Subverting Privacy-Preserving GANs: Hiding Secrets in Sanitized Images


  • Kang Liu, New York University
  • Benjamin Tan, New York University
  • Siddharth Garg, New York University



Security and Privacy


Unprecedented data collection and sharing have exacerbated privacy concerns and led to increasing interest in privacy-preserving tools that remove sensitive attributes from images while maintaining useful information for other tasks. Currently, state-of-the-art approaches use privacy-preserving generative adversarial networks (PP-GANs) for this purpose, for instance, to enable reliable facial expression recognition without leaking users' identity. However, PP-GANs do not offer formal proofs of privacy and instead rely on experimentally measuring information leakage using classification accuracy on the sensitive attributes of deep learning (DL)-based discriminators. In this work, we question the rigor of such checks by subverting existing privacy-preserving GANs for facial expression recognition. We show that it is possible to hide the sensitive identification data in the sanitized output images of such PP-GANs for later extraction, which can even allow for reconstruction of the entire input images, while satisfying privacy checks. We demonstrate our approach via a PP-GAN-based architecture and provide qualitative and quantitative evaluations using two public datasets. Our experimental results raise fundamental questions about the need for more rigorous privacy checks of PP-GANs, and we provide insights into the social impact of these.




How to Cite

Liu, K., Tan, B., & Garg, S. (2021). Subverting Privacy-Preserving GANs: Hiding Secrets in Sanitized Images. Proceedings of the AAAI Conference on Artificial Intelligence, 35(17), 14849-14856.



AAAI Special Track on AI for Social Impact