Altering Facial Features Significantly to Evade Facial Recognition Systems: Requirements and Extent
Our biometric details, like facial features, are easily accessible to anyone with the right AI model and camera equipment. With advancements in technology, facilities like airport security and drugstores use facial recognition software, making it hard to evade this system. The only possible solution, as suggested by privacy experts, might be federal regulations to protect our biometric data.
There's a common belief that wearing masks, scarfs, and sunglasses can help avoid facial recognition. However, the trend during the pandemic led to facial recognition systems relying heavily on the shape of people's eyes, making it harder to deceive the system using masks. If you opt to drastically change your appearance through plastic surgery, your face won't match your official documents like driver's licenses or passports, making travel complex. Moreover, once your transformed face appears online, all facial recognition systems can identify you.
Cynthia Rudin
Gilbert, Louis, and Edward Lehrman Distinguished Professor of Computer Science; Departments of Computer Science, Electrical and Computer Engineering, Statistical Science, Mathematics, and Biostatistics & Bioinformatics; Duke University
In response to the query about whether it's feasible to alter one's appearance to avoid computer vision systems, I express my belief that it's highly challenging to change your face to bypass state-of-the-art facial recognition. During the pandemic, they adjusted the systems to focus more on the shape of people's eyes since many wore masks under their noses.
As for modifying the shape of your eyes, I'm unsure how that could be done in a realistic manner. Wearing sunglasses might create obstacles, but using cosmetics or hiding your face with a mask doesn't count as changing your face—it's merely hiding it.
To imagine someone drastically altering their face to thwart facial recognition, think of plastic surgery. However, once the altered face is visible online or in public, it becomes easy for identification systems to recognize it. Furthermore, altering your appearance to the point where it no longer matches your official documents might make traveling difficult.
Walter Scheirer
Dennis O. Doughty Collegiate Professor of Engineering; Department of Computer Science & Engineering; University of Notre Dame
The difficulty of hiding your face from facial recognition algorithms depends on the specific application. In one-on-one identification, matching the input photo to a previously stored image in the database, it is challenging to evade this system, especially when quality conditions are met. Innovations in artificial neural networks have increased matching accuracy, and subtle changes to the facial appearance, even temporary ones like acne or swelling, can affect the system's performance.
In contrast, crowd surveillance, where the system matches unknown photos with a pool of potential identities, is more difficult to fool. Low-quality photos and insufficient facial pixels can hinder the algorithm's performance. Strategies to evade facial recognition in public settings include wearing scarfs, sunglasses, hats, or covering your face to minimize facial image quality. Additionally, moving quickly to cause motion blur or moving your head to avoid a frontal position can help dodge the system. However, these methods are not perfect and might not be sustainable in the long term.
Xiaoming Liu
Anil K. & Nandita K. Jain Endowed Professor; Computer Science and Engineering (CSE), College of Engineering; Michigan State University
Paraphrasing the text:
Our biometric data, such as facial features, can easily be obtained by anyone with the right AI tool and camera. Many common areas, like airports and pharmacies, now use facial recognition systems, making it hard to avoid. Experts suggest that the best solution might be federal laws to protect our biometric data due to increasing concerns about privacy.
There's a belief that wearing masks, scarves, and sunglasses can help evade such systems. However, during the pandemic, facial recognition algorithms started to rely more on the shape of people's eyes to identify them with masks. Changing your appearance through plastic surgery might actually make it easier to be recognized when your face is visible online or in public. Altering your appearance to the point where it no longer matches your official documents can make travel challenging.
Cynthia Rudin
Professor of Computer Science; Various Departments; Duke University
According to my perspective, it's highly challenging to change your face to trick state-of-the-art facial recognition systems. The pandemic saw an adjustment in these systems focusing more on people's eye shapes because many people covered their noses and mouths using masks.
Changing the shape of your eyes isn't realistic, and masking up or wearing cosmetics doesn't genuinely alter your face—it merely conceals it. Drastically altering your appearance through plastic surgery might make traveling difficult since alterations to official documents like driver's licenses or passports are required.
Walter Scheirer
Artificial Intelligence Researcher; University of Notre Dame
The feasibility of evading facial recognition relies on the context. While one-on-one identification with top-quality input images is challenging, systems that aim to match unknown faces with a pool of potential identities are simpler to deceive due to insufficient facial information.
Strategies for evading facial recognition in public settings include disguising yourself using items like scarfs, sunglasses, hats, or blocks to the face. Briefly moving quickly can cause motion blur, making it harder for the system to capture a frontal image. Adding obstacles in uncontrolled settings can make it harder for the facial recognition system to achieve a high matching accuracy.
Xiaoming Liu
Computer Science and Engineering Professor; Michigan State University
In summary, our biometric data, such as facial features, is easily accessible with advancements in AI and camera technology. Despite popular belief, covering elements of your face or diverting facial recognition algorithms through extreme measures like plastic surgery won't be long-term solutions to protect your identity. Federal privacy policies might be the most viable way to ensure proper protection for biometric data.
Here's a paraphrased version of the text:
Initially, when I mention "evade facial recognition," I'm referring to a scenario where a Facial Recognition System (FRS) fails to identify an individual's face when the person is captured by a camera.
There are several methods to deliberately trigger an FRS failure:
- Physically disruptive assaults on AI models are prevalent. Generally, AI models, including FRS, are susceptible to attacks involving minor alterations in the input data sample, which could potentially cause the AI system to fail. By learning a specific "minor adjustment," it's possible to create modifications that can defeat an FRS. For instance, Carnegie Mellon University has a paper detailing the design of special glasses that can do just that. Somebody could apply this concept to invent scarves, masks, or even mustaches that can also thwart FRS.
- Another technique is to alter your facial appearance to such an extent that the FRS recognizes you as someone else. Using makeup is a common method, but it's challenging to figure out the precise amount and placement of makeup necessary to fool the system. Some individuals may require minimal makeup alterations to confuse an FRS, while others may require more extensive modifications. An intriguing possibility could be the integration of an interactive smartphone app, which analyzes your face using the phone's camera and guides you on where to apply makeup to achieve maximum misrecognition with minimal effort. Alternatively, high-cost facial masks can be employed, although they may not be as common outside of Hollywood productions.
The probability of successfully evading an FRS can be influenced by the amount of effort invested by the subject. Approach 1 tends to be simpler but less reliable, especially when attempting to master a "general-purpose" adversarial attack, like a universal pair of glasses. Approach 2, on the other hand, is more personalized and effective, but requires more effort.
Kevin W. Bowyer
Schubmehl-Prein Family Professor of Computer Science & Engineering; University of Notre Dame
Translation: "The answer depends." The level of dependence includes various factors, such as the face recognition algorithm used and the recognition threshold established with that algorithm.
To better grasp the situation, remember that facial recognition operates by comparing two images and determining whether the faces in the images are (a) alike enough to belong to the same person or (b) dissimilar enough to come from different individuals.
Each facial recognition algorithm involves a specific method for calculating a "feature vector" (commonly known as an "embedding" these days) from an image of a face and a method for comparing these feature vectors to establish a similarity level. A single facial image can be condensed into a list of 512 numbers (representing the "feature vector" or "embedding"). When comparing two facial image feature vectors, a similarity score between 0 and 100 or between -1 and +1 may result, with 100 or +1 implying a strong similarity between the identical images.
If a state-of-the-art facial recognition algorithm and a similarity score in the -1 to +1 range are employed, the similarity values for comparing different individuals' faces might be close to 0, while those for comparisons between identical individuals might be slightly above 0. In well-controlled application scenarios, the average similarity value for two images of the same person might be greater. In contrast, with less controlled application scenarios, the average similarity value for two images of the same person might be lower.
An individual will select a threshold value for recognition. If a value of, for example, 0.7 is chosen, the system will declare that two images are from different people if their similarity value falls below 0.7. Two images will be recognized as belonging to the same person if their similarity value is equal to or greater than 0.7.
Now, you can rephrase the original question, "What adjustments must I make to my appearance to avoid facial recognition?" as "What steps should I take to lower the similarity value between my new and old images when they are compared?"
Multitudes of things could be done, such as wearing sunglasses and altering your hairstyle or employing exaggerated facial expressions. However, some modifications might not appear natural. Additionally, avoiding eye contact with the camera could result in an off-angle image. More drastic changes could include gaining or losing weight or using cosmetics to alter your appearance. None of these methods can guarantee a perfect match evasion, since you might not know which old photo of you will be used for comparison or which algorithm will be employed, or what threshold will be selected. If you were to know all of these factors, you could experiment with the most effective approach.
In light of the current advances in technology, tech companies might use more sophisticated facial recognition algorithms in the future, making it even more challenging to evade these systems. This could lead to increased concern about privacy and the need for stricter regulations to protect biometric data.
Even if you manage to alter your appearance to some extent, such as through cosmetic surgery or wearing masks, it may not be enough to avoid facial recognition entirely. In fact, facial recognition systems have become adept at accounting for minor changes in appearance and are continually improving to overcome evasion techniques.