ErasableMask: A Robust and Erasable Privacy Protection Scheme against Black-box Face Recognition Models

TL;DR

ErasableMask is a novel privacy protection scheme that creates erasable, transferable adversarial perturbations against black-box face recognition models, balancing robustness and privacy with high success rates.

Contribution

It introduces a meta-auxiliary attack and perturbation erasion mechanism, enhancing transferability and erasure capabilities in face privacy protection.

Findings

Achieves over 72% confidence in commercial FR systems

Over 90% success rate in perturbation erasion

Outperforms existing methods in transferability and erasure

Abstract

While face recognition (FR) models have brought remarkable convenience in face verification and identification, they also pose substantial privacy risks to the public. Existing facial privacy protection schemes usually adopt adversarial examples to disrupt face verification of FR models. However, these schemes often suffer from weak transferability against black-box FR models and permanently damage the identifiable information that cannot fulfill the requirements of authorized operations such as forensics and authentication. To address these limitations, we propose ErasableMask, a robust and erasable privacy protection scheme against black-box FR models. Specifically, via rethinking the inherent relationship between surrogate FR models, ErasableMask introduces a novel meta-auxiliary attack, which boosts black-box transferability by learning more general features in a stable and balancing optimization strategy. It also offers a perturbation erasion mechanism that supports the erasion of semantic perturbations in protected face without degrading image quality. To further improve performance, ErasableMask employs a curriculum learning strategy to mitigate optimization conflicts between adversarial attack and perturbation erasion. Extensive experiments on the CelebA-HQ and FFHQ datasets demonstrate that ErasableMask achieves the state-of-the-art performance in transferability, achieving over 72% confidence on average in commercial FR systems. Moreover, ErasableMask also exhibits outstanding perturbation erasion performance, achieving over 90% erasion success rate.