GAN-Invert: Unveiling Vulnerabilities in Privacy-Preserving Facial Transformations

Authors: Umesh Kashyap (Indian Institute of Technology Bhilai), Sk. Subidh Ali (Indian Institute of Technology Bhilai)

Volume: 2026
Issue: 2
Pages: 76–91
DOI: https://doi.org/10.56553/popets-2026-0037

Abstract: Face recognition is now widely used in authentication, surveillance, and social media, but it also raises serious privacy risks. Face recognition models enable unauthorized identification of individuals from publicly shared images, support mass surveillance and tracking without consent, and allow inference of sensitive personal attributes such as age, gender, or health conditions. Since biometric data cannot be revoked like a password, once facial embeddings are leaked, they can be exploited for identity theft and cross-platform re-identification. To address these challenges, many deep learning based methods have been proposed to alter facial images so that identity is concealed while the images remain useful for deep learning tasks such as age estimation, attribute recognition, expression analysis, and face recognition for an authorized system. These methods include pixel-level manipulation, generative adversarial makeup, feature disentanglement, and key-based reversible encryptions. However, most of them follow the idea of bounded distortion, where the image is slightly altered for privacy preservation while keeping the image quality and the corresponding deep learning task accuracy intact. In this paper, we perform a detailed security analysis of these deep learning based privacy-preserving methods and show that these defense mechanisms are fundamentally insecure. Using theoretical as well as extensive experimental analysis, we demonstrate that a conditional GAN model can be trained to reconstruct the original image from the privacy-preserving protected image. Our attack analysis on the ten best-known privacy-preserving methods recovers the original from the protected image with high accuracy. 
Our results expose the key limitations of existing deep learning based privacy-preserving methods and stress the need for privacy-preserving solutions based on stronger principles, such as information theory or cryptography, while still ensuring functionality for deep learning tasks.

Keywords: Privacy-Preserving, GAN-Invert, Face-Recognition, Facial Attribution

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.