Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Privacy Blur: Quantifying Privacy and Utility for Image Data Release

Saeed Mahloujifar, Narine Kokhlikyan, Chuan Guo, Kamalika Chaudhuri

TL;DR

The paper investigates how to privately release image data without sacrificing model training usefulness. It introduces a formal privacy-utility framework and compares four obfuscation methods, revealing that Gaussian blur is easily reversible and thus weak on privacy, while pixelization and DP-Pix can offer strong privacy with minor utility loss when tuned. Reversal and discrimination attacks are developed to quantify privacy, and extensive experiments across OCR-like datasets and vision tasks demonstrate that cropping is highly private but harms utility, whereas pixelization and DP-Pix strike a favorable balance for many tasks. The work culminates in a practical Privacy Blur software package to guide privacy-aware image data releases.

Abstract

Image data collected in the wild often contains private information such as faces and license plates, and responsible data release must ensure that this information stays hidden. At the same time, released data should retain its usefulness for model-training. The standard method for private information obfuscation in images is Gaussian blurring. In this work, we show that practical implementations of Gaussian blurring are reversible enough to break privacy. We then take a closer look at the privacy-utility tradeoffs offered by three other obfuscation algorithms -- pixelization, pixelization and noise addition (DP-Pix), and cropping. Privacy is evaluated by reversal and discrimination attacks, while utility by the quality of the learnt representations when the model is trained on data with obfuscated faces. We show that the most popular industry-standard method, Gaussian blur is the least private of the four -- being susceptible to reversal attacks in its practical low-precision implementations. In contrast, pixelization and pixelization plus noise addition, when used at the right level of granularity, offer both privacy and utility for a number of computer vision tasks. We make our proposed methods together with suggested parameters available in a software package called Privacy Blur.

Privacy Blur: Quantifying Privacy and Utility for Image Data Release

TL;DR

The paper investigates how to privately release image data without sacrificing model training usefulness. It introduces a formal privacy-utility framework and compares four obfuscation methods, revealing that Gaussian blur is easily reversible and thus weak on privacy, while pixelization and DP-Pix can offer strong privacy with minor utility loss when tuned. Reversal and discrimination attacks are developed to quantify privacy, and extensive experiments across OCR-like datasets and vision tasks demonstrate that cropping is highly private but harms utility, whereas pixelization and DP-Pix strike a favorable balance for many tasks. The work culminates in a practical Privacy Blur software package to guide privacy-aware image data releases.

Abstract

Image data collected in the wild often contains private information such as faces and license plates, and responsible data release must ensure that this information stays hidden. At the same time, released data should retain its usefulness for model-training. The standard method for private information obfuscation in images is Gaussian blurring. In this work, we show that practical implementations of Gaussian blurring are reversible enough to break privacy. We then take a closer look at the privacy-utility tradeoffs offered by three other obfuscation algorithms -- pixelization, pixelization and noise addition (DP-Pix), and cropping. Privacy is evaluated by reversal and discrimination attacks, while utility by the quality of the learnt representations when the model is trained on data with obfuscated faces. We show that the most popular industry-standard method, Gaussian blur is the least private of the four -- being susceptible to reversal attacks in its practical low-precision implementations. In contrast, pixelization and pixelization plus noise addition, when used at the right level of granularity, offer both privacy and utility for a number of computer vision tasks. We make our proposed methods together with suggested parameters available in a software package called Privacy Blur.

Paper Structure

This paper contains 39 sections, 4 theorems, 8 equations, 2 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Obfuscation Methods
  4. Privacy Attacks on Blurring and Pixelization
  5. Utility
  6. Machine-Learning with Guaranteed Privacy.
  7. Preliminaries
  8. Obfuscation Methods
  9. Cropping.
  10. Gaussian Blur.
  11. Pixelization.
  12. DP-Pix.
  13. Privacy
  14. Reversal Attack.
  15. Discrimination Attack.
  16. ...and 24 more sections

Key Result

Proposition 1

Let $M_g$ be any bijective transformation. If $P_k$ and $P_l$ are any two distributions, then for any $\alpha > 0$,

Figures (2)

  • Figure 1: We use random images from Casual Conversations v2 dataset. We use deep-face to create face bounding boxes and use blurring pipeline in yang2022study to blur images. We use two different radius multipliers. Our attack is initialized randomly (Gaussian noise) and uses learning rate 0.1 and momentum of 0.9. We run the attack for 5000 iterations. We then run the attack for 30 times and take the average over all runs.
  • Figure 2: We use an image of a license plate, resize it to 210x210 pixels and use OpenCV blurring with various kernel sizes. Then we use our attack to reconstruct the image. Our attack is initialized randomly (Gaussian noise) and uses learning rate 0.1 and momentum of.9. We run the attack for 5000 iterations.

Theorems & Definitions (6)

  • Definition 1: Indistinguishability
  • Definition 2: $(N, \alpha, \epsilon)$-Profile-Based Privacy
  • Proposition 1
  • Proposition 2
  • Proposition 3
  • Proposition 4