Contents
Which defense you need depends on whether they already have you
Which anti-facial-recognition defense you need comes down to a single question: do the systems tracking you already hold clean, uncloaked photos of your face? If they do not, you can cloak every photo you post from here on and stop a recognition model ever learning you. If they already have you, no cloak on your next upload pulls the older photos back out, and the only lever left is to opt out and request deletion.
That split matters because face recognition is now formidable. Reviewing the field, Kim, Jain, Liu (2025) note that modern systems “approach, and in many cases exceed, human performance,” citing a NIST evaluation with an “FNIR of 0.15 percent at FPIR of 0.001 on a gallery of over 10 million identities.” You are not defeating a weak classifier. And the indexes are already vast: as Chow, Hu, Huang, Liu (ECCV 2024) put it, “companies like Clearview and PimEyes have collected billions of online images and can recognize millions of citizens without their consent.”
This is a different problem from protecting your face against a deepfake. If your worry is that someone builds a synthetic video or image of you, see how to protect your likeness from deepfakes. Here the threat is recognition and tracking: a system matching your face across photos to identify or follow you.
Family A: cloak the photos you post from here on
A cloak adds adversarial perturbation to an image so a face recognition model reads the wrong identity, while the picture still looks normal to people. Fawkes (Shan, Wenger, Zhang, Li, Zheng, Zhao, USENIX Security 2020) introduced the idea for consumers, adding “imperceptible pixel-level changes (‘cloaks’)” to your photos before you post; in its robust setting it reports 100% protection against Azure, Rekognition and Face++, against only 34% for the weaker non-robust cloak on Rekognition, so use the strongest mode a tool offers. LowKey (Cherepanova, Goldblum, Foley, Duan, Dickerson, Taylor, Goldstein, ICLR 2021) was built specifically for commercial APIs, dropping Amazon Rekognition rank-1 identification from 93.7% to 0.6% and Microsoft Azure from 90.5% to 0.1% in the authors’ tests. Ulixes (Cilloni, Wang, Walter, Fleming, PoPETs 2022) applies “visually non-invasive facial noise masks” and reports cutting recognition accuracy “by over 90%.” Chameleon (Chow, Hu, Huang, Liu, ECCV 2024) builds one reusable mask per person for “efficient and instant protection even for users with limited computing resources.”
The catch is built into the method: a cloak only protects the photos it is applied to, before they are posted. It does nothing for images already online.
Family B: opt out and request removal
When an index already holds clean photos of you, the lever is opt out and deletion, not cloaking. Search services like PimEyes run an opt-out request form that removes your face from their results; Clearview AI processes access and deletion requests, particularly under EU, UK, and state privacy law. Data-broker and GDPR or CCPA deletion requests target the copies held by the collectors themselves. Remove photos from face-recognition sites on our sister site covers this opt-out and removal route in detail, service by service.
Be honest about what removal buys you. It is per-service, so a PimEyes opt-out does nothing about Clearview or Yandex. It is incomplete, because it acts only on what a service admits to holding. And it is reversible: the moment a new, uncloaked photo of you is posted somewhere public, you can be re-indexed.
| Do they already hold clean photos of you? | Right lever | What it can and cannot do |
|---|---|---|
| No, or not yet | Cloak every future upload | Stops new photos teaching a recognizer; cannot touch images already online |
| Yes | Opt out and request deletion | Clears a service’s current results; per-service, incomplete, undone by new photos |
| Both, which is most people | Opt out now, cloak from here on | Clears what is held, then stops the index refilling |
Why cloaking alone is not enough once you are indexed
Fawkes’ own authors found that once clean, uncloaked images of a person leak into a training set, protection falls to an “80+% protection success rate.” That figure is for someone training a model on a mix of your cloaked and leaked photos. A commercial index that already stored your clean face is worse still: it does not need to re-train on your cloaked uploads at all, so cloaking new posts leaves the existing match intact. The database, not your next photo, is the problem.
Research points at one way to fight an index rather than a single upload. FoggySight (Evtimov, Sturmfels, Kohno, PETS 2021) proposes “a community protection strategy where users acting as protectors of privacy for others upload decoy photos generated by adversarial machine learning algorithms,” diluting the index with false matches. It is a research prototype, not a consumer product, but it shows the shape of the real fix: you have to act on the database, not just your own camera roll.
Putting it together
For most people the answer is both, in order. Opt out and request deletion first, because that is the only thing that touches the photos already indexed. Then cloak everything you post from here on, so the index you just cleared does not immediately refill. Treat neither as permanent: recognition models and scraping keep improving, so re-check your opt-outs and re-protect with current tools periodically. If you only do one, do the one that matches your situation, and the deciding question is still the first one: do they already have you? For how well any of these tools hold up under pressure, see do AI poisoning tools actually work.
Sources
- PimEyes, Opt-Out Request Form (service under review; claims are the company’s own).
- Clearview AI, Privacy and Requests (service under review; claims are the company’s own).
- Shan, Wenger, Zhang, Li, Zheng, Zhao (2020). Fawkes: Protecting Privacy against Unauthorized Deep Learning Models. USENIX Security 2020.
- Cherepanova, Goldblum, Foley, Duan, Dickerson, Taylor, Goldstein (2021). LowKey: Leveraging Adversarial Attacks to Protect Social Media Users from Facial Recognition. ICLR 2021.
- Evtimov, Sturmfels, Kohno (2021). FoggySight: A Scheme for Facial Lookup Privacy. PETS 2021.
- Cilloni, Wang, Walter, Fleming (2022). Ulixes: Facial Recognition Privacy with Adversarial Machine Learning. PoPETs 2022.
- Chow, Hu, Huang, Liu (2024). Personalized Privacy Protection Mask Against Unauthorized Facial Recognition. ECCV 2024.
- Kim, Jain, Liu (2025). 50 Years of Automated Face Recognition.
New protection tests, breakdowns and how-long-does-it-hold checks. No spam, unsubscribe anytime.