BlackHole - Your digital invisibility cloak

Project Story

Inspiration

We wanted to explore adversarial responses to human facial recognition. Bots can scrape services like instagram to learn information about you by tying you to your face, so we wanted to secure against this.

What it does

Black Hole is a privacy-preserving tool that protects your photos from facial recognition systems. Users upload a photo through our web interface, and receive back what appears to be an identical image. However, the returned photo contains a carefully crafted adversarial mask—imperceptible to the human eye—that disrupts facial recognition algorithms while maintaining visual quality.

Our project is built into a raspberry pi, and is supposed to reflect embedded hardware and software design on a camera. The prototype makes a request from our website (which emulates clicking a camera's click button), and the raspberry pi will take a photo, mask it, and return the photo to our front end, where we can download both the original and modified images.

Our backend first takes a photo using the raspberry pi’s webcam. Then, we generate bounding boxes to identify people’s faces in the photo. We then apply our algorithmically generated mask to each face in the image. We compare the accuracy of the modified image vs the original image, and we upload the image to the front end.

How we built it

We studied the behavior of facial recognition models (specifically Google’s FaceNet) over a large dataset of real-world images of faces, and searched for common patterns in what regions of the face were focused on by the AI to make its decision. We then designed a mask that maximally damaged the classification result, while remaining minimally perceptible to the human eye. The resulting mask can be applied very easily over all the faces in an image by embedded hardware (Raspberry Pi running ARM processor) with minimal compute costs. However, it causes severe damage to the performance of facial recognition models attempting to trace the face back to the person’s true identity. The mask is also generalized to every kind of face, background, lighting, etc.

Challenges we ran into

One of our main challenges, surprisingly, was that we could not get the Raspberry Pi to connect to Utexas Wifi. Once we did, we could not get SSH to work due to what seems to be a wide variety of annoying network protections. We got around this, by effectively using cloudflare to tunnel between the main pi and the validation script on the laptop on a local network.

Accomplishments that we're proud of

In this project, we were able to connect 3 layers of abstraction, build a universal mask that causes the facial recognition to fail at up to 90%, add additional features such as masking all faces in the photo, and implement a polished front end. We are also very proud of making the mask a single noise pattern that impacts all faces generally--allowing the system to work on even low-power ARM systems like Raspberry Pi--and transfers effectively to out-of-dataset faces (none of the team’s images were factored into creating the mask, but it worked on them anyway).

On the technical side,

What we learned

We learned about adversarial machine learning, neural network vulnerabilities, and the practical challenges of deploying ML models on edge devices. We also gained insights into the broader implications of facial recognition technology and the importance of privacy-preserving tools.

What's next for Black Hole - Your digital invisibility cloak

We will turn the camera into a fully functioning device that is purchasable and usable. Our hackathon project only demonstrates the core functionality, and we would like to turn this into something the average person can access to fight back against the growing threats posed by AI. This could be applied in multiple ways: an app to fuzz you're image prior to posting, a camera that automatically makes sure all images are fuzzed, or even a framework for CCTV footage to reduce tracking concerns related to privacy.