CamPro: Camera-based Anti-Facial Recognition

TL;DR

CamPro tackles the privacy risk of facial recognition by enabling privacy-by-birth inside commodity camera modules. It optimizes color-related ISP functions (CCM and Gamma) through a minimax adversarial framework to suppress face-identification while preserving non-sensitive vision utilities, complemented by a CNN-based image enhancer for human readability. Across ten black-box FR models and multiple HAR tasks, CamPro achieves an average face-identification accuracy near 0.3% on captured images and around 0.6% on enhanced images, with strong generalization to unseen models and datasets, and resilience under white-box adaptive attacks. The approach yields practical privacy protection with maintained utility, validated in real-world camera setups and showing better privacy-utility trade-offs than baselines, while remaining compatible with Android devices and commodity hardware.

Abstract

The proliferation of images captured from millions of cameras and the advancement of facial recognition (FR) technology have made the abuse of FR a severe privacy threat. Existing works typically rely on obfuscation, synthesis, or adversarial examples to modify faces in images to achieve anti-facial recognition (AFR). However, the unmodified images captured by camera modules that contain sensitive personally identifiable information (PII) could still be leaked. In this paper, we propose a novel approach, CamPro, to capture inborn AFR images. CamPro enables well-packed commodity camera modules to produce images that contain little PII and yet still contain enough information to support other non-sensitive vision applications, such as person detection. Specifically, CamPro tunes the configuration setup inside the camera image signal processor (ISP), i.e., color correction matrix and gamma correction, to achieve AFR, and designs an image enhancer to keep the image quality for possible human viewers. We implemented and validated CamPro on a proof-of-concept camera, and our experiments demonstrate its effectiveness on ten state-of-the-art black-box FR models. The results show that CamPro images can significantly reduce face identification accuracy to 0.3\% while having little impact on the targeted non-sensitive vision application. Furthermore, we find that CamPro is resilient to adaptive attackers who have re-trained their FR models using images generated by CamPro, even with full knowledge of privacy-preserving ISP parameters.

Figures (17)

• Figure 1: CamPro resides inside a camera module to achieve anti-facial recognition (AFR) during the generation of images, i.e., privacy-preserving by birth, while traditional AFR methods desensitize the raw images output by the camera module, i.e., based on post-processing.
• Figure 2: Typical stages of face identification.
• Figure 3: A camera module typically consists of an image sensor and an image signal processor (ISP). CamPro achieves privacy protection by tuning the parameters of ISP functions in the common camera module.
• Figure 4: Color inversion effects on FR and HAR. FR: Faces highlighted in circles are compared by FaceNet, and they are not viewed as the same identity. HAR: The front person is detected yet the back one is missed after color inversion. Color inversion affects the normal operation of HAR less.
• Figure 5: Overview of CamPro system. CamPro system consists of two main modules, i.e., (1) the camera module where the parameters of built-in ISP functions, i.e., color correction matrix (CCM) and gamma correction (Gamma), are optimized to prevent facial recognition but support the non-sensitive HAR vision application, e.g., person detection, and (2) the image enhancer that further improves the visual appearance of images for human view.