PhotoGuard: This new tool could protect your images from AI manipulations

by admin

Remember that selfie you posted last week? Nothing currently prevents someone from grabbing it and manipulating it using powerful generative artificial intelligence (AI) systems. Worse still, thanks to the sophistication of these systems, it may be impossible to prove that the resulting image is fake.

The good news is that a tool called PhotoGuard (code published on GitHub), developed by researchers at the Massachusetts Institute of Technology (MIT), could prevent just that. PhotoGuard works like a protective shield, modifying photos in tiny ways that are invisible to the human eye but prevent them from being tampered with. When someone tries to manipulate a PhotoGuard “immunized” image with editing software based on a generative AI model like Stable Diffusion, the result looks unrealistic or distorted.

“Right now, anyone can take photos of us, change them any way they want, put us in very bad-looking situations, and blackmail us,” says Hadi Salman, a graduate student at MIT who helped with the research. The study was presented at the “International Conference on Machine Learning” at the end of July.

PhotoGuard is “an attempt to solve the problem of our images being maliciously manipulated by these models,” says Salman. For example, the tool could prevent women’s selfies from being turned into non-consensual deepfake pornography.

The need to find ways to detect and stop AI-powered tampering has never been more urgent. Generative AI tools make such changes faster and easier than ever before. In a voluntary commitment with the White House, leading AI companies such as OpenAI, Google and Meta have committed to developing methods to prevent fraud and deception.

PhotoGuard complements one of these techniques: watermarking. While watermarking uses similar invisible signals to allow people to recognize AI-generated content once it’s created, PhotoGuard is designed to discourage others from using AI tools to manipulate images in the first place.

The MIT team used two different techniques to prevent images from being processed using the open-source Stable Diffusion image model. The first technique is what is known as an encoder attack. PhotoGuard adds imperceptible signals to the image so that the AI model interprets it as something else. These signals could, for example, lead the AI to categorize an image of, say, entertainer Trevor Noah as a block of pure gray. As a result, any attempt to use Stable Diffusion to put Noah in other situations would look unconvincing: the resulting photo will contain a washed-out or gray background (see image below).

The second technique is called a diffusion attack. Its results are more convincing, i.e. the edited images are less usable (see figure below). It disrupts the way the AI models create images by encoding the images with secret signals that alter how the model processes them. By adding these signals to an image provided by Trevor Noah, the team was able to manipulate the diffusion model to ignore the prompt and produce the image the researchers wanted. As a result, all of the AI-edited images of Noah just looked gray.

(Image: MIT CSAIL / Hadi Salman et al.)
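
The first technique above, the encoder attack, sketched as an added example (not PhotoGuard's own code): a projected-gradient search for a bounded pixel change that pulls an encoder's latent toward that of a flat gray image. The toy encoder, the sizes, the budget `EPS` and the sample image are assumptions made for illustration.

```python
import math

N, K = 16, 4      # toy sizes (assumed): 16 "pixels", 4 latent units
EPS = 8 / 255     # L-infinity budget that keeps the change small (assumed value)

# Hypothetical stand-in for a model's image encoder: tanh over DCT-like filters.
W = [[2 / N * math.cos(math.pi * (k + 1) * (j + 0.5) / N) for j in range(N)]
     for k in range(K)]

def encode(x):
    return [math.tanh(sum(w * p for w, p in zip(row, x))) for row in W]

def latent_dist(x, z_target):
    return sum((a - b) ** 2 for a, b in zip(encode(x), z_target))

def immunize(x, target, eps=EPS, steps=40):
    """Find delta with |delta|_inf <= eps that moves encode(x + delta) toward encode(target)."""
    z_t = encode(target)
    alpha = eps / 10
    delta = [0.0] * N
    best, best_loss = list(x), latent_dist(x, z_t)
    for _ in range(steps):
        z = encode([p + d for p, d in zip(x, delta)])
        # Gradient of ||tanh(Wx) - z_t||^2 with respect to the pre-activations
        g_pre = [2 * (a - b) * (1 - a * a) for a, b in zip(z, z_t)]
        grad = [sum(W[k][j] * g_pre[k] for k in range(K)) for j in range(N)]
        for j in range(N):
            step = delta[j] - alpha * math.copysign(1, grad[j]) if grad[j] else delta[j]
            step = max(-eps, min(eps, step))                   # project onto the eps-ball
            delta[j] = max(0.0, min(1.0, x[j] + step)) - x[j]  # keep pixels in [0, 1]
        x_adv = [p + d for p, d in zip(x, delta)]
        loss = latent_dist(x_adv, z_t)
        if loss < best_loss:                                   # keep the best iterate
            best, best_loss = x_adv, loss
    return best

# Constructed sample input: a brightness ramp as the "photo", flat gray as the target.
photo = [0.1 + 0.8 * j / (N - 1) for j in range(N)]
gray = [0.5] * N

def demo():
    protected = immunize(photo, gray)
    z_gray = encode(gray)
    max_change = max(abs(a - b) for a, b in zip(protected, photo))
    return latent_dist(photo, z_gray), latent_dist(protected, z_gray), max_change

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the latent distance to gray before and after immunization, plus the largest per-pixel change, which stays within `EPS`.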

The work is “a good combination of a concrete need and what can be done now,” says Ben Zhao, a computer science professor at the University of Chicago. He has developed a similar protection method called Glaze, which artists can use to prevent their works from being adopted into AI models.

Tools like PhotoGuard are changing the economics and incentives for attackers by making it harder for them to use AI in malicious ways, says Emily Wenger, a research scientist at Meta who also worked on Glaze and developed methods to prevent facial recognition. “The higher the hurdle, the fewer people are willing or able to overcome it,” says Wenger.

One challenge will be seeing how this technique translates to other models, Zhao says. The researchers have published a demo on the Internet that people can use to immunize their own photos using an “encoder attack”. So far, however, it only works reliably with Stable Diffusion.

PhotoGuard can also make it more difficult to manipulate new images, but it does not offer complete protection against counterfeiting. Old, unimmunized images of users can still be misused, and there are other ways to create fakes, says Valeriia Cherepanova of the University of Maryland. The doctoral student has developed techniques that users of social media can use to protect themselves from facial recognition.

In theory, people could apply this protective shield to their images before uploading them online, says MIT’s Aleksander Madry, who helped with the research. However, it would be much more effective if tech companies automatically added this protection to the images that users upload to their platforms, he adds.

The whole thing is an arms race. While tech companies have committed to improving protection methods, they continue to develop new, better AI models at a rapid pace that may be able to bypass new protections. The best-case scenario would be if the companies developing AI models also offered a way to immunize their images that works with any updated AI model, says Salman.

Trying to protect images from AI tampering at the source is a much more viable option than trying to use unreliable methods to detect AI tampering, says Henry Ajder, an expert in generative AI and deepfakes.

Every social media platform and AI company “needs to think about how to protect users from being targeted by [non-consensual] pornography or having their faces cloned to create defamatory content,” he says.

(jl)
