DiffProtect
(Image Source: Adobe Stock Image)

New DARPA-Funded AI Tool Can Defeat Modern Facial Recognition Systems With Photorealistic Images

A novel artificial intelligence tool funded by the U.S. Defense Advanced Research Projects Agency (DARPA) may offer a surprising new form of digital camouflage in a world increasingly monitored by facial recognition systems.

Supported by DARPA’s Guaranteeing AI Robustness Against Deception (GARD) program, the technique uses generative AI to subtly alter a person’s face in a photograph, not to create an obvious mask or distortion, but to produce a new image that looks convincingly real and confounds the very systems meant to identify it.

In a peer-reviewed paper accepted in the May 2026 edition of Pattern Recognition, a team of researchers from Johns Hopkins University, City University of Hong Kong, and Advanced Micro Devices has unveiled a new tool called “DiffProtect,” which makes those alterations with diffusion-based generative models, the same underlying technology behind AI image generators.

The result is a remarkably realistic image that still looks like the original person to human observers, yet successfully fools even state-of-the-art facial recognition systems. In some cases, the tool boosts attack success rates by more than 24 percent compared to leading alternatives.

Researchers say that unlike previous adversarial techniques that created noisy, glitch-filled, or obviously manipulated photos, DiffProtect produces images that look completely natural—so natural, in fact, that a majority of human subjects in a user study preferred them over the outputs of competing privacy tools.

The method also succeeded against commercial facial recognition APIs, giving it real-world relevance.

“Extensive experiments demonstrate that DiffProtect produces protected face images of high visual quality, while achieving significantly higher ASRs than the previous best methods,” the researchers write.

The emergence of technologies like DiffProtect comes at a time when facial recognition has quietly become embedded in numerous aspects of daily life—from boarding an airplane to unlocking a phone to tagging photos uploaded online.

Billions of people have already uploaded their faces to social platforms, many without realizing they are feeding the datasets that companies and governments rely on.

The idea behind DiffProtect is not to help criminals evade law enforcement, the researchers stress, but to give ordinary users a way to protect themselves in spaces where they have little control over how their images are used.

At the core of DiffProtect’s innovation is its use of a diffusion autoencoder, a generative AI architecture that encodes an image into two parts: a high-level “semantic” code that captures identity-level features, and a stochastic noise code that holds the fine detail needed to re-generate the exact photograph.

Rather than adding pixel noise or pasting adversarial patches onto a face, the system works on the semantic code alone.

From there, the model iteratively adjusts that semantic code just enough that the re-generated image confuses facial recognition systems, while keeping the final image visually consistent with the original photograph.

This “on-manifold” approach—the idea of generating adversarial images that remain on the manifold of real photos—addresses a long-standing tension in prior privacy tools.

Traditional attacks either require obvious distortions that users would never willingly post online or produce subtle perturbations that humans can’t detect but models increasingly can.

DiffProtect attempts to strike a balance by using a diffusion autoencoder to produce changes that are meaningful to AI systems yet nearly invisible to the human eye. As shown in the study, the edits often amount to tiny shifts in facial expression, eye shape, or lighting.

Researchers also embed a “face semantics regularization” into the algorithm to prevent shifting the identity too far from the source. This ensures that the protected image still looks like the same person.
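To make the structure described above concrete, the following is an added toy illustration, not the paper’s code and not DiffProtect itself. Linear maps stand in for the diffusion autoencoder (encoder, decoder) and for the face recognizer, and the weights and the sample “photo” are constructed pseudo-randomly, so it runs offline with the standard library only. What it preserves from the description is the optimisation shape: the image is split into a semantic code and a residual noise code, only the semantic code is optimised, the noise code is held fixed so the decoder re-generates a faithful image, and a face-semantics penalty on the distance from the original code keeps the identity from drifting. One practitioner detail the prose does not mention is also shown: cosine similarity to the original embedding is maximal at the unmodified code, so its gradient is zero there, and a small random start is what lets gradient descent move at all.

```python
"""Toy illustration of DiffProtect-style on-manifold protection (added example,
not the authors' code). Linear maps stand in for the diffusion autoencoder and
the recognizer; all weights and the sample face are constructed pseudo-randomly."""
import math
import random

IMG_DIM, SEM_DIM, EMB_DIM = 12, 6, 4   # toy "pixels", semantic code, embedding


def _matrix(rows, cols, rng):
    return [[rng.gauss(0.0, 1.0) for _ in range(cols)] for _ in range(rows)]


def _matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def _normalize(v):
    n = math.sqrt(sum(a * a for a in v)) or 1.0
    return [a / n for a in v]


def cosine(u, v):
    return sum(a * b for a, b in zip(_normalize(u), _normalize(v)))


_rng = random.Random(7)                  # deterministic constructed weights
ENC = _matrix(SEM_DIM, IMG_DIM, _rng)    # stand-in semantic encoder
DEC = _matrix(IMG_DIM, SEM_DIM, _rng)    # stand-in decoder
REC = _matrix(EMB_DIM, IMG_DIM, _rng)    # stand-in face recognizer
SAMPLE_FACE = [_rng.uniform(0.0, 1.0) for _ in range(IMG_DIM)]  # constructed "photo"


def encode(x):
    """Split x into a semantic code and a noise code. The noise code is the
    residual the semantic code cannot explain, so decode(*encode(x)) == x."""
    z = _matvec(ENC, x)
    noise = [a - b for a, b in zip(x, _matvec(DEC, z))]
    return z, noise


def decode(z, noise):
    return [a + b for a, b in zip(_matvec(DEC, z), noise)]


def embed(x):
    """Unit-norm identity embedding; recognizers match on cosine similarity."""
    return _normalize(_matvec(REC, x))


def semantic_shift(x, z):
    """Distance of a code from the original image's semantic code."""
    z0, _ = encode(x)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(z, z0)))


def protect(x, lam=0.05, steps=40, step=0.5, jitter=0.05, seed=1):
    """Lower cos(embed(decoded), embed(x)) by moving only the semantic code,
    with a face-semantics penalty lam * ||z - z0||^2 holding identity close.
    Returns the protected image, the final code and a strictly decreasing
    loss history."""
    z0, noise = encode(x)
    e_orig = embed(x)

    def loss(z):
        sim = cosine(embed(decode(z, noise)), e_orig)
        reg = sum((a - b) ** 2 for a, b in zip(z, z0))
        return sim + lam * reg

    # Cosine to the original embedding is maximal at z0, so its gradient is
    # zero there: a small random start is what lets descent move at all.
    rng = random.Random(seed)
    z = [a + rng.gauss(0.0, jitter) for a in z0]
    history = [loss(z)]
    eps = 1e-4
    for _ in range(steps):
        grad = []
        for i in range(len(z)):      # central finite differences instead of autograd
            zp, zm = list(z), list(z)
            zp[i] += eps
            zm[i] -= eps
            grad.append((loss(zp) - loss(zm)) / (2 * eps))
        s = step
        while s > 1e-6:              # backtracking: accept only loss-lowering steps
            cand = [a - s * g for a, g in zip(z, grad)]
            c = loss(cand)
            if c < history[-1]:
                z = cand
                history.append(c)
                break
            s /= 2
        else:
            break                    # no usable descent direction; stop early
    return {"image": decode(z, noise), "code": z, "history": history}


def match_score(x, protected_image):
    """Similarity the toy recognizer reports between original and protected image."""
    return cosine(embed(protected_image), embed(x))


if __name__ == "__main__":
    result = protect(SAMPLE_FACE)
    print("similarity after protection:", round(match_score(SAMPLE_FACE, result["image"]), 3))
    print("semantic shift:", round(semantic_shift(SAMPLE_FACE, result["code"]), 3))
```

Raising `lam` makes the penalty dominate and pins the code near the original, which is the knob the paper’s regularization plays; lowering it trades identity fidelity for a stronger drop in the recognizer’s score. In the real system the recognizer is a deep network and the decoder is a diffusion process, but the loop (encode, perturb the semantic code, re-generate, score, regularize) is the same.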

In user studies comparing DiffProtect’s outputs to those generated by other methods, participants preferred the DiffProtect images about 80% of the time when asked which they would be most likely to share publicly.

But the real test is whether today’s facial recognition models fall for the deception. In tests on well-known face datasets such as CelebA-HQ and FFHQ, DiffProtect consistently outperformed competing approaches across multiple modern recognition architectures, including popular models used in both commercial and academic settings.

Its adversarial success held up even when the recognizer was paired with common defenses such as JPEG compression, feature squeezing, and a diffusion-based purification model, showing a resilience that previous methods lacked.

DiffProtect also succeeded against commercial facial recognition APIs, including services such as Face++ and Aliyun, giving it real-world credibility beyond the lab. By generating images that these black-box systems confidently misidentify, DiffProtect demonstrates that even deployed recognition pipelines are vulnerable to cleverly generated adversarial inputs.

However, for all its strengths, DiffProtect is not yet a finished solution. Researchers emphasize that the tool is currently in its prototype stage, designed to explore the boundaries of privacy and security, and not a consumer product ready for general use.

Diffusion models also remain computationally intensive, requiring specialized hardware and expertise to run, limiting their practicality for immediate deployment in everyday applications.

Additionally, the researchers acknowledge that the long-term effectiveness of adversarial methods depends on how facial recognition technology evolves, particularly as defense strategies improve.

Still, the existence of a tool like DiffProtect highlights the dual-edged nature of generative AI. By repurposing technology originally built for creative image synthesis, DiffProtect shows how thoroughly dual-use generative AI has become: the same algorithms that power online art tools can also disrupt large-scale biometric systems.

That duality raises its own ethical questions. However, it also hints at a future where individuals may have more control—however partial—over how their digital likeness is used.

DARPA’s GARD program, initially launched in 2019, was designed to investigate precisely these kinds of adversarial interactions between AI systems and deceptive inputs.

The initiative seeks to build a foundational understanding of how machine learning models can be robust against a wide range of attacks, and to foster tools and benchmarks that help researchers test and evaluate both offensive and defensive techniques.

For privacy advocates, DiffProtect offers a sort of technological counterbalance: a means by which individuals might preserve control over their biometric data in a landscape crowded with automated watchers.

For security professionals, it raises fresh questions about how far adversarial techniques can go and what it will take to harden AI systems against them.

For now, DiffProtect offers a glimpse into a potential shift in the privacy landscape, one where generative AI is not just the tool analyzing our faces—it’s also the tool protecting them.

“The user study indicates a clear preference for DiffProtect over the baselines, highlighting its excellent practical usability,” researchers conclude. “We believe DiffProtect can inspire future work on using diffusion models for adversarial attacks and defenses.”

Tim McMillan is a retired law enforcement executive, investigative reporter and co-founder of The Debrief. His writing typically focuses on defense, national security, the Intelligence Community and topics related to psychology. You can follow Tim on Twitter: @LtTimMcMillan.  Tim can be reached by email: tim@thedebrief.org or through encrypted email: LtTimMcMillan@protonmail.com