Fantômas: Understanding Face Anonymization Reversibility

Julian Todt, Simon Hanisch, Thorsten Strufe

TL;DR

This work addresses the privacy risks of face anonymizations by revealing that many commonly used methods are vulnerable to reversal when evaluated against a worst-case attacker. It introduces a general de-anonymization framework that couples reconstruction and inversion to reverse anonymizations before recognition, and it evaluates 15 anonymization techniques across the CelebA and DigiFace-1M datasets, including a human and computational utility assessment. The study finds that 11 of 15 anonymizations are at least partially reversible, with global permutations and some synthesis-based methods showing strong reversal, while truly removing methods like DeepPrivacy and CIAGAN are much harder to reverse. The findings emphasize the need for rigorous, empirical reversibility testing in privacy benchmarks and provide design guidance for irreversible anonymizations, highlighting that formal guarantees alone may be insufficient for ensuring privacy in image data. Practically, the work urges researchers and practitioners to adopt attacker models that consider reversal capabilities and to balance privacy guarantees with real-world evaluation of utility and reversibility.

Abstract

Face images are a rich source of information that can be used to identify individuals and infer private information about them. To mitigate this privacy risk, anonymizations employ transformations on clear images to obfuscate sensitive information, all while retaining some utility. Albeit published with impressive claims, they sometimes are not evaluated with convincing methodology. Reversing anonymized images to resemble their real input -- and even be identified by face recognition approaches -- represents the strongest indicator for flawed anonymization. Some recent results indeed indicate that this is possible for some approaches. It is, however, not well understood which approaches are reversible, and why. In this paper, we provide an exhaustive investigation into the phenomenon of face anonymization reversibility. Among other things, we find that 11 out of 15 tested face anonymizations are at least partially reversible and highlight how both reconstruction and inversion are the underlying processes that make reversal possible.

Paper Structure (43 sections, 31 figures, 4 tables)

This paper contains 43 sections, 31 figures, 4 tables.

Figures (31)

  • Figure 1: Data access of the attacker model. For training, the model has access to both anonymized and respective clear images, for testing only anonymized images are available.
  • Figure 2: Recognition attacker models and their respective data usage for training and testing the biometric recognition system they use for their attack.
  • Figure 3: Design of our machine learning model
  • Figure 4: Different face anonymization methods we consider
  • Figure 5: Data usage of our evaluation framework. The upper part depicts how the data sets are used for the anonymization, the bottom left shows how the de-anonymization approach is trained and applied, and the bottom right shows how the recognition system is used.
  • ...and 26 more figures