FACE-AUDITOR: Data Auditing in Facial Recognition Systems


Min Chen, CISPA Helmholtz Center for Information Security; Zhikun Zhang, CISPA Helmholtz Center for Information Security and Stanford University; Tianhao Wang, University of Virginia; Michael Backes and Yang Zhang, CISPA Helmholtz Center for Information Security


Few-shot-based facial recognition systems have gained increasing attention due to their scalability and ability to work with a few face images during the model deployment phase. However, the power of facial recognition systems enables anyone with moderate resources to canvas the Internet and build well-performed facial recognition models without people's awareness and consent. To prevent the face images from being misused, one straightforward approach is to modify the raw face images before sharing them, which inevitably destroys the semantic information and is still prone to adaptive attacks. Therefore, an auditing method that does not interfere with the facial recognition model's utility and cannot be quickly bypassed is urgently needed.

In this paper, we formulate the auditing process as a user-level membership inference problem, and propose a complete toolkit FACE-AUDITOR that can carefully choose the probing set to query the few-shot-based facial recognition model and determine whether any of a user's face images is used in training the model. We further propose to use the similarity scores between the original face images as reference information to improve the auditing performance. Extensive experiments on multiple real-world face image datasets show that FACE-AUDITOR can achieve auditing accuracy of up to 99%. Finally, we show that FACE-AUDITOR is robust in the presence of several perturbation mechanisms to the training images or the target models. The source code of our experiments can be found at https://anonymous.4open.science/r/FACE-AUDITOR.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {291050,
author = {Min Chen and Zhikun Zhang and Tianhao Wang and Michael Backes and Yang Zhang},
title = {{FACE-AUDITOR}: Data Auditing in Facial Recognition Systems},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {7195--7212},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/chen-min},
publisher = {USENIX Association},
month = aug

Presentation Video