Uploading personal photos to the internet can feel like letting go. Who else will have access to them, what will they do with them—and which machine-learning algorithms will they help train?
The company Clearview has already supplied US law enforcement agencies with a facial recognition tool trained on photos of millions of people scraped from the public web. But that was likely just the start. Anyone with basic coding skills can now develop facial recognition software, meaning there is more potential than ever to abuse the tech in everything from sexual harassment and racial discrimination to political oppression and religious persecution.
A number of AI researchers are pushing back and developing ways to make sure AIs can’t learn from personal data. Two of the latest are being presented this week at ICLR, a leading AI conference.
“I don’t like people taking things from me that they’re not supposed to have,” says Emily Wenger at the University of Chicago, who developed one of the first tools to do this, called Fawkes, with her colleagues last summer: “I guess a lot of us had a similar idea at the same time.”
Data poisoning isn’t new. Actions like deleting data that companies have on you, or deliberating polluting data sets with fake examples, can make it harder for companies to train accurate machine-learning models. But these efforts typically require collective action, with hundreds or thousands of people participating, to make an impact. The difference with these new techniques is that they work on a single person’s photos.
“This technology can be used as a key by an individual to lock their data,” says Daniel Ma at Deakin University in Australia. “It’s a new frontline defense for protecting people’s digital rights in the age of AI.”
Hiding in plain sight
Most of the tools, including Fawkes, take the same basic approach. They make tiny changes to an image that are hard to spot with a human eye but throw off an AI, causing it to misidentify who or what it sees in a photo. This technique is very close to a kind of adversarial attack, where small alterations to input data can force deep-learning models to make big mistakes.
Give Fawkes a bunch of selfies and it will add pixel-level perturbations to the images that stop state-of-the-art facial recognition systems from identifying who is in the photos. Unlike previous ways of doing this, such as wearing AI-spoofing face paint, it leaves the images apparently unchanged to humans.
Wenger and her colleagues tested their tool against several widely used commercial facial recognition systems, including Amazon’s AWS Rekognition, Microsoft Azure, and Face++, developed by the Chinese company Megvii Technology. In a small experiment with a data set of 50 images, Fawkes was 100% effective against all of them, preventing models trained on tweaked images of people from later recognizing images of those people in fresh images. The doctored training images had stopped the tools from forming an accurate representation of those people’s faces.
Fawkes has already been downloaded nearly half a million times from the project website. One user has also built an online version, making it even easier for people to use (though Wenger won’t vouch for third parties using the code, warning: “You don’t know what’s happening to your data while that person is processing it”). There’s not yet a phone app, but there’s nothing stopping somebody from making one, says Wenger.
Fawkes may keep a new facial recognition system from recognizing you—the next Clearview, say. But it won’t sabotage existing systems that have been trained on your unprotected images already. The tech is improving all the time, however. Wenger thinks that a tool developed by Valeriia Cherepanova and her colleagues at the University of Maryland, one of the teams at ICLR this week, might address this issue.
Called LowKey, the tool expands on Fawkes by applying perturbations to images based on a stronger kind of adversarial attack, which also fools pretrained commercial models. Like Fawkes, LowKey is also available online.
Ma and his colleagues have added an even bigger twist. Their approach, which turns images into what they call unlearnable examples, effectively makes an AI ignore your selfies entirely. “I think it’s great,” says Wenger. “Fawkes trains a model to learn something wrong about you, and this tool trains a model to learn nothing about you.”
Unlike Fawkes and its followers, unlearnable examples are not based on adversarial attacks. Instead of introducing changes to an image that force an AI to make a mistake, Ma’s team adds tiny changes that trick an AI into ignoring it during training. When presented with the image later, its evaluation of what’s in it will be no better than a random guess.
Unlearnable examples may prove more effective than adversarial attacks, since they cannot be trained against. The more adversarial examples an AI sees, the better it gets at recognizing them. But because Ma and his colleagues stop an AI from training on images in the first place, they claim this won’t happen with unlearnable examples.
Wenger is resigned to an ongoing battle, however. Her team recently noticed that Microsoft Azure’s facial recognition service was no longer spoofed by some of their images. “It suddenly somehow became robust to cloaked images that we had generated,” she says. “We don’t know what happened.”
Microsoft may have changed its algorithm, or the AI may simply have seen so many images from people using Fawkes that it learned to recognize them. Either way, Wenger’s team released an update to their tool last week that works against Azure again. “This is another cat-and-mouse arms race,” she says.
For Wenger, this is the story of the internet. “Companies like Clearview are capitalizing on what they perceive to be freely available data and using it to do whatever they want,” she says.”
Regulation might help in the long run, but that won’t stop companies from exploiting loopholes. “There’s always going to be a disconnect between what is legally acceptable and what people actually want,” she says. “Tools like Fawkes fill that gap.”
“Let’s give people some power that they didn’t have before,” she says.