=Paper= {{Paper |id=Vol-2670/MediaEval_19_paper_9 |storemode=property |title=Pixel Privacy 2019: Protecting Sensitive Scene Information in Images |pdfUrl=https://ceur-ws.org/Vol-2670/MediaEval_19_paper_9.pdf |volume=Vol-2670 |authors=Zhuoran Liu,Zhengyu Zhao,Martha Larson |dblpUrl=https://dblp.org/rec/conf/mediaeval/Liu0L19 }} ==Pixel Privacy 2019: Protecting Sensitive Scene Information in Images== https://ceur-ws.org/Vol-2670/MediaEval_19_paper_9.pdf
Pixel Privacy 2019: Protecting Sensitive Scene Information in Images

Zhuoran Liu, Zhengyu Zhao, Martha Larson
Radboud University, Netherlands
{z.liu,z.zhao,m.larson}@cs.ru.nl

ABSTRACT
The Pixel Privacy task focuses on the protection of user-uploaded multimedia data online. Specifically, it benchmarks image transformation algorithms that protect privacy-sensitive images against automatic inference. The image transformations should block automatic classifiers that infer sensitive scene categories and increase (or maintain) image visual appeal at the same time. The task in 2019 is to develop image transformations under the condition that all information of the attack model is available for transformation development. Under this white-box setting, the decreased accuracy of the attack model and the visual appeal of the protected images are considered for protection evaluation.

Figure 1: Examples of validation images in MediaEval Pixel Privacy task 2019. Images are randomly selected from category bedroom (top row) and closet (bottom row).

Copyright 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
MediaEval’19, 27-29 October 2019, Sophia Antipolis, France

1    INTRODUCTION
The MediaEval Pixel Privacy task aims to promote the development of algorithms that protect the privacy-sensitive information of user-generated multimedia data online. To achieve this goal, participants are encouraged to develop image transformation algorithms that increase (or maintain) the visual appeal of images, while at the same time protecting privacy-sensitive information in the images. Ideally, users should find that the transformed images are interchangeable with the original image, for whatever purpose the original image was intended. The transformed images should be able to mislead automatic scene classifiers.

The task is motivated by the potential risk of the privacy-sensitive information implicit in user-generated data, which is accumulated by large social networks. Accumulated social media data can be misappropriated for commercial purposes that are not transparent to users [9]. Although algorithms [11, 13] have been developed to improve the situation of privacy protection in multimedia online, users themselves still do not have many choices to control the information implicit in their own multimedia data. In addition, given the large amount of accumulated data, potential privacy risks could be aggravated by massive data breaches [9]. Privacy-sensitive information can be processed by automatic algorithms, allowing malicious actors to select potential victims as the target for specific crimes, a practice known as cybercasing [4]. For example, based on user-uploaded images, the trajectory of an individual can be calculated by geo-location prediction algorithms based on computer vision algorithms. This information can be exploited by a criminal to plan a burglary by only accessing the visual contents of these social photos. Combining mined information from different sources is also likely to aggravate online crimes, e.g., telecommunication fraud [1] or blackmail.

The Pixel Privacy task was introduced as a brave new task in the MediaEval Multimedia Evaluation Benchmark in 2018 [8]. The task focused on sensitive scene categories of social images, and required participants to protect images against an automatic scene classifier. Examples from the 2019 validation set are shown in Figure 1. In 2019, we again focus on the protection of sensitive scene categories and use the same basic task formulation and source data. The task has been refined in several ways in order to allow us to gain more insight from the results. In 2019, we retain the white-box setting, meaning that the attacking classifier is known and all information of the attack model is available for protection development. Also, we retain the untargeted setting, meaning that there is no particular target class into which the image must be misclassified. Instead, any misclassification counts as protection. The important change for this year is that the test set only contains images that the attacking classifier classifies correctly. For the purposes of evaluation, we find the images that the attacking classifier misclassifies to be less interesting because they can be considered to already be protected. Also, this year, we pay closer attention to the pipeline. Specifically, images are downsized before being fed into the attack classifier. Participants are required to protect the images in this downsized format, to control for the impact of the downsizing on the protection.

To achieve the goal of privacy protection and visual appeal improvement, researchers participating in the task may consider related work on different multimedia technologies. Image enhancement and style transfer [6] techniques can be exploited to increase visual appeal and protect privacy. Early work showed the basic ability of standard Instagram filters to block the inference of location information [3]. Last year, one participant paper [2] pursued a color harmony based enhancement approach, which focused on improving visual appeal, and another investigated style transfer [10]. Image aesthetics assessment [14] and image quality assessment methods [5] could be helpful to control the visual quality of transformed images. Knowledge of adversarial examples in machine learning can also be applied for privacy protection purposes [10, 11]. However, in 2018, participants did not fully exploit the white-box information, which we hope they will do in 2019.

2    TASK DEFINITION AND DATA
As stated above, the Pixel Privacy task 2019 focuses on the protection of privacy-sensitive scene category information of social images. A scene category can be understood to be the identity of the setting in which a photo was taken. Participants are asked to develop protection approaches on the validation set to decrease the attack accuracy while increasing image appeal. Afterwards, these developed approaches can be applied to the test set images, and the protected images are submitted for evaluation.

The task provides 60 privacy-sensitive categories chosen from the original 365 scene categories from the Places365-Standard dataset [15], which were originally introduced in 2018. The task data set is a subset of this dataset. The Places365-Standard dataset contains 1,803,460 training images and 365 scene categories. The number of images per category varies from 3,068 to 5,000. The attack algorithm is trained to detect all 365 categories. The attack classifier in the task is a PyTorch ResNet50¹ [7] classifier trained on the training set of the Places365-Standard dataset, as was also used in 2018.

A validation set (MEPP18val) is provided to allow participants to develop their image transformation algorithms. Figure 1 shows examples of images from the validation set. We also provide a test set (MEPP19test) to evaluate the performance of the transformation algorithms. MEPP18val contains 3000 images (50 from each of the 60 classes), while MEPP19test contains 600 images (around 10 from each of the 60 classes). Note that if the original images without modification can already block the attack model, no protection transformation is needed. Further, images whose original version is incorrectly classified by the classifier may be correctly classified after transformation. To be able to measure protection performance without interference from these effects, MEPP19test is a subset of last year’s test set (MEPP18test), and contains only the images that were correctly classified by the attack classifier.

Pixel Privacy task 2019 is a simplified version of social image privacy protection, and in particular, uses an untargeted white-box protection setting. Here, we provide some more details about what this means. The white-box setting is that all information of the attack model is available for image transformation development, which means the exact neural network architecture, pre-trained weights and related preprocessing details are available to participants. The untargeted setting defines no target categories for the protected images. In other words, if the predicted label is different from the ground truth then the protection is successful.

Preprocessing the transformed images may strongly influence the protection performance evaluation. For this reason, in the task setting, no resizing or cropping is applied in the processing step. Normalization is the only preprocessing step carried out during evaluation. Small images (256*256) of the Places365-Standard dataset are used as standard input, and they can be downloaded directly from the official website of the Places data set².

For some creative image transformation ideas, it may not be feasible to develop fully automatic transformation algorithms. To leverage participants’ creativity and explore unexpected new ways of improving the visual appeal, we also provide a special test set (MEPP19test_manual). It is a subset of the test set and contains one image for each category. Manual image transformations can be applied on this special test set, and these images can also be submitted for evaluation.

¹ http://places2.csail.mit.edu/models_places365/resnet50_places365.pth.tar
² http://places2.csail.mit.edu/download.html

3    EVALUATION
Participants submit the transformed test set for evaluation and each team can submit at most five runs. Submitted images will be evaluated with respect to protection and appeal. The performance of transformation approaches with respect to protection is evaluated by measuring the drop of prediction accuracy of the attack model. Once the prediction accuracy has reached a certain level of protection, the performance of transformations with respect to appeal will be evaluated with an automatic aesthetics assessment algorithm. To this end, the automatic algorithm NIMA [14] trained on the AVA [12] dataset will be used for visual appeal evaluation, as was also done in 2018. This evaluation method aligns with practical needs from users for multimedia protective technologies.

In order to gain further insight into the appeal of images, we will perform further manual assessment on cases in which the NIMA scores for different protection algorithms diverge dramatically. We will select the images that have the highest variance of NIMA scores across runs submitted by all participating teams, and have these images inspected by a small panel of computer vision experts. The experts will choose the best and the worst examples from the pool of all protected versions. These examples will be qualitatively analyzed in order to gain further insight into the relative strengths and weaknesses of the different protection algorithms.

4    DISCUSSION AND OUTLOOK
One question that remains is whether changing the label of the image from the proper one to an arbitrary one is enough to help users hide their privacy-sensitive information. From Figure 1, we can imagine that if the label of an image is changed from bedroom to closet, the criminal may still be able to mine the information that this image was taken at home. In this case, protection by changing the ground truth label to an arbitrary one is not enough. Another question is that in practical cases model information is not available, which means that the white-box setup may not be valid for image protection in real life.

The Pixel Privacy task is a highly simplified task that defines how to protect users’ multimedia data online in a user-controlled manner. In practice, the social multimedia data may have different types, e.g., text, video and speech data, and the threat models can be complicated too. The goal of the task is to provide a foundation upon which solutions addressing progressively more realistic versions of the problem may be developed in the future.

ACKNOWLEDGMENTS
This work is part of the Open Mind research program, financed by the Netherlands Organization for Scientific Research (NWO).
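
The evaluation flow described in Section 3, as an added Python illustration rather than the organizers' scoring code: the test set keeps only images the attack classifier originally gets right, protection is the accuracy drop under the untargeted criterion, appeal is scored only for sufficiently protective runs, and the images with the highest NIMA variance across runs are queued for expert review. The threshold value, run names, labels and NIMA scores are constructed assumptions.

```python
"""Added illustration of the Section 3 evaluation flow; not the task's official scorer."""
from statistics import mean, pvariance

# Constructed sample data: ground-truth scene label per candidate image.
GROUND_TRUTH = {"img1": "bedroom", "img2": "closet", "img3": "bedroom", "img4": "closet"}
# Attack-classifier predictions on the unmodified images (constructed).
ORIGINAL_PRED = {"img1": "bedroom", "img2": "closet", "img3": "closet", "img4": "closet"}
# Per run: (predicted label, NIMA score) for each protected image (constructed).
RUNS = {
    "run_a": {"img1": ("closet", 5.1), "img2": ("bedroom", 4.0), "img4": ("pantry", 5.5)},
    "run_b": {"img1": ("bedroom", 5.3), "img2": ("bedroom", 6.2), "img4": ("closet", 5.4)},
}
PROTECTION_THRESHOLD = 0.5  # assumption: the paper does not state the required level


def build_test_set(truth, original_pred):
    """Keep only images the attack model classifies correctly (as for MEPP19test)."""
    return sorted(i for i in truth if original_pred[i] == truth[i])


def attack_accuracy(test_set, truth, run):
    """Attack accuracy on one run; untargeted, so any wrong label counts as protected."""
    return mean(1.0 if run[i][0] == truth[i] else 0.0 for i in test_set)


def evaluate(truth, original_pred, runs, threshold):
    """Return the filtered test set and a per-run protection/appeal report."""
    test_set = build_test_set(truth, original_pred)
    report = {}
    for name, run in runs.items():
        acc = attack_accuracy(test_set, truth, run)
        drop = 1.0 - acc  # unprotected accuracy is 1.0 by construction of the test set
        # Appeal (mean NIMA) is only scored once the run is protective enough.
        appeal = mean(run[i][1] for i in test_set) if drop >= threshold else None
        report[name] = {"accuracy": acc, "drop": drop, "mean_nima": appeal}
    return test_set, report


def most_divergent(test_set, runs, k=1):
    """Images whose NIMA scores vary most across runs: candidates for expert review."""
    var = {i: pvariance([run[i][1] for run in runs.values()]) for i in test_set}
    return sorted(test_set, key=lambda i: var[i], reverse=True)[:k]


if __name__ == "__main__":
    ts, rep = evaluate(GROUND_TRUTH, ORIGINAL_PRED, RUNS, PROTECTION_THRESHOLD)
    print(ts, rep, most_divergent(ts, RUNS))
```

Because the filtered test set has a baseline accuracy of 1.0, the accuracy drop equals the fraction of images whose predicted label changed, which is why the originally misclassified image (img3) is excluded before scoring.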


REFERENCES
 [1] 2017. Scammers still up to their tricks despite local efforts to stop them, China Daily, 21 July. (2017). http://www.chinadaily.com.cn/opinion/2017-07/21/content_30195232.htm, Online; accessed 8-Aug-2019.
 [2] Simon Brugman, Maciej Wysokinski, and Martha Larson. 2018. MediaEval 2018 Pixel Privacy Task: Views on image enhancement. In Working Notes Proceedings of the MediaEval 2018 Workshop.
 [3] Jaeyoung Choi, Martha Larson, Xinchao Li, Kevin Li, Gerald Friedland, and Alan Hanjalic. 2017. The Geo-Privacy Bonus of Popular Photo Enhancements. In ACM International Conference on Multimedia Retrieval (ICMR). ACM, 84–92.
 [4] Gerald Friedland and Robin Sommer. 2010. Cybercasing the Joint: On the Privacy Implications of Geo-tagging. In Proceedings of the 5th USENIX Conference on Hot Topics in Security (HotSec).
 [5] Leonardo Galteri, Lorenzo Seidenari, Marco Bertini, and Alberto Del Bimbo. 2017. Deep generative adversarial compression artifact removal. In The IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 4826–4835.
 [6] Leon A. Gatys, Alexander S. Ecker, and Matthias Bethge. 2016. Image Style Transfer Using Convolutional Neural Networks. In The IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 2414–2423.
 [7] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep residual learning for image recognition. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 770–778.
 [8] Martha Larson, Zhuoran Liu, Simon Brugman, and Zhengyu Zhao. 2018. Pixel Privacy: Increasing Image Appeal while Blocking Automatic Inference of Sensitive Scene Information. In Working Notes Proceedings of the MediaEval 2018 Workshop.
 [9] Sam Levin. 2017. Facebook Told Advertisers It Can Identify Teens Feeling ’Insecure’ and ’Worthless’, The Guardian, 1 May. (2017). https://www.theguardian.com/technology/2017/may/01/facebook-advertising-data-insecure-teens, Online; accessed 12-Jul-2019.
[10] Zhuoran Liu and Zhengyu Zhao. 2018. First Steps in Pixel Privacy: Exploring Deep Learning-based Image Enhancement against Large-scale Image Inference. In Working Notes Proceedings of the MediaEval 2018 Workshop.
[11] Zhuoran Liu, Zhengyu Zhao, and Martha Larson. 2019. Who’s Afraid of Adversarial Queries? The Impact of Image Modifications on Content-based Image Retrieval. In ACM International Conference on Multimedia Retrieval (ICMR). ACM, 306–314.
[12] Naila Murray, Luca Marchesotti, and Florent Perronnin. 2012. AVA: A large-scale database for aesthetic visual analysis. In Computer Vision and Pattern Recognition (CVPR). IEEE, 2408–2415.
[13] Eleftherios Spyromitros-Xioufis, Symeon Papadopoulos, Adrian Popescu, and Yiannis Kompatsiaris. 2016. Personalized Privacy-aware Image Classification. In ACM International Conference on Multimedia Retrieval (ICMR). ACM, 71–78.
[14] Hossein Talebi and Peyman Milanfar. 2018. Nima: Neural image assessment. IEEE Transactions on Image Processing 27, 8 (2018), 3998–4011.
[15] Bolei Zhou, Agata Lapedriza, Aditya Khosla, Aude Oliva, and Antonio Torralba. 2017. Places: A 10 million image database for scene recognition. IEEE transactions on pattern analysis and machine intelligence 40, 6 (2017), 1452–1464.