CausalVE: Face Video Privacy Encryption via Causal Video Prediction

• Application. The proposed method is positioned as a way to protect user privacy on public platforms. However, this presents an inherent contradiction: if users genuinely wish to protect their privacy, they wouldn’t need to upload videos to a public platform. The only scenario where this might make sense is if users intentionally want to share hidden information through public platforms, which raises potential societal concerns.

• Security. While the use of a reversible neural network ensures video embedding and decoding with minimal loss of quality, the symmetric encryption method itself lacks strong security guarantees.

• Experiments: The paper lacks metrics evaluating video smoothness and realism. The authors are encouraged to use metrics such Fréchet Inception Distance to provide a more detailed assessment of their method’s performance.

1. Motivation of the Work is Ambiguous: The rationale behind the need for reversibility is unclear. Specifically, I do not see the significance of restoring the original video. The primary purpose of privacy protection is to eliminate sensitive information. In particular, "irreversibility" would more effectively enhance the strength of privacy protection. The authors need to clarify the scenarios in which reversibility is applicable.

2. Implementation Approach is Unreasonable: The authors propose hiding a secret video within a cover video to protect facial privacy. However, I find this approach difficult to accept. This is because the secret video and the cover video share highly similar content (i.e., attributes other than identity), making it unnecessary to hide the secret video directly. In other words, since the only difference between the secret and cover videos is the identity, would it not be more feasible to simply hide the identity instead?

3. Technical Innovation is Weak: The authors have integrated techniques such as face swapping, video prediction, and video steganography to construct the CausalVE framework, which makes it hard to identify any significant technical innovation in this work. The three contributions mentioned in the "primary contributions" section are all achievable by existing methods; this paper merely applies these techniques to facial privacy protection.

4. Insufficient Experimental Evaluation: (1) Incorrect Comparison Trials: This work aims to protect facial privacy, and it should be compared with existing facial privacy protection methods rather than video steganography, like [1] or [2]. (2) Robustness Evaluation: Videos encoded in different formats may lose some information. Can this framework still achieve reversibility under such conditions?

[1]The UU-Net_ Reversible Face De-Identification for Visual Surveillance Video Footage. [2]IdentityMask_Deep_Motion_Flow_Guided_Reversible_Face_Video_De-identification

5. Practicality of the Work is Poor: The proposed framework incorporates various technologies and losses, making it difficult for users to understand. Additionally, the use of time-consuming techniques such as diffusion models results in high energy consumption and latency for CausalVE, complicating its integration into practical applications.

Some major comments:

• The manuscript lacks some visual results display and qualitative evaluation.

• The framework proposed in this manuscript integrates multiple tasks, resulting in incomplete introduction of each task.

Some other minor comments:

• The author's summary of innovation is too confusing. I need to spend time reading the full text to understand it. The author still needs to strengthen his writing of the manuscript.

• The drawings in this manuscript are too rough, and the author still needs to improve in this aspect.

• There are too many redundant descriptions in the manuscript.

• There is no description of relevant work in the main text. Although the author provides relevant descriptions in the supplementary materials, it is only a list of some work.

• One of the primary weaknesses of the paper is its editorial limitation. The paper is hard to read and follow. For example, a significant amount of information is missing or not adequately presented. For instance, in line 094, what physical information has been used? What is the role of a pseudo-video (line 100)? At line 100, what form of frequency is used to divide frames?

• The motivation for using the diffusion model is not clear. The field of steganography is not new and several research works have used the image-hiding technique to generate adversarial examples.

[1] Zhang Y, Zhang W, Chen K, Liu J, Liu Y, Yu N. Adversarial examples against deep neural network-based steganalysis. In Proceedings of the 6th ACM Workshop on information hiding and multimedia security 2018 Jun 14 (pp. 67-72).

[2] Agarwal A, Ratha N, Vatsa M, Singh R. Crafting adversarial perturbations via transformed image component swapping. IEEE Transactions on Image Processing. 2022 Sep 12;31:7338-49.

[3] Din SU, Akhtar N, Younis S, Shafait F, Mansoor A, Shafique M. Steganographic universal adversarial perturbations. Pattern Recognition Letters. 2020 Jul 1;135:146-52.

• Apart from image-hiding techniques, literature extensively uses adversarial noises for privacy-preserving face recognition where the authors mask the sensitive information. The authors must compare with these existing works and along with that perform experiments showcasing the impact on face recognition and soft attribute prediction to better reflect the solution of privacy concerns.

[4] Chhabra S, Singh R, Vatsa M, Gupta G. Anonymizing k-facial attributes via adversarial perturbations. In Proceedings of the 27th International Joint Conference on Artificial Intelligence 2018 Jul 13 (pp. 656-662).

• The ablation studies concerning frequency decomposition techniques such as FFT, DCT, and DWT can be compared. The role of a cover image can be effectively studied. How the change in a cover image can affect privacy?

• The authors have used several metrics, but which one metric is most appropriate is not clear. Further, a statistical test is needed to showcase whether the proposed values are significantly better than the existing values, especially from LF-VSN.

• The paper utilizes a technique proposed in 2014 for steganalysis (line 366). I suggest the use of any recent and state-of-the-art model.

1. The paper could mislead readers into believing that the entire video frame is processed and hidden rather than just the facial region. Since the facial region occupies only part of a frame, the data requirements for concealing and generating only the face differ substantially from handling the entire frame. Clarifying this distinction early on would improve readability and prevent misunderstandings.

2. Due to the potential for confusion about the processing scope, it’s unclear whether the paper makes fair comparisons with other methods. For example, did it use the same cropped facial region as a hidden element for fair benchmarking with other baselines?

3. The paper's references to 3D-based deepfake techniques are somewhat outdated. Incorporating recent literature such as those in [*] would provide a more current perspective on related methodologies.

4. The framework’s computational demands are significant, which could limit accessibility and scalability for resource-limited settings.

[*] Pei, Gan, Jiangning Zhang, Menghan Hu, Zhenyu Zhang, Chengjie Wang, Yunsheng Wu, Guangtao Zhai, Jian Yang, Chunhua Shen, and Dacheng Tao. "Deepfake generation and detection: A benchmark and survey." arXiv preprint arXiv:2403.17881 (2024).