We upload countless personal photos to the internet, which raises some uncomfortable questions: who else has access to them, what might they do with them, and which machine-learning algorithms are being trained on them?
Clearview AI, an American facial recognition company, has already provided US law enforcement agencies with a facial recognition tool trained on millions of such photos scraped from the public web. And that was likely just the start. It’s easy for anyone with basic coding skills to build facial recognition software, which opens the door to abuse of every kind, from sexual harassment and racial discrimination to political oppression and religious persecution.
To address this, researchers need ways to ensure AIs cannot learn from the personal data people upload. Emily Wenger at the University of Chicago and her colleagues developed one of the first tools to do this, called Fawkes.
Most of these tools, including Fawkes, take the same basic approach: they make minute changes to an image that the human eye cannot distinguish but that throw off an AI, causing it to misidentify who is in the photograph. The technique is closely related to adversarial attacks, in which small changes to an input lead deep-learning models to make big mistakes.
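To make the idea concrete, here is a minimal sketch of one classic adversarial attack, the Fast Gradient Sign Method, against a toy model. The "model" is a fixed logistic regression standing in for a deep network; everything here (the names `w`, `predict`, `fgsm_perturb`, and the numbers) is illustrative, not part of Fawkes itself.

```python
import numpy as np

# Toy "model": a fixed logistic regression standing in for a deep network.
rng = np.random.default_rng(0)
w = rng.normal(size=100)  # fixed model weights

def predict(x):
    """Probability the model assigns to class 1 for input x."""
    return 1 / (1 + np.exp(-(x @ w)))

def fgsm_perturb(x, y, eps=0.1):
    """Fast Gradient Sign Method: move each coordinate of x by at most
    eps in the direction that increases the model's loss on label y."""
    grad = (predict(x) - y) * w  # d(cross-entropy)/dx for logistic regression
    return x + eps * np.sign(grad)

# A sample the model confidently places in class 1...
x = 0.3 * w / np.linalg.norm(w)
# ...is pushed across the decision boundary by a tiny per-coordinate change.
x_adv = fgsm_perturb(x, y=1, eps=0.1)

print(predict(x))                 # well above 0.5: class 1
print(predict(x_adv))             # below 0.5: misclassified
print(np.max(np.abs(x_adv - x)))  # each coordinate moved by at most eps
```

The key point is the last line: the perturbation is bounded coordinate-wise, so the adversarial input stays close to the original even though the prediction flips.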
How does Fawkes work?
Fawkes takes a set of selfies as input and adds pixel-level perturbations that stop state-of-the-art facial recognition systems from identifying who is in the photos, while leaving the images apparently unchanged to the human eye.
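One way to picture the "apparently unchanged" constraint is a per-pixel budget: the cloaked image may differ from the original by only a few intensity levels at each pixel. Below is a rough sketch of that idea; `clip_cloak` and the budget value are assumptions for illustration, not Fawkes's actual code.

```python
import numpy as np

def clip_cloak(original, cloaked, budget=8):
    """Force each pixel of `cloaked` to stay within `budget` intensity
    levels of `original` (both uint8 arrays in [0, 255]), keeping the
    perturbation too small for a human viewer to notice."""
    orig = original.astype(np.int16)
    delta = np.clip(cloaked.astype(np.int16) - orig, -budget, budget)
    return np.clip(orig + delta, 0, 255).astype(np.uint8)

# Demo on random "images": however large the raw perturbation, the
# clipped result never strays more than `budget` levels from the original.
rng = np.random.default_rng(1)
img = rng.integers(0, 256, size=(32, 32, 3), dtype=np.uint8)
perturbed = rng.integers(0, 256, size=(32, 32, 3), dtype=np.uint8)
cloaked = clip_cloak(img, perturbed, budget=8)
print(np.max(np.abs(cloaked.astype(int) - img.astype(int))))  # at most 8
```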
The tool was tested against several commercial facial recognition systems, including Amazon’s AWS Rekognition, Microsoft Azure, and Face++. In a small experiment with a data set of 50 images, the team found Fawkes to be 100% effective against all of these systems. Moreover, if a model is trained on tweaked images of a person and then given a fresh image of that person, it fails to recognize them in the new image: the doctored training images stop the tools from forming an accurate representation of that person’s face.
Fawkes can be downloaded from the project website.
Limitations of Fawkes, and an Introduction to LowKey and Unlearnable Examples
Fawkes may prevent a new facial recognition system from learning to recognize a person, but it cannot sabotage existing systems that have already been trained on one’s unprotected images. Valeriia Cherepanova and her colleagues at the University of Maryland, one of the teams presenting at ICLR, recently addressed this gap with a tool called LowKey. LowKey expands on Fawkes by applying perturbations based on a stronger adversarial attack, one that can also fool pretrained commercial models. LowKey is available online.
Erfani and her colleague Daniel Ma at Deakin University, together with researchers at the University of Melbourne and Peking University in Beijing, developed a method to turn images into “unlearnable examples.” Unlike Fawkes and similar tools, unlearnable examples are not based on adversarial attacks. Instead of altering an image so that an AI makes a mistake, the method adds tiny changes that trick the AI into ignoring the image during training, so that when shown the image later, its predictions are no better than random guesses.
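The intuition behind "learning nothing" can be shown with a toy experiment. This is a hypothetical simplification, not the paper's algorithm, and the perturbation is exaggerated for clarity: each poisoned training point carries a label-correlated shortcut pattern, the model trained on the poisoned data latches onto that shortcut, its training loss vanishes before it learns the real feature, and on clean test data it barely beats random guessing.

```python
import numpy as np

rng = np.random.default_rng(0)
d, n = 50, 500

# Clean task: the label is simply the sign of the first feature.
X = rng.normal(size=(n, d))
y = (X[:, 0] > 0).astype(float)

# Poisoned copies: add a strong label-correlated shortcut along a random
# direction u (exaggerated here; real unlearnable noise is imperceptible).
u = rng.normal(size=d)
u /= np.linalg.norm(u)
X_poison = X + 5.0 * np.outer(2 * y - 1, u)

def train_logreg(X, y, lr=0.1, steps=500):
    """Plain logistic regression trained by gradient descent."""
    w = np.zeros(X.shape[1])
    for _ in range(steps):
        logits = np.clip(X @ w, -30, 30)  # clip for numerical stability
        p = 1 / (1 + np.exp(-logits))
        w -= lr * X.T @ (p - y) / len(y)
    return w

# Evaluate both models on a clean test set.
X_test = rng.normal(size=(n, d))
y_test = (X_test[:, 0] > 0).astype(float)

def accuracy(w):
    return np.mean(((X_test @ w) > 0) == y_test)

print(accuracy(train_logreg(X, y)))         # high: learned the real feature
print(accuracy(train_logreg(X_poison, y)))  # close to chance level
```

Because the shortcut makes every poisoned example trivially easy to classify, the gradients dry up almost immediately and the model never needs to learn the genuine feature, which is exactly the failure mode unlearnable examples aim to induce.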
Wenger notes that facial recognition providers keep changing their algorithms, locking the two sides in a cat-and-mouse game, with continuous updates coming from both directions.