Siamese Generative Adversarial Privatizer for Biometric Data

  • Witold Oleszkiewicz
  • Peter Kairouz
  • Karol Piczak
  • Ram Rajagopal
  • Tomasz Trzciński
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11365)


State-of-the-art machine learning algorithms can be fooled by carefully crafted adversarial examples. As such, adversarial examples present a concrete problem in AI safety. In this work we turn the tables and ask the following question: can we harness the power of adversarial examples to prevent malicious adversaries from learning identifying information from data while allowing non-malicious entities to benefit from the utility of the same data? For instance, can we use adversarial examples to anonymize a biometric dataset of faces while retaining the usefulness of this data for other purposes, such as emotion recognition? To address this question, we propose a simple yet effective method, called Siamese Generative Adversarial Privatizer (SGAP), that exploits the properties of a Siamese neural network to find discriminative features that convey identifying information. When coupled with a generative model, our approach is able to correctly locate and disguise identifying information, while minimally reducing the utility of the privatized dataset. Extensive evaluation on a biometric dataset of fingerprints and cartoon faces confirms the usefulness of our simple yet effective method.



This work was partially supported, as the RENOIR project, by the European Union Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No. 691152 and by the Ministry of Science and Higher Education (Poland), grant No. W34/H2020/2016. We thank NVIDIA Corporation for donating the Titan Xp GPU that was used for this research.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Witold Oleszkiewicz (1)
  • Peter Kairouz (2)
  • Karol Piczak (1)
  • Ram Rajagopal (2)
  • Tomasz Trzciński (1, 3)

  1. Warsaw University of Technology, Warsaw, Poland
  2. Stanford University, Stanford, USA
  3. Tooploox, Wrocław, Poland
