None of Your Pixelated or Blurred Information Will Stay Safe On The Internet

The University of Texas at Austin and Cornell University are saying blurred or pixelated images are not as safe as they may seem. As machine learning technology improves, the methods used to hide sensitive information become less secure. Quartz reports: Using simple deep learning tools, the three-person team was able to identify obfuscated faces and numbers with alarming accuracy. On an industry standard dataset where humans had 0.19% chance of identifying a face, the algorithm had 71% accuracy (or 83% if allowed to guess five times). The algorithm doesn't produce a deblurred image -- it simply identifies what it sees in the obscured photo, based on information it already knows. The approach works with blurred and pixelated images, as well as P3, a type of JPEG encryption pitched as a secure way to hide information. The attack uses Torch (an open-source deep learning library), Torch templates for neural networks, and standard open-source data. To build the attacks that identified faces in YouTube videos, researchers took publicly-available pictures and blurred the faces with YouTube's video tool. They then fed the algorithm both sets of images, so it could learn how to correlate blur patterns to the unobscured faces. When given different images of the same people, the algorithm could determine their identity with 57% accuracy, or 85% percent when given five chances. The report mentions Max Planck Institute's work on identifying people in blurred Facebook photos. The difference between the two research is that UT and Cornell's research is much more simple, and "shows how weak these privacy methods really are."

Re:Why?

[Big Hairy Ian]

I'm just reminded of the case (About a decade ago) of a pedophile who published photo's of himself abusing children with his face obfuscated by the photoshop swirl tool. The police desperately wanted to ID him but couldn't deobfuscate the photos so they published them minus the abuse sections hoping that members of the public might identify the man based on his surroundings. Of course the public not being utter fucknuggets quickly deswirled the photo and published it on the internet. I never did find out how long the guy survived.

Re:

[wonkey_monkey]

It was the police who deswirled the photographs.

Re:

[Anonymous Coward]

The guy was caught in Thailand. The German police "deswirled" his photograph:

https://en.wikipedia.org/wiki/Christopher_Paul_Neil

he has his own wikipedia page

[Alien54]

Surprisingly he's not dead yet

https://en.wikipedia.org/wiki/... [wikipedia.org]

news report

http://thelede.blogs.nytimes.c... [nytimes.com]

etc

Re:

[epine]

Surprisingly he's not dead yet

It always shocks me how many people choose to publicly indulge their innermost vigilante compulsion in response to any report of a pedophilic compulsion. But then, I'm from Canada (exactly the same number of vigilante wannabees, but far more easily shocked when wannabees self-actualize).

There's this meme that suicidal ideation is just a mouldering hair shirt until you begin to fantasize an actual, concrete plan.

After Tony learns of the soccer coach's affair with his student, h

Re:

[Blaskowicz]

Why kill a pedophile when we find jail to be enough for murderers, and people like Rudolf Hess, Albert Speer and Slobodan Milosevic?
A few children getting raped isn't that big of a deal.
Go kill a pedophile, then we'll jail you for the murder, hopefully with an exemplary long sentence.

Re:

[lgw]

It always shocks me how many people can remain detached from their desires when confronted with the actual evidence that children are actually physically molested and yet no physical punishment occurs to the perpetrator beyond jail time. Or, better spoken, why WOULDN'T you want to put a bullet through the brain of a serial pedophile? Maybe you need to be able to think if it was YOUR kid that happened to. Maybe if it happened to YOU. Then you can ask why wouldn't the desire to become a vigilante be natural?

It must be the norm, given the problem the UK had with immigrants grooming underage girls, progressing to basically making sex slaves of them, which affected hundreds of girls, and was ignored for a year because the police didn't want to accuse immigrants of crimes: it's still happening. Oh, the police are finally policing, after the scandal broke, but the problem hasn't been solved. This is exactly the sort of situation where I'd expect vigilante justice:a heinous crime, and the police not helping.

But do

Re:

[anarcobra]

Why do they need more punishment than just jail time?
The whole point of courts and a justice system is that it's justice, not revenge.
Otherwise we might as well do away with the pretense and let vigilantes mete out "justice".

Re: he has his own wikipedia page

[Blythe Bowman]

We shouldn't kill him. Instead, lets just stick the bastard in a supermax windowless isolation cell 24hr lockdown for the next 20 years. Make sure there is nothing he can kill himself with in his cell. Death is too easy for monsters like these, they need to SUFFER and go complety mad.

The correct term is "differently resolved".

[Pseudonymous Powers]

Why would you show a blurred photo anyway? Show the face in full, or don't show it at all. There is no compromise here.

That's no image filter, that's just the way my face naturally looks, you insensitive clod!

Re:

[Salgak1]

Hey, glasses seem to work as an effective disguise for Clark Kent. . .

. . .oh, nevermind. . .

Re:

[lgw]

Oh, all the super villains know his secret identity. But it's not like he's weaker at work or anything, and they want him to spend 8 hours a day working a normal job!

Re: Why?

[Blythe Bowman]

Why blur at all, instead of just putting a solid black oval over the face, including hair? Then there is ZERO chance of anyone or any machine being able to retrieve or reconstruct anything?

Re:

[Anubis IV]

I'd suggest that the obvious next step is to produce a device and corresponding software that will allow a user to see through frosted glass or the wavy glass blocks that are frequently used in the bathrooms of homes. Both are intended to let natural light in while providing privacy by breaking up/diffusing the image in ways that make it impossible for the human brain to reconstruct, but there's no reason (I can see) that a computer shouldn't eventually be able to reconstruct the original image, allowing so

Re:

[Gorobei]

The wavy glass block inverter was done at least 10 years ago. Can't remember the paper, sorry, it was before arxiv was standard.

Re:

[Anubis IV]

Well. That's terrifying.

This is my shocked face.

[Anonymous Coward]

This is my shocked face: https://upload.wikimedia.org/wikipedia/en/d/d8/Mr_Swirl.jpg

Putting a big black square over your face in Paint is the only surefire method.

Anyway, using social media and simultaneously demanding privacy is pure silliness to begin with. The real question is how much of an illusion of privacy needs to be maintained to keep you from complaining.

Re:

[anarcobra]

Only if you also make sure that the file format doesn't support EXIF of some other metadata that contains your address or an unmodified thumbnail.

Re:

[anarcobra]

Of course it's trivial. But how many people actually think to do this?
I think that many people, probably even most, think that the picture is all there is, and never even consider that there might be other data stored in the file.

Re:

[Mashiki]

Putting a big black square over your face in Paint is the only surefire method.

Only works if you're applying it to the same layer. Otherwise some programs will save it as a new layer, making it trivial to uncover and that's that.

Re:

[Cinnamon Beige]

You...do know that jpeg, gif, and png--the image formats most often seen on the internet--all require you flatten the layers in the process of saving, right? It's only trivial to remove the black square when it's still in its own layer. Still, the easiest tool to use for applying that black square is the most simple pixel-pushing program on the machine you're using, which probably will never ever support layers. Something like GIMP or Photoshop is fussy and overkill.

Basically, it looks like the article p

I felt a disturbance in the force.

[Hognoxious]

The algorithm doesn't produce a deblurred image

I felt a great disturbance in the force, as if a million Japanese porn fans cried out in disappointment.

Re:

[Anonymous Coward]

Ah, was about to comment about Japanese porn. Technically, it's brute-forceable, "these combination of pixels generated this large square with the following color.", and at 30 samples per second one could reverse engineer that combination.

Not that it'd be worth it. And if it's just some calculated pixels, is it still a photo of that actress' naughty bits?

Re:

[Anonymous Coward]

A lot of Japanese porn used to be obscured with a few well-known reversible filters. That practise disappeared with the increase of the export market, as they'd then sell the uncensored versions at inflated prices abroad for grey-import back to Japan.

Re:

[TheRaven64]

Exactly. Adding noise... adds noise. If you have a relatively small data set, then the edit distance between the blurred image and one or two of the originals is likely to be smaller than the others, which is what this kind of system determines. If you have a very large dataset, then you're going to end up with far more false positives.

To give a simple example, consider a data set of four people: two white, two black, and of those one each with blond hair and one with dark. You add a lot of noise, bu

Re:

[fustakrakich]

I wonder if this can be used to attack steganography...

Re:

[dublin]

Ten years ago, I was CTO for a company making smart touchscreen devices for restaurant and bar tabletops. We didn't have a camera in any of the ones we fielded (people were still to weirded out by that idea, then), but I did some serious technical investigation on whether we could use an intentionally low-res image to determine basic demographics of the diners w/o voilating their privacy.

In my research, I found an really interesting paper (from France, IIRC, it's been a while) showing that even a 16-pixel

Re:

[TheRaven64]

In my research, I found an really interesting paper (from France, IIRC, it's been a while) showing that even a 16-pixel (!) image could still be used to determine the age and sex of a person to around 80-90% accuracy, and recognize the same person again over half the time

There was some research from DERA a while ago (back when DERA still existed, so a good 15 or so years back) trying to put biometric information on magstripe cards. They managed to put enough information in the 50 bits of space that they had to uniquely identify all of the faces that they tested it with (a few million) with no false positives. That's not really surprising, when you think that 50 bits gives you 2^50 combinations (about one quadrillion). With perfect encoding, you'd only need around 34 bits

Not too surprising...

[orlanz]

For a computer, most algorithms behind comparing two pictures is already a blurred picture of both. Most of these algorithms take samples/pixels of the pictures and see if the relationships of both sets of samples are the same or within a margin of deviation. There is little value in comparing pixel by pixel for exact matches. Similar to human finger prints.

A blurred picture is similar to taking less samples on one picture and setting the margin of deviation wider.

But for computers, 57% is pretty bad. 85% is also very bad and that's when you are telling the machine the answer. At those rates, this is kind of hard to do mass comparisons... the false positives would be far too high for any human to weed through. This will apply more for targeted searches where an investigator wants the 5 most probable matches to a blur. Unlike the researchers here who know the answer before hand, he still needs to take the guess on which one it actually is.

In a criminal investigation, if we had a database of likely suspects, this would work. But we are all about mass collection of data data data. With a large population of pictures, the blur will probably match a lot more than 5.

Re:Not too surprising...

[AmiMoJo]

That pixelated images are insecure has been known about for years. I seem to recall it was even mentioned on Slashdot. There are many other attacks, for example if you have text (like a number plate) you can just try running a dictionary attack of images through a pixelation filter and select the closest matching result.

Black bars have always been the preferred method.

Re:

[phayes]

The /. old article I think the the gpp is referring to wasn't using neural networks to match a small dataset of blurred pictures as in this example but that the "spiral" Photoshop filter (take a circle, rotate the outmost pixels X degrees, move 1 pixel inward, repeat) that was used to hide the faces of adults pedophiles in pictures seized in a number of raids is mostly reversible. I suppose you could use a program to do so but back then it was just people applying a reverse spiral tool in Photoshop.

Re:

[ausekilis]

Somehow I don't think European censorship [reuters.com] is going to really help out here.

Re:

[im_thatoneguy]

Yeah, the problem with this research is that you need a small dataset. Characters are pretty easy with just 26. With a small sunset of faces it should be easy to identify blurred faces but start adding variables and this attack vector gets absurd: Pixel blur radius, filter type, 6 billion people as options, lighting etc. If you are deciding "which of these hundred people" is this, I guess it's useful but I cant see this being useful to deanonymize a random person on Facebook.

Re:

[Solandri]

Interpol reversed the (deterministic) Photoshop swirl filter [wikipedia.org] a child molester had been using to hide his face in the child porn pics he published.

Black bars are the obvious method for hiding someone's identity. But then idiot producers who didn't understand security or math decided they weren't aesthetic, and ordered their media compnies to use pixelation or blurring instead. Even recording video of the person in a darkened room isn't enough - the camera can pick up enough low light data to yield a pas

Re:

[Script Cat]

This is just another false evidence generator. Give me a pixelated image and I'll paint any number of an infinity of images that will average out to that patch of squares.
There's data missing if you add data that's false evidence.
There's dogs everywhere!

Old school censoring....

[wkwilley2]

Just do like I do. If you put a picture of your car online, put a black bar over the license plate.

Re:

[RobinH]

Actually, I was wondering: what kind of risk do you have from your license plate being visible in an online photo? Obviously I see them blurred out all over the place, and even blurred out the plates on my pictures when I sold my last car, but I'm not really sure why it's so important. What can someone do with my license plate number?

Re:

[110010001000]

With a database (police, credit agencies, etc) they can link that plate number to you and see everything about you that they have collected. You can assume most bad guys have access to that kind of database at this point, considering network security is non-existent.

Re:

[Coisiche]

Well somewhere there will be a database that ties the number plate to your name and address. Actually probably several databases not all subject to the same degree of security. Then the absence of the vehicle outside said address would be a good indicator of the premises being empty.

And security breaches aren't the only problem for these databases, in the UK those permitted to access the official database have been known to access it unofficially [slashdot.org].

And I would also expect that people well versed in scams and

Re:

[coinreturn]

Well somewhere there will be a database that ties the number plate to your name and address. Actually probably several databases not all subject to the same degree of security. Then the absence of the vehicle outside said address would be a good indicator of the premises being empty.

I have two ways of defeating that - a garage and a second car. If I'm selling a car, I can guarantee you I have at least one other fucking car.

Re:

[radish]

Then the absence of the vehicle outside said address would be a good indicator of the premises being empty

As would knocking on the door and getting no response. In fact, that would be a much better indicator of the premises being empty assuming the possibility that more than one person lives there.

Re:

[AHuxley]

Depends who is after the info and what contacts they have and at what price.
Law enforcement, ex or former law enforcement, private detective might all have their contacts.
The other issues is state police, federal agencies and the mil just seeking all pics online for matching faces, passenger faces and plate numbers in case they are ever seen near any sensitive site.
The private sector will often have their own security walk out and take a picture, use facial recognition, try and find a plate number.
A pro

Different tasks

[Anonymous Coward]

Blurring is a technique reversible with Wiener filtering. Basically the quality of recovery very much depends on subsequent quantization/compression. Pixelation is more complete information loss.

However, the article talks about video filters. In that case, per-frame pixelization will let a lot of image detail become recoverable through motion compensation (straightforward blurring is less suscetible to this recovery strategy). So if you really want to inhibit recovery, blot out the information hard. Th

Re:

[lxs]

Paste in a different face and then pixelate.

It's the perfect crime!

Blurred Lives Matter

[turkeydance]

Pixelated too

Sensationalist blabber....

[Anonymous Coward]

It is a fundamental law of computer science that you cannot increase the amount of information in a given dataset. In this case the combined dataset of the blurred image and the learned statistical averages of a human face.

Once an image has been blurred (information has been deleted) it cannot be recreated. What you can do is to apply statistical averages in the hopes of getting something which might resemble the original information. It will - however - be just that, cosmetic improvements based on statisti

Re:

[Blaskowicz]

Though if you have many blurred pictures of a face or license plate, you might get on something. There might be quite a lot of information in a minute-long video that includes a blurred face.

Re:

[dublin]

It's not necessary to reconstruct the image to perform a good recognition on it.

Re: Re:

[wkwilley2]

You know, you raise a good question.

I've just always been told it's a good practice, but yeah, what would someone actually be able to do with someone else's plate numbers?

"Deep learning"

[110010001000]

Can we stop with this "deep learning" bullshit now? It is just algorithms. Every moron has to interject "AI" or "deep learning" or "neural nets" into their program description. This is really stupid "research" anyway. Is this what passes for research in CS now?

Re:

[MrKaos]

Can we stop with this "deep learning" bullshit now? It is just algorithms. Every moron has to interject "AI" or "deep learning" or "neural nets" into their program description.

Aren't you a clever slashbot.

Re:

[MrKaos]

wow, no one has a sense of humour today

Re:

[Anonymous Coward]

"Deep learning" is a configuration of a neural network. Historically we couldn't have nested neural networks because we didn't know how to train them in any reasonable amount of time. Then we figured out how, and discovered nested nets work far better than traditional neural networks.

So you get more specific and descriptive going from: algorithms -> AI -> reinforcement learning -> neural networks -> deep learning.

Re:

[K. S. Kyosuke]

There's no reason to exclude the last three from the old-school generic description of AI, which is trying to teach computers to do things that humans currently do better.

Re:

[K. S. Kyosuke]

So had they said "Using algorithms, the three-person team was able to identify obfuscated faces and numbers with alarming accuracy", that would make the sentence so much more informative, right? :D

Re:

[yes-but-no]

Is 'machine learning' ok?

Re:

[clodney]

Can we stop with this "deep learning" bullshit now? It is just algorithms. Every moron has to interject "AI" or "deep learning" or "neural nets" into their program description. This is really stupid "research" anyway. Is this what passes for research in CS now?

Of course it is just algorithms - that is what all computer science is. And in some cases those algorithms were known 20 or 30 years ago, but things that were computationally infeasible at that time are now trivial.

And it is important to note that some of these algorithms work in ways that are very different than human vision, where humans are almost unable to understand how neural nets arrive at an answer.

One fascinating example I saw on TV (I think it was 60 minutes) was that humans are unable to recogni

Adobe Photoshop

[campuscodi]

I remember a demo of Photoshop from two years ago when they managed to reverse lens blur off a photo. It was only a matter of time.

Re:

[MayeulC]

Actually, I think he was talking about this: http://www.dailymail.co.uk/sci... [dailymail.co.uk]

And to OP: This is quite a bit more complex. Motion or lens blur is predictable, but it's harder to predict the blurring algorithm here. Plus, they do not technically "unblur" the picture. Unblur would probably work with some deconvolutional neural network (or other), provided you have access to a large enough database of a specific blur algorithm. And then, you would be able to unblur only this specific algorithm.

Re:

[K. S. Kyosuke]

But that's not a blur. That's a simple geometric transformation. All it does is to put the same image points into different places. Removing it is in principle no more difficult than correcting a distorted perspective, once you know a few important parameters.

Lens blur is easy

[Solandri]

The lens has a certain unchanging point spread function (how a point of light is spread into a blur) which scales linearly with distance away from (and closer than) the focal plane. You estimate the size of the blur, then apply an inverse of this PSF. The process is similar to tomography [wikipedia.org] used in CT scans (Computer-assisted Tomography) and MRIs. Likewise, camera shake simply adds a linear smear component to this PSF. Heck, technically you don't even need a lens. The light shining through a window which

Limited usefulness

[hackertourist]

They had a photo with an obscured face and the same photo with unobscured face in their training set. It seems obvious a computer can match those two. The solution would be to use unique photos, not uploaded anywhere, as the source for obscuration and only publish the obscured version.

Of course pixelation can be reversed

[Oswald McWeany]

Most Asian women I see in the US are no longer pixelated.

That's why you don't blur.

[Jason1729]

If you care about security, you shouldn't be using blur, you should be putting a nice black circle over it. A yellow smiley face works just as well.

Cut/past

[p51d007]

If I take a photo that has license plates, street addresses etc...I CUT them out, PAST another image of the photo in place. If you don't just blur it, but REMOVE it, how would they figure it out?

Your privacy

[JustAnotherOldGuy]

It's gone.

Between social media mining, NSA/CIA/FBI operations, license plate readers, Stingray gadgets, the GPS in your phone, cell tower triangulation, TPMS scanners, and the video cams on every power pole and stop light, the concept of 'privacy' or anonymous behavior is pretty much gone.

I'd wager it would be nearly impossible to travel between any to major cities or buy anything in a store without leaving a trackable signature.

You'd basically have to travel by bicycle with your head covered (leaving your

ENHANCE!

[ilsaloving]

Wait... you mean that's an actual thing now?

Use a fake blur

[davidwr]

Either mask the face/license plate/whatever entirely or replace it with a "fake blur" that was made from another image.

For license plates, use a sample plate like ABC-123 to generate the blurred image.

Faces will be a little harder to do: Either 1) you will only have a few "sample faces" and things will look creepy even if you use the best-matching sample, 2) you will have a few thousand and you will, in effect, leak information, or 3) you will be in between and it will look creepy and leak information.

Perh

Just enhance the image!

[Tony Isaac]

That's what they do on all the crime scene investigation shows!

Old technique

[cellocgw]

Turns out someone's been fixing blurred lines [google.com] for a while now

Let's see it indentify a black box

[kheldan]

Let's see their 'deep learning tool' identify something that's got a featureless black box over it, or someone's face that's got a black box or oval over it.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[dublin]

True, the lack of layers in Paint makes it a good choice for this kind of thing - perhaps the only thing it's really good at...

It's stunning how many people do this kind of thing in Photoshop or Acrobat, but leave the layers intact, so you can remove the obscuration with a little advanced editing...

Try unpixelating this

[TomOTooleNZ]

http://www.martinbackes.com/pixelhead-limited-edition/ [martinbackes.com]