A face cloak works by changing numbers you cannot see. Modern face recognition does not compare pictures directly. It converts each face into a vector of features, an embedding, and decides that two photos show the same person when their embeddings sit close together. A cloak adds a small, engineered perturbation to your image that pushes that embedding somewhere else, so the system either files you under the wrong identity or fails to cluster your photos together at all. The picture still looks like you. The math no longer does.
How a recognizer decides two faces match
The target a cloak has to beat is a well-tuned distance test in a high-dimensional space, and that test is strong. Kim, Jain, Liu (2025) report that face recognition “approach[es], and in many cases exceed[s], human performance”, citing a NIST result of an “FNIR of 0.15 percent at FPIR of 0.001 on a gallery of over 10 million identities”. In plain terms, a good recognizer rarely misses a match and rarely raises a false one, even across ten million faces. A cloak has to move your embedding far enough to cross the recognizer’s decision boundary while leaving the image looking untouched to a human eye.
What the cloak actually changes
The perturbation is designed to be invisible. Shan, Wenger, Zhang, Li, Zheng, Zhao (USENIX Security 2020) describe their Fawkes system as adding “imperceptible pixel-level changes (‘cloaks’)” that shift the face’s feature-space embedding. The pixels you can see barely move; the embedding moves a lot. Everything else about cloaking is a variation on that one lever: perturb the input so the learned representation lands in the wrong place.
Two flavors: poison the model, or evade the matcher
There are two distinct ways to apply that lever, and they fail differently.
| Flavor | What it targets | Example tool | When it works |
|---|---|---|---|
| Poison the model | The training set | Fawkes | Cloaked photos are scraped in before a clean one is |
| Evade the matcher | A live query | LowKey, Ulixes | The recognizer you face is the kind cloaked against |
Poison at training time. If cloaked photos of you are scraped into a model’s training set, the model learns a wrong template for your face. A robust Fawkes cloak reached 100% protection against Azure, Rekognition, and Face++, and even when some clean photos leak into the same training set the authors still report an “80+% protection success rate”.
Evade at query time. Here the goal is to break a live match now, not to corrupt future training. Cherepanova, Goldblum, Foley, Duan, Dickerson, Taylor, Goldstein (ICLR 2021) drove Amazon Rekognition from 93.7% down to 0.6% and Azure from 90.5% to 0.1% with their LowKey cloak, and note that earlier tools “fail on full-scale systems and commercial APIs”. Cilloni, Wang, Walter, Fleming (PoPETs 2022) attack the clustering step directly with Ulixes, “preventing the formation of identifiable user clusters in the embedding space of facial encoders”, reporting an accuracy drop above 90% and running in under 3 seconds on a low-end laptop without a GPU.
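The two flavors, run against one and the same matcher, as an added example that is not code from this page or from any of the cited tools. It simplifies by letting a gallery of per-photo embeddings stand in for a trained model; the 3-D embeddings, the cloak displacement, the threshold and the names are constructed assumptions. It also covers the leaked-clean-photo case.

```python
import math

def dist(a, b):
    """Euclidean distance between two embeddings."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def identify(probe, gallery, threshold):
    """1:N search: label of the nearest enrolled embedding, or None when
    nothing in the gallery lies within the match threshold."""
    label, d = min(((name, dist(probe, vec)) for name, vec in gallery),
                   key=lambda pair: pair[1])
    return label if d <= threshold else None

# Constructed sample data: 3-D stand-ins for real face embeddings.
THRESHOLD = 0.5
ALICE = [1.0, 0.0, 0.0]           # where Alice's clean photos land
OTHERS = [("bob", [0.0, 1.0, 0.0]), ("carol", [0.0, 0.0, 1.0])]
CLOAK_SHIFT = [-0.8, 0.0, 0.7]    # assumed embedding displacement caused by the cloak

def scenarios():
    """Run the same clean/cloaked embeddings through each situation."""
    cloaked = [a + s for a, s in zip(ALICE, CLOAK_SHIFT)]
    return {
        # No cloak anywhere: the recognizer finds Alice.
        "baseline": identify(ALICE, OTHERS + [("alice", ALICE)], THRESHOLD),
        # Poison: only cloaked photos were scraped, the probe is a clean photo.
        "poisoned": identify(ALICE, OTHERS + [("alice", cloaked)], THRESHOLD),
        # Evade: the gallery is clean, the probe photo is cloaked.
        "evaded": identify(cloaked, OTHERS + [("alice", ALICE)], THRESHOLD),
        # Poison again, but one clean photo was scraped alongside the cloaked one.
        "leaked": identify(ALICE, OTHERS + [("alice", cloaked), ("alice", ALICE)],
                           THRESHOLD),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:9s} -> {result}")
```

The poisoned gallery returns no match, the cloaked probe is filed under another identity, and a single leaked clean photo restores the correct match.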
Variants that change who does the protecting
Two designs move the work off the individual. Evtimov, Sturmfels, Kohno (PETS 2021) propose FoggySight, an index-side “community protection strategy” that seeds a lookup service with “decoy photos” so a search returns a crowd instead of you. Chow, Hu, Huang, Liu (ECCV 2024) take the opposite route with a single personalized mask per user, reused across images. Ulixes also names the boundary of the crowd-based approach: Fawkes is “effective only when a person is disguised among a large number of other individuals”.
Why “robust” is the whole game
A cloak that only works on the exact file you uploaded is close to useless, because every platform resizes and re-encodes what you post. Guo, Zhou, Ling, Li, Liu (2024) show that “JPEG compression can significantly impair the performance of adversarial face examples”. A robust cloak is engineered to survive that recompression; a non-robust one is not, and Fawkes’ own numbers show the split, with the robust variant holding near-total protection while a non-robust cloak fell to 34% against Rekognition.
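A survival check for this property, as an added example (not Fawkes code and not from this page): it tests whether a cloaked image still fails to match after a resize round trip. The 8-pixel image, the three linear features, the resize standing in for platform processing and the hand-picked perturbation patterns are all assumptions; real cloaks are optimized against a neural encoder.

```python
import math

# Toy recognizer (assumption): three linear features over an 8-pixel "image".
COARSE = [1, 1, 1, 1, -1, -1, -1, -1]
MID = [1, 1, -1, -1, 1, 1, -1, -1]
FINE = [1, -1, 1, -1, 1, -1, 1, -1]

def embed(img):
    return [sum(w * p for w, p in zip(row, img)) for row in (COARSE, MID, FINE)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def resize_roundtrip(img):
    """Stand-in for platform processing: average pixel pairs, then scale back up."""
    out = []
    for i in range(0, len(img), 2):
        avg = (img[i] + img[i + 1]) / 2
        out += [avg, avg]
    return out

def cloak(img, pattern, eps):
    """Add +/-eps per pixel following `pattern`, clipped to the valid range."""
    return [min(1.0, max(0.0, p + eps * s)) for p, s in zip(img, pattern)]

def matches(img, template, threshold):
    return dist(embed(img), template) <= threshold

# Constructed sample values.
FACE = [0.62, 0.58, 0.72, 0.68, 0.42, 0.38, 0.32, 0.28]
EPS = 0.03            # per-pixel budget, roughly 8/255
THRESHOLD = 0.2
TEMPLATE = embed(FACE)

def report():
    """Map each image to (matches as uploaded, matches after the resize)."""
    images = {
        "clean": FACE,
        "non_robust": cloak(FACE, FINE, EPS),  # energy the resize averages away
        "robust": cloak(FACE, MID, EPS),       # energy that survives averaging
    }
    return {name: (matches(img, TEMPLATE, THRESHOLD),
                   matches(resize_roundtrip(img), TEMPLATE, THRESHOLD))
            for name, img in images.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

Both cloaks break the match on the exact uploaded file; only the one whose perturbation survives the averaging still breaks it afterwards, while the clean photo keeps matching in both cases.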
Where the mechanism fails
Three failure modes are built into how cloaking works. Recompression and resizing degrade the perturbation, as Guo, Zhou, Ling, Li, Liu (2024) demonstrate. Leaked clean photos undercut the whole scheme, because a single un-cloaked image already public lets a recognizer learn the real you; that is why Fawkes’ protection drops toward its “80+%” floor rather than staying at 100%. And model updates matter: a recognizer retrained or swapped after you cloaked may not share the embedding geometry your cloak was tuned against.
Read a cloak as a probabilistic nudge in embedding space, not an invisibility spell. Its success rides on the tool’s robustness, on whether you cloaked before your first public exposure, and on whether a clean image of you already exists somewhere you do not control. It raises the cost of recognition; it does not remove the possibility. For where this sits among the other defenses, see “do AI poisoning tools actually work”; the face-specific routes “cloaking vs opting out”, “how to protect photos from facial recognition”, and “how to stop reverse image search finding my face”; and the deepfake angle in “how to protect your likeness from deepfakes”.
Sources
- Shan, Wenger, Zhang, Li, Zheng, Zhao (2020). Fawkes: Protecting Privacy against Unauthorized Deep Learning Models. USENIX Security 2020.
- Cherepanova, Goldblum, Foley, Duan, Dickerson, Taylor, Goldstein (2021). LowKey: Leveraging Adversarial Attacks to Protect Social Media Users from Facial Recognition. ICLR 2021.
- Cilloni, Wang, Walter, Fleming (2022). Ulixes: Facial Recognition Privacy with Adversarial Machine Learning. PoPETs 2022.
- Evtimov, Sturmfels, Kohno (2021). FoggySight: A Scheme for Facial Lookup Privacy. PETS 2021.
- Chow, Hu, Huang, Liu (2024). Personalized Privacy Protection Mask Against Unauthorized Facial Recognition. ECCV 2024.
- Guo, Zhou, Ling, Li, Liu (2024). Improving the JPEG-Resistance of Adversarial Attacks on Face Recognition by Interpolation Smoothing.
- Kim, Jain, Liu (2025). 50 Years of Automated Face Recognition.