
Reversible anonymization for privacy of facial biometrics via cyclic learning

Abstract

Facial recognition systems have emerged as indispensable components of identity verification. These systems rely heavily on facial data stored in biometric databases, but storing such data raises concerns about privacy breaches. To address this issue, several technologies have been proposed for protecting facial biometrics. Unfortunately, many of these methods cause irreversible damage to the data, rendering it unusable for other purposes. In this paper, we propose a novel reversible anonymization scheme for face images via cyclic learning. In our scheme, face images can be de-identified for privacy protection and re-identified when necessary. To achieve this, we employ generative adversarial networks with a cycle consistency loss function to learn the bidirectional transformation between the de-identified and re-identified domains. Experimental results demonstrate that our scheme performs well in terms of both de-identification and re-identification. Furthermore, a security analysis validates the effectiveness of our system in mitigating potential attacks.

1 Introduction

Facial recognition technology is designed to identify and authenticate individuals [1,2,3,4,5]. This process involves analyzing facial features, including the position, shape, and spacing of the eyes, nose, and mouth, which are then compared with pre-stored data in the biometric databases to verify the individual’s identity. Nowadays, this technology has found widespread applications across various domains, including security surveillance, mobile phone unlocking, financial transactions, and more [6,7,8,9,10]. However, the widespread adoption of facial recognition systems has raised concerns regarding unauthorized access and potential misuse of sensitive biometric data stored in the associated databases. In response to these challenges, facial anonymization has emerged as a viable solution [11].

Anonymization is the process of removing or altering personally identifiable information (PII) from data sources to safeguard individuals’ privacy. Techniques include eliminating direct identifiers such as names and social security numbers [12], employing data generalization to reduce specificity [13], and introducing noise to obfuscate sensitive information [14]. These methods are employed to ensure that the data cannot be traced back to specific individuals, thus preserving their privacy. Within this context, facial anonymization emerges as a specialized subset aimed at removing or altering facial features in images or video, making it challenging or even impossible to identify individuals. Through facial image anonymization techniques, identity information within the facial region is effectively erased, preventing unauthorized third parties from discerning the identity of any specific individual from a protected face.

While the primary objective of facial anonymization techniques is to safeguard individuals’ privacy, the potential reversibility of these procedures also warrants consideration [15]. Certain scenarios, particularly within law enforcement or medical research, may necessitate the restoration of anonymized data to its original form for investigative or analytical purposes. Consequently, the development of reversible facial anonymization methodologies is crucial, enabling the restoration of facial features while preserving privacy. It is noteworthy that reversing the anonymization process involves converting obscured or altered data back into its original form, potentially reintroducing sensitive information. Hence, within the framework of reversible facial anonymization, robust measures should be implemented to ensure that only authorized individuals can execute the reversal process.

Motivated by the application requirements above, we propose a reversible anonymization scheme for facial privacy via cyclic learning. The contributions of the proposed scheme are summarized as follows:

  • (1) We present a facial anonymization system that effectively obscures facial features within the facial region, thereby safeguarding the privacy of underlying identity information.

  • (2) Our system incorporates reversibility, enabling the restoration of anonymized facial features as needed. Additionally, the recovered images retain a high level of fidelity, ensuring accurate representation.

  • (3) The proposed method demonstrates a certain level of security and provides resistance against potential security attacks.

The organization of this paper is as follows. Section 2 reviews existing face anonymization methods for privacy protection. Section 3 presents the proposed privacy-preserving face anonymization scheme. Section 4 details the implementation of our reversible anonymization scheme. Section 5 evaluates the performance of the proposed model and compares it with state-of-the-art methods. Finally, Sect. 6 concludes the paper.

2 Related works

Numerous researchers have developed face anonymization techniques to protect identity information in facial images. As easily applied anonymization primitives, masking [16], blurring [17], and mosaicking (pixelization) [18,19,20] are extensively used in commercial face privacy-preserving applications. To evaluate how well these three techniques balance privacy protection and image intelligibility, a study conducted a subjective evaluation through crowdsourcing [21]. The study revealed that masking tends to degrade the visual experience most. Moreover, it was observed that blurring provides weak privacy protection and may expose sensitive information. A subsequent study [22] further investigated the effectiveness of blurring and mosaicking by evaluating human observers’ ability to extract information from images processed with varying degrees of each. The results demonstrated that mosaicking generally provides better privacy protection than blurring at most levels. We can therefore conclude that, compared to masking and blurring, mosaicking offers a better trade-off between intelligibility and privacy.

Recent advancements have introduced facial anonymization techniques based on deep neural networks (DNNs). In 2017, Meden et al. proposed a facial de-identification method that utilizes generative neural networks (GNNs) to synthesize artificial surrogate faces [23]; each generated face is composed of multiple identities selected from a predefined gallery. Subsequently, Sun et al. introduced a hybrid approach that combines a data-driven method with a parametric face model [24], replacing the identity-related components of the facial parameter vectors and employing generative adversarial networks (GANs) to further refine image quality. Building upon the face attribute transfer model (FATM), Li and Lyu transferred non-identity-related facial attributes from original faces to donor faces [25]; however, this approach requires a computationally demanding face alignment step. Later, DeepPrivacy was introduced, which anonymizes facial images while preserving the original data distribution [26]. While these anonymization techniques effectively obscure personal identity information within face images, they also cause irreparable damage to the original data. In scenarios where the original data must be restored, such methods are therefore inadequate.

As a consequence, the notion of reversibility has been introduced. Based on a spatial relocation algorithm, Cichowski and Czyzewski presented a reversible anonymization method that permutes the pixel ordering within the region of interest (ROI) for privacy protection [27]. Later, Yamaç et al. combined a multi-level encryption scheme with compressive sensing to obtain a reversible privacy-preserving method [28]. In 2020, Gu et al. introduced a face identity transformer network in which identity alteration is conditioned on a password; the network generates multiple anonymized face images corresponding to different passwords and reconstructs the original face image only when the correct password is provided [29]. Following that, Cao et al. proposed a personalized and invertible de-identification method based on deep generative models [30], introducing a user-specific password to control the direction and degree of identity alteration through adjustable parameters. In 2022, a reversible face de-identification method for video surveillance data was presented [31]. This method optimizes two main components: a public module, which receives the original data and generates the de-identified stream, and a private module, intended for legal or security authorities, which analyzes the public stream and reconstructs the original data. Although the authors of these methods claim to anonymize identity-related biometrics, the remaining biometrics could still be collected and exploited for other purposes.

3 Methodology

Reversible facial anonymization has emerged as a promising solution for effectively balancing privacy preservation and data utility in facial protection. However, many existing methods preserve partial facial biometrics in anonymized images that may still contain information the image owner wishes to keep undisclosed. To address this issue, we propose a novel reversible anonymization system that globally anonymizes facial biometrics, thereby preventing access to underlying identity information. Moreover, the de-identified facial features can be re-identified to provide data utility for authorized users. Further details regarding our proposed system will be presented in subsequent sections.

3.1 Reversible anonymization system

Figure 1 depicts the schematic diagram of the proposed reversible anonymization system. The system consists of two sub-networks: the de-identification network (De-ID network) and the re-identification network (Re-ID network). To protect the ID image \(X\), the De-ID network de-identifies the facial biometrics and generates the De-ID image \(Y=\text{De-ID}(X)\), in which the face region is globally pixelated. Conversely, the Re-ID network re-identifies the de-identified facial biometrics and generates the re-identified (Re-ID) image \(\widetilde{X}=\text{Re-ID}(Y)\). The primary objective of our reversible anonymization system is to optimize the De-ID and Re-ID networks such that \(X\ne Y\) and \(X\approx \widetilde{X}\) at the identity level.

Fig. 1 Schematic diagram of the proposed reversible anonymization scheme

3.2 System properties

This section explores the key properties of the proposed reversible anonymization system. It is widely recognized that faces contain numerous biometric features, such as the eyes, nose, mouth, eyebrows, chin, cheeks, and other facial structures, each of which contributes to an individual’s distinctive appearance. Notably, apart from features directly related to an individual’s identity, indirectly related features can also be integrated and analyzed to determine identity. Therefore, merely obscuring biometric features directly related to identity is insufficient. In our system, we globally de-identify facial features by pixelation through the De-ID network. This process, illustrated in Fig. 1, renders facial features unrecognizable, thereby safeguarding the privacy of the face image. Consequently, the ID image and the De-ID image generated by the De-ID network do not share the same identity, as depicted in Fig. 2.

Fig. 2 Anonymity describes a mismatch of identity between De-ID and ID images

However, as a consequence of this de-identification process, the face image loses its inherent usability. To maintain the usability of face images, our Re-ID networks restore the De-ID image to its original form, as shown in Fig. 1. The Re-ID image not only matches the ID image in terms of identity but also demonstrates a high level of fidelity, as illustrated in Fig. 3. It is crucial to acknowledge that the reversible process could also result in the re-leakage of sensitive information. Hence, stringent access restrictions, such as the use of cryptographic keys, must be enforced on the Re-ID network in practical applications.

Fig. 3 Reversibility describes a match of identity between Re-ID and ID images

Although the proposed reversible face anonymization system effectively achieves the goals of de-identifying and re-identifying face images, it is crucial to recognize the inherent value of such data and the susceptibility of privacy-protected systems to third-party attacks. Hence, security becomes an imperative evaluation factor in refining our scheme. Among the various third-party attacks, model theft attacks are the most prevalent and damaging. In this type of attack, the attacker issues API requests to obtain the output of the proposed system, thereby acquiring a local training set. With this local training set, the attacker can train a local system capable of performing the same task. Notably, if the attacker possesses knowledge of the proposed system’s structure, the locally trained system can be equally effective. However, even with an identical network model and training data, we anticipate that a forged Re-ID network cannot accurately recover the genuine Re-ID image from the De-ID image generated by the proposed system. In other words, the Re-ID image generated by the forged Re-ID network cannot match the identity of the Re-ID image generated by the proposed system, as illustrated in Fig. 4.

Fig. 4 Security describes a mismatch between Re-ID and ID images, where the Re-ID image is generated via an attacker’s model

4 Model implementation

In this section, we present the details of the system implementation. First, we describe the system architecture of our scheme. Next, we explain the loss functions employed. Finally, we introduce the datasets used for training and testing the proposed system.

4.1 Architecture

Cyclic learning learns features from different domains by circulating data between them. This matches the concept of the proposed system, i.e., learning the properties of the face image domain and the face mosaic domain and transforming data between them. Consequently, most neural networks based on cyclic learning can be used to implement the proposed system. Cycle-consistent adversarial networks (CycleGAN) [32] have garnered considerable attention as a prominent application of cyclic learning in computer vision, facilitating image style transformation between different domains. Figure 5 shows the schematic diagram of CycleGAN. It comprises four sub-networks, \(\mathcal{G}\), \(\mathcal{F}\), \(\mathcal{D}_{\mathcal{X}}\), and \(\mathcal{D}_{\mathcal{Y}}\), where \(\mathcal{G}\) and \(\mathcal{F}\) serve as generators, while \(\mathcal{D}_{\mathcal{X}}\) and \(\mathcal{D}_{\mathcal{Y}}\) function as discriminators. Both \(\mathcal{G}\) and \(\mathcal{F}\) generate images in their target domains, each comprising two convolutional layers, nine residual blocks, and two deconvolutional layers. Meanwhile, \(\mathcal{D}_{\mathcal{X}}\) and \(\mathcal{D}_{\mathcal{Y}}\) adopt a \(70\times 70\) PatchGAN structure to push the generated images toward the target domain, i.e., \(\mathcal{D}_{\mathcal{Y}}\) drives the image \(Y\) generated by \(\mathcal{G}\) toward the real images in domain \(\mathcal{Y}\), and \(\mathcal{D}_{\mathcal{X}}\) drives the image \(X\) generated by \(\mathcal{F}\) toward the real images in domain \(\mathcal{X}\). Moreover, to stabilize training, a cyclic consistency loss constrains images passed through the two generators in sequence to return to their original domain, i.e., \(\widetilde{X}=\mathcal{F}(\mathcal{G}(X))\) is constrained to the \(\mathcal{X}\) domain and \(\widetilde{Y}=\mathcal{G}(\mathcal{F}(Y))\) to the \(\mathcal{Y}\) domain. On this basis, CycleGAN is employed for face anonymization in this study: face images and pixelated face images are mutually transformed, with each serving as the target domain of the other.

Fig. 5 The schematic diagram of CycleGAN
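For concreteness, the structures described above can be sketched in PyTorch, the framework used for our implementation (Sect. 5). The sketch below follows the CycleGAN reference design: a ResNet-style generator with two downsampling convolutions, nine residual blocks, and two deconvolutions, plus a 70×70 PatchGAN discriminator. Class names and minor hyperparameters (e.g., a base channel width of 64) are our own assumptions rather than details taken from the paper.

```python
import torch.nn as nn

class ResidualBlock(nn.Module):
    """Two 3x3 convolutions with a skip connection, as in the CycleGAN generator."""
    def __init__(self, dim):
        super().__init__()
        self.block = nn.Sequential(
            nn.ReflectionPad2d(1), nn.Conv2d(dim, dim, 3),
            nn.InstanceNorm2d(dim), nn.ReLU(inplace=True),
            nn.ReflectionPad2d(1), nn.Conv2d(dim, dim, 3),
            nn.InstanceNorm2d(dim),
        )

    def forward(self, x):
        return x + self.block(x)

class ResnetGenerator(nn.Module):
    """Generator (G or F): 2 downsampling convolutions, 9 residual blocks, 2 deconvolutions."""
    def __init__(self, ch=64):
        super().__init__()
        layers = [nn.ReflectionPad2d(3), nn.Conv2d(3, ch, 7),
                  nn.InstanceNorm2d(ch), nn.ReLU(inplace=True)]
        for mult in (1, 2):  # two stride-2 downsampling convolutions
            layers += [nn.Conv2d(ch * mult, ch * mult * 2, 3, stride=2, padding=1),
                       nn.InstanceNorm2d(ch * mult * 2), nn.ReLU(inplace=True)]
        layers += [ResidualBlock(ch * 4) for _ in range(9)]  # nine residual blocks
        for mult in (4, 2):  # two transposed (deconvolutional) upsampling layers
            layers += [nn.ConvTranspose2d(ch * mult, ch * mult // 2, 3, stride=2,
                                          padding=1, output_padding=1),
                       nn.InstanceNorm2d(ch * mult // 2), nn.ReLU(inplace=True)]
        layers += [nn.ReflectionPad2d(3), nn.Conv2d(ch, 3, 7), nn.Tanh()]
        self.model = nn.Sequential(*layers)

    def forward(self, x):
        return self.model(x)

class PatchDiscriminator(nn.Module):
    """70x70 PatchGAN: classifies overlapping image patches as real or generated."""
    def __init__(self, ch=64):
        super().__init__()
        layers, in_ch = [], 3
        for out_ch, stride in [(ch, 2), (ch * 2, 2), (ch * 4, 2), (ch * 8, 1)]:
            layers += [nn.Conv2d(in_ch, out_ch, 4, stride=stride, padding=1),
                       nn.InstanceNorm2d(out_ch), nn.LeakyReLU(0.2, inplace=True)]
            in_ch = out_ch
        layers += [nn.Conv2d(in_ch, 1, 4, stride=1, padding=1)]  # patch-wise logits
        self.model = nn.Sequential(*layers)

    def forward(self, x):
        return self.model(x)
```

Instantiating two `ResnetGenerator` objects yields \(\mathcal{G}\) (the De-ID mapping) and \(\mathcal{F}\) (the Re-ID mapping), while two `PatchDiscriminator` objects play the roles of \(\mathcal{D}_{\mathcal{X}}\) and \(\mathcal{D}_{\mathcal{Y}}\).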

4.2 Loss function

The overall objective of our reversible face anonymization system based on CycleGAN is expressed as follows:

$$L_{A} = L_{\text{GAN}(\mathcal{X}\to \mathcal{Y})} + L_{\text{GAN}(\mathcal{Y}\to \mathcal{X})} + L_{cyc},$$
(1)

where \(L_{\text{GAN}(\mathcal{X}\to \mathcal{Y})}\) and \(L_{\text{GAN}(\mathcal{Y}\to \mathcal{X})}\) are the adversarial losses and \(L_{cyc}\) is the cyclic consistency loss.

Based on the system architecture described above, there are two mappings between the \(\mathcal{X}\) domain and the \(\mathcal{Y}\) domain. For the mapping \(\mathcal{X}\to \mathcal{Y}\), the adversarial loss \(L_{\text{GAN}(\mathcal{X}\to \mathcal{Y})}\) is defined as follows:

$$L_{\text{GAN}(\mathcal{X}\to \mathcal{Y})} = \mathbb{E}_{y\sim p_{\text{data}}(y)}[\log \mathcal{D}_{\mathcal{Y}}(y)] + \mathbb{E}_{x\sim p_{\text{data}}(x)}[\log (1-\mathcal{D}_{\mathcal{Y}}(\mathcal{G}(x)))].$$
(2)

In this mapping, \(\mathcal{G}\) is devoted to generating an image \(Y=\text{De-ID}(X)\) that resembles the real images in domain \(\mathcal{Y}\), while \(\mathcal{D}_{\mathcal{Y}}\) strives to distinguish the generated image \(Y\) from the real images in domain \(\mathcal{Y}\), i.e., \(y\). Therefore, \(\mathcal{G}\) aims to minimize this adversarial objective \(L_{\text{GAN}(\mathcal{X}\to \mathcal{Y})}\), while \(\mathcal{D}_{\mathcal{Y}}\) aims to maximize it. The adversarial loss \(L_{\text{GAN}(\mathcal{Y}\to \mathcal{X})}\) is defined as follows:

$$L_{\text{GAN}(\mathcal{Y}\to \mathcal{X})} = \mathbb{E}_{x\sim p_{\text{data}}(x)}[\log \mathcal{D}_{\mathcal{X}}(x)] + \mathbb{E}_{y\sim p_{\text{data}}(y)}[\log (1-\mathcal{D}_{\mathcal{X}}(\mathcal{F}(y)))],$$
(3)

which is defined analogously to \(L_{\text{GAN}(\mathcal{X}\to \mathcal{Y})}\).

Cyclic consistency loss is employed to ensure consistency between the original image and the reconstructed image. To achieve the desired outcomes \(X\approx \widetilde{X}\) and \(Y\approx \widetilde{Y}\), we use the cyclic consistency loss \({L}_{cyc}\), which is formulated as follows:

$${L}_{cyc} = {||\widetilde{X} -X ||}_{1}+ {||\widetilde{Y}- Y||}_{1}.$$
(4)

In this equation, \(\widetilde{X}=\mathcal{F}(\mathcal{G}(X))\) and \(\widetilde{Y}=\mathcal{G}(\mathcal{F}(Y))\), and the distance between the original and reconstructed images is computed using the pixel-wise L1 norm \({||\cdot||}_{1}\), which measures the absolute difference between corresponding pixels.
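A minimal PyTorch sketch of how Eqs. (1)-(4) translate into training code is given below. Following common practice (and the LSGAN objective noted in Sect. 5.3), a least-squares surrogate replaces the log terms; the weighting factor `lam` and all function names are our own, with `lam = 1` corresponding to the unweighted sum in Eq. (1) (CycleGAN itself typically weights the cycle term more heavily, e.g., by 10).

```python
import torch
import torch.nn as nn

l1 = nn.L1Loss()
adv = nn.MSELoss()  # least-squares surrogate for the log terms (LSGAN)

def generator_objective(G, F, D_X, D_Y, x, y, lam=1.0):
    """Generator side of Eq. (1): adversarial terms of Eqs. (2)-(3)
    plus the cyclic consistency term of Eq. (4)."""
    fake_y, fake_x = G(x), F(y)  # De-ID image and the reverse mapping
    # fool the discriminators: generated samples should be scored as real
    loss_gan = adv(D_Y(fake_y), torch.ones_like(D_Y(fake_y))) + \
               adv(D_X(fake_x), torch.ones_like(D_X(fake_x)))
    # round trips must return to the source domain: F(G(x)) ~ x, G(F(y)) ~ y
    loss_cyc = l1(F(fake_y), x) + l1(G(fake_x), y)
    return loss_gan + lam * loss_cyc

def discriminator_objective(D, real, fake):
    """Discriminator side: score real images toward 1, generated images toward 0."""
    return 0.5 * (adv(D(real), torch.ones_like(D(real))) +
                  adv(D(fake.detach()), torch.zeros_like(D(fake.detach()))))
```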

4.3 Training dataset

To train our system, we initially selected 924 images from the CelebA [33] dataset. These images were divided into two distinct sub-training datasets: one of natural face images and another of pixelated face images. The images in the pixelated face dataset were produced by pixelating the face region detected with OpenCV’s cascade classifier (“CV.CascadeClassifier”). The size of each pixelated block was set to \(\text{min}(M, N)/20\times \text{min}(M, N)/20\), where \(M\) and \(N\) denote the height and width of the face region. Our system was evaluated using two test datasets, CelebA and FFHQ [34]. It is important to clarify that the CelebA images used for testing do not overlap with those used for training the system.
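As an illustration, the pixelated training domain can be prepared along the following lines. The sketch uses OpenCV’s Haar-cascade face detector and mirrors the block-size rule min(M, N)/20 stated above; the file names are placeholders, and the detector parameters are our own choices.

```python
import cv2

# Haar-cascade frontal face detector shipped with OpenCV
cascade = cv2.CascadeClassifier(
    cv2.data.haarcascades + "haarcascade_frontalface_default.xml")

def pixelate_faces(img):
    """Pixelate each detected face region with block size min(M, N) // 20."""
    gray = cv2.cvtColor(img, cv2.COLOR_BGR2GRAY)
    for (x, y, w, h) in cascade.detectMultiScale(gray, 1.1, 5):
        block = max(1, min(h, w) // 20)  # block-size rule from Sect. 4.3
        face = img[y:y + h, x:x + w]
        # downscale, then upscale with nearest-neighbour to create mosaic blocks
        small = cv2.resize(face, (max(1, w // block), max(1, h // block)),
                           interpolation=cv2.INTER_LINEAR)
        img[y:y + h, x:x + w] = cv2.resize(small, (w, h),
                                           interpolation=cv2.INTER_NEAREST)
    return img

pixelated = pixelate_faces(cv2.imread("celeba_sample.jpg"))  # placeholder path
cv2.imwrite("celeba_sample_pixelated.jpg", pixelated)
```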

5 Experiments

In this section, we conduct a series of experiments to evaluate the performance of the proposed reversible face anonymization system. Our experiments begin with intuitive perception and quantitative criteria to measure the anonymity and reversibility of the system. Furthermore, we analyze the system’s capability to withstand potential attacks. The proposed reversible anonymization scheme is implemented using PyTorch, with acceleration provided by an NVIDIA RTX 3090 GPU.

5.1 Anonymity analysis

We first evaluate the anonymity performance by visual inspection. Figure 6 presents the de-identification results obtained by our De-ID network. The face regions in the four De-ID images are globally pixelated, and none of the facial features is exposed, thus preventing the retrieval of identifying information from the images. Next, we assess the anonymization accuracy. Complex regions in images tend to contain more detailed information than smoother regions. In face images, complex regions typically contain facial features such as the eyes and the nose, which may reveal individual identities, whereas smoother regions, such as the skin, exhibit fewer distinctive facial features. It is important to highlight that our system implements de-identification through pixelation, which reduces the complexity within each pixelated block. Thus, we can quantify the anonymization accuracy by examining changes in complex pixels before and after the anonymization process. In the implementation, we first compute the complexity of each pixel in both the ID and De-ID images as follows:

$$P(x) =\sum_{i=1}^{8}\left(d_{x,i}-\overline{d}_{x}\right)^{2},$$
(5)

where \(P(x)\) denotes the complexity of pixel \(x\), \(d_{x,i}\) represents the gradient of the \(i\)-th neighboring pixel relative to pixel \(x\) within a \(3\times 3\) neighborhood, and \(\overline{d}_{x}\) denotes the average of these gradients. Pixels are then classified as complex or smooth based on a predefined threshold \(T\). Subsequently, the complexity of each pixel in the ID image is compared with that of its corresponding pixel in the De-ID image. In the facial region, a pixel is accurately anonymized when it is complex in the ID image but smooth in the De-ID image. Conversely, in the background region, accurate anonymization requires that the pixel appear smooth in both the ID and De-ID images. Lastly, the anonymization accuracy is the ratio of correctly anonymized pixels to the total number of complex pixels.
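A numpy sketch of this measurement is given below. The threshold \(T\), the wrap-around treatment of image borders, and the reading of the accuracy ratio are our own assumptions, as the definition above leaves these details open.

```python
import numpy as np

def complexity_map(gray):
    """Per-pixel complexity P(x) of Eq. (5): squared deviation of the eight
    neighbour gradients d_{x,i} from their mean within the 3x3 window."""
    g = gray.astype(np.float64)
    offsets = [(-1, -1), (-1, 0), (-1, 1), (0, -1),
               (0, 1), (1, -1), (1, 0), (1, 1)]
    # gradient of each neighbour relative to the centre pixel (edges wrap)
    grads = np.stack([np.roll(g, s, axis=(0, 1)) - g for s in offsets])
    return ((grads - grads.mean(axis=0)) ** 2).sum(axis=0)

def anonymization_accuracy(id_gray, deid_gray, face_mask, T):
    """One reading of the accuracy above: complex ID pixels in the facial
    region that turn smooth after de-identification, over all complex ID
    pixels; T separates complex from smooth."""
    complex_id = complexity_map(id_gray) > T
    complex_de = complexity_map(deid_gray) > T
    correct = face_mask & complex_id & ~complex_de
    return correct.sum() / max(1, complex_id.sum())
```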

Fig. 6 The de-identification results of our reversible anonymization scheme. In each pair, the first image is the ID image and the second is the De-ID image

Figure 7 illustrates the anonymization accuracy results for the four images depicted in Fig. 6, with corresponding values of 61.15%, 52.66%, 42.71%, and 59.63%. Moreover, the average accuracy over the CelebA and FFHQ datasets is 65.27% and 58.43%, respectively. Analyzing these values alongside the corresponding images shows that most pixels in the facial region transition from complex to smooth. However, certain pixels do not undergo the anticipated transformation, particularly those concentrated in the hair and background areas. This discrepancy is primarily attributed to slight blurring in the de-identified image, which improperly changes the complexity, and to variations in values among pixel blocks. Setting aside these two factors, the system achieves accurate anonymization.

Fig. 7 Quantitative results of the anonymization accuracy. Each image pair consists of a top image depicting the pixel complexity of the ID image and a bottom image illustrating the quantified anonymization accuracy. Smooth pixels are depicted by white dots, complex pixels by blue dots, and yellow dots indicate pixels inaccurately anonymized

5.2 Reversibility

Reversibility analysis is vital for determining whether the De-ID images generated by our scheme remain usable for other face-related tasks. Figure 8 illustrates the re-identification results of our reversible anonymization scheme. Upon comparison and analysis, it becomes evident that although some blurring is observed in the generated Re-ID images, the facial features are recovered almost without loss.

Fig. 8 The re-identification results of our reversible anonymization scheme. In each pair, the first image is the ID image and the second is the Re-ID image

To evaluate the impact of our de-identification and re-identification processes on the identifiability of facial images, we utilize FaceNet [35] to assess the identities of image pairs at various stages. FaceNet projects facial images into a high-dimensional space, where the distances between face embeddings indicate the similarity or dissimilarity between the depicted faces. In our assessment, ID images undergo de-identification and re-identification to generate corresponding De-ID and Re-ID images. These De-ID and Re-ID images, along with their respective ID images, are then fed into FaceNet to determine their similarity. Furthermore, we also assess the distances among different ID images to provide an objective baseline. The distance metric employed is the cosine similarity [36], defined as follows:

$$\text{Cosine similarity}(a,b)=\frac{a\cdot b}{\lVert a\rVert \lVert b\rVert },$$
(6)

where \(a\) and \(b\) denote the embedding vectors output by FaceNet for an image pair. In our experimental setup, we set the face similarity threshold to 0.8; image pairs with a similarity score exceeding 0.8 are considered to exhibit significant resemblance in facial features. To visualize the results, we selected 100 ID images from the dataset and obtained their corresponding De-ID and Re-ID images for similarity evaluation. Additionally, we randomly selected 200 different ID images to assess their mutual similarity. The outcomes are depicted in Fig. 9. We observe that the distances between De-ID images and their corresponding ID images, as well as among different ID images, fall within the range of −0.4 to 0.4, with overlap between the two distributions. This highlights a pronounced disparity between the generated De-ID images and their corresponding ID images, which also indirectly indicates the security of our method. Conversely, the distances between Re-ID images and their ID counterparts predominantly range from 0.8 to 1.0, indicating a high degree of similarity between Re-ID and ID images. The dataset results in Table 1 further support these findings.

Fig. 9 The results of cosine similarity distance of different face image pairs

Table 1 The average cosine similarity distance of test datasets
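The identity test reduces to a few lines once embeddings are available. The sketch below assumes face embeddings have already been extracted with a FaceNet model (`embed` is a placeholder for that step) and applies Eq. (6) with the 0.8 threshold.

```python
import numpy as np

def cosine_similarity(a, b):
    """Eq. (6): cosine of the angle between two face embeddings."""
    return float(np.dot(a, b) / (np.linalg.norm(a) * np.linalg.norm(b)))

def same_identity(emb_a, emb_b, threshold=0.8):
    """Pairs scoring above the 0.8 threshold are treated as the same identity."""
    return cosine_similarity(emb_a, emb_b) > threshold

# expected behaviour on FaceNet embeddings (embed is hypothetical):
#   same_identity(embed(id_img), embed(reid_img))  -> True  (reversibility)
#   same_identity(embed(id_img), embed(deid_img))  -> False (anonymity)
```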

We also discuss fidelity, a higher-level requirement for reversibility. To evaluate fidelity, we utilize two commonly used metrics: peak signal-to-noise ratio (PSNR) [37] and structural similarity index (SSIM) [38]. PSNR measures the fidelity of a reconstructed image by pixel-wise comparison with its original version. It is defined as follows:

$$\text{PSNR}=10\cdot \log_{10}\left(\frac{{\text{MAX}}^{2}}{\text{MSE}}\right),$$
(7)

where \(\text{MAX}\) represents the maximum possible pixel value and \(\text{MSE}\) denotes the mean squared error between the original and reconstructed images. Additionally, SSIM quantifies the similarity between two images by assessing their luminance, contrast, and structural features. It is expressed as follows:

$$\text{SSIM}=\frac{(2{\mu }_{x}{\mu }_{y}+{C}_{1})(2{\sigma }_{xy}+{C}_{2})}{({\mu }_{x}^{2}+{\mu }_{y}^{2}+{C}_{1})({\sigma }_{x}^{2}+{\sigma }_{y}^{2}+{C}_{2})},$$
(8)

where \({\mu }_{x}\) and \({\mu }_{y}\) represent mean values, \({\sigma }_{x}\) and \({\sigma }_{y}\) denote standard deviations, and \({\sigma }_{xy}\) represents the covariance. \({C}_{1}\) and \({C}_{2}\) are constants included to prevent instability at low luminance or contrast levels. The PSNR and SSIM results for the De-ID images and Re-ID images with their corresponding ID images, as well as for different ID images, are presented in Table 2. Notably, the average PSNR between the De-ID images and their corresponding ID images is 20.87 dB and 19.26 dB, with average SSIM values of 0.4231 and 0.3648, for the two datasets, respectively. These results exceed those obtained when comparing different ID images, indicating that the proposed anonymization scheme primarily modifies the facial region while causing minimal alteration to the background. In contrast, the average PSNR between the Re-ID images and their corresponding ID images reaches 37.44 dB and 35.21 dB, with average SSIM values of 0.9017 and 0.8823, respectively, signifying excellent fidelity.

Table 2 The average PSNR and SSIM of the images in the datasets
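Both fidelity metrics are available off the shelf; a minimal sketch using scikit-image is shown below. The library choice is ours, and a recent scikit-image version (0.19 or later, for the channel_axis argument) is assumed.

```python
from skimage.metrics import peak_signal_noise_ratio, structural_similarity

def fidelity(id_img, reid_img):
    """PSNR (Eq. 7) and SSIM (Eq. 8) between an ID image and its Re-ID image.
    Assumes uint8 RGB arrays, so the maximum pixel value (data range) is 255."""
    psnr = peak_signal_noise_ratio(id_img, reid_img, data_range=255)
    ssim = structural_similarity(id_img, reid_img, data_range=255, channel_axis=-1)
    return psnr, ssim

# averaged over the CelebA test set, Re-ID images should approach the
# reported ~37 dB PSNR and ~0.90 SSIM
```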

5.3 Security analysis

In this section, we provide a security analysis of our proposed system. As discussed, privacy-protected systems are susceptible to model theft attacks. In such attacks, adversaries exploit API requests to obtain a local dataset from the target system. Subsequently, this dataset is used to train local networks that mimic the functionality of the target system. Through this method, attackers gain access to sensitive data generated by the targeted system. For our system, adversaries may leverage trained local networks to decrypt the De-ID images produced by our system and access identity information within authentic Re-ID images.

To assess the system’s resilience against model theft attacks, we conducted a series of simulation experiments. In each experiment, we assumed that attackers had access to training data identical to ours but varied the network architecture, training duration, or loss function and optimization method. Specifically, we reduced the number of residual blocks in the attacker’s local network from 9 to 6 to introduce an architectural difference. Furthermore, we trained the attacker’s network for 150 epochs, whereas our system was trained for 250 epochs, to assess the impact of training duration. Additionally, we employed the Wasserstein generative adversarial network with gradient penalty (WGAN-GP) in the attacker’s generator instead of the least squares generative adversarial network (LSGAN) used in our system, to vary the loss function and optimization method. Finally, we also ran a simulation under fully identical training conditions. These variants are summarized in the sketch below.
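The attacker variants can be viewed as configurations of a single training pipeline. The sketch below lists them and shows the gradient penalty that distinguishes the WGAN-GP objective from our LSGAN setup; the variant labels and function names are illustrative, not taken from the paper.

```python
import torch

# forged-network variants relative to the reference configuration
# (9 residual blocks, 250 epochs, LSGAN objective); labels are ours
ATTACK_VARIANTS = {
    "identical":    dict(res_blocks=9, epochs=250, gan_loss="lsgan"),
    "shallower":    dict(res_blocks=6, epochs=250, gan_loss="lsgan"),
    "undertrained": dict(res_blocks=9, epochs=150, gan_loss="lsgan"),
    "wgan_gp":      dict(res_blocks=9, epochs=250, gan_loss="wgan-gp"),
}

def gradient_penalty(critic, real, fake):
    """WGAN-GP term: penalize the critic's gradient norm away from 1
    on random interpolations between real and generated samples."""
    eps = torch.rand(real.size(0), 1, 1, 1, device=real.device)
    mix = (eps * real + (1 - eps) * fake).requires_grad_(True)
    grad, = torch.autograd.grad(critic(mix).sum(), mix, create_graph=True)
    return ((grad.flatten(1).norm(2, dim=1) - 1) ** 2).mean()
```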

After training the simulated networks, we used the forged Re-ID networks to re-identify the De-ID images produced by our system. The resulting Re-ID images are depicted in Fig. 10. It can be observed that the forged Re-ID networks introduce noticeable artifacts and distortions, resulting in a visibly distinct appearance compared to the Re-ID images generated by our system. Additionally, we found that even when trained under identical conditions, the Re-ID images produced by the forged Re-ID network differ from the authentic ones. To further investigate whether randomness in the training process affects the results, we conducted three additional training sessions under the same conditions. The De-ID images and Re-ID images from these experiments are shown in Fig. 11. To quantify the differences, we visualized the pairwise differences between the De-ID images and Re-ID images generated by these three models, as shown in Fig. 12. This observation leads to the conclusion that, despite identical training conditions, randomness in training results in variations in the generated images. Consequently, even if attackers possess comprehensive training knowledge, they cannot decrypt the De-ID images generated by our system without access to the network parameters.

Fig. 10 Results of resistance to model theft attacks. The first column displays the De-ID images generated by the proposed system, the second column depicts the corresponding Re-ID images, and the third column shows the Re-ID images produced by forged Re-ID networks trained under conditions identical to the authentic Re-ID networks. The remaining columns exhibit Re-ID images generated by forged Re-ID networks that differ from the authentic networks in architecture, training duration, loss function, and optimization method

Fig. 11 De-ID images and Re-ID images obtained under the same training conditions

Fig. 12 Pairwise difference images of De-ID images and Re-ID images in Fig. 11

5.4 Comparisons

In this section, we compare the key features of the proposed method with nine state-of-the-art methods [23,24,25,26,27,28,29,30,31]. Our analysis focuses on three main indicators: reversibility, integration of deep learning, and anonymity strategy. The findings of our comparison are presented in Table 3. Several key distinctions emerge from the comparison. Firstly, the methods in [27,28,29,30,31] and ours provide reversibility, thereby enhancing data usability. Secondly, the approaches in [29,30,31] and ours utilize deep learning-based techniques, thereby improving efficiency. Lastly, unlike [29,30,31], our approach adopts a global anonymity strategy, mitigating the risk of facial feature leakage.

Table 3 Comparison of key features

6 Conclusions

This work presents a reversible facial feature anonymization scheme that removes facial features from face images through the De-ID network and recovers them through the Re-ID network. The experimental results demonstrate the effectiveness of the proposed De-ID network in achieving successful anonymization, rendering the identity information within the face images inaccessible. Conversely, the Re-ID network can restore face images with remarkable fidelity, preserving the utility of the original face image. Furthermore, our system demonstrates the ability to withstand certain security attacks.

Although our model achieves excellent performance, it is worth noting that the generated images may exhibit tonal shifts and blurring artifacts. While achieving a completely lossless recovery of the original image is not the primary objective of our system, we acknowledge the necessity for further refinement of our facial trait anonymization technique in future research endeavors.

Availability of data and materials

Not applicable.

Abbreviations

PII: Personally identifiable information

SVD: Singular value decomposition

ROI: Region of interest

De-ID network: De-identification network

Re-ID network: Re-identification network

De-ID image: De-identification image

Re-ID image: Re-identification image

ID image: Identification image

CycleGAN: Cycle-consistent adversarial networks

PSNR: Peak signal-to-noise ratio

SSIM: Structural similarity index

WGAN-GP: Wasserstein generative adversarial network with gradient penalty

LSGAN: Least squares generative adversarial network

References

1. H. Wang, Y. Wang, Z. Zhou, X. Ji, D. Gong, J. Zhou, Z. Li, W. Liu, CosFace: large margin cosine loss for deep face recognition, in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (Salt Lake City, 2018), pp. 5265–5274

2. D.S. Trigueros, L. Meng, M. Hartnett, Face recognition: from traditional to deep learning methods (2018). arXiv preprint arXiv:1811.00116

3. G.L. Foresti, C. Micheloni, L. Snidaro, C. Marchiol, Face detection for visual surveillance, in 12th International Conference on Image Analysis and Processing (ICIAP) (Mantova, 2003), pp. 115–120

4. B. Kamgar-Parsi, W. Lawson, B. Kamgar-Parsi, Toward development of a face recognition system for watchlist surveillance. IEEE Trans. Pattern Anal. Mach. Intell. 33(10), 1925–1937 (2011)

5. M. Grgic, K. Delac, S. Grgic, SCface-surveillance cameras face database. Multimed. Tools Appl. 51(3), 863–879 (2011)

6. H. Qezavati, B. Majidi, M.T. Manzuri, Partially covered face detection in presence of headscarf for surveillance applications, in 2019 4th International Conference on Pattern Recognition and Image Analysis (IPRIA) (Tehran, 2019), pp. 195–199

7. T. Kwon, H. Moon, Biometric authentication for border control applications. IEEE Trans. Knowl. Data Eng. 20(8), 1091–1096 (2008)

8. J.S. Del Rio, D. Moctezuma, C. Conde, I.M. de Diego, E. Cabello, Automated border control e-gates and facial recognition systems. Comput. Secur. 62, 49–72 (2016)

9. A.K. Bobak, A.J. Dowsett, S. Bate, Solving the border control problem: evidence of enhanced face matching in individuals with extraordinary face recognition skills. PLoS ONE 11(2), e0148148 (2016)

10. G. Zhao, M. Pietikainen, Dynamic texture recognition using local binary patterns with an application to facial expressions. IEEE Trans. Pattern Anal. Mach. Intell. 29(6), 915–928 (2007)

11. S. Garfinkel, De-identification of personal information. US Department of Commerce, National Institute of Standards and Technology (2015), pp. 1–46

12. A. Majeed, S. Lee, Anonymization techniques for privacy preserving data publishing: a comprehensive survey. IEEE Access 9, 8512–8545 (2020)

13. Y. He, J.F. Naughton, Anonymization of set-valued data via top-down, local generalization. Proc. VLDB Endow. 2(1), 934–945 (2009)

14. S. Virupaksha, V. Dondeti, Anonymized noise addition in subspaces for privacy preserved data mining in high dimensional continuous data. Peer-to-Peer Netw. Appl. 14(3), 1608–1628 (2021)

15. M. Ye, W. Shen, J. Zhang, Y. Yang, B. Du, SecureReID: privacy-preserving anonymization for person re-identification. IEEE Trans. Inf. Forensics Secur. 19, 2840–2853 (2024)

16. X. Yu, K. Chinomi, T. Koshimizu, N. Nitta, Y. Ito, N. Babaguchi, Privacy protecting visual processing for secure video surveillance, in 2008 15th IEEE International Conference on Image Processing (San Diego, 2008), pp. 1672–1675

17. C. Neustaedter, S. Greenberg, M. Boyle, Blur filtration fails to preserve privacy for home-based video conferencing. ACM Trans. Comput.-Hum. Interact. 13(1), 1–36 (2006)

18. I. Kitahara, K. Kogure, N. Hagita, Stealth vision for protecting privacy, in 17th International Conference on Pattern Recognition, vol. 4 (2004), pp. 404–407

19. Y. Kusama, H. Kang, K. Iwamura, I. Echizen, Privacy-protected video surveillance in crowded environments using robust watermarking, in 2016 IEEE 5th Global Conference on Consumer Electronics (Nagoya, 2016), pp. 1–2

20. Y. Kusama, H. Kang, K. Iwamura, Mosaic-based privacy-protection with reversible watermarking, in 2015 12th International Joint Conference on e-Business and Telecommunications (ICETE), vol. 5 (2015), pp. 98–103

21. P. Korshunov, S. Cai, T. Ebrahimi, Crowdsourcing approach for evaluation of privacy filters in video surveillance, in ACM Multimedia 2012 Workshop on Crowdsourcing for Multimedia (2012), pp. 35–40

22. M. Boyle, C. Edwards, S. Greenberg, The effects of filtered video on awareness and privacy, in 2000 ACM Conference on Computer Supported Cooperative Work (Philadelphia, 2000), pp. 1–10

23. B. Meden, R.C. Mallı, S. Fabijan, H.K. Ekenel, V. Štruc, P. Peer, Face deidentification with generative deep neural networks. IET Signal Process. 11(9), 1046–1054 (2017)

24. Q. Sun, A. Tewari, W. Xu, M. Fritz, C. Theobalt, B. Schiele, A hybrid model for identity obfuscation by face replacement, in European Conference on Computer Vision (ECCV) (Munich, 2018), pp. 553–569

25. Y. Li, S. Lyu, De-identification without losing faces, in Proceedings of the ACM Workshop on Information Hiding and Multimedia Security (Paris, 2019), pp. 83–88

26. H. Hukkelås, R. Mester, F. Lindseth, DeepPrivacy: a generative adversarial network for face anonymization, in International Symposium on Visual Computing (California, 2019), pp. 565–578

27. J. Cichowski, A. Czyzewski, Reversible video stream anonymization for video surveillance systems based on pixels relocation and watermarking, in 2011 IEEE International Conference on Computer Vision Workshops (ICCV Workshops) (Barcelona, 2011), pp. 1971–1977

28. M. Yamaç, M. Ahishali, N. Passalis, J. Raitoharju, B. Sankur, M. Gabbouj, Reversible privacy preservation using multi-level encryption and compressive sensing, in 2019 27th European Signal Processing Conference (EUSIPCO) (Spain, 2019), pp. 1–5

29. X. Gu, W. Luo, M.S. Ryoo, Y.J. Lee, Password-conditioned anonymization and deanonymization with face identity transformers, in European Conference on Computer Vision (ECCV) (Glasgow, 2020), pp. 727–743

30. J. Cao, B. Liu, Y. Wen, R. Xie, L. Song, Personalized and invertible face de-identification by disentangled identity information manipulation, in IEEE/CVF International Conference on Computer Vision (ICCV) (Montreal, 2021), pp. 3334–3342

31. H. Proença, The UU-NET: reversible face de-identification for visual surveillance video footage. IEEE Trans. Circuits Syst. Video Technol. 32(2), 496–509 (2022)

32. J.Y. Zhu, T. Park, P. Isola, A.A. Efros, Unpaired image-to-image translation using cycle-consistent adversarial networks, in IEEE International Conference on Computer Vision (Venice, 2017), pp. 2223–2232

33. Z. Liu, P. Luo, X. Wang, X. Tang, Large-scale CelebFaces Attributes (CelebA) dataset. 15, 11 (2018)

34. T. Karras, S. Laine, T. Aila, A style-based generator architecture for generative adversarial networks, in IEEE Conference on Computer Vision and Pattern Recognition (CVPR) (Long Beach, 2019), pp. 4401–4410

35. F. Schroff, D. Kalenichenko, J. Philbin, FaceNet: a unified embedding for face recognition and clustering, in IEEE Conference on Computer Vision and Pattern Recognition (CVPR) (Boston, 2015), pp. 815–823

36. P. Xia, L. Zhang, F. Li, Learning similarity with cosine similarity ensemble. Inf. Sci. 307, 39–52 (2015)

37. S. Smith, Digital Signal Processing: A Practical Guide for Engineers and Scientists (Newnes, 2003)

38. D.G. Lowe, Distinctive image features from scale-invariant keypoints. Int. J. Comput. Vis. 60, 91–110 (2004)


Acknowledgements

Not applicable.

Funding

This work was supported in part by the Japan Society for the Promotion of Science (JSPS) under KAKENHI grants (JP16H06302, JP18H04120, JP20K23355, JP21H04907, and JP21K18023) and the Japan Science and Technology Agency (JST) under CREST grants (JPMJCR18A6 and JPMJCR20D3).

Author information


Contributions

Conceptualization, SX and C-CC; methodology, SX; software, SX; validation, SX and C-CC; formal analysis, SX; investigation, SX and C-CC; resources, C-CC and IE; data curation, SX; writing—original draft preparation, SX; writing—review and editing, SX, C-CC, and IE; visualization, C-CC, SX, IE, and HHN; supervision, HHN and IE; project administration, IE. All authors have read and agreed to the published version of the manuscript.

Corresponding author

Correspondence to Ching-Chun Chang.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.


About this article


Cite this article

Xu, S., Chang, CC., Nguyen, H.H. et al. Reversible anonymization for privacy of facial biometrics via cyclic learning. EURASIP J. on Info. Security 2024, 24 (2024). https://doi.org/10.1186/s13635-024-00174-3

