Protecting Privacy Using Fawkes Against Unauthorized Surveillance
An overview and understanding of the paper, “Fawkes: Protecting Privacy against Unauthorized Deep Learning Models” for security against unwarranted facial recognition.
The world is slowly coming to grips with the privacy-invading drawbacks of facial recognition. It allows strangers to click a photo of anyone and get a background about them without any permission. It can be used to track people assembling and monitor their activities. Companies like Amazon, Microsoft, and IBM have started pulling the plug on these technologies. However, companies like Clearview.ai still provide solutions to law enforcement groups and highly accurate face recognition models of individuals are being trained without their knowledge.
To protect privacy a group of students from the University of Chicago has made Fawkes, a model that tries to cloak images such that it renders these systems ineffective.
To understand how this system works we need to understand how a naive facial recognition system works.
- Firstly, we take a model trained on a large dataset of faces through which we can extract the encodings or features of a face.
- Then we take several images of a person and find where the cluster of encodings of each person would lie in a feature space.
- This creates distinct boundaries and if the encodings of the test image lie close to that cluster, then the model can recognize that person.
Moreover, unlike other deep learning models that require a ton of data 5–10 images are enough to provide reasonably estimate a person.
How does Fawkes work?
Through Fawkes, the researchers have tried to perform “clean label attacks.” In clean label attacks, the values of the labels remain the same but the content is changed. They search for a cloak that shifts its feature representation towards another set. This prevents the generation of extreme results that can be caught via anomaly detection. So through Fawkes, the features extracted of the face would point to a completely different feature space leading to misclassification.
All this is done without making the changes visible to the naked eye. Impressive, isn’t it? Now, when the models are trained on the cloaked images, and a stalker presents a new uncloaked image then they won’t match.
The distance between the cloaked and uncloaked images is monitored by a parameter called DSSIM (Structural Dis-Similarity Index). Increasing its values can lead to improved accuracy but with a trade-off between the similarities of the images.
How well does it work?
The researchers tested their system using Microsoft Azure Face API, Amazon Rekognition, and Face++ where they were able to achieve 100% protection if all the images present in the dataset were cloaked. However, the accuracy drops to around 15% if only 40% of the images were cloaked.
So what about the normal images that are collected over the years by these companies and have already trained a model on them? Yes, it is a little late implementing these types of technologies, but we can add our cloaked images, and slowly they will eclipse the number of normal ones or the major platforms like Facebook, Linkedin, etc can start cloaking the images any image uploaded for a better future.
They have even made executable applications for Windows and Mac OS to generate cloaked images easily for people who don’t code.
Improving Results for Datasets having Uncloaked Images
Users can create Sybil (fake) accounts on communities like Facebook and upload images of different people modified such that they overlap in their feature space. This would mean that when a person would search an image for the original person, they might get a result of the proxy account further protecting privacy.
As you can see, even with a high number of uncloaked images they model can be fooled more often than not.
Other than this, they also tried image processing operations to disrupt the cloak with Gaussian blurring, Gaussian noise, and JPEG compression.
They found that when the image was subjected to large changes the normal classification results plummeted before the cloak broke.
They have open-sourced their code at this GitHub repository and also have a project website with more details.
How to Use?
You can use the executable files but it only offers a minimum cloaking mode. To use other modes like low, medium, and high you can pip install it and run a single command to get the result.
pip install fawkes
fawkes -d /content/imgs --mode high
#change mode with min, low, med, or high as per requirement
Playing Around
I also measured the PSNR and SSIM of the original image and cloaked image using the following code:
import cv2
from skimage.metrics import structural_similarity as SSIMpsnr = cv2.PSNR(orig, cloak, 255)
ssim = SSIM(orig, cloak, multichannel=True)
The results:
Minimum cloak - PSNR: 44.033, SSIM: 0.995Low cloak - PSNR: 43.012, SSIM: 0.994Medium cloak - PSNR: 41.699, SSIM: 0.992High Cloak - PSNR: 38.933, SSIM: 0.989
After this, I subtracted the cloaked image from the original image for all the channels separately as well as together and thresholded it, followed by combining all the channels using bitwise OR to find which pixels were modified.
import cv2
import numpy as nporig = cv2.imread('Paris.jpg')
cloak = cv2.imread('Paris_low_cloaked.png')orig = orig.astype(np.int16)
cloak = cloak.astype(np.int16)r = abs(cloak[:, :, 2] - orig[:, :, 2])
g = abs(cloak[:, :, 1] - orig[:, :, 1])
b = abs(cloak[:, :, 0] - orig[:, :, 0])diff_color = abs(cloak - orig)
ret, diff_color = cv2.threshold(diff_color, 1, 225, cv2.THRESH_BINARY)ret, r = cv2.threshold(r, 1, 225, cv2.THRESH_BINARY)
ret, g = cv2.threshold(g, 1, 225, cv2.THRESH_BINARY)
ret, b = cv2.threshold(b, 1, 225, cv2.THRESH_BINARY)orig = orig.astype(np.uint8)
cloak = cloak.astype(np.uint8)
r = r.astype(np.uint8)
g = g.astype(np.uint8)
b = b.astype(np.uint8)
diff_color = diff_color.astype(np.uint8)diff_bw = cv2.bitwise_or(r, g)
diff_bw = cv2.bitwise_or(diff_bw, b)
This shows that the major changes are near the face area, so let’s find out the PSNR and SSIM for the face area. I will use an SSD detector available with OpenCV’s DNN module to find the faces. Discussing it is beyond the scope of this article. To know more about it or it’s code you can refer to the article linked below or have a look at this GitHub repository.
Minimum cloak - PSNR: 38.184, SSIM: 0.979Low cloak - PSNR: 36.553, SSIM: 0.972Medium cloak - PSNR: 34.759, SSIM: 0.960High Cloak - PSNR: 32.077, SSIM: 0.944
As expected the values of PSNR and SSIM drop sharply for the face region. It would be interesting to see how it performs with multiple faces and finding if certain pixels intensities affect the cloaking, but let’s stop here for now.
This project is not the end of the unfair use of our images, but just a start. In the future, even better algorithms like these can be expected which would help us to protect privacy against unauthorized deep learning models created without our consent.
