Document Type


Date of Degree Completion

Spring 2021

Degree Name

Master of Science (MS)


Computational Science

Committee Chair

Razvan Andonie

Second Committee Member

Boris Kovalerchuk

Third Committee Member

Szilard Vajda


When talking about protecting privacy of personal images, adversarial attack methods play key roles. These methods are created to protect against the unauthorized usage of personal images. Such methods protect personal privacy by adding some amount of perturbations, otherwise known as "noise", to input images to enhance privacy protection. Fawkes in Clean Attack method is one adversarial machine learning approach aimed at protecting personal privacy against abuse of personal images by unauthorized AI systems. In leveraging the Fawkes in Evasion Attack method and through running additional experiments against the Fawkes system, we were able to prove that the effectiveness of perturbations added in privacy protection of images depends on how we stratify the input population based on demographic features such as race and gender, showing that we need to be able to quantify and take into account various potential areas of bias when leveraging adversarial attack methods to ensure optimal protection of all input images.

As it currently stands, the Fawkes system has a fixed set of hyper parameters for amount of perturbations added per image, which essentially means that they consider all users be treated identically in terms of amount of perturbations added. However, from testing our hypothesis through running various experiments, we found that the protection performance is statistically significantly different when the input images are from different groups of people based on demographic features like race and gender when applying the original parameter settings. For example, we found that for light skin toned females, the original Fawkes settings work well in ensuring privacy protection. However, the original Fawkes settings do not perform well with dark skin toned males in ensuring privacy protection of these images.

In order to ensure fairness from the system, we propose guidelines for taking into account these demographic differences in order to get optimized solution sets for hyper parameter tuning, making future users of the model aware of existing biases and how to mitigate and take them into account. Our proposed solution for hyper parameter tuning takes into account demographic features with internal system settings, aimed at improving the protection performance for all skin tones and gender. We categorized inputs based on demographic features (namely, race and gender) and then used the current Fawkes model to process the categorized input images with different parameters. In our experiments, the main metric we use to evaluate and determine the optimal hyper parameters is the output of custom classifier models (e.g., confidence values) built from Microsoft Cognitive Services Face API. From a high-level, we first test the effectiveness of the Fawkes model applied in Evasion Attack Scenario. Then we ran experiments with curated datasets to prove the existence of demographic bias in the current Fawkes model with its default parameters. Next, we performed experiments on changing the default parameters of Fawkes to analyze the influence of different parameters on different input images. Based on the previous experiment results, we propose guidelines and solution sets that optimize the internal settings to ensure Fawkes model takes into account potential demographic biases and ensure fair protection for all input images.

Our proposed solution and devised set of guidelines takes into account various demographic features (e.g., race and gender) and internal settings together by using grid-search like methods, namely pair-to-pair. By applying our proposed set of guidelines, we ensure optimal protection performance by all skin tones and gender, improving bias and enhancing fairness of the Fawkes model.