FaceLinkGen: Rethinking Identity Leakage in Privacy-Preserving Face Recognition with Identity Extraction
Wenqi Guo, Shan Du
TL;DR
FaceLinkGen demonstrates that pixel-level distortion metrics used in privacy-preserving face recognition do not reflect true identity leakage. By distilling identity embeddings from protected templates and regenerating identity-consistent faces via diffusion, the authors show strong linkage and regeneration capabilities across multiple SOTA PPFR methods, even under near-zero-knowledge scenarios. This reveals a structural gap between visual distortions and actual privacy, advocating an identity-centric evaluation standard and practical defenses such as secret-key or cryptographic approaches. The work underscores the real-world privacy risks posed by PPFR templates and motivates a reevaluation of privacy guarantees in face recognition systems.
Abstract
Transformation-based privacy-preserving face recognition (PPFR) aims to verify identities while hiding facial data from attackers and malicious service providers. Existing evaluations mostly treat privacy as resistance to pixel-level reconstruction, measured by PSNR and SSIM. We show that this reconstruction-centric view fails. We present FaceLinkGen, an identity extraction attack that performs linkage/matching and face regeneration directly from protected templates without recovering original pixels. On three recent PPFR systems, FaceLinkGen reaches over 98.5\% matching accuracy and above 96\% regeneration success, and still exceeds 92\% matching and 94\% regeneration in a near zero knowledge setting. These results expose a structural gap between pixel distortion metrics, which are widely used in PPFR evaluation, and real privacy. We show that visual obfuscation leaves identity information broadly exposed to both external intruders and untrusted service providers.
