Posted on 05/12/2021 3:53:23 PM PDT by LibWhacker
Uploading personal photos to the internet can feel like letting go. Who else will have access to them, what will they do with them—and which machine-learning algorithms will they help train?
The company Clearview has already supplied US law enforcement agencies with a facial recognition tool trained on photos of millions of people scraped from the public web. But that was likely just the start. Anyone with basic coding skills can now develop facial recognition software, meaning there is more potential than ever to abuse the tech in everything from sexual harassment and racial discrimination to political oppression and religious persecution. Related Story This is how we lost control of our faces
The largest ever study of facial-recognition data shows how much the rise of deep learning has fueled a loss of privacy.
A number of AI researchers are pushing back and developing ways to make sure AIs can’t learn from personal data. Two of the latest are being presented this week at ICLR, a leading AI conference.
“I don't like people taking things from me that they're not supposed to have,” says Emily Wenger at the University of Chicago, who developed one of the first tools to do this, called Fawkes, with her colleagues last summer: “I guess a lot of us had a similar idea at the same time.”
Data poisoning isn’t new. Actions like deleting data that companies have on you, or deliberating polluting data sets with fake examples, can make it harder for companies to train accurate machine-learning models. But these efforts typically require collective action, with hundreds or thousands of people participating, to make an impact. The difference with these new techniques is that they work on a single person's photos.
“This technology can be used as a key by an individual to lock their data,” says Sarah Erfani at the University of Melbourne in Australia. “It’s a new frontline defense for protecting people’s digital rights in the age of AI.” Hiding in plain sight
Most of the tools, including Fawkes, take the same basic approach. They make tiny changes to an image that are hard to spot with a human eye but throw off an AI, causing it to misidentify who or what it sees in a photo. This technique is very close to a kind of adversarial attack, where small alterations to input data can force deep-learning models to make big mistakes.
Give Fawkes a bunch of selfies and it will add pixel-level perturbations to the images that stop state-of-the-art facial recognition systems from identifying who is in the photos. Unlike previous ways of doing this, such as wearing AI-spoofing face paint, it leaves the images apparently unchanged to humans.
Wenger and her colleagues tested their tool against several widely used commercial facial recognition systems, including Amazon’s AWS Rekognition, Microsoft Azure, and Face++, developed by the Chinese company Megvii Technology. In a small experiment with a data set of 50 images, Fawkes was 100% effective against all of them, preventing models trained on tweaked images of people from later recognizing images of those people in fresh images. The doctored training images had stopped the tools from forming an accurate representation of those people’s faces. Related Story The NYPD used a controversial facial recognition tool. Here’s what you need to know.
Newly-released emails show New York police have been widely using the controversial Clearview AI facial recognition system—and making misleading statements about it.
Fawkes has already been downloaded nearly half a million times from the project website. One user has also built an online version, making it even easier for people to use (though Wenger won’t vouch for third parties using the code, warning: “You don't know what's happening to your data while that person is processing it”). There’s not yet a phone app, but there’s nothing stopping somebody from making one, says Wenger.
Fawkes may keep a new facial recognition system from recognizing you—the next Clearview, say. But it won’t sabotage existing systems that have been trained on your unprotected images already. The tech is improving all the time, however. Wenger thinks that a tool developed by Valeriia Cherepanova and her colleagues at the University of Maryland, one of the teams at ICLR this week, might address this issue.
Called LowKey, the tool expands on Fawkes by applying perturbations to images based on a stronger kind of adversarial attack, which also fools pretrained commercial models. Like Fawkes, LowKey is also available online.
Erfani and her colleagues have added an even bigger twist. Together with Daniel Ma at Deakin University, and researchers at the University of Melbourne and Peking University in Beijing, Erfani has developed a way to turn images into "unlearnable examples," which effectively make an AI ignore your selfies entirely. “I think it’s great,” says Wenger. “Fawkes trains a model to learn something wrong about you, and this tool trains a model to learn nothing about you.” Images of me scraped from the web (top) are turned into unlearnable examples (bottom) that a facial recognition system will ignore. (Credit to Sarah Erfani, Daniel Ma and colleagues)
Unlike Fawkes and its followers, unlearnable examples are not based on adversarial attacks. Instead of introducing changes to an image that force an AI to make a mistake, Ma’s team adds tiny changes that trick an AI into ignoring it during training. When presented with the image later, its evaluation of what’s in it will be no better than a random guess.
Unlearnable examples may prove more effective than adversarial attacks, since they cannot be trained against. The more adversarial examples an AI sees, the better it gets at recognizing them. But because Erfani and her colleagues stop an AI from training on images in the first place, they claim this won’t happen with unlearnable examples.
Wenger is resigned to an ongoing battle, however. Her team recently noticed that Microsoft Azure’s facial recognition service was no longer spoofed by some of their images. “It suddenly somehow became robust to cloaked images that we had generated,” she says. “We don’t know what happened.”
Microsoft may have changed its algorithm, or the AI may simply have seen so many images from people using Fawkes that it learned to recognize them. Either way, Wenger’s team released an update to their tool last week that works against Azure again. “This is another cat-and-mouse arms race,” she says.
For Wenger, this is the story of the internet. “Companies like Clearview are capitalizing on what they perceive to be freely available data and using it to do whatever they want,” she says.”
Regulation might help in the long run, but that won’t stop companies from exploiting loopholes. “There’s always going to be a disconnect between what is legally acceptable and what people actually want,” she says. “Tools like Fawkes fill that gap.”
“Let’s give people some power that they didn’t have before,” she says.
Am I the only one who doesn’t do selfies, and has never even used the camera on my cell phone?
Thanks for the ping. I’m number five most of the time.
Except when reading something about BuckFiden or his handlers. Then I’m a combo of numbers seven and ten :)
They have recognition software for that as well. It’s called the “tool tool”.
Couple coats of black fingernail polish works well.
No you are not... See #24. :)
What about people who do not take selfies but our idiot family members take pictures at the reunion and plaster our face and name all over their stupid fakebook accounts?
'Course, it's a little more complicated than that. That's why they'd like to have more than just a picture of your eyes and ears. But eyes and ears could do it, or at least significantly narrow down the probability they've misidentified you.
Good point. I knew there was reason I didn’t go to that reunion!
Now I’m worried about using an ATM card, credit card, etc. Aren’t there cameras capturing it all? And they have your name and everything because you used your card.
I have always kept my name and photo private.
Call it paranoia but in these days where nit-wits track people down and harass them for stupid junk it has always seemed like a wise policy.
Not happy about it being violated because they wanted to brag.
😂🤣🥸
Hurtling headlong into the abyss.
And the Gods of the Copybook Headings limped up to explain it once more.
Simple. Don’t do selfies.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.