AEGIS: Preserving privacy of 3D Facial Avatars with Adversarial Perturbations

The growing adoption of photorealistic 3D facial avatars, particularly those utilizing efficient 3D Gaussian Splatting representations, introduces new risks of online identity theft, especially in systems that rely on biometric authentication. While effective adversarial masking methods have been developed for 2D images, a significant gap remains in achieving robust, viewpoint-consistent identity protection for dynamic 3D avatars. To address this, we present AEGIS, the first privacy-preserving identity masking framework for 3D Gaussian Avatars that maintains the subject's perceived characteristics. Our method aims to conceal identity-related facial features while preserving the avatar's perceptual realism and functional integrity. AEGIS applies adversarial perturbations to the Gaussian color coefficients, guided by a pre-trained face verification network, ensuring consistent protection across multiple viewpoints without retraining or modifying the avatar's geometry. AEGIS achieves complete de-identification, reducing face retrieval and verification accuracy to 0%, while maintaining high perceptual quality (SSIM = 0.9555, PSNR = 35.52 dB). It also preserves key facial attributes such as age, race, gender, and emotion, demonstrating strong privacy protection with minimal visual distortion.

Key Contributions

• First viewpoint-consistent identity obfuscation method for 3D Gaussian Splatting avatars, perturbing only spherical harmonics color coefficients without modifying geometry
• Multi-viewpoint PGD optimization through a differentiable rendering pipeline ensuring stable de-identification across arbitrary camera poses and animations
• Complete de-identification reducing face retrieval and verification accuracy to 0% while preserving SSIM=0.9555 and facial attributes (age, gender, race, emotion)

🛡️ Threat Analysis

Details

Similar Papers