An Attack on Facial Soft-biometric Privacy Enhancement

TL;DR

This paper presents a black-box attack method that can effectively compromise privacy-enhancing face recognition systems by inferring soft-biometric attributes, demonstrating significant vulnerabilities in current privacy protection techniques.

Contribution

The authors introduce a novel black-box attack that infers soft-biometric attributes from privacy-enhanced face representations, revealing vulnerabilities in existing privacy-preserving face recognition methods.

Findings

The attack circumvents privacy protection with high accuracy.

It correctly classifies gender with up to 90% accuracy.

The attack is effective against two state-of-the-art approaches.

Abstract

In the recent past, different researchers have proposed privacy-enhancing face recognition systems designed to conceal soft-biometric attributes at feature level. These works have reported impressive results, but generally did not consider specific attacks in their analysis of privacy protection. We introduce an attack on said schemes based on two observations: (1) highly similar facial representations usually originate from face images with similar soft-biometric attributes; (2) to achieve high recognition accuracy, robustness against intra-class variations within facial representations has to be retained in their privacy-enhanced versions. The presented attack only requires the privacy-enhancing algorithm as a black-box and a relatively small database of face images with annotated soft-biometric attributes. Firstly, an intercepted privacy-enhanced face representation is compared against the attacker's database. Subsequently, the unknown attribute is inferred from the attributes associated with the highest obtained similarity scores. In the experiments, the attack is applied against two state-of-the-art approaches. The attack is shown to circumvent the privacy enhancement to a considerable degree and is able to correctly classify gender with an accuracy of up to approximately 90%. Future works on privacy-enhancing face recognition are encouraged to include the proposed attack in evaluations on the privacy protection.