Contents
Blurring or pixelating a face is a weak and frequently reversible form of anonymisation, because it only averages the identifying information rather than removing it, so when blur is not enough the answer is to remove or replace the face, not to obscure it. It looks anonymised to a human eye. That is a different thing from being unrecognisable to a machine.
What blurring a face actually does
Blur and pixelation are averaging operations. A Gaussian blur replaces each pixel with a weighted average of its neighbours, and pixelation replaces a block with its mean colour. Neither deletes the underlying structure, they smear it, and a smeared signal still carries much of the information it started with. To a person scrolling past, the face reads as hidden. To a recognition system, a great deal of the identifying pattern is still present in the averaged pixels. The strength of the blur only trades off against how the image looks, a heavier blur destroys more of the picture without ever crossing into true deletion of the identity signal.
That gap between “looks hidden to a human” and “is hidden from a model” is the whole problem with blur.
Why blur is often not enough
Two findings close the gap. First, obscuration is often reversible. Todt, Hanisch and Strufe’s Fantômas study (PoPETs 2024) tested a range of face anonymisations and found most of them at least partially reversible, with blur and pixelation among the weakest, precisely because averaging is not a one-way operation. Reversibility here does not require the original, it exploits the regular, invertible structure of the averaging itself. Their standard for a real defence is exacting: a protection “must be a one-way function for any arbitrary adversary.” Blur is not that.
Second, recognition is built for degraded inputs. Kim, Jain and Liu’s AdaFace (CVPR 2022) targets exactly the low-quality regime, observing that “Recognition in low quality face datasets is challenging because facial attributes are obscured and degraded,” and adapting its training so that matching still works when the face is not clean. A blurred face is a low-quality face, which is the case modern systems are engineered to handle. There is also a signalling cost: a visible blur announces that this face was meant to be hidden while still leaving a recoverable image behind, which can draw the exact scrutiny it was meant to avoid.
The face is dense identity, and even a hidden face leaks attributes
Underneath, a face is a dense identifier. Deng, Guo, Xue and Zafeiriou’s ArcFace (CVPR 2019) maps a face to an embedding designed so that two images of the same person land close together and different people land far apart, which is what makes large-gallery matching possible in the first place.
Worse, even a face you cannot cleanly recognise still leaks demographics. Tkachenko and Jedidi’s megastudy (Scientific Reports 2023) found that 82 of 349 personal attributes were predictable better than random from a facial image, and concluded that “facial analysis can strip away privacy.” This is why a name-level match and an attribute-level leak are two separate risks, and blur addresses neither cleanly.
When blur is not enough: remove or replace, not obscure
If the goal is genuine removal, the reliable moves do not average the face, they eliminate or overwrite it.
The simplest is to crop or mask the face out entirely, deleting the pixels rather than smearing them. The next is synthetic replacement: in the Fantômas results, the deep generative replacements DeepPrivacy and CIAGAN were the least reversible of the methods tested, because they substitute a different generated face rather than degrading the original.
For an image you still want to publish with the face in it, the active alternative is an adversarial perturbation. Cherepanova, Goldblum and Foley’s LowKey (ICLR 2021) is, in their description, “the first such evasion tool that is effective against commercial facial recognition APIs,” adding a carefully computed and near-invisible perturbation that breaks the match while the photo still looks normal. The reason that works where blur does not is that recognition is brittle to computed noise: Zhong and Deng show that a small, imperceptible perturbation can flip the decision of a commercial face API. That is a separate strategy, one covered in image cloaking for facial recognition, and it complements removal rather than replacing it.
What to do in practice
Match the method to the goal. If a face simply should not be in the frame, crop or mask it out. If the composition needs a face, replace it with a synthetic one rather than blurring the real one. If you are publishing your own face and want to resist automated indexing, an adversarial cloak is the tool designed for that, not a blur brush. There is no blur strength that is simultaneously light enough to keep the image usable and heavy enough to guarantee a machine cannot recover the face, which is the practical reason to stop treating blur as a privacy control at all. Blur has one honest use, hiding a face from a casual human viewer. For anything stronger, remove or replace. The wider workflow this fits into is how to make a photo untraceable.
Sources
- Todt, Hanisch, Strufe (2024). Fantômas: Understanding Face Anonymization Reversibility. PoPETs 2024.
- Deng, Guo, Xue, Zafeiriou (2019). ArcFace: Additive Angular Margin Loss for Deep Face Recognition. CVPR 2019.
- Kim, Jain, Liu (2022). AdaFace: Quality Adaptive Margin for Face Recognition. CVPR 2022.
- Tkachenko, Jedidi (2023). A megastudy on the predictability of personal information from facial images. Scientific Reports 13:21073.
- Cherepanova, Goldblum, Foley (2021). LowKey: Leveraging Adversarial Attacks to Protect Social Media Users from Facial Recognition. ICLR 2021.
- Zhong, Deng (2020). Towards Transferable Adversarial Attack against Deep Face Recognition.