,643 | 863 | c |
| LFW | 10,064 | 2,905 | d |
| MUCT | 1,844 | 1,910 | c |
| RaFD | 1,008 | 600 | c |
| Gender: | Matching: | |||
| EER | TMR at | |||
| FMR=0.1% | ||||
| Orig. | 10% | 76.3% | ||
| Ref [23] | 46% | 9.1% | ||
| Ens-Avg | 23% | 40% | 64.9% | 48.1% |
| Ens-Gibbs | 29% | 31% | 65.2% | 65.6% |
| Ens-Best | 48% | 57% | – | – |
| FlowSAN | 49% | 64% | 61.9% | 35.4% |
| Gender | Orig. | Ref. [23] | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Classifier | Ens-Avg | Ens-Gibbs | Ens-Best | FlowSAN | Ens-Avg | Ens-Gibbs | Ens-Best | FlowSAN | ||
| G-COTS | 0.13 | 0.48 | 0.05 | 0.18 | 0.30 | 0.40 | 0.17 | 0.18 | 0.35 | 0.71 |
| IntraFace | 0.10 | 0.46 | 0.23 | 0.38 | 0.61 | 0.65 | 0.47 | 0.41 | 0.71 | 0.80 |
| AFFACT | 0.09 | 0.46 | 0.26 | 0.28 | 0.44 | 0.38 | 0.36 | 0.32 | 0.58 | 0.45 |
| CNN-1 | 0.10 | 0.46 | 0.38 | 0.36 | 0.62 | 0.53 | 0.55 | 0.38 | 0.74 | 0.75 |
| CNN-2 | 0.12 | 0.47 | 0.23 | 0.23 | 0.35 | 0.48 | 0.45 | 0.25 | 0.38 | 0.59 |
| CNN-3 | 0.05 | 0.46 | 0.23 | 0.30 | 0.53 | 0.51 | 0.39 | 0.32 | 0.65 | 0.57 |
| Average | 0.10 | 0.46 | 0.23 | 0.29 | 0.48 | 0.49 | 0.40 | 0.31 | 0.57 | 0.64 |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsBiometric Identification and Security · Face recognition and analysis · Digital Media Forensic Detection
FlowSAN: Privacy-enhancing Semi-Adversarial Networks to Confound Arbitrary Face-based Gender Classifiers
Vahid Mirjalili, Sebastian Raschka, and Arun Ross V. Mirjalili and A. Ross are with the Department of Computer Science and Engineering, Michigan State University, East Lansing, MI, 48824.
E-mail: {mirjalil,rossarun}@cse.msu.edu S. Raschka is with the Department of Statistics, University of Wisconsin – Madison, Madison, Wisconsin.
E-mail: [email protected]
Abstract
Privacy concerns in the modern digital age have prompted researchers to develop techniques that allow users to selectively suppress certain information in collected data while allowing for other information to be extracted. In this regard, Semi-Adversarial Networks (SAN) have recently emerged as a method for imparting soft-biometric privacy to face images. SAN enables modifications of input face images so that the resulting face images can still be reliably used by arbitrary conventional face matchers for recognition purposes, while attribute classifiers, such as gender classifiers, are confounded. However, the generalizability of SANs across arbitrary gender classifiers has remained an open concern. In this work, we propose a new method, FlowSAN, for allowing SANs to generalize to multiple unseen gender classifiers. We propose combining a diverse set of SAN models to compensate each other’s weaknesses, thereby, forming a robust model with improved generalization capability. Extensive experiments using different unseen gender classifiers and face matchers demonstrate the efficacy of the proposed paradigm in imparting gender privacy to face images.
Index Terms:
Biometrics, Face Image, Semi-Adversarial Networks, SAN, Gender, Privacy, Adversarial, Deep Learning.
1 Introduction
Face images of individuals contain valuable information unique to themselves that facilitates biometric face recognition. In addition, other auxiliary information such as age, gender, and race, which are called soft-biometrics, can also be extracted from face images using machine learning techniques [1, 2, 3]. Face recognition involves comparing features extracted from a pair of face images, using a face matcher, to determine their degree of similarity [1, 4]. The increasing use of face recognition in various applications has brought the issue of data privacy to the forefront [5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18]. While extracting soft-biometric information can be useful in many applications [19], we should note that such information can be abused in several ways, such as profiling users, targeted advertisement, and increasing the risk of linkage attacks [20]. Furthermore, extracting this information without the users’ consent may be viewed as a violation of their privacy. One aspect of privacy involves granting users the right to determine which personal information to reveal and which to conceal [21, 22]. In this regard, soft-biometric privacy was introduced as a means for preserving the biometric utility of face images, while confounding soft-biometric information, such as gender characteristics [23, 24].
Recently, European Union’s General Data Protection Regulation (GDPR) [25] has come to effect. One of its goals is to protect the data collected from European users and to regulate its usage. To this effect, it enforces any entity (individual or group) collecting data from European users to disclose the type-of-data collected, the intended usage, and the data-processing techniques that will be used. Accordingly, GDPR prohibits any processing of individuals’ information beyond the stated purpose at the time of data collection. For example, consider a scenario where users of an application or service can optionally withhold their gender information; however, such information could still be extracted automatically from their biometric data [26, 27, 28, 29, 30, 31, 32, 33, 34].
In the context of GDPR, biometric data of individuals, such as face photos or fingerprints, are collected solely for the purpose of user recognition, without acquiring other demographic information such as age, gender, and ethnicity. In such a scenario, applying data processing techniques that allow extracting such sensitive information automatically from a person’s biometric data [1, 2, 35, 36, 32, 37, 38, 39, 40] without their knowledge and consent is a violation of the users’ privacy. While GDPR prohibits unsolicited data extraction from European users, the possibility of unlawful data collection still remains and can ultimately lead to negative societal, economic, and political consequences [41, 42, 43].
Previously, we developed Semi-Adversarial Networks (SAN) [44] for imparting soft-biometric privacy to face images, where a face image is modified such that the matching utility of the modified face image is retained while the automatic extraction of gender information is confounded. In our previous work [44], we empirically showed that the ability to predict gender information, using an unseen gender classifier from outputs of the SAN model, is successfully diminished. In [45], we defined the generalizability of the SAN model as its ability to confound arbitrary unseen111The term “unseen” indicates that a certain classifier (or face matcher) was not used during the training stage. On the contrary, the term “auxiliary” in this paper refers to the classifier (or face matcher) that is used during the training phase. gender classifiers. Generalizability is an important property for real-world privacy applications since the lack thereof implies that there exists at least one gender classifier that can still reliably estimate the gender attribute from outputs of the SAN model and, therefore, jeopardizes the privacy of users. In order to address the generalizability issue of SAN models, in this paper, we propose the FlowSAN model, that progressively degrades the performance of unseen gender classifiers. Extensive experiments on a variety of independent gender classifiers and face image datasets show that the proposed FlowSAN method (Fig. 1) results in a substantially improved generalization performance compared to the original SAN method with regard to concealing gender information while retaining face matching utility.
2 Related Work
With regard to privacy concerns in recent years, a new line of research has emerged that focuses on methods for imparting soft-biometric privacy to biometric data and face images in particular [23, 24, 9, 8, 10, 46]. Othman and Ross [23] first proposed an approach for mixing input face images with candidate images of the opposite gender using Active Shape Model [47]. Subsequently, Mirjalili and Ross [24] developed a scheme that modifies an input face image using adversarial perturbations [48] where the performance of a given gender classifier was confounded while the performance of a face matcher was retained. Chhabra et al. [9] later extended this research by including multiple attribute classifiers. They applied additive perturbations to face images to either preserve or suppress certain soft-biometric attributes [9]. While these proposed schemes successfully confound a target attribute classifier, they fail to generalize to unseen attribute classifiers. Thus, soft-biometric attributes remain susceptible to extraction by unseen classifiers.
In order to derive perturbations that are transferable to unseen gender classifiers, Mirjalili et al. [44] designed a convolutional autoencoder that modifies input face images such that an auxiliary face matcher still retains good matching performance on the modified output image while confounding an auxiliary gender classifier. As a result, since the output of their model is adversarial to one classifier and not to the other, the architecture is referred to as Semi-Adversarial Networks (SAN). The SAN model was shown to be able to derive perturbations that are transferable to two unseen gender classifiers. In [45], we investigated the generalizability of SAN models across multiple arbitrary gender classifiers and formulated an ensemble SAN model with a training scheme based on different data augmentation techniques, to enhance diversity in the ensemble of SAN models. Furthermore, we explored the effectiveness of randomly selecting a perturbed image from an ensemble of SAN models, which we refer to as Ens-Gibbs [45].
While these methods directly apply perturbations to face images, recently, new techniques have emerged where perturbations were applied to face representation vectors computed by face matchers [8, 13]. In particular, Morales et al. [8] proposed a neural-network-based model, called SensitiveNet, that is able to remove soft-biometric information from face representation vectors. Therefore, any attribute classifier trained on face representation vectors may not be able to extract such sensitive information. However, these methods are based on the assumption that only face representation vectors are stored in a biometric database. This scheme is not desirable in many applications since only storing face representations results in 1) losing human interpretability, and 2) losing backward matching compatibility when the face matcher is updated. An overview of existing techniques and their properties (transferability, generalization to arbitrary attribute classifiers, and retaining matching utility) is shown in Table I.
In this work, we address the generalization issue of the SAN method using a novel stacking paradigm that will successively enhance the perturbations for confounding an arbitrary unseen gender classifier as illustrated in Fig. 1. We refer to this method as FlowSAN. The primary contributions of this work are as follows:
- •
Designing the FlowSAN model that can successively degrade the performance of arbitrary unseen gender classifiers;
- •
Generalizing the FlowSAN model to multiple arbitrary gender classifiers;
- •
Demonstrating the practicality and efficacy of the proposed approach in confounding the gender information for real-world privacy applications via extensive experiments involving broad and diverse sets of datasets.
3 Proposed Method
Original SAN model [44]: The SAN model for imparting gender privacy to face images was first proposed in [44], and the overall architecture is shown in Fig. 2. The SAN model leverages pre-computed face prototypes, which are average face images for each gender. SAN consists of three subnetworks: 1) a convolutional autoencoder that perturbs an input face image via face prototypes, 2) an auxiliary face matcher, which is a convolutional neural network (CNN), and 3) a CNN-based auxiliary gender classifier. The input to the convolutional autoencoder is a gray-scale222Since most face-matchers work with gray-scale face images, we used gray-scale images in all experiments to allow for a fair comparison between matchers based on the same input data. face image , of size , fused with a face prototype belonging to the same gender (). After the fused input image was passed through the encoder and decoder networks, the face prototypes ( prototype face image from the same gender as input image, or the prototype face image of the opposite gender) are added as additional channels to the resulting -channel feature-map representation. Finally, a -convolutional operation is used to reduce the number of channels in the resulting feature-maps to a -dimensional output image, which is denoted as or , depending on the type of prototype used by the decoder:
[TABLE]
These output images, and , are then passed to both the auxiliary face matcher and the auxiliary gender classifier. The auxiliary face matcher predicts whether the original and the perturbed face images belong to the same individual via a face match score. The gender classifier predicts the gender of the input and output images via gender probabilities for male and female.333In this paper, we have assumed binary labels for gender; however, it must be noted that societal and personal interpretation of gender can result in many more classes. For the auxiliary face matcher, the pre-trained, publicly available VGG-face model [51] is used, which computes the face representation vectors for an input face image, and the similarity between two face representation vectors determines the associated match-score.
Three different loss functions are defined based on the outputs from the autoencoder, the auxiliary gender classifier, and the auxiliary face matcher. The first component of the loss function, , measures the pixelwise dissimilarity between the input and the output from the same-gender prototype , which is used to ensure that the autoencoder subnetwork is able to construct realistic face images:
[TABLE]
where indicates the cross-entropy function for the binary case, defined as
[TABLE]
The second loss term, , is the squared distance between the face representation vectors obtained from the auxiliary face matcher (VGG-face network [51]) for the input image and the perturbed output, making the autoencoder learn how to perturb face images such that the accuracy of the face matcher is retained:
[TABLE]
where and indicate the face representation vectors for the input image and the perturbed output based on the opposite-gender prototype.
Finally, the third loss term, , is the cross-entropy loss function applied to the gender probabilities computed by the auxiliary gender classifier, , on the two perturbed output images. Here, the ground-truth label of the input image is used for , but the reverse () is used for :
[TABLE]
The total loss, , is the weighted sum of the three individual loss functions described in the previous paragraphs,
[TABLE]
where the parameters are the relative weighting terms that can be chosen uniformly or adjusted via hyperparameter optimization.
In the remaining part of the paper, we use notation for the output of a SAN model on a face image when using the opposite-gender prototype, i.e., .
Based on our previous study [45], we employed a data augmentation and resampling scheme for training the auxiliary gender classifiers as a means to diversify the SAN models. In particular, by resampling the instances belonging to the underrepresented race in the CelebA [49] dataset, we aimed to balance the racial distribution in the training data. In this regard, we generated five resampled training datasets, where in each one a random disjoint subset of samples from the underrepresented race was replicated times. This is an effort to enhance the diversity among the SAN models in an ensemble. The resampling approaches that are used to mitigate the imbalances in the different training datasets employed in this study are described in [45].
3.1 Training and Evaluation of an Ensemble SAN model
In our previous work [45], we proposed an ensemble approach for generalizing SAN models to unseen gender classifiers. The objective of an ensemble SAN was to create SAN models such that their union can span a larger subset of the hypothesis space compared to a single SAN model. Therefore, for a new test image and an arbitrary unseen gender classifier, , it is likely that at least one of these SAN models in the ensemble is able to confound . For training an ensemble of SANs, we start with auxiliary gender classifiers, , which were trained using different data augmentation schemes (to achieve higher diversity among classifiers), and a pre-trained face matcher . Then, we train SAN models, where is associated with the auxiliary gender classifier , as shown in Fig. 3. According to the original SAN model proposed in [44], the loss function for training each model is composed of three components: gender loss, matching loss, and pixelwise dissimilarity loss (Eq. 6). Note that the ensemble of SAN models described with this setting can be trained in parallel since each SAN model is independent of others, and each individual SAN model takes unmodified images as input (Fig. 3).
Evaluation of an ensemble of models, that were trained independently, can be performed in two ways:
Averaging: Evaluating the ensemble of SANs by computing the average output image from the set of outputs as shown in Fig. 4-A. 2. 2.
Gibbs: Randomly selecting the output of one SAN model (Fig. 4-B).
These two ensemble-based methods serve as a basis for the comparison with the proposed FlowSAN method, which is described in the following section.
3.2 FlowSAN: Connecting Multiple SAN Models
Assume there exists a large set of gender classifiers , where each predicts the probability that a face image belongs to a male individual. Furthermore, suppose there exists a set of face-matchers denoted by , where each computes the match score between a pair of face images, and . Our goal is to design an ensemble of SAN models, , that, once they are sequentially stacked together, can be shown to generalize to confound unseen gender classifiers in . We hypothesize that stacking diverse SANs sequentially would have a cumulative effect, where each SAN adds perturbations to an input image that confound a particular gender classifier. Therefore, stacking SANs would enhance their generalizability in terms of decreasing the performance of multiple, diverse gender classifiers.
We define a recursive function for stacking SAN models in , as follows:
[TABLE]
By varying from to , produces a sequence of output images :
- •
,
- •
,
- •
…
- •
.
In particular, we hypothesize that for each , the stacking of SAN models will progressively confound . Since the individual SAN models were trained to have a minimal impact on face matching performance, we further hypothesize that the perturbations introduced in the output face images from the stacked SAN models should not substantially affect the face recognition performance of the matchers in .
Training Procedure for the FlowSAN Model
The goal of this work is to develop a model that leverages the image perturbations induced by individual, diverse SAN models to broaden the spectrum of diverse gender classifiers that can successfully be confounded. To accomplish this goal, we designed and evaluated the FlowSAN model, where multiple individually-trained SAN models were sequentially combined.
This section describes the training procedure for the FlowSAN model, where SAN models are trained in sequential order, each with their corresponding auxiliary gender classifier and an auxiliary face matcher, which is common among all SANs. The first SAN model, , takes the original image as input and generates a perturbed output, , while using the auxiliary gender classifier during its training. Then, once is trained, the entire training dataset is transformed by , and the transformed data is then used for training the next SAN model while using its corresponding auxiliary gender classifier. This process is repeated for SAN models , to obtain SAN models that are trained in sequential order. Note that the matching loss is computed between face representation vectors (generated by a face matcher) of the SAN output with that of the corresponding original face image, as opposed to the input to the SAN model (which is already perturbed for ). This is to ensure that the matching performance does not substantially decline as the sequence is expanded. Furthermore, we considered three different scenarios for the pixelwise dissimilarity loss:
Omitting the pixelwise dissimilarity loss term; 2. 2.
pixelwise dissimilarity with respect to the input, i.e., for ; 3. 3.
pixelwise dissimilarity loss with respect to the original image for each of SAN models .
We evaluated all three different pixelwise loss function schemes listed above. However, we were unable to observe any noticeable differences except for some cases where the third scheme slightly outperformed the other two. Therefore, we only report the results of the third case in this paper. The training procedure is illustrated in Fig. 5.
Evaluating the FlowSAN Model
During the model evaluation, the auxiliary networks (the auxiliary gender classifiers and auxiliary face matchers) from the individual SANs are discarded, and the SAN models are stacked in the same sequence they were trained, in order to enhance their generalizability to arbitrary gender classifiers. In the FlowSAN model, the first SAN model () takes an original image () as input and generates a perturbed output image . This output image is then passed into the next SAN model in the sequence to obtain , and so forth. In general, the th SAN model ( for ) takes the output of the previous SAN model () as input and generates the perturbed output .
4 Experiments and Results
We designed two different protocols for training SAN models:
(a)
Training an ensemble of SANs independent of each other as described in [45] (see Section 3.1);
(b)
Training the FlowSAN model using the sequential procedure described in Section 3.2.
Protocol (a) was adapted from [45] and is further described in Section 3.1. For evaluating models trained in the ensemble, we applied two techniques: 1) taking the average output from SAN models which we denote as Ens-Avg, and 2) randomly selecting the output which we denote as Ens-Gibbs. In addition, similar to [45], we also define the oracle best-perturbed sample for a specific gender classifier, :
[TABLE]
The results of best-perturbed samples are denoted as Ens-Best. This analysis indicates which output from the ensemble model has resulted in the highest prediction error for a particular gender classifier if the best output is selected.
The training of the FlowSAN model was initiated from the pre-trained individual SAN models in [45] and then trained for additional epochs on the CelebA-train subset [49] (see Table II) using the training procedure described in Section 3.2. Then, the models were stacked successively to generate a sequence of perturbed output images, .
As the FlowSAN model conceals the gender information in face images incrementally, it naturally produces a sequence of perturbed face images, where the length of this sequence is determined by its ensemble size. By varying the size of the ensemble, we can have a fair comparison between the ensemble approach vs. the FlowSAN model, such that the number of SANs used to obtain an output from the ensemble model is consistent with the number of SANs that are used to generate the output from the FlowSAN model.
For model evaluation and comparison, we used four test datasets: CelebA-test [49], MORPH-test [52], MUCT [53], and RaFD [54]. The number of male and female individuals in each dataset is listed in Table II.
4.1 Performance in Confounding Unseen Gender Classifiers
In order to evaluate the generalization performance of the three ensemble-based methods discussed in the previous section (Ens-Avg, Ens-Gibbs, Ens-Best) as well as the proposed FlowSAN model, we considered six independent gender classifiers. The experiments designed in this section assess how well the proposed models are able to confound gender classifiers that were unseen during training. These six gender classifiers include three models that were already trained: a commercial-of-the-shelf gender classifier (G-COTS), IntraFace [55], AFFACT [56], and three CNN models built in-house, which we refer to as CNN-1, CNN-2 (trained using MORPH-train and LFW, respectively), and CNN-3 (trained on the union of MORPH-train and LFW). Note that these three CNN models have shown a similar level of performance on the original test-sets, compared to the other three pre-trained gender predictors.
Fig. 6 shows the area under the ROC curve as a performance metric for evaluating the generalization performance of each unseen gender classifier on the four independent test datasets. The performance of these gender classifiers on the original images (before perturbations), as well as the outputs from the mixing approach by [23], is also shown for comparison.
In all cases, the FlowSAN approach results in lower AUC values (lower is better) of predictions made by unseen gender classifiers (Fig. 6) compared to the ensemble models Ens-Avg and Ens-Gibbs. In fact, the results of the stacking SAN models are almost on par with the oracle best-perturbed samples (Ens-Best) for each gender classifier. In some cases, the FlowSAN model even outperforms Ens-Best. It is important to note that selecting the best-perturbed sample (from the individual SAN models) for each gender classifier without a priori knowledge of the classifier is infeasible in practice. Yet, we are able to outperform the best result using the FlowSAN model in several cases.
Note that in a real privacy application, reaching a near random gender prediction performance (, and Equal Error Rate (EER) ) is desired for gender anonymization. As it can be seen in Fig. 6, both Ens-Avg and Ens-Gibbs methods produce samples that are mostly incapable of lowering the AUC of the unseen gender classifiers below . Based on the results shown in Fig. 6 (and the EER results shown in Fig. S1), it is evident that, in the majority of cases, a sequential stacking of three SAN models via FlowSAN produces the desired behavior in terms of face gender-anonymization, i.e., (similarly, ). Although, in some cases, the \nth5 output from Ens-Avg and Ens-Gibbs resulted in a low, desired AUC of , it also has a substantially detrimental effect on the face matching performance, as discussed in Section 4.2.
As a result, we conclude that stacking three SAN models in FlowSAN is sufficient to achieve the best gender label anonymization performance across a set of different, unseen gender classifiers and face image datasets. Stacking fewer than three models affects unseen gender classifiers substantially less, and stacking more than three models induces such strong perturbations that flipping the predicted labels could again de-anonymize the perturbed face images with respect to their gender labels.
We shall note that our study was not the first to confound gender classifiers to produce random predictions. In [23], researchers proposed a face mixing approach that also leads to successful gender anonymization (approximately AUC gender prediction performance for a specific gender classifier); however, this approach was unable to retain the face matching utility. In different studies, the researchers were able to retain face matching utility but without generalizing to arbitrary gender classifiers [24, 9]. Thus, the FlowSAN model we propose in this paper presents the first successful approach for satisfying both objectives: concealing gender information and retaining matching performance to a satisfactory degree across a variety of independent gender classifiers and face matchers.
4.2 Retaining the Performance of Unseen Face Matchers
To assess the effect of the gender perturbations on the matching accuracy, we considered four different unseen face matchers. This includes a commercial-of-the-shelf face matcher (M-COTS), which has shown state-of-the-art performance in face recognition, as well as three publicly available algorithms that provide face representation vectors: DR-GAN [57], FaceNet [58], and OpenFace [59]. For the latter three models, we measured the cosine similarity between face representation vectors obtained from the original images and face representation vectors obtained from the SAN-perturbed output images.
Fig. 8 shows the True Match Rate (TMR) values at False Match Rate (FMR) of for different ensemble methods. In most cases, the performance of the face matchers regarding the first three outputs (, , and ) is similar and relatively close to the matching performance on original images. We note that stacking three SANs in FlowSAN yields the desired performance with regard to confounding unseen gender classifiers. Therefore, the evaluation of the face matching performance for stacking more than three SANs (i.e., and ) is only included for completeness.
Comparing the performance of face matchers for equal values of , we observe that the face matchers appear to perform slightly better on outputs produced by the ensemble model compared to the FlowSAN model. However, the extent to which the gender classification performance is reduced by the two models is not the same for equal values of (Table III). The ensemble model requires at least individual SAN models to be able to confound unseen gender classifiers to reach the same level of gender anonymization as the FlowSAN model with . Therefore, if we compare the ensemble models with to the FlowSAN model with , the face matchers perform substantially better on the face image outputs by the FlowSAN model (Fig. 8). Further, note that the performance of M-COTS on CelebA on the original images is already as low as . In fact, all matchers perform poorly on the CelebA dataset, which may be due to different face orientations captured in the wild.
Preserving Privacy
The overall average performance considering the two target objectives of this study, i.e., confounding gender classifiers and retaining the matching utility of face images, is provided in Table III. In this analysis, the average EER results of all six gender classifiers over all four evaluation datasets were computed for original images, outputs from Ref. [23], as well as outputs from the stacking and the ensemble models using and . The results clearly show that the FlowSAN model outperforms the ensemble-based methods, including the oracle-best results. On the other hand, the average true matching rate (TMR) values, at a false matching rate (FMR) of 0.1%, are also computed similarly, and the results indicate that the Ens-Gibbs method has the highest performance for both ensemble sizes, while the performance of the FlowSAN model at is ranked as second, but it is very close to that of Ens-Gibbs. The detailed EER results for each gender classifier is provided in Table S1.
Computational Efficiency
The overall computational cost for training the ensemble-based approach and the FlowSAN model is similar, except that FlowSAN requires an additional data transformation step between each consecutive SAN training. However, the ensemble approach comes with a bigger advantage that the individual SAN models can be trained in parallel, while the SAN models in the FlowSAN model have to be trained sequentially.
5 Conclusion
In this work, we address one of the main limitations of previous gender privacy methods, namely, their inability to generalize across multiple previously unseen gender classifiers. In this regard, we propose the FlowSAN method that sequentially combines diverse perturbations for an input face image to confound the gender information with respect to an arbitrary gender classifier. We compared the performance of the proposed FlowSAN model with two ensemble-based approaches: 1) using the average output of SAN models trained independent of each other (Ens-Avg); 2) randomly selecting the output from the SAN models in the ensemble (Ens-Gibbs).
Our experiments show that the FlowSAN method outperforms the other ensemble-based approaches in terms of confounding gender attribute for a range of gender classifiers. More importantly, while gender classification is successfully confounded, face matching accuracy is retained for all perturbed output face images, thereby preserving the biometric utility of the gender-anonymous face images.
While this work only focused on confounding gender labels to demonstrate this method’s efficacy in hiding soft-biometric attributes, our method can be readily extended and generalized to incorporate other soft-biometric attributes (for example, age and ethnicity), which is subject of future studies.
6 Supplementary Materials
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] A. Jain, A. A. Ross, and K. Nandakumar, Introduction to biometrics . Springer Science & Business Media, 2011.
- 2[2] A. Dantcheva, P. Elia, and A. Ross, “What else does your biometric data reveal? A survey on soft biometrics,” IEEE Transactions on Information Forensics and Security , vol. 11, no. 3, pp. 441–467, 2016.
- 3[3] K. Sundararajan and D. L. Woodard, “Deep learning for biometrics: A survey,” ACM Comput. Surv. , vol. 51, no. 3, pp. 65:1–65:34, May 2018. [Online]. Available: http://doi.acm.org/10.1145/3190618
- 4[4] K. Chang, K. Bowyer, and P. Flynn, “Face recognition using 2D and 3D facial data,” in ACM Workshop on Multimodal User Authentication . Citeseer, 2003, pp. 25–32.
- 5[5] A. K. Jain, A. Ross, and S. Pankanti, “Biometrics: a tool for information security,” IEEE Transactions on Information Forensics and Security , vol. 1, no. 2, pp. 125–143, 2006.
- 6[6] N. K. Ratha, J. H. Connell, and R. M. Bolle, “Enhancing security and privacy in biometrics-based authentication systems,” IBM Systems Journal , vol. 40, no. 3, pp. 614–634, 2001.
- 7[7] I. Natgunanathan, A. Mehmood, Y. Xiang, G. Beliakov, and J. Yearwood, “Protection of privacy in biometric data,” IEEE Access , vol. 4, pp. 880–892, 2016.
- 8[8] A. Morales, J. Fierrez, and R. Vera-Rodriguez, “Sensitive Nets: Learning agnostic representations with application to face recognition,” ar Xiv preprint ar Xiv:1902.00334 , 2019.
