Do Protective Perturbations Really Protect Portrait Privacy under Real-world Image Transformations?
Pith reviewed 2026-05-08 06:36 UTC · model grok-4.3
The pith
Pixel-level perturbations added to protect portrait privacy lose effectiveness under common real-world image transformations like scaling and compression.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper shows that representative proactive defense methods relying on pixel-level perturbations do not preserve their protective power when images undergo typical real-world transformations such as scale changes and color compression. Systematic tests using qualitative and quantitative metrics on diffusion- and GAN-based models for both portrait and natural images demonstrate clear degradation in defense performance, and a simple purification framework is introduced that exploits the same transformations to remove the perturbations at low computational cost.
What carries the argument
Evaluation of pixel-level perturbation defenses against real-world image transformations, with a proposed purification method that leverages those transformations to strip the perturbations.
If this is right
- Existing pixel-level proactive defenses carry a substantial risk of failure during normal image dissemination.
- A low-cost purification approach can efficiently remove protective perturbations by using common transformations.
- Privacy tools for portraits must account for post-capture processing steps that alter pixels.
- Defense evaluations should include robustness checks against cross-device modifications.
- The research community needs to address risks from transformations that were previously overlooked.
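A robustness check of the kind these implications call for, as an added example that is not code from the paper or from Pith: it measures how much of a bounded pixel-level perturbation survives a downscale/upscale round trip, the scale transformation only. The gradient image, the tiled ±eps perturbation and all function names are constructed for illustration; real protective perturbations are optimized against a generative model.

```python
import math

def make_image(n=32):
    # Constructed smooth grayscale gradient standing in for a portrait.
    return [[64 + 2 * c + r for c in range(n)] for r in range(n)]

def make_perturbation(n, eps, block):
    # Constructed stand-in for a protective perturbation: +/-eps laid out as a
    # checkerboard of block x block tiles (block=1 is the highest frequency).
    return [[eps if ((r // block) + (c // block)) % 2 == 0 else -eps
             for c in range(n)] for r in range(n)]

def add(img, delta):
    # Apply the perturbation and clip to the valid 8-bit range.
    return [[min(255, max(0, p + d)) for p, d in zip(ri, rd)]
            for ri, rd in zip(img, delta)]

def scale_round_trip(img, factor):
    # Box-filter downscale by `factor`, then nearest-neighbour upscale back
    # to the original size, as a display or upload pipeline might do.
    n = len(img)
    out = [[0.0] * n for _ in range(n)]
    for br in range(0, n, factor):
        for bc in range(0, n, factor):
            cells = [(r, c) for r in range(br, br + factor)
                     for c in range(bc, bc + factor)]
            mean = sum(img[r][c] for r, c in cells) / len(cells)
            for r, c in cells:
                out[r][c] = mean
    return out

def rms(m):
    vals = [v for row in m for v in row]
    return math.sqrt(sum(v * v for v in vals) / len(vals))

def survival(img, delta, factor):
    # RMS of what the transform leaves of the perturbation, relative to the
    # RMS of the perturbation as applied: 0.0 = erased, 1.0 = fully intact.
    clean = scale_round_trip(img, factor)
    prot = scale_round_trip(add(img, delta), factor)
    residual = [[p - c for p, c in zip(rp, rc)] for rp, rc in zip(prot, clean)]
    return rms(residual) / rms(delta)

def robustness_report(n=32, eps=4, blocks=(1, 4), factors=(2, 4, 8)):
    # Survival for every (tile size, scale factor) pair.
    img = make_image(n)
    return {(b, f): survival(img, make_perturbation(n, eps, b), f)
            for b in blocks for f in factors}

if __name__ == "__main__":
    for (b, f), s in sorted(robustness_report().items()):
        print(f"tile={b}px scale=1/{f}: survival={s:.2f}")
```

The per-pixel checkerboard is erased at every scale factor, while the 4-pixel tiling survives until the averaging window spans tiles of both signs. Survival here is pixel-space RMS only and does not measure whether a downstream editing or TFG model still succeeds.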
Where Pith is reading between the lines
- Future defenses could incorporate invariance to common transformations or shift to non-pixel features for greater durability.
- The observed vulnerability may extend to other subtle-change privacy methods beyond the ones tested.
- Platform operators might need to implement additional safeguards since per-image perturbations prove fragile.
- Testing protocols for new defenses should prioritize compressed and resized conditions from the start.
Load-bearing premise
The chosen set of proactive defenses, image transformations, and metrics adequately represents the variety of real-world conditions to support a general conclusion about defense failure.
What would settle it
Demonstration that one or more of the evaluated defense methods retains its full protection success rate, per the paper's metrics, after the full sequence of applied transformations including multiple scales and compressions.
Original abstract
Proactive defense methods protect portrait images from unauthorized editing or talking face generation (TFG) by introducing pixel-level protective perturbations, and have already attracted increasing attention for privacy protection. In real-world scenarios, images inevitably undergo various transformations during cross-device display and dissemination--such as scale transformations and color compression--that directly alter pixel values. However, it remains unclear whether such pixel-level modifications affect the effectiveness of existing proactive defense methods that rely on pixel-level perturbations. To solve this problem, we conduct a systematic evaluation of representative proactive defenses under image transformation. The evaluated methods are selected to span different generation architectures such as diffusion and GAN-based models, as well as defense scopes covering both portrait and natural images, and are assessed using both qualitative and quantitative metrics for subjective and objective comparison. Experimental results indicate that defense methods based on pixel-level perturbations struggle to withstand common image transformations, posing a risk of defense failure in real-world applications. To further highlight this risk, we propose a simple yet effective purification framework by leveraging the vulnerabilities induced by real-world image transformations. Experimental results demonstrate that the proposed method can efficiently remove protective perturbations with low computational cost, highlighting previously overlooked risks to the research community.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims that proactive privacy defenses relying on pixel-level perturbations fail to protect against unauthorized portrait editing and talking face generation (TFG) once images undergo common real-world transformations such as scaling and color compression. It supports this via a systematic empirical evaluation of representative diffusion- and GAN-based methods spanning portrait and natural-image scopes, using both qualitative and quantitative metrics, and introduces a low-cost purification framework that exploits the induced vulnerabilities to remove perturbations.
Significance. If the central empirical finding holds, the work is significant for the computer vision privacy community: it provides concrete evidence that current pixel-level defenses are brittle under dissemination pipelines and supplies a practical purification baseline that exposes the risk. The cross-architecture and cross-scope evaluation, together with the proposed framework, supplies a useful reference point for designing transformation-aware defenses.
major comments (2)
- [Abstract and §3] Abstract and §3 (Evaluation Setup): the claim that the selected methods 'span different generation architectures such as diffusion and GAN-based models, as well as defense scopes covering both portrait and natural images' is load-bearing for the generalization to 'risk of defense failure in real-world applications,' yet the manuscript provides no explicit selection criteria, coverage table, or justification that the chosen set is representative rather than convenient; without this, the failure observation cannot be extrapolated beyond the tested instances.
- [§4 and Table 2] §4 (Experimental Results) and Table 2: the quantitative metrics are described as 'subjective and objective comparison,' but it is unclear whether they include direct downstream success rates of TFG/editing models after each transformation; if the metrics only measure perturbation survival rather than privacy leakage, they do not fully substantiate the privacy-risk claim.
minor comments (2)
- [Figures 3-4] Figure 3 and 4 captions should explicitly state the transformation parameters (scale factor, JPEG quality, etc.) used in each row so readers can reproduce the exact conditions.
- [§5] The purification framework in §5 is presented as 'simple yet effective,' but the computational-cost comparison lacks a baseline implementation (e.g., standard denoising) to quantify the claimed efficiency gain.
Simulated Author's Rebuttal
We thank the referee for the constructive comments, which help clarify the presentation of our empirical findings on the brittleness of pixel-level portrait privacy defenses. We agree that explicit justification for method selection and clearer linkage between metrics and privacy leakage will strengthen the manuscript. We address each major comment below and will make the indicated revisions.
Point-by-point responses
- Referee: [Abstract and §3] Abstract and §3 (Evaluation Setup): the claim that the selected methods 'span different generation architectures such as diffusion and GAN-based models, as well as defense scopes covering both portrait and natural images' is load-bearing for the generalization to 'risk of defense failure in real-world applications,' yet the manuscript provides no explicit selection criteria, coverage table, or justification that the chosen set is representative rather than convenient; without this, the failure observation cannot be extrapolated beyond the tested instances.
  Authors: We selected the methods to reflect prominent proactive defenses from the recent literature, prioritizing architectural diversity (GAN vs. diffusion) and scope (portrait-specific vs. general natural-image defenses) while ensuring they are publicly available for reproducible evaluation. To address the concern, the revised manuscript will include an explicit selection criteria paragraph and a coverage table in §3, listing each method with its architecture, original scope, publication venue, and rationale for inclusion. This will better ground the generalization to real-world risk. revision: yes
- Referee: [§4 and Table 2] §4 (Experimental Results) and Table 2: the quantitative metrics are described as 'subjective and objective comparison,' but it is unclear whether they include direct downstream success rates of TFG/editing models after each transformation; if the metrics only measure perturbation survival rather than privacy leakage, they do not fully substantiate the privacy-risk claim.
  Authors: The current quantitative metrics (PSNR, SSIM, LPIPS) quantify perturbation survival after transformations, which we link to privacy failure because a destroyed perturbation no longer prevents editing or TFG. Qualitative results in §4 already illustrate successful downstream editing on transformed images. To make the privacy-leakage connection more explicit, we will add a new column or subsection in Table 2 and §4 reporting direct downstream success rates (e.g., face identity similarity scores and generation quality metrics for TFG/editing models applied post-transformation). revision: yes
Circularity Check
No circularity: purely empirical evaluation of existing methods
The paper performs a systematic experimental evaluation of representative proactive defense methods (spanning diffusion and GAN architectures) under common image transformations, using qualitative and quantitative metrics. It then proposes a simple purification framework that exploits observed vulnerabilities. No derivations, equations, fitted parameters, or predictions are present that could reduce to self-definitions, self-citations, or ansatzes. All claims rest on direct experimental outcomes rather than any load-bearing logical or mathematical chain internal to the paper.