Defeating Image Obfuscation with Deep Learning

TL;DR

This work demonstrates that modern deep learning methods can infer sensitive information from images protected by mosaicing, blurring, or P3-style partial encryption. By training separate CNNs for each obfuscation and recognition task across MNIST, CIFAR-10, AT&T, and FaceScrub, the authors show nontrivial recognition accuracy even under strong privacy protections. The findings imply that obfuscation-based privacy shields may offer limited real-world protection against adversaries with access to large labeled datasets and powerful neural models, motivating the design of more robust privacy techniques. Overall, the paper reframes privacy assessment around the potential information leakage revealed by state-of-the-art inference methods rather than human recognizability alone.

Abstract

We demonstrate that modern image recognition methods based on artificial neural networks can recover hidden information from images protected by various forms of obfuscation. The obfuscation techniques considered in this paper are mosaicing (also known as pixelation), blurring (as used by YouTube), and P3, a recently proposed system for privacy-preserving photo sharing that encrypts the significant JPEG coefficients to make images unrecognizable by humans. We empirically show how to train artificial neural networks to successfully identify faces and recognize objects and handwritten digits even if the images are protected using any of the above obfuscation techniques.

Figures (9)

• Figure 1: An image from The Guardian showing a police raid on a drug gang warondrugs-pic. The accompanying article explains that UK drug gangs are growing more violent and that police informants and undercover operatives face possible retaliation warondrugs. The officers' faces are presumably mosaiced for their protection. The window appears to be $12\times12$ pixels. Using $16\times16$ windows (which obfuscate more information than $12\times12$ windows), our neural network achieves 57% accuracy in recognizing an obfuscated image from a large dataset of 530 individuals. The accuracy increases to 72% when considering the top five guesses.
• Figure 2: A victim of human trafficking in India girlalone-pic. Her face has been blurred, presumably to protect her identity. Our neural networks, trained on black-and-white faces blurred with YouTube, can identify a blurred face with over 50% accuracy from a database of 40 faces.
• Figure 3: P3 works by removing the DC and large AC coefficients from the public version of image and placing them in a secret image. (Image from p3)
• Figure 4: Schematic architecture of a convolutional neural network convolutionimage. The network is composed of convolutional layers followed by max-pooling sub-sampling layers. The last layers are fully connected.
• Figure 5: An original AT&T image and two blurred frames extracted from a blurred YouTube video. Although the unblurred frames were identical, the two blurred frames are different.