Social media users unintentionally expose private information when sharing photos online [ 12 ], such as locations a user visited etc., which can be automatically inferred by state of the art methods [ 2 ]. The focus of Pixel Privacy task of MediaEval 2019 workshop [ 10 ] is to protect user uploaded multimedia data online. The task objective is to use image transformation algorithms for blocking the automatic inference of scene class by convolutional neural network (ConvNet) based ResNet50 classifier [ 6 ] trained on Places365standard dataset [ 15 ]. The proposed methods should also either increase (or maintain) the visual appeal of an image. Additional details of the task can be found in [ 10 ].

We propose to combine image style-transfer and image enhancement with adversarial image perturbations to increase the visual appeal of the images, in addition to blocking the automatic inference of scene class information by the classifier. We also apply white-box (where the attacker has access to the model’s parameters) adversarial perturbations alone to compare the performance to the fusion based approaches. Finally, we use simple euclidean operations like image translation and rotation to show how they are also able to fool the classifier. The proposed approaches are evaluated on the basis of reduction in the top-1 classifier accuracy and Neural Image Assessment (NIMA) [ 13 ] score is used to evaluate the image quality of the transformed images. The motivation behind proposing fusion based approaches is to incentivize the social media users to use such methods for not only protecting the privacy-sensitive information in the photos, but also to enhance their photos as an added bonus. CartoonGAN style transfer and Iterative least-likely class adversarial attack: In the first approach, we use an image style transfer method based on Generative Adversarial Networks (GANs) [ 4 ] called CartoonGAN [ 1 ], which enhances the image by applying cartoon style efects. On these enhanced set of images, we then apply a white-box targeted adversarial attack called the Iterative least-likely class method [ 7 ], which is a variant of the Fast Gradient Sign Method (FGSM) proposed by [ 5 ]. The Iterative least-likely class method tries to make an adversarial image by adding noise to the clean image, so that it will be classified as the class with the lowest confidence score for clean image. For choosing optimal ϵ (limit on the perturbation size), instead of doing binary search on each example because of the computational expense, we choose the value of ϵ to be 8/255 on the basis of experimental results on a subset of validation set images. When enhancing the images using CartoonGAN, Hayao style is chosen because it results in the largest increase of mean aesthetic score among diferent CartoonGAN styles on the validation images.

CartoonGAN style transfer and PGD: In a slightly modified version, we now apply Projected Gradient Descent (PGD) [ 11 ] adversarial attack after enhancing the images with CartoonGAN style transfer. Here, we apply an untargeted adversarial attack, unlike in the previous method where the target class is the least-likely class of clean image. For the PGD adversarial attack, we chose the value of ϵ to be 2/255 and the stepsize is chosen as 1/ϵ on the basis of empirical results on a subset of validation images.

Inspired from the center crop and random crop operations in [ 9 ] to fool the classifier, we choose to explore other simple geometric operations on images, which are often overlooked in favor of adversarial attacks to fool the classifier. We consider two basic euclidean transformations i.e. image translation and rotation. To choose the optimal translation and rotation value to fool the classifier, we use the robust optimization method proposed by [ 3 ], instead of the computationally expensive grid-search. For majority of the images, we constrain translation to be within 20% of image size in each spatial direction and rotation up to 20°, and fill the resulting empty image spaces with zero pixel value. 3

In the Pixel Privacy task of the MediaEval 2019 workshop, the participants are allowed to submit five runs for the task, which are evaluated on the basis of top-1 classification accuracy (lower is better) and NIMA score [ 13 ] (higher is better), as shown in Table 1. Figure 1 shows the original image and the transformed images by diferent approaches and the corresponding top-5 class prediction. Fusion based approaches: The performance of CartoonGAN + Iterative least-likely class adversarial method is good in terms of the top-1 accuracy, however it has the worst NIMA score of 4.37 among all runs. CartoonGAN + PGD adversarial method has the best NIMA score of 4.77 among all runs, but considerably higher classifier accuracy of 14%, which it is still less than 50%.

For Contrast Enhancement + Iterative least-likely class run, we get the lowest 0% top-1 accuracy and 4.47 NIMA score. The images enhanced using contrast enhancement method [ 14 ] look visually more appealing to the naked eye, however the NIMA score after applying only contrast enhancement is still slightly less than that of the clean images which is unexpected.

In this paper, diferent approaches have been proposed for the Pixel Privacy task of MediaEval 2019 workshop. The fusion based approaches combining style transfer/image enhancement with adversarial attacks are chosen to increase the image appeal score beforehand, as reducing the classifier accuracy through adversarial perturbations decrease image appeal score, due to addition of noise.

In future, increasing image appeal by using the state of the art deep learning based image enhancement methods for image denoising, color/contrast/exposure adjustment etc. and then applying adversarial perturbation in our opinion will yield better results.