Fig. 2. Evaluating small image perturbations as a defense.

(A) Effectiveness of perturbations as a defense against re-identification for k = 1 (i.e., the attacker considers only the top match). Pixel values are normalized to a [0,1] interval, and perturbation strengths ϵ are with respect to these normalized pixel values. It can be seen that prediction accuracy is near zero at a perturbation strength ϵ ≥ 0.01. Moreover, even for very small amounts of adversarial noise, such as ϵ = 0.001, matching success is nearly indistinguishable from random matching if we have at least 20 individuals in a consideration pool. (B) Effectiveness of perturbations that only target sex prediction from a face image. The effect of larger perturbations (ϵ ≥ 0.01) is similar to (A). However, smaller perturbations are considerably less effective. (C) Example images [photo credit: The CelebA Face Dataset (15)] illustrate the visible effect of introducing small perturbations to images. The perturbations are essentially imperceptible to a human until ϵ > 0.01, when the effect becomes clearly visible.