ID-Cloak: Crafting Identity-Specific Cloaks Against Personalized Text-to-Image Generation

TL;DR

The paper tackles privacy risks from personalized text-to-image generation by shifting from image-specific cloaks to identity-specific universal cloaks. It introduces ID-Cloak, which learns a Gaussian identity subspace $Q(c) \sim \mathcal{N}(\mu,\Sigma)$ in the text-embedding space using a few anchor prompts $\{c_i\}$, and optimizes a single universal cloak $\delta$ within that subspace to distort outputs of personalized models trained on protected images. The method leverages a one-step latent cloaking strategy via DDIM and gradient aggregation to stabilize optimization, demonstrating strong protection across identities, prompts, models, and personalization techniques. Experimental results on CelebA-HQ and VGGFace2 show robust, transferable protection, with significant deterioration of personalized generations while maintaining imperceptibility. Overall, the work presents a scalable privacy-preserving framework that generalizes to unseen images of the protected identity and various downstream personalization settings, representing a practical advance in safeguarding civil privacy in diffusion-based generation.

Abstract

Personalized text-to-image models allow users to generate images of new concepts from several reference photos, thereby leading to critical concerns regarding civil privacy. Although several anti-personalization techniques have been developed, these methods typically assume that defenders can afford to design a privacy cloak corresponding to each specific image. However, due to extensive personal images shared online, image-specific methods are limited by real-world practical applications. To address this issue, we are the first to investigate the creation of identity-specific cloaks (ID-Cloak) that safeguard all images belong to a specific identity. Specifically, we first model an identity subspace that preserves personal commonalities and learns diverse contexts to capture the image distribution to be protected. Then, we craft identity-specific cloaks with the proposed novel objective that encourages the cloak to guide the model away from its normal output within the subspace. Extensive experiments show that the generated universal cloak can effectively protect the images. We believe our method, along with the proposed identity-specific cloak setting, marks a notable advance in realistic privacy protection.

Figures (6)

• Figure 1: Comparison between image-specific and identity-specific protection. (a) Existing image-specific protection methods lose effectiveness when applied to large-scale unknown images. (b) Our identity-specific cloak exhibits effective and consistent protection.
• Figure 2: Qualitative results on VGGFace2 dataset. The cloaks are generated from the images of training set, then applied on the same training set and different test sets respectively. Each row represents a method, and each column represents a different test prompt.
• Figure 3: Additional qualitative results on VGGFace2 dataset. The cloaks are generated from the images of training set, then applied on the same training set and different test sets respectively. Each row represents a method, and each column represents a different test prompt.
• Figure 4: Additional qualitative results on VGGFace2 dataset. The cloaks are generated from the images of training set, then applied on the same training set and different test sets respectively. Each row represents a method, and each column represents a different test prompt.
• Figure 5: Additional qualitative results on CelebA-HQ dataset. The cloaks are generated from the images of training set, then applied on the same training set and different test sets respectively. Each row represents a method, and each column represents a different test prompt.