A promising defense against face biometrics scraping comes up short
Scratch data poisoning off the list of possible tactics to fend off horizon-to-horizon biometric photo-scraping algorithms.
A public-private team of researchers looked at claims that digital photographs (in this case, face photos largely found on social media services) could be altered, or perturbed, just enough to poison facial recognition models training on the changed images.
Poisoning in this case means a model would misidentify scraped images. The initial hope was that people and organizations could use a fairly simple software tool to make face scraping impractical, if not impossible.
Scientists from Google, Stanford University and Oregon State University have posted their findings on the open-access arXiv.org platform. The paper is not peer-reviewed.
They point out that altered photos would have to be so cleverly engineered that they could never be sussed out by face biometrics profiteers. If a better algorithm rises, the perturbed code is as good as cracked.
And, according to their report, black-box access to an attack can train a model to get around the target images. There are other versions of data poisoning, but they seem to count on overly optimistic assumptions.
A number of software-and-service startups, most notably Clearview AI, have laid claim to billions of internet images in order to create biometric databases holding billions of photographs.
Most of the pictures — including those stored by Clearview — have been taken from social media services that expressly prohibit scraping. The practice has annoyed service owners and identity-rights activists.
Clearview sells subscriptions to law enforcement agencies, and police often use the company’s algorithms to identify the images of people picked up on facial recognition networks. (Its services are being used by the Ukraine government, possibly to ID Russian troops and war dead.)