FaceLinkGen: Rethinking Identity Leakage in Privacy-Preserving Face Recognition with Identity Extraction

Transformation-based privacy-preserving face recognition (PPFR) aims to verify identities while hiding facial data from attackers and malicious service providers. Existing evaluations mostly treat privacy as resistance to pixel-level reconstruction, measured by PSNR and SSIM. We show that this reconstruction-centric view fails. We present FaceLinkGen, an identity extraction attack that performs linkage/matching and face regeneration directly from protected templates without recovering original pixels. On three recent PPFR systems, FaceLinkGen reaches over 98.5\% matching accuracy and above 96\% regeneration success, and still exceeds 92\% matching and 94\% regeneration in a near zero knowledge setting. These results expose a structural gap between pixel distortion metrics, which are widely used in PPFR evaluation, and real privacy. We show that visual obfuscation leaves identity information broadly exposed to both external intruders and untrusted service providers.

Key Contributions

• FaceLinkGen attack that extracts usable identity embeddings from protected face templates without pixel-level reconstruction, enabling both identity linkage (>98.5% matching accuracy) and face regeneration (>96% success) against three PPFR systems.
• Demonstration that PSNR/SSIM pixel-distortion metrics fundamentally misalign with real privacy risk, as visual obfuscation does not prevent identity-level leakage.
• Near-zero-knowledge attack variant that still achieves >92% matching and >94% regeneration success without knowledge of the PPFR conversion process.

🛡️ Threat Analysis

Details

Similar Papers