Originally shared by Yonatan Zunger
This is a very interesting technical challenge. Pixelation (mosaic blurring) is a traditional way to conceal people’s identities in photos, and it works well because it interferes with the mechanisms our brains use to recognize faces: spotting the relative positions of the eyes, nose, mouth, and so on.[1]
Like any other recognition system, natural or artificial, this one works by seeing a bunch of examples and learning which features differentiate one thing from another. If you were to train a recognizer by showing it faces both blurred and unblurred, and telling it which were the same, it would learn a very different set of features to look at than our brains normally use: say, patterns of light and dark. And it turns out that these patterns are pretty good at identifying faces, too. They aren’t as good as the ones our brains use for telling people apart, but what they are good at is recognizing someone even when they’ve been blurred.
The practical upshot of this is that it’s surprisingly easy to train a computer to recognize faces that have been blurred.
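To make that concrete, here is a minimal sketch of the idea, assuming scikit-learn and its bundled LFW faces dataset; the block size and the choice of classifier are my own illustrative parameters, not anything from the original post or the research it describes.

```python
# A toy version of the attack: pixelate every face by block-averaging,
# then train an ordinary classifier on nothing but the pixelated images.
import numpy as np
from sklearn.datasets import fetch_lfw_people
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split

def pixelate(img, block=8):
    """Replace each block x block tile with its mean value (mosaic blur)."""
    h, w = img.shape
    h2, w2 = h - h % block, w - w % block
    tiles = img[:h2, :w2].reshape(h2 // block, block, w2 // block, block)
    means = tiles.mean(axis=(1, 3))
    return np.repeat(np.repeat(means, block, axis=0), block, axis=1)

faces = fetch_lfw_people(min_faces_per_person=50)  # downloads on first use
X = np.array([pixelate(im).ravel() for im in faces.images])
X_tr, X_te, y_tr, y_te = train_test_split(X, faces.target, random_state=0)

clf = LogisticRegression(max_iter=2000).fit(X_tr, y_tr)
print("accuracy on pixelated faces:", clf.score(X_te, y_te))
```

Even this toy setup should land far above chance, which is the whole point: pixelation hides faces from human perception, not from statistics.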
From a security perspective, this is very important, because we often rely on these kinds of obfuscation to conceal data — even life-or-death data, when concealing the identities of people like confidential informants or political dissidents.
But we shouldn’t focus too much on this one case. Instead, we should treat it as an instance of a much broader phenomenon. In theory, things which look similar can be distinguished in all sorts of ways; I’ll bet that the pattern of pores on the back of your hand is unique, for example. Whenever we use some kind of “blurring” (that is, systematic information loss) to conceal something, the right question is not whether people can extract the original information today, but the truly information-theoretic one: does enough information survive, anywhere, to recover that data?
For example, if you’re trying to conceal identities: there are roughly seven billion humans on the planet, which means that in principle 33 bits of information are enough to uniquely identify anybody. In practice, a lot of information is noisy, but if you reduce an image of a person down to even 64 bits, there’s probably enough information left that somebody (either now or in the future) could reverse the process and figure out who it was.
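The arithmetic behind that claim is short enough to spell out; the mosaic numbers below are my own illustrative choices:

```python
import math

# 33 bits are enough to give every human a unique index.
print(math.log2(7e9))  # ~32.7

# A crude 8x8 pixelation with 16 gray levels still has a raw capacity of
# 8 * 8 * log2(16) = 256 bits. Correlations between pixels reduce the
# effective information, but the margin over 33 bits is enormous.
print(8 * 8 * math.log2(16))  # 256.0
```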
This kind of analysis, using mathematical methods to show that enough information has been destroyed to make something unrecoverable, is similar to the way cryptography is validated. There, you’re trying to show that a certain minimum amount of computation would be needed to recover the plaintext; here, you’re trying to show that no amount of computation can recover the original.
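To make the contrast concrete, here is a small sketch of the information-theoretic end of that spectrum, using the textbook one-time pad (my example, not the post’s): a ciphertext is consistent with every plaintext of the same length, so no amount of computation can single out the original.

```python
import os

msg = b"MEET AT NOON"
pad = os.urandom(len(msg))                    # truly secret, used once
ct = bytes(m ^ p for m, p in zip(msg, pad))   # XOR encryption

# Any candidate plaintext has some pad that "explains" the ciphertext:
candidate = b"FLEE AT DAWN"
fake_pad = bytes(c ^ m for c, m in zip(ct, candidate))
assert bytes(c ^ p for c, p in zip(ct, fake_pad)) == candidate
```

Destroying information well should look like that second case: not merely expensive to reverse, but meaningless to reverse.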
Various practical versions of this have been coming up. Recently, a Russian company released a program which takes a picture of a person, searches the Internet for other pictures of them, and figures out who they are. While it was billed as helping people spot celebrities, its primary use seems to be identifying sex workers and similar people, and then outing or blackmailing them. Why does it work now? Because it’s suddenly possible to tie a picture taken today to a picture taken a decade ago and show that it’s the same person, something which wasn’t feasible a few years ago.
Today, I sometimes see news outlets cropping people’s heads out of photos in an effort to anonymize them. (Especially for victims of crimes, etc.) This feels like the same mistake: bodies are just as distinctive as faces; it’s just that we don’t normally look at them that way. It would be surprising if nobody figured out a way to identify you from a picture of your torso.
And there will always be subtleties you didn’t think of, unless you literally attack the problem from the perspective of “are there enough bits of information left?” For example, if you completely removed a person from a picture and replaced them with a region of perfect black, would the light reflected off their skin onto other objects in the picture be enough to figure out who they are? Certainly not to a human eye, but I wouldn’t rule it out in general without some serious computation. Likewise, your camera captures a lot more information than you see; I’m not talking about location metadata, but about color detail and pixel-level variation that exists only in the RAW file, not in the JPEGs that normally circulate.
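To give a rough sense of scale for that last point, here is a deliberately simplified calculation; the sensor numbers are typical values I am assuming, and real JPEG compression discards information in a more complicated, frequency-dependent way:

```python
# Crude lower bound on what an 8-bit JPEG drops relative to a RAW file.
pixels = 24_000_000     # assumed 24-megapixel sensor
raw_bits = 14           # typical per-channel RAW bit depth
jpg_bits = 8            # per-channel depth of an 8-bit JPEG
lost = pixels * (raw_bits - jpg_bits)
print(lost / 8 / 1e6, "MB of low-order data dropped per channel")  # 18.0
```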
The moral of this story isn’t an easy one. It’s not “ban people from recognizing things,” because in general, people will. Instead, it’s a double moral: treat information destruction with the same seriousness with which we treat cryptography, and recognize that just because something is secure today doesn’t mean it will be secure forever.
More research needed, as they say.
[1] The human brain has an extraordinary fraction of its volume dedicated to nothing but face recognition, which is why we’re generally so much better at it than computers. This system trains during our youth, which is why people tend to be significantly better at remembering and distinguishing faces similar to the ones they’ve seen in early childhood. (Thus the “all X look alike” effect.) It’s also helpful for distinguishing things that look sort of like human faces, such as dogs’ faces, but we aren’t nearly as good at that, and we’re downright terrible at telling jellyfish apart. Only they know the difference.
https://www.wired.com/2016/09/machine-learning-can-identify-pixelated-faces-researchers-show/