Last week on , asked a (v. important) Q: how can we safeguard against AI-powered photo editing for misinformation? youtu.be/Ba_C-C6UwlI?t=
My students hacked a way to "immunize" photos against edits: gradientscience.org/photoguard/ (1/8)
Using cutting-edge image generation models like #dalle2 and #stablediffusion, someone can easily manipulate the above photo to get this (fake) one: (3/8)
Could Trevor have done anything to prevent this? My students spent an enjoyable weekend hacking together a potential answer: adding small (imperceptible) noise to the original photo can make it “immune” to such edits! (4/8)
After such “immunization”, the same edit of this photo looks much worse.
So, Trevor could have applied such “immunization” to his photo before posting it to protect it against this kind of malicious edit. (5/8)
And it is not only about Trevor’s and Michael’s photo. In fact, the lead student on this project has a selfie with Trevor too. Now, Hadi is attempting to “deepen” his (imaginary) friendship with by manipulating this selfie (and he succeeds!) (6/8)
However, again, had this selfie been “immunized”, this would not have been possible! Indeed, images generated from an immunized version of Hadi’s photo with Trevor are totally unrealistic. (7/8)
This works for other edits too (although, for now, might be specific to the photo-editing engine we had on our hands)! Check out our blog post gradientscience.org/photoguard/ for more examples and more details. And stay tuned for the paper! (8/8)
Pretty neat, although it seems taking a screenshot of the image is all that's required to get around this immunized image.
Does it? It might—we indeed didn't focus on making it tamper-proof for now. Wanted first to show that this is even possible (and then there is a lot of work to draw on to make it tamper-resistant). The key here is that organizations developing these models should want this to work.

