RDP: Ranked Differential Privacy for Facial Feature Protection in Multiscale Sparsified Subspace

TL;DR

This work tackles the risk of facial feature leakage from publicly shared face images by introducing Ranked Differential Privacy (RDP) in a multiscale sparsified feature space. It perturbs weight-ranked sparse wavelet coefficients with Laplacian noise drawn via a geometric scheme, and proves that the resulting mechanism satisfies $\varepsilon_0$-DP. To maximize visualization quality under privacy, the authors formulate a nonlinear LM optimization and solve it with two strategies: Normalization Approximation for online use and LM Optimization via Gradient Descent for offline use. Empirical results on LFW and PubFig83 show substantial PSNR improvements (about $10$ dB over the best baselines at $\varepsilon_0=0.2$) while maintaining strong privacy, highlighting the method's potential for privacy-preserving release of high-quality face images.

Abstract

With the widespread sharing of personal face images in applications' public databases, face recognition systems faces real threat of being breached by potential adversaries who are able to access users' face images and use them to intrude the face recognition systems. In this paper, we propose a novel privacy protection method in the multiscale sparsified feature subspaces to protect sensitive facial features, by taking care of the influence or weight ranked feature coefficients on the privacy budget, named "Ranked Differential Privacy (RDP)". After the multiscale feature decomposition, the lightweight Laplacian noise is added to the dimension-reduced sparsified feature coefficients according to the geometric superposition method. Then, we rigorously prove that the RDP satisfies Differential Privacy. After that, the nonlinear Lagrange Multiplier (LM) method is formulated for the constraint optimization problem of maximizing the utility of the visualization quality protected face images with sanitizing noise, under a given facial features privacy budget. Then, two methods are proposed to solve the nonlinear LM problem and obtain the optimal noise scale parameters: 1) the analytical Normalization Approximation (NA) method with identical average noise scale parameter for real-time online applications; and 2) the LM optimization Gradient Descent (LMGD) numerical method to obtain the nonlinear solution through iterative updating for more accurate offline applications. Experimental results on two real-world datasets show that our proposed RDP outperforms other state-of-the-art methods: at a privacy budget of 0.2, the PSNR (Peak Signal-to-Noise Ratio) of the RDP is about ~10 dB higher than (10 times as high as) the highest PSNR of all compared methods.

Figures (6)

• Figure 1: The process of breaching face recognition systems: for each individual's face recognition, there are the corresponding standard facial features stored in face recognition-based systems, such as face recognition check-in systems. When adversaries download the particular individual's face images from public databases, corresponding to applications, e.g., Facebook, Weibo, TikTok, or Bing, they may use the downloaded images to breach face recognition-based systems which are used by such individual. On the contrary, if all the face images are protected with a privacy protection method, adversaries will fail to achieve the threat aforementioned.
• Figure 2: Normalized difference between real and theoretical variances, i.e., $\frac{{\left| {{\sigma _r}^2 - \sigma _t^2} \right|}}{{\sigma _t^2}}$.
• Figure 3: Logarithm of real variance $\log \left( {{\sigma _r}^2} \right)$ vs. $\varepsilon_0$.
• Figure 4: Privacy Budget $\varepsilon_0$ vs. PSNR.
• Figure 5: Visualization of LFW Data.

Theorems & Definitions (7)

• Definition 1: Neighboring Face Images
• Definition 2: The Sensitivity of Facial Features
• Definition 3: Differential Privacy
• Definition 4: Ranked Differential Privacy
• Theorem 1
• Definition 5: Cost Function
• Theorem 2