CR · CV · Feb 11, 2022

Assessing Privacy Risks from Feature Vector Reconstruction Attacks

arXiv:2202.05760v1 · 7 citations
Originality: Incremental advance
AI Analysis

This work addresses privacy risks for users of facial recognition systems by quantifying threats, though it is incremental as it builds on known reconstruction attacks.

The paper tackled the problem of understanding privacy risks from feature vector reconstruction attacks in facial recognition, showing that reconstructed face images enable re-identification by commercial systems and humans at rates up to four times higher than baselines.

In deep neural networks for facial recognition, feature vectors are numerical representations that capture the unique features of a given face. While it is known that a version of the original face can be recovered via "feature reconstruction," we lack an understanding of the end-to-end privacy risks produced by these attacks. In this work, we address this shortcoming by developing metrics that meaningfully capture the threat of reconstructed face images. Using end-to-end experiments and user studies, we show that reconstructed face images enable re-identification by both commercial facial recognition systems and humans, at a rate that is, at worst, a factor of four times higher than randomized baselines. Our results confirm that feature vectors should be recognized as Personal Identifiable Information (PII) in order to protect user privacy.
