Billions of people share images of their daily lives on social media every day. However, malicious collectors use deep face recognition systems to easily steal their biometric information (e.g., faces) from these images. Some studies generate encrypted face photos using adversarial attacks, introducing imperceptible perturbations to reduce face information leakage. However, existing studies need stronger black-box scenario feasibility and more natural visual appearances, which challenges the feasibility of privacy protection. To address these problems, we propose a frequency-restricted identity-agnostic (FRIA) framework to encrypt face images against unauthorized face recognition without access to personal information. As for the weak black-box scenario feasibility, we observe that the representations of the average feature in multiple face recognition models are similar; thus we propose to use the average feature, computed from a dataset crawled from the Internet, as the target to guide the generation, which is also agnostic to the identities of unknown face recognition systems. By nature, low-frequency perturbations are more visually perceptible to the human vision system. Inspired by this, we restrict the perturbation in the low-frequency facial regions by discrete cosine transform to achieve the visual naturalness guarantee. Extensive experiments on several face recognition models demonstrate that our FRIA outperforms other state-of-the-art methods in generating more natural encrypted faces while attaining high black-box attack success rates of 96%. In addition, we validate the efficacy of FRIA using a real-world black-box commercial API, which reveals the potential of FRIA in practice. Our code can be found at https://github.com/XinDong10/FRIA.