body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2023 Twitter, Inc.

Conversation

Aleksander Madry

Last week on

,

asked

a (v. important) Q: how can we safeguard against AI-powered photo editing for misinformation? youtu.be/Ba_C-C6UwlI?t= My

students hacked a way to "immunize" photos against edits: gradientscience.org/photoguard/ (1/8)

An overview of our "immunization" methodology.

read image description

ALT

6:26 PM · Nov 3, 2022

Aleksander Madry

Replying to

Remember when Trevor shared (on Instagram) a photo with

at a tennis game? (2/8)

A photo of Trevor Noah and Michael Kosta at a tennis game.

read image description

ALT

1

15

Aleksander Madry

Using cutting-edge image generation models like #dalle2 and #stablediffusion, someone can easily manipulate the above photo to get this (fake) one: (3/8)

(Fake) photo of Trevor Noah and Michael Kosta ballroom dancing.

read image description

ALT

1

17

Aleksander Madry

Could Trevor have done anything to prevent this? My students

spent an enjoyable weekend hacking together a potential answer: adding small (imperceptible) noise to the original photo can make it “immune” to such edits! (4/8)

The original photo and its “immunized” version.

read image description

ALT

3

5

45

Aleksander Madry

After such “immunization”, the same edit of this photo looks much worse. So, Trevor could have applied such “immunization” to his photo before posting it to protect it against this kind of malicious edits. (5/8)

An (unrealistic) edit of the photo of Trevor Noah and Michael Kosta.

read image description

ALT

3

31

Aleksander Madry

And it is not only about Trevor’s and Michael’s photo. In fact, the lead student on this project

has a selfie with Trevor too. Now, Hadi is attempting to “deepen” his (imaginary) friendship with

by manipulating this selfie (and he succeeds!) (6/8)

A selfie of Hadi Salman and Trevor Noah.

read image description

ALT

(Fake) edited photos of Hadi Salman and Trevor Noah.

read image description

ALT

2

2

30

Aleksander Madry

However, again, had this selfie been “immunized”, this would not have been possible! Indeed, images generated from an immunized version of Hadi’s photo with Trevor are totally unrealistic. (7/8)

An (unrealistic) edits of “immunized” photos of Trevor Noah and Hadi Salman.

read image description

ALT

Another (unrealistic) edits of “immunized” photos of Trevor Noah and Hadi Salman.

read image description

ALT

1

1

27

Aleksander Madry

This works for other edits too (although, for now, might be specific to the photo-editing engine we had on our hands)! Check out our blog post gradientscience.org/photoguard/ for more examples and more details. And stay tuned for the paper! (8/8)

gradientscience.org

PhotoGuard: Defending Against Diffusion-based Image Manipulation

Inspired by an episode of the Daily Show, we hacked together a technique for

1

2

44

Aleksander Madry

Also, here is the code if you want to play with it: github.com/MadryLab/photo (9/8)

GitHub - MadryLab/photoguard: PhotoGuard: Defending Against Diffusion-based Image Manipulation

PhotoGuard: Defending Against Diffusion-based Image Manipulation - GitHub - MadryLab/photoguard: PhotoGuard: Defending Against Diffusion-based Image Manipulation

6

12

100

Replying to

Pretty neat, although it seems taking a screenshot of the image is all that's required to get around this immunized image.

1

Aleksander Madry

Replying to

Does it? It might—we indeed didn't focus on making it tamper-proof for now. Wanted first to show that this is even possible (and then there is a lot work to draw on to make it tamper-resistance). The key here is that organizations developing these models should want this to work.

2

1

Show replies