The reviewed record of science sign in
Pith

arxiv: 2607.05996 · v1 · pith:ZLNK5LQR · submitted 2026-07-07 · cs.CV

Unlearnable Faces: Privacy Protection Surviving Extraction Pipeline

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-07-08 19:14 UTCglm-5.2pith:ZLNK5LQRrecord.jsonopen to challenge →

classification cs.CV
keywords extractionlpidattackerperturbationprotectionfacefacesimperceptible
0
0 comments X

The pith

Faces stay unlearnable after crop-and-resize

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Existing unlearnable-example methods add imperceptible noise to a photo so that any face-recognition model trained on it fails. But in practice, before training, the attacker crops out the face and resizes it to the recognizer's input resolution. The crop discards noise placed outside the face region, and the resize acts as a low-pass filter that attenuates the high-frequency noise these methods produce. The result is that the protection collapses: the attacker recovers near-normal accuracy. The paper proposes LPID, which builds the attacker's crop-and-resize operation directly into the perturbation's optimization objective. The perturbation is confined to the face box and optimized through a differentiable model of the crop-and-resize, so the gradient that shapes the noise is the same one the attacker's pipeline will apply. This concentrates the noise's energy in the low-frequency band that the resize preserves, rather than spreading it across frequencies the resize will discard. The paper shows that this coupling, not the spatial confinement alone, is what makes the protection survive.

Core claim

The central mechanism is coupling the perturbation generation to a differentiable model of the attacker's crop-and-resize transform. When the perturbation is optimized through this transform, the optimization receives no gradient for frequency components the resize will attenuate, so the noise energy concentrates in the surviving low-frequency band. The paper measures this concentration: 93% of the perturbation energy falls in the resize-surviving band when coupled, versus 33% when uncoupled. A factorized ablation confirms that coupling, not localization, is decisive: localization alone leaves the attacker at 25.4% accuracy, while coupling drives it to 2.3%. Because the robustness is a joint

What carries the argument

A differentiable crop-and-resize operator T, composed of a face-box crop and a bilinear resize, inserted into the standard unlearnable-example min-min objective so that the perturbation is optimized through it.

If this is right

  • Face-privacy perturbations should be evaluated under the attacker's full extraction pipeline, not at a single fixed resolution, since the crop and resize together neutralize existing protections.
  • Coupling perturbation generation to a differentiable model of the downstream transform is a general principle: any preprocessing the attacker applies could be modeled the same way, not just crop-and-resize.
  • Because the surviving frequency band is determined by the native face size rather than the attacker's target resolution, a defender can generate at a single resolution without knowing the attacker's input size.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The defender assumes knowledge of the face box location and native size at protection time. If the attacker's face detector finds a different box, the mask and crop will be misaligned, and the perturbation may not survive. The paper does not test sensitivity to this misalignment.
  • JPEG recompression at quality 85 degrades LPID to 20.8% attacker accuracy, suggesting that platform recompression remains an open challenge for any bounded perturbation.
  • The coupling principle could extend to other transforms an attacker might apply, such as grayscale conversion or blur, by adding them to the differentiable operator T.

Load-bearing premise

The defender knows the face box location and native size at protection time. In deployment, the attacker's face detector may find a different box, and the paper does not test what happens when the boxes are misaligned.

What would settle it

If an attacker's face detector produces a box significantly different from the one the defender assumed, the perturbation mask would be misaligned with the actual crop, and the protection could fail.

Figures

Figures reproduced from arXiv: 2607.05996 by Byunghoon Oh, Jaewoo Lee, Sunghwan Park.

Figure 1
Figure 1. Figure 1: The perturbation is imperceptible, yet only LPID’s survives extraction. Rows (Clean, UE, LPID): the original face, the protected face, and the perturbation ampli￾fied ×15. UE’s is high-frequency noise the resize attenuates; LPID’s is low-frequency structure that survives. Right: attacker clean test accuracy after crop+resize to 112 (Clean 72.8, UE 37.0, LPID 6.8; %, lower is better). Both are shown face-on… view at source ↗
Figure 2
Figure 2. Figure 2: LPID overview. Defender. LPID crafts a localized, imperceptible perturba￾tion δ by solving the unlearnable-example min-min objective through the attacker’s differentiable transform T(·): δ is added to the scene photo x, the composite x + δ is passed through T into a surrogate classifier fθ, and the error-minimizing loss L(δ, θ) is back-propagated through T to update δ; the optimized δ yields the published … view at source ↗
Figure 3
Figure 3. Figure 3: The coupling mechanism. (a) Radially-averaged perturbation spectrum, cou￾pled (red) vs. uncoupled (blue). The dashed line marks the native Nyquist cutoff s0/2 on the normalized axis; the shaded region below it is the resize-surviving band. Cou￾pling concentrates the energy there (ρLF = 0.93 vs. 0.33 uncoupled; Eq. (4)), whereas an uncoupled perturbation spreads it across the full band. (b) Factorized ablat… view at source ↗
Figure 4
Figure 4. Figure 4: Where each method places its perturbation, exposing the spatial mismatch that neutralizes whole-image UE. Columns: Clean, whole-image UE, face-only UE, and LPID; rows: the protected composite, the perturbation (×15), and a face-region zoom (×15). Whole-image UE spreads its budget across the scene, so the attacker’s crop discards most of it; face-only and LPID sit inside the kept box, where UE’s residual is… view at source ↗
Figure 5
Figure 5. Figure 5: Perturbation textures. Rows: the protected composite, the perturbation (×15), and a face-region zoom (×15); all are imperceptible at native resolution (top). The per￾sample UE and LSP are high-frequency grain the resize attenuates, and Segue a struc￾tured generator pattern, whereas LPID is low-frequency structure concentrated in the resize-surviving band—the only texture shaped to survive the crop+resize (… view at source ↗
Figure 6
Figure 6. Figure 6: Full-resolution control (no extraction, 50 unseen identities). Attacker clean test accuracy (%, lower is better; Clean 70.0). UE and REM protect strongly here (7.4, 18.0) yet collapse under extraction (Tab. 1), confirming that extraction, not a weak reimplementation, causes the collapse; TUE and LSP do not protect even here (69.7, 68.3); Segue (true label) and LPID protect throughout (3.4, 1.6). 6 Conclusi… view at source ↗
read the original abstract

Unlearnable examples keep publicly shared photos from being learned by unauthorized face-recognition models. An imperceptible perturbation, added before sharing, makes any model trained on the protected photos fail on clean faces. The perturbation is crafted on the shared image, however the attacker trains on the face it extracts, cropped and resized to the recognizer input, and under this extraction the protection collapses. We propose LPID, which builds the extraction into the unlearnable-example objective. LPID confines the perturbation to the extracted face region and optimizes it through a differentiable model of the extraction, concentrating its energy in the frequency band the extraction preserves. Because this robustness is a property of the transform rather than of any identity, LPID is re-optimized per album and protects even users it has never seen. LPID attains the lowest attacker accuracy of all methods in every setting we evaluate, holding the attacker below $10\%$ under crop+resize extraction on identities unseen at protection time, while remaining imperceptible at $32.7$\,dB PSNR and $0.161$ LPIPS.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 6 minor

Summary. The paper proposes LPID (Localized, Pipeline-coupled Identity Defense), a method for protecting facial privacy against unauthorized face-recognition model training. The key insight is that existing unlearnable example (UE) methods fail when the attacker applies a crop-and-resize extraction pipeline before training: the crop discards perturbation energy outside the face region, and the resize attenuates high-frequency content. LPID addresses this by (1) confining the perturbation to the face box via a binary mask and (2) optimizing the perturbation through a differentiable model T of the crop-and-resize operator, which steers perturbation energy into the low-frequency band that survives resizing. The method is evaluated under a subject-independent protocol (unseen identities), across four attacker architectures, and with a factorized ablation isolating the contributions of localization versus coupling. The central claim—that coupling the perturbation to the extraction transform is what enables protection to survive crop+resize—is supported by the spectral analysis (93% vs. 33% surviving-band energy) and the ablation (coupling drives attacker accuracy to 2.3% versus 25.4% for localization alone).

Significance. The paper addresses a well-motivated and practically important gap: prior unlearnable example methods are evaluated at fixed resolution, but real face-recognition pipelines crop and resize faces before training. The experimental design is strong in several respects. The subject-independent protocol (identities unseen at protection time) is the correct evaluation for a deployment scenario. The cross-architecture transfer table (Tab. 3: ResNet-18, MobileNet-V2, DenseNet-121, VGG-16) demonstrates that protection is not surrogate-specific. The factorized ablation (Fig. 3b) cleanly isolates coupling from localization. The full-resolution control (Fig. 6) confirms that baseline reimplementations are faithful—UE and REM protect strongly without extraction but collapse under it. The spectral argument is grounded in standard sampling theory and confirmed empirically. The method produces falsifiable predictions (energy concentration ratio, cross-resolution generalization). The JPEG85 limitation (20.8% attacker accuracy) is honestly reported.

major comments (1)
  1. Sec. 3.2, Eq. (3): The defender's transform T is defined using a known face box (x0, y0, s0). In deployment, the defender publishes the photo and the attacker's face detector determines the box. If the attacker's detector finds a different box, the crop S_box in T will be misaligned with the attacker's actual crop, and the perturbation—whose gradient is shaped through T's specific crop coordinates (Alg. 1, lines 6-7)—may arrive misaligned. The paper's composites (Sec. 5.1) give the defender exact knowledge of the box since the defender created it, and the attacker uses the same box. This is a best-case alignment that real deployments cannot guarantee. The spectral argument (Sec. 4.2) suggests some robustness to spatial shift (low-frequency content survives resize), but this is not verified. A sensitivity analysis to box misalignment (e.g., shifting the attacker's crop by a few pixels or
minor comments (6)
  1. Sec. 5.1: The composite construction (pasting CASIA-WebFace faces on Places365 backgrounds) is a simplification of real scraped photos. While the full-resolution control (Sec. 5.6) addresses the composite artifact concern for aligned faces, the small-face-in-scene regime could benefit from evaluation on a real-world dataset with naturally occurring small faces.
  2. Tab. 1: The '+blur' column applies Gaussian blur after resize but the kernel size and sigma are not specified in Sec. 5.1.
  3. Tab. 2: LSP's max|δ| = 43.7/255 is noted as larger, but the ℓ2 budget value itself is not stated, making the comparison to the ℓ∞ methods less precise.
  4. Sec. 5.1: The attacker's 30-epoch schedule (extended to 80 for Tab. 3) is stated but the rationale for the extension is not given. A brief note on why 80 epochs were needed for the cross-architecture study would help.
  5. Fig. 3a: The normalized radial frequency axis would benefit from explicit labeling of what 'normalized' means (relative to the native Nyquist).
  6. Sec. 4.2: The claim that 'energy placed below the native cutoff s0/2 is kept by any resize that preserves that band' should note that this holds for up-sampling but not for aggressive down-sampling below s0, which could occur if the attacker's target resolution is smaller than the native face size.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the careful and constructive review. The referee correctly identifies the core contribution and experimental strengths of the paper. The single major comment raises a valid concern about box misalignment between the defender's transform T and the attacker's actual crop in real deployment. We agree this is an important gap and will add a sensitivity analysis to box misalignment in the revision. Our spectral argument provides reason to expect partial robustness (low-frequency content is shift-invariant in its passband), but this must be verified empirically, and we will do so.

read point-by-point responses
  1. Referee: Sec. 3.2, Eq. (3): The defender's transform T is defined using a known face box (x0, y0, s0). In deployment, the defender publishes the photo and the attacker's face detector determines the box. If the attacker's detector finds a different box, the crop S_box in T will be misaligned with the attacker's actual crop, and the perturbation—whose gradient is shaped through T's specific crop coordinates (Alg. 1, lines 6-7)—may arrive misaligned. The paper's composites (Sec. 5.1) give the defender exact knowledge of the box since the defender created it, and the attacker uses the same box. This is a best-case alignment that real deployments cannot guarantee. The spectral argument (Sec. 4.2) suggests some robustness to spatial shift (low-frequency content survives resize), but this is not verified. A sensitivity analysis to box misalignment (e.g., shifting the attacker's crop by a few pixels or)

    Authors: The referee raises a valid and important point. In our current experimental setup, the defender and attacker use the same face box, which is indeed a best-case alignment that real deployments cannot guarantee. We agree that a sensitivity analysis to box misalignment is needed and will add it in the revision. Specifically, we will run experiments where the attacker's crop box is shifted by a random offset (e.g., ±5, ±10, ±15 pixels in each direction) relative to the box the defender used when constructing T, and report attacker accuracy as a function of misalignment magnitude. We note two reasons to expect partial robustness, though neither is a substitute for the empirical test the referee requests. First, LPID's perturbation energy is concentrated in the low-frequency band (ρ_LF = 0.93 vs. 0.33 uncoupled; Fig. 3a), and low-frequency content is comparatively shift-invariant—a small spatial offset changes the phase but not the frequency content, so the resize still preserves it. Second, the perturbation is confined to the face box by the mask m, and face detectors typically produce boxes that overlap substantially even when not identical, so a portion of the perturbation region is retained. However, we acknowledge that substantial misalignment could reduce the effective perturbation energy that survives into the attacker's crop, and the degree of robustness is an empirical question we have not yet answered. We will report the results honestly, including any degradation found, and will discuss the misalignment regime as a limitation if the protection degrades significantly. We will also clarify in the revised text that the current evaluation assumes box alignment and that this is a simplification of the real deployment scenario. revision: yes

Circularity Check

0 steps flagged

No significant circularity found; the derivation chain is self-contained against external benchmarks.

full rationale

The paper's derivation chain is not circular. The LPID objective (Eq. 2) modifies the standard UE objective (Eq. 1, from [23]) by inserting a differentiable crop+resize operator T (Eq. 3), defined using standard bilinear interpolation with no self-cited ansatz. The spectral argument in Sec. 4.2 — that optimizing through a low-pass filter concentrates perturbation energy in the passband — relies on standard sampling theory cited to [15,37], not to the authors' own prior work. The energy-fraction metric ρLF (Eq. 4) is a measurement of the resulting perturbation, not a prediction renamed from a fit. The main results (Tab. 1) evaluate against an external attacker trained from scratch on four architectures (Tab. 3) distinct from the ResNet-18 surrogate, with unseen identities, so the protection is not fitted to the test condition. The ablation (Fig. 3b) factorizes localization × coupling as an independent experiment. The full-resolution control (Fig. 6) confirms baselines are faithfully implemented. I find no step where a claimed prediction reduces to its inputs by construction, no load-bearing self-citation chain, and no uniqueness theorem invoked from the authors' own work. The one minor observation is that the spectral argument is nearly tautological (optimizing through a low-pass filter naturally places energy in the passband), but this is standard, externally-cited reasoning, not circularity. Score 1 reflects this minor note without any actual circular step.

Axiom & Free-Parameter Ledger

6 free parameters · 5 axioms · 0 invented entities

No new entities are postulated. The method uses standard components (PGD, ResNet-18, bilinear resize, binary mask). The differentiable transform T is a composition of standard operations, not a new entity. All axioms are domain assumptions or standard math; none are ad hoc to the paper.

free parameters (6)
  • ε (perturbation budget) = 8/255
    Standard for UE methods; not fitted to data but chosen by convention.
  • K (inner PGD steps) = 20
    Optimization hyperparameter; not fitted to attacker accuracy.
  • α (PGD step size) = 0.8/255
    Optimization hyperparameter.
  • E (epochs) = 60
    Training budget; not fitted to results.
  • η (outer learning rate) = 0.025
    Standard SGD learning rate.
  • T target resolution = 224
    Chosen as the surrogate input size; Sec. 4.2 argues a single resolution suffices because the surviving band is fixed by native face size.
axioms (5)
  • domain assumption The attacker applies a crop+resize transform before training.
    Sec. 3.2: every face recognizer requires a fixed input resolution, so crop+resize is unavoidable. This is well-supported by references [7,50].
  • domain assumption The defender knows the face box (x0, y0, s0) at protection time.
    Sec. 3.2 and Eq. 3: T is defined in terms of the face box. The paper assumes the defender can detect the face and knows its location and size.
  • standard math Bilinear resize is a low-pass filter with cutoff at half the smaller of input and output resolutions.
    Sec. 4.2: standard sampling theory [15,37]. Correct.
  • domain assumption The attacker trains from scratch (no pretrained model).
    Sec. 3.2: follows UE threat model [23,52]. If the attacker uses a pretrained model, the threat model changes.
  • domain assumption Platform recompression is at q≈70–85 JPEG quality.
    Sec. 5.2, citing [5]. Used to justify the JPEG85 column.

pith-pipeline@v1.1.0-glm · 15931 in / 2813 out tokens · 445995 ms · 2026-07-08T19:14:21.397419+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

53 extracted references · 53 canonical work pages · 3 internal anchors

  1. [1]

    In: ICML (2018)

    Athalye, A., Engstrom, L., Ilyas, A., Kwok, K.: Synthesizing robust adversarial examples. In: ICML (2018)

  2. [2]

    In: Proc

    Bottou, L.: Large-scale machine learning with stochastic gradient descent. In: Proc. COMPSTAT. pp. 177–186 (2010)

  3. [3]

    In: ICML (2026)

    Cai, J., Xu, G., Li, Z., Fang, R., Pu, R., Wu, D., Lao, Q., Ling, C., Wang, B.: FUSE: Full-spectrum unlearnable examples via spectral equalization. In: ICML (2026)

  4. [4]

    In: ICLR (2021)

    Cherepanova, V., Goldblum, M., Foley, H., Duan, S., Dickerson, J., Taylor, G., Goldstein,T.:LowKey:Leveragingadversarialattackstoprotectsocialmediausers from facial recognition. In: ICLR (2021)

  5. [5]

    IEICE Trans

    Chuman, T., Iida, K., Sirichotedumrong, W., Kiya, H.: Image manipulation spec- ifications on social networking services for encryption-then-compression systems. IEICE Trans. Inf. & Syst.E102.D(1), 11–18 (2019)

  6. [6]

    In: CVPR

    Deng, J., Guo, J., Ververas, E., Kotsia, I., Zafeiriou, S.: RetinaFace: Single-shot multi-level face localisation in the wild. In: CVPR. pp. 5203–5212 (2020)

  7. [7]

    In: CVPR (2019)

    Deng, J., Guo, J., Xue, N., Zafeiriou, S.: ArcFace: Additive angular margin loss for deep face recognition. In: CVPR (2019)

  8. [8]

    In: NeurIPS (2019)

    Feng, J., Cai, Q.Z., Zhou, Z.H.: Learning to confuse: Generating training time adversarial data with auto-encoder. In: NeurIPS (2019)

  9. [9]

    In: NeurIPS (2021)

    Fowl, L., Goldblum, M., Chiang, P.y., Geiping, J., Czaja, W., Goldstein, T.: Ad- versarial examples make strong poisons. In: NeurIPS (2021)

  10. [10]

    In: ICLR (2022)

    Fu, S., He, F., Liu, Y., Shen, L., Tao, D.: Robust unlearnable examples: Protecting data against adversarial learning. In: ICLR (2022)

  11. [11]

    Nature Machine In- telligence2(11), 665–673 (2020)

    Geirhos, R., Jacobsen, J.H., Michaelis, C., Zemel, R., Brendel, W., Bethge, M., Wichmann, F.A.: Shortcut learning in deep neural networks. Nature Machine In- telligence2(11), 665–673 (2020)

  12. [12]

    IEEE Trans

    Gong, X., Wang, Y., Chen, Y., Dong, H., Li, Y., Sun, M., Li, S., Wang, Q., Chen, C.: ARMOR: Shielding unlearnable examples against data augmentation. IEEE Trans. Pattern Anal. Mach. Intell.48(4), 3988–4004 (2026)

  13. [13]

    In: ICLR (2015)

    Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: ICLR (2015)

  14. [14]

    CVPR Workshops (2017)

    Günther, M., Cruz, S., Rudd, E.M., Boult, T.E.: Toward open-set face recognition. CVPR Workshops (2017)

  15. [15]

    In: UAI (2019)

    Guo, C., Frank, J.S., Weinberger, K.Q.: Low frequency adversarial perturbation. In: UAI (2019)

  16. [16]

    One-shot Face Recognition by Promoting Underrepresented Classes

    Guo, Y., Zhang, L.: One-shot face recognition by promoting underrepresented classes. arXiv preprint arXiv:1707.05574 (2017)

  17. [17]

    In: ECCV (2016)

    Guo, Y., Zhang, L., Hu, Y., He, X., Gao, J.: MS-Celeb-1M: A dataset and bench- mark for large-scale face recognition. In: ECCV (2016)

  18. [18]

    Nonlinear Transformations Against Unlearnable Datasets

    Hapuarachchi, T., Lin, J., Xiong, K., Rahouti, M., Ost, G.: Nonlinear transforma- tions against unlearnable datasets. arXiv:2406.02883 (2024)

  19. [19]

    In: CVPR

    He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR. pp. 770–778 (2016)

  20. [20]

    In: CVPR (2017)

    Hu, P., Ramanan, D.: Finding tiny faces. In: CVPR (2017)

  21. [21]

    In: CVPR (2017)

    Huang, G., Liu, Z., van der Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR (2017)

  22. [22]

    Huang, G.B., Ramesh, M., Berg, T., Learned-Miller, E.: Labeled faces in the wild: A database for studying face recognition in unconstrained environments. Tech. Rep. 07-49, University of Massachusetts, Amherst (2007) 16 B. Oh et al

  23. [23]

    In: ICLR (2021)

    Huang, H., Ma, X., Erfani, S.M., Bailey, J., Wang, Y.: Unlearnable examples: Making personal data unexploitable. In: ICLR (2021)

  24. [24]

    In: International Symposium on Visual Computing (ISVC)

    Hukkelås, H., Mester, R., Lindseth, F.: DeepPrivacy: A generative adversarial net- work for face anonymization. In: International Symposium on Visual Computing (ISVC). pp. 565–578 (2019)

  25. [25]

    In: IEEE FG (2021)

    Knoche, M., Hormann, S., Rigoll, G.: Cross-quality LFW: A database for analyzing cross-resolution image face recognition in unconstrained environments. In: IEEE FG (2021)

  26. [26]

    In: CVPR

    Liu, W., Wen, Y., Yu, Z., Li, M., Raj, B., Song, L.: SphereFace: Deep hypersphere embedding for face recognition. In: CVPR. pp. 6738–6746 (2017)

  27. [27]

    In: AAAI (2024)

    Liu, Y., Xu, K., Chen, X., Sun, L.: Stable unlearnable example: Enhancing the robustness of unlearnable examples via stable error-minimizing noise. In: AAAI (2024)

  28. [28]

    In: ICML (2023)

    Liu, Z., Zhao, Z., Larson, M.: Image shortcut squeezing: Countering perturbative availability poisons with compression. In: ICML (2023)

  29. [29]

    In: ICLR (2018)

    Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018)

  30. [30]

    In: CVPR (2020)

    Maximov, M., Elezi, I., Leal-Taixé, L.: CIAGAN: Conditional identity anonymiza- tion generative adversarial networks. In: CVPR (2020)

  31. [31]

    In: ICLR (2023)

    Ren, J., Xu, H., Wan, Y., Ma, X., Sun, L., Tang, J.: Transferable unlearnable examples. In: ICLR (2023)

  32. [32]

    In: CVPR

    Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.C.: MobileNetV2: Inverted residuals and linear bottlenecks. In: CVPR. pp. 4510–4520 (2018)

  33. [33]

    In: NeurIPS (2022)

    Sandoval-Segura, P., Singla, V., Geiping, J., Goldblum, M., Goldstein, T., Jacobs, D.W.: Autoregressive perturbations for data poisoning. In: NeurIPS (2022)

  34. [34]

    In: CVPR (2015)

    Schroff, F., Kalenichenko, D., Philbin, J.: FaceNet: A unified embedding for face recognition and clustering. In: CVPR (2015)

  35. [35]

    In: NeurIPS (2018)

    Shafahi, A., Huang, W.R., Najibi, M., Suciu, O., Studer, C., Dumitras, T., Gold- stein, T.: Poison frogs! targeted clean-label poisoning attacks on neural networks. In: NeurIPS (2018)

  36. [36]

    In: USENIX Security (2020)

    Shan, S., Wenger, E., Zhang, J., Li, H., Zheng, H., Zhao, B.Y.: Fawkes: Protecting privacy against unauthorized deep learning models. In: USENIX Security (2020)

  37. [37]

    In: IJCAI (2019)

    Sharma, Y., Ding, G.W., Brubaker, M.A.: On the effectiveness of low frequency perturbations. In: IJCAI (2019)

  38. [38]

    In: ICLR (2015)

    Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015)

  39. [39]

    In: ICML Workshop (2024)

    Sun, W., Liu, Y., Yan, Z., Xu, K., Sun, L.: Medical unlearnable examples: Secur- ing medical data from unauthorized training via sparsity-aware local masking. In: ICML Workshop (2024)

  40. [40]

    In: ICLR (2014)

    Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I.J., Fergus, R.: Intriguing properties of neural networks. In: ICLR (2014)

  41. [41]

    In: CVPR

    Wang, H., Wang, Y., Zhou, Z., Ji, X., Gong, D., Zhou, J., Li, Z., Liu, W.: CosFace: Large margin cosine loss for deep face recognition. In: CVPR. pp. 5265–5274 (2018)

  42. [42]

    Wang, H., Wu, X., Huang, Z., Xing, E.P.: High-frequency component helps ex- plainthegeneralizationofconvolutionalneuralnetworks.In:CVPR.pp.8684–8694 (2020)

  43. [43]

    IEEE Trans

    Wang, Z., Bovik, A.C., Sheikh, H.R., Simoncelli, E.P.: Image quality assessment: From error visibility to structural similarity. IEEE Trans. Image Process.13(4), 600–612 (2004)

  44. [44]

    In: CVPR (2016) Privacy Protection Surviving Extraction Pipeline 17

    Yang,S.,Luo,P.,Loy,C.C.,Tang,X.:WIDERFACE:Afacedetectionbenchmark. In: CVPR (2016) Privacy Protection Surviving Extraction Pipeline 17

  45. [45]

    In: ICCV

    Yang, X., Dong, Y., Pang, T., Su, H., Zhu, J., Chen, Y., Xue, H.: Towards face en- cryption by generating adversarial identity masks. In: ICCV. pp. 3897–3907 (2021)

  46. [46]

    Learning Face Representation from Scratch

    Yi, D., Lei, Z., Liao, S., Li, S.Z.: Learning face representation from scratch. arXiv:1411.7923 (2014)

  47. [47]

    In: IJ- CAI (2021)

    Yin, B., Wang, W., Yao, T., Guo, J., Kong, Z., Ding, S., Li, J., Liu, C.: Adv- Makeup: A new imperceptible and transferable attack on face recognition. In: IJ- CAI (2021)

  48. [48]

    In: NeurIPS (2019)

    Yin, D., Gontijo Lopes, R., Shlens, J., Cubuk, E.D., Gilmer, J.: A fourier perspec- tive on model robustness in computer vision. In: NeurIPS (2019)

  49. [49]

    In: KDD (2022)

    Yu, D., Zhang, H., Chen, W., Yin, J., Liu, T.Y.: Availability attacks create short- cuts. In: KDD (2022)

  50. [50]

    IEEE Signal Process

    Zhang, K., Zhang, Z., Li, Z., Qiao, Y.: Joint face detection and alignment using multitask cascaded convolutional networks. IEEE Signal Process. Lett.23(10), 1499–1503 (2016)

  51. [51]

    In: CVPR

    Zhang, R., Isola, P., Efros, A.A., Shechtman, E., Wang, O.: The unreasonable effectiveness of deep features as a perceptual metric. In: CVPR. pp. 586–595 (2018)

  52. [52]

    In: ICASSP (2025)

    Zhang, Z., Zhang, J., Zhang, K., Zhou, W., Zhang, W., Yu, N.: Segue: Side- information guided generative unlearnable examples for facial privacy protection in real world. In: ICASSP (2025)

  53. [53]

    IEEE Trans

    Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Trans. Pattern Anal. Mach. Intell. (2017)