attack 2026

Do Protective Perturbations Really Protect Portrait Privacy under Real-world Image Transformations?

Ruiqing Sun, Xingshan Yao, Zhijing Wu, Tian Lan, Chenhao Cui, Huiyang Zhao, Jialing Shi, Chen Yang, Xianling Mao

0 citations

Published on arXiv: 2604.23688

Output Integrity Attack

OWASP ML Top 10 — ML09

Key Finding

Proposed purification method efficiently removes protective perturbations from portrait images with low computational cost by exploiting vulnerabilities from real-world transformations

TIP-RSR

Novel technique introduced


Proactive defense methods protect portrait images from unauthorized editing or talking face generation (TFG) by introducing pixel-level protective perturbations, and have already attracted increasing attention for privacy protection. In real-world scenarios, images inevitably undergo various transformations during cross-device display and dissemination--such as scale transformations and color compression--that directly alter pixel values. However, it remains unclear whether such pixel-level modifications affect the effectiveness of existing proactive defense methods that rely on pixel-level perturbations. To solve this problem, we conduct a systematic evaluation of representative proactive defenses under image transformation. The evaluated methods are selected to span different generation architectures such as diffusion and GAN-based models, as well as defense scopes covering both portrait and natural images, and are assessed using both qualitative and quantitative metrics for subjective and objective comparison. Experimental results indicate that defense methods based on pixel-level perturbations struggle to withstand common image transformations, posing a risk of defense failure in real-world applications. To further highlight this risk, we propose a simple yet effective purification framework by leveraging the vulnerabilities induced by real-world image transformations. Experimental results demonstrate that the proposed method can efficiently remove protective perturbations with low computational cost, highlighting previously overlooked risks to the research community.


Key Contributions

  • Systematic evaluation showing pixel-level protective perturbations fail under common real-world image transformations (scaling, compression)
  • Simple purification framework leveraging image transformations to efficiently remove protective perturbations with low computational cost
  • Demonstration that proactive portrait privacy defenses are vulnerable in real-world dissemination scenarios

🛡️ Threat Analysis

Output Integrity Attack

The paper evaluates and attacks protective perturbations applied to portrait images to prevent unauthorized editing/deepfakes. These perturbations are content protection schemes (similar to anti-deepfake perturbations or style-transfer protections). The proposed purification method REMOVES these protections via image transformations — this is an attack on content integrity/protection schemes, making it ML09. Even though the protections use adversarial perturbations, removing/defeating them is an ML09 attack on content protection, not an ML01 adversarial example attack.


Details

Domains
vision, generative
Model Types
diffusion, gan
Threat Tags
inference_time, digital
Applications
portrait privacy protection, deepfake prevention, unauthorized image editing prevention