Cloak the photo before it leaves your device
To stop a face recognizer learning you from a photo, cloak it before you upload it. A cloak is an adversarial perturbation that looks like nothing to a human but pushes a recognition model toward the wrong identity, so a scraped copy of your picture teaches the system a face that is not yours. The catch is timing: cloaking only works on images you treat before posting, so this is a “do it first, every time” habit, not something you can apply after the fact.
This guide is the hands-on routine. For the strategic choice between cloaking and opting out of indexes that already hold you, see anti-facial recognition: cloaking vs opting out; to pull existing photos out of a face search, see how to stop reverse image search finding my face. Note that the threat here is recognition, not synthesis: if you are worried someone will fabricate a deepfake of your face, see how to protect your likeness from deepfakes.
Step 1: pick a cloaking tool for your situation
The tools do the same job by different routes, so choose on your constraint. Fawkes (Shan, Wenger, Zhang, Li, Zheng, Zhao, USENIX Security 2020) is the general-purpose consumer cloak, adding “imperceptible pixel-level changes (‘cloaks’)” before you post; in its robust setting it reports 100% protection against Azure, Rekognition and Face++, compared with just 34% for the non-robust setting on Rekognition, so pick the strongest mode a tool offers. LowKey (Cherepanova, Goldblum, Foley, Duan, Dickerson, Taylor, Goldstein, ICLR 2021) was built to beat commercial APIs, dropping Amazon Rekognition from 93.7% to 0.6% and Microsoft Azure from 90.5% to 0.1% in the authors’ tests. Ulixes (Cilloni, Wang, Walter, Fleming, PoPETs 2022) is the speed option, cutting recognition accuracy “by over 90%” and running “in less than 3 seconds on a low-end laptop without a GPU.” Chameleon (Chow, Hu, Huang, Liu, ECCV 2024) builds one reusable mask per person for “efficient and instant protection even for users with limited computing resources.” If you already edit before posting, StyleAdv (Le, Carlsson, PoPETs 2024) folds protection into an editing step through a “user-friendly interface with multiple editing options,” on the observation that “many users perform smaller edits before uploading” anyway.
| Tool | Best for | Note |
|---|---|---|
| Fawkes | General cloaking before posting | Robust setting reports 100% vs three commercial APIs |
| LowKey | Beating commercial APIs | Rekognition 93.7% to 0.6%, Azure 90.5% to 0.1% in tests |
| Ulixes | Speed on modest hardware | Under 3 seconds on a low-end laptop, over 90% accuracy drop |
| Chameleon | One reusable mask, low compute | Instant protection per the authors |
Step 2: keep your clean exposure low
Cloaking is undermined by the uncloaked photos of you already circulating. Fawkes’ authors report that once clean images leak into a training set, protection falls to an “80+% protection success rate,” so the fewer clean copies of your face are public, the more each cloak is worth. In practice: cloak every photo before it goes up, ask others not to post untreated pictures of you, and lock down or remove old uncloaked images. Face recognition is strong enough to punish sloppiness here, with Kim, Jain, Liu (2025) noting systems that “approach, and in many cases exceed, human performance.”
Step 3: plan around the JPEG limit
Cloaks are fragile to the exact thing every platform does: recompression. Guo, Zhou, Ling, Li, Liu (2024) show that “JPEG compression can significantly impair the performance of adversarial face examples,” and Fardin, Alam, Fahim (2026) find recompression can strip between 60 and 80 percent of a protective signal off comparable image defenses before the file is even downloaded. Two practical responses: use a tool that reports robustness to compression, and do not assume one pass of protection lasts. Which leads to the last step.
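The JPEG limit above, as an added example (not code from any of the cited tools): a pure-Python model of one JPEG pass on an 8x8 luminance block that measures how much of a small perturbation survives quantisation at a given quality setting. The flat sample block and the single-frequency `cloak_block` perturbation are constructed stand-ins for a real photo and cloak, and the model omits chroma handling and pixel rounding.

```python
import math

# Standard JPEG luminance quantisation table (ITU-T T.81 Annex K), quality 50.
Q50 = [[16, 11, 10, 16, 24, 40, 51, 61], [12, 12, 14, 19, 26, 58, 60, 55],
       [14, 13, 16, 24, 40, 57, 69, 56], [14, 17, 22, 29, 51, 87, 80, 62],
       [18, 22, 37, 56, 68, 109, 103, 77], [24, 35, 55, 64, 81, 104, 113, 92],
       [49, 64, 78, 87, 103, 121, 120, 101], [72, 92, 95, 98, 112, 100, 103, 99]]
R = range(8)
# Orthonormal 8-point DCT-II basis, indexed C[frequency][position].
C = [[(math.sqrt(0.125) if u == 0 else 0.5) * math.cos((2 * x + 1) * u * math.pi / 16)
      for x in R] for u in R]

def quant_table(quality):
    """Scale Q50 the way libjpeg does for a 1-100 quality setting."""
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [[min(255, max(1, (q * scale + 50) // 100)) for q in row] for row in Q50]

def recompress(block, quality):
    """Model one JPEG pass: DCT, quantise, dequantise, inverse DCT."""
    qt = quant_table(quality)
    coef = [[sum(C[u][x] * C[v][y] * (block[x][y] - 128) for x in R for y in R)
             for v in R] for u in R]
    # Quantisation is the lossy step: anything under half a step rounds to zero.
    kept = [[round(coef[u][v] / qt[u][v]) * qt[u][v] for v in R] for u in R]
    return [[128 + sum(C[u][x] * C[v][y] * kept[u][v] for u in R for v in R)
             for y in R] for x in R]

def surviving_fraction(clean, cloaked, quality):
    """Project the post-JPEG difference onto the original perturbation.
    0.0 means the perturbation was erased; values near 1 mean it came through
    (above 1 when quantisation rounded it up to the next step)."""
    a, b = recompress(clean, quality), recompress(cloaked, quality)
    num = sum((b[x][y] - a[x][y]) * (cloaked[x][y] - clean[x][y]) for x in R for y in R)
    den = sum((cloaked[x][y] - clean[x][y]) ** 2 for x in R for y in R)
    return num / den

def cloak_block(clean, u, v, amplitude):
    """Constructed stand-in for a cloak: one DCT frequency (u, v) added to the block."""
    return [[clean[x][y] + amplitude * C[u][x] * C[v][y] for y in R] for x in R]

if __name__ == "__main__":
    flat = [[128.0] * 8 for _ in R]             # constructed sample block
    for name, (u, v) in {"fine detail": (7, 7), "coarse detail": (1, 1)}.items():
        cloaked = cloak_block(flat, u, v, 8.0)  # under 2 grey levels per pixel
        print(name, {q: round(surviving_fraction(flat, cloaked, q), 2)
                     for q in (95, 90, 50, 30)})
```

In this model the fine-detail perturbation is gone by quality 90 and the coarse one by quality 30, which is why a cloak should be checked against the output of a recompression pass rather than against the file you exported.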
Step 4: re-protect as the tools age
Cloaks are a moving target. Recognition models retrain, and a perturbation that fooled last year’s API may not fool this year’s. Treat protection as maintenance, not a one-time setting: re-cloak with current tools periodically, and prefer tools that are still updated against live commercial systems, which is exactly the gap LowKey was built to close after earlier cloaks were shown to “fail on full-scale systems and commercial APIs.”
What this routine can and cannot do
Done consistently, cloaking before upload stops new photos from teaching a recognizer your real face, and the measured drops are large. What it cannot do is retract images already online or already sitting in an index, because those were never treated. That is a different job, handled by opt-out and removal rather than cloaking. So use this routine for everything you post from here on, keep your clean footprint small, and re-protect on a schedule. For an honest read on how far these defenses actually hold, see do AI poisoning tools actually work.
Sources
- Shan, Wenger, Zhang, Li, Zheng, Zhao (2020). Fawkes: Protecting Privacy against Unauthorized Deep Learning Models. USENIX Security 2020.
- Cherepanova, Goldblum, Foley, Duan, Dickerson, Taylor, Goldstein (2021). LowKey: Leveraging Adversarial Attacks to Protect Social Media Users from Facial Recognition. ICLR 2021.
- Cilloni, Wang, Walter, Fleming (2022). Ulixes: Facial Recognition Privacy with Adversarial Machine Learning. PoPETs 2022.
- Chow, Hu, Huang, Liu (2024). Personalized Privacy Protection Mask Against Unauthorized Facial Recognition. ECCV 2024.
- Le, Carlsson (2024). StyleAdv: A Usable Privacy Framework Against Facial Recognition with Adversarial Image Editing. PoPETs 2024.
- Guo, Zhou, Ling, Li, Liu (2024). Improving the JPEG-Resistance of Adversarial Attacks on Face Recognition by Interpolation Smoothing.
- Fardin, Alam, Fahim (2026). MetaCloak-JPEG: JPEG-Robust Adversarial Perturbation for Preventing Unauthorized DreamBooth-Based Deepfake Generation.
- Kim, Jain, Liu (2025). 50 Years of Automated Face Recognition.