DivTrackee versus DynTracker: Promoting Diversity in Anti-Facial Recognition against Dynamic FR Strategy
Wenshu Fan 1,2, Minxing Zhang 1,2, Hongwei Li 1, Wenbo Jiang 1, Hanxiao Chen 1,3, Xiangyu Yue 3, Michael Backes 2, Xiao Zhang 2
1 University of Electronic Science and Technology of China
Published on arXiv: 2501.06533
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
DynTracker defeats all existing AFR methods, while DivTrackee successfully prevents user facial images from being identified by dynamic FR strategies across multiple benchmarks and feature extractors.
Novel technique introduced: DivTrackee / DynTracker
The widespread adoption of facial recognition (FR) models raises serious concerns about their potential misuse, motivating the development of anti-facial recognition (AFR) to protect user facial privacy. In this paper, we argue that the static FR strategy, predominantly adopted in prior literature for evaluating AFR efficacy, cannot faithfully characterize the actual capabilities of determined trackers who aim to track a specific target identity. In particular, we introduce DynTracker, a dynamic FR strategy where the model's gallery database is iteratively updated with newly recognized target identity images. Surprisingly, such a simple approach renders all the existing AFR protections ineffective. To mitigate the privacy threats posed by DynTracker, we advocate for explicitly promoting diversity in the AFR-protected images. We hypothesize that the lack of diversity is the primary cause of the failure of existing AFR methods. Specifically, we develop DivTrackee, a novel method for crafting diverse AFR protections that builds upon a text-guided image generation framework and diversity-promoting adversarial losses. Through comprehensive experiments on various image benchmarks and feature extractors, we demonstrate DynTracker's strength in breaking existing AFR methods and the superiority of DivTrackee in preventing user facial images from being identified by dynamic FR strategies. We believe our work can act as an important initial step towards developing more effective AFR methods for protecting user facial privacy against determined trackers.
Key Contributions
- DynTracker: a dynamic FR strategy that iteratively updates the gallery with newly recognized target images, defeating all existing AFR protections
- DivTrackee: a diversity-promoting AFR defense built on text-guided image generation with adversarial losses that prevents identification under dynamic FR strategies
- Demonstrates that lack of diversity in protected images is the primary cause of failure for existing AFR methods
Threat Analysis
Anti-facial recognition (AFR) is fundamentally about crafting adversarial input perturbations that cause facial recognition models to fail at inference time. DynTracker is an adaptive strategy that defeats existing adversarial perturbation defenses by iteratively updating the gallery database. DivTrackee proposes novel diversity-promoting adversarial losses to craft stronger input perturbations that evade even dynamic FR strategies.