DiffPrivate: Facial Privacy Protection with Diffusion Models

Authors: Minh-ha Le (Linköping University), Niklas Carlsson (Linköping University)

Volume: 2025
Issue: 2
Pages: 54–70
DOI: https://doi.org/10.56553/popets-2025-0049

Abstract: The widespread use of facial recognition (FR) technology has heightened concerns about personal privacy. With surveillance systems becoming ubiquitous, the demand for effective privacy-enhancing technologies is growing urgent. In response to this challenge, we introduce DiffPrivate, a versatile technique designed to protect individuals from FR systems (FRS) through two distinct approaches: a Perturb-based and an Edit-based approach. The Perturb-based mode generates robust adversarial samples by manipulating the diffusion process of a latent diffusion model to alter identity-specific features, ensuring the preservation of visual fidelity to the original images. On the other hand, the Edit-based approach employs an additional DDPM model for fine-grain editing of attributes, allowing for more precise control over the appearance while subtly shifting the identity features to evade FRS. By leveraging the strengths of both modes, DiffPrivate effectively shields an individual's identity against advanced defense mechanisms like DiffPure, maintaining high image quality. Our experiments demonstrate that DiffPrivate achieves competitive attack performance in terms of success rates and transferability while producing more natural-looking adversarial images than state-of-the-art methods. Overall, DiffPrivate represents a significant step towards balancing personal privacy and image naturalness in the face of advancing FR technology.

Keywords: privacy protection, adversarial samples, diffusion models, facial recognition, blackbox attacks

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.