Ulixes: Facial Recognition Privacy with Adversarial Machine Learning

TL;DR

Ulixes introduces visually non-invasive facial noise masks that prevent facial recognition systems from accurately identifying or clustering users, enhancing privacy even in unlabeled online images.

Contribution

The paper presents Ulixes, a novel adversarial approach that generates facial noise masks to protect user privacy against various facial recognition and clustering methods.

Findings

Ulixes effectively prevents reliable facial clustering and recognition.

The method remains robust in black-box and adversarially trained models.

Ulixes outperforms existing adversarial techniques in privacy preservation.

Abstract

Facial recognition tools are becoming exceptionally accurate in identifying people from images. However, this comes at the cost of privacy for users of online services with photo management (e.g. social media platforms). Particularly troubling is the ability to leverage unsupervised learning to recognize faces even when the user has not labeled their images. In this paper we propose Ulixes, a strategy to generate visually non-invasive facial noise masks that yield adversarial examples, preventing the formation of identifiable user clusters in the embedding space of facial encoders. This is applicable even when a user is unmasked and labeled images are available online. We demonstrate the effectiveness of Ulixes by showing that various classification and clustering methods cannot reliably label the adversarial examples we generate. We also study the effects of Ulixes in various black-box settings and compare it to the current state of the art in adversarial machine learning. Finally, we challenge the effectiveness of Ulixes against adversarially trained models and show that it is robust to countermeasures.