PrivateGaze: Preserving User Privacy in Black-box Mobile Gaze Tracking Services

TL;DR

PrivateGaze addresses privacy risks in black-box mobile gaze-tracking by introducing a user-side privacy preserver that obfuscates full-face input while preserving gaze accuracy. It employs an anchor-image template and a surrogate gaze estimator trained on public data to supervise obfuscated-image generation, enabling effective use of black-box gaze services. Empirical results show strong protection against identity and gender attribute inference with obfuscated inputs, while maintaining gaze-estimation performance across four datasets and multiple backbones. The approach is designed for on-device deployment with low latency and broad compatibility, offering a practical path toward privacy-preserving gaze tracking in real-world mobile applications.

Abstract

Eye gaze contains rich information about human attention and cognitive processes. This capability makes the underlying technology, known as gaze tracking, a critical enabler for many ubiquitous applications and has triggered the development of easy-to-use gaze estimation services. Indeed, by utilizing the ubiquitous cameras on tablets and smartphones, users can readily access many gaze estimation services. In using these services, users must provide their full-face images to the gaze estimator, which is often a black box. This poses significant privacy threats to the users, especially when a malicious service provider gathers a large collection of face images to classify sensitive user attributes. In this work, we present PrivateGaze, the first approach that can effectively preserve users' privacy in black-box gaze tracking services without compromising gaze estimation performance. Specifically, we proposed a novel framework to train a privacy preserver that converts full-face images into obfuscated counterparts, which are effective for gaze estimation while containing no privacy information. Evaluation on four datasets shows that the obfuscated image can protect users' private information, such as identity and gender, against unauthorized attribute classification. Meanwhile, when used directly by the black-box gaze estimator as inputs, the obfuscated images lead to comparable tracking performance to the conventional, unprotected full-face images.

Figures (10)

• Figure 1: An illustration of PrivateGaze, a framework to preserve users' privacy when they are using black-box gaze estimation services. The core of PrivateGaze is the privacy preserver, which transforms the original privacy-sensitive full-face image into an obfuscated version as input for the untrusted gaze estimation services. During the training stage, we train the privacy preserver with the assistance of a pre-trained surrogate gaze estimator. After training, the privacy preserve is deployed on the user's device to generate obfuscated images that can be used by the black-box gaze estimation services. This ensures accurate gaze estimation while preventing the user's private attributes, such as gender and identity, from being inferred by the service provider.
• Figure 2: An overview of PrivateGaze, which comprises the privacy preserver, the anchor image generation module, and the surrogate gaze estimator $\mathcal{G}_w(\cdot)$ trained on the training dataset $\mathcal{D}_{w}$. The privacy preserver includes the gaze-feature extractor $F(\cdot)$ and the image generator $IG(\cdot)$. $F(\cdot)$ extracts gaze features $z$ from the raw images $x$ in the training dataset. $IG(\cdot)$ takes $z$ and a pre-generated image $\hat{x}$ as inputs to form the obfuscated images $x'$. $\hat{x}$ serves as the anchor image and is crafted from the training dataset using the proposed anchor image generation module. Subsequently, we compute the privacy loss based on $\hat{x}$ and $x'$ to train $\mathcal{P}(\cdot)$ for the privacy objective. $x'$ is then passed to $\mathcal{G}_w(\cdot)$ to obtain the estimated gaze direction $g'$. Finally, we calculate the utility loss based on the gaze annotations $g$ and $g'$ to train the privacy preserver for the utility objective.
• Figure 3: The overall design of the privacy preserver $\mathcal{P}(\cdot)$, which consists of the gaze-feature extractor $F(\cdot)$ and the image generator $IG(\cdot)$. $F(\cdot)$ extracts gaze features $z$ from the raw image $x$ of the user. $IG(\cdot)$ takes the extracted gaze features $z$ and the anchor image $\hat{x}$ as inputs to generate the privacy-preserved obfuscated image $x'$. $x'$ has a similar appearance to $\hat{x}$ while retaining the gaze features extracted from $x$. Only the components with color-coded yellow will be deployed on the user's device after training for privacy preservation.
• Figure 4: Illustration of images sampled from the four gaze estimation datasets. Our selection of datasets covers a broad spectrum of mobile gaze tracking scenarios: from smartphone usage (GazeCapture) to laptop use cases (MPIIFaceGaze), and to ubiquitous web cameras (ETHXGaze and ColumbiaGazze) that widely appear in many daily devices.
• Figure 5: Illustration of (a) raw images of different subjects and obfuscated images generated by (b) PrivateGaze, (c) TPGD, (d) GauDP ($\epsilon=0.1$), (e) IP-DP ($\epsilon=0.3$), (f) FS-DP ($\epsilon=1.0$), (g) MaxP, and (h) B-DAP. The obfuscated images obtained by PrivateGaze and TPGD have similar appearances, making it challenging for attackers to infer user identity and gender from the obfuscated images.