LDP-Feat: Image Features with Local Differential Privacy

TL;DR

This paper introduces LDP-Feat, a method that privatizes image features with local differential privacy, providing strong privacy guarantees while maintaining performance in visual localization tasks.

Contribution

It presents the first local differential privacy approach for image features, addressing privacy risks and demonstrating effectiveness in localization tasks.

Findings

Inversion attacks can recover original features from existing embeddings.

LDP-Feat guarantees privacy bounds regardless of attack strength.

LDP-Feat maintains high localization accuracy with privacy protection.

Abstract

Modern computer vision services often require users to share raw feature descriptors with an untrusted server. This presents an inherent privacy risk, as raw descriptors may be used to recover the source images from which they were extracted. To address this issue, researchers recently proposed privatizing image features by embedding them within an affine subspace containing the original feature as well as adversarial feature samples. In this paper, we propose two novel inversion attacks to show that it is possible to (approximately) recover the original image features from these embeddings, allowing us to recover privacy-critical image content. In light of such successes and the lack of theoretical privacy guarantees afforded by existing visual privacy methods, we further propose the first method to privatize image features via local differential privacy, which, unlike prior approaches, provides a guaranteed bound for privacy leakage regardless of the strength of the attacks. In addition, our method yields strong performance in visual localization as a downstream task while enjoying the privacy guarantee.