Figure 7 in the paper [0] shows something really important. The learned adversarial patch is not general at all and has to be held in a specific place with a specific orientation to function. This means it's not going to be generalizable to actual surveillance where you'll be viewed from a lot of different potential angles or say onto a shirt or jacket you can just wear.
From what I understand, all of these methods to fool image recognition systems have to be very specifically tailored to a very specific image recognition system, which makes them completely useless for any kind of practical use.
To really avoid image recognition, you need to create patterns that disrupt the actual patterns that these systems look for. For facial recognition, make your eyes and jawline hard to find, like Dazzle makeup does. To defeat full-body recognition systems, wear clothes with heavy patterns that make it hard to distinguish where your arms, legs and head are.
Even then, it's unlikely to work from all angles and against all backgrounds. You'd need something that adapts to the background you're likely to be seen against.
I think it's worth nothing that traditional camouflage aims to break up the transition between the object and the background so the outline of the object cannot be properly seen and therefore the object cannot be picked out from the background.
Dazzle works not to prevent detection of the shape/outline but to prevent any further information from being discerned (e.g. heading, precise shape and distance).
Depending on the kind of system you're trying to fool the former approach may be far easier.
I once saw a woman wearing black and white patterned leggings that perfectly replicated the intended effect of dazzle. I think that with clothing that isn't skin tight and therefore does not perfectly match the shape of one's body it would be even easier to pull off.
They have brightly patterned shells, and each one is different. One hypothesis for why this is is that it deprives the birds that eat them of a consistent pattern to look for.
Disco suit completely covered in mirrors. I can dig it!
More seriously: I got the book How to Survive a Robot Uprising many years ago, and it has all sorts of tips like this one for defeating various parts of a robot's sensory and locomotion systems.
This sounds very similar to "traditional", i.e., military, camouflage. Does camo gear help with making it hard for AI to see you, like it does with humans?
Basic image searches are looking for patterns so if you can have colors that break lines then you'd get the same effect. You would probably want to go with grey's and blue for city colors.
Head to toe camouflage in the city puts you on the radar in other ways.
But the other trick about camouflage is to look like everyone else.
Hence why all soldiers dress the same out field and rank insignia is displayed in very mute colors on uniforms. This has the effect of hiding the officers in with the herd. Just don't be the guy holding the radio :P
If you really wanted to go somewhere and be untrackable you could just wear religious clothing that covers your face and body. That way you blend in with the whole group without looking like a crazy person with facepaint.
> Does camo gear help with making it hard for AI to see you, like it does with humans?
Camo is all relative to the background. A gillie suit tailored for the local vegetation will fool literally every form of visible spectrum attempts at detecting the wearer (you need to look for heat or scent instead). It won't work very well at the mall though.
Military camouflage like Multicam is optimized for the outdoors (forest, desert, etc.) It's unlikely to work well in an urban environment where most facial recognition takes place.
It's commonly claimed that putting a pebble in your shoe is a good way to disrupt gait detection. (Presumably you shouldn't always use the same pebble in the same shoe!)
Yeah, it seems Islam tradition solved identity recognition ages ago. It certainly makes business negotiations difficult; the burka wearer has the advantage of emitting no body language. An advantage if they are being pitched to, that is.
Would it not be easier at some point to “simply” don a disguise ala mission impossible? The one issue is ensuring emergence is not detected (this disguise came out from this building/house).
CV Dazzle [0] is/was a style of makeup that defeated facial recognition, and it seemed to work from multiple angles. Unfortunately it was released something like 5 years ago so I'm certain it won't withstand today's state of the art techniques. Looks like it was never really tested to work against deep learning-based techniques.
That said, I think somebody could very easily come up with an adversarial makeup camouflage recommender. Imagine an interactive visualization of the regions of confidence of a facial recommendation system, hooked up to your webcam. You could have a visual overlay of where to apply make up to most damage the classifier's confidence of your identity.
thing is, when you walk around on the street looking like the people on their website you don't actually need surveillance camera's because every single person will remember seeing you.
I don't think that's true. I'm no expert on facial recognition, but I believe those systems look at more specific details, like the corners of your eyes and mouth, and where they are relative to your jawline. They're less interested in things like "could this be part of a cheek? does that hair cover a head? does the picture as a whole make sense?". They're very precise (more than we are) at measuring the exact locations of specific features, but less good at checking if the picture as a whole could be hiding a person.
So they're better than us at some things, but can still fail dramatically at things that seem trivial to us.
It's certainly not a way to stay stealthy, yeah. And frankly it's probably worse at defeating face recognition than wearing a bulky hoody and staring at your shoes while you walk. I don't think this will be identity-concealing except maybe at some cybergoth raves...
It's an awfully cool project, though; both artistic and a transformation-resilient adversarial input.
I guess the solution could eventually be digital paint which rapidly and randomly alters itself, something akin to the scramble suits from A Scanner Darkly. https://www.dailymotion.com/video/xqrvzb
That CV Dazzle project is fascinating. The link to the warship Dazzle camouflage is also hilarious in the sense that that is what people have to turn to in 2019.
It reminds me of the comic book The Private Eye by Brian K Vaughn. In that story the cloud "bursts" and online privacy evaporates overnight so everyone turns to intense camouflage to protect their identity. (https://en.wikipedia.org/wiki/The_Private_Eye)
Does face detection today use the same kind of trained neural nets that YoLo or others use? Watching this video [0] from their site it seems it's using a much more static algorithm trying to detect particular features which is what the CV Dazzle makeup aims to disrupt. As far as I understand one of the benefits of the neural net models is that they're less reliant on defined features than the older CV models.
On the website it talks about openCV and how to fool that, as well as the general techniques used. I still think from the tips shown that it would be very effective today. For exaple, it talks about how the most distinct features of a face are the nose and eyes, and that hiding or obscuring them works well.
Newer technology likely gets much better at spotting noses and eyes, but taking them entirely out of the picture probably helps. Also the asymmetry I can imagine helps a lot.
Another problem is that the minute that AI-proof clothing goes mass market is the minute it stops working (and for that reason, I suppose that you wouldn't want to have a product image, either.)
The minute clothing that is really effective against AI video surveillance is available when AI video surveillance is widespread is the minute it will become a criminal offence to sell or wear such clothing...
Will the book, "How To Make AI-proof Clothing" stop working the minute it is published, or will it teach generalizable skills.
It would seem unfair to pit a static object (prefab clothes) against a dynamic opponent (person detection AI). Better to compare two intelligent opponents.
I'm not 100% sure a static image on cloth will ever work well for that kind of general countermeasure. So far all adversarial stuff except the dazzle camouflage face paint require pretty precise position or view relative to the object being labeled.
It is already reasonably robust though: https://www.youtube.com/watch?v=MIbFvK2S9g8
It is not magic, but I can imagine the method being extended to be more robust to rotation/shearing (by improving the metric being optimized for).
I wouldn't call having to keep it mostly level and centered at hip height robust in the slightest. Check out around 0:35 in that video where he starts moving it around once he rotates it just a little out of orientation (both directly towards the camera which seems very important and also the slight <20 degree rotation) that breaks the patch and YoLo figures out it's a person. Or again at 0:55 approx where it's moved slightly to the side it again breaks pretty immediately.
He did once but it broken the patch and YoLo correctly labelled his torso so he put it back down. They say directly in the paper that it's quite sensitive to the position of the patch relative to the bounding box of the detected object.
More to the point, you won't have access to the actual surveillance network's AI, so you won't be able to train your patch adversarially in a reasonable amount of time.
[0] https://arxiv.org/pdf/1904.08653.pdf