[JohnPDickerson]

Folks interested in this kind of work should check out an upcoming ICLR paper, "LowKey: Leveraging Adversarial Attacks to Protect Social Media Users from Facial Recognition", from Tom Goldstein's group at Maryland.

Similar pitch -- use a small adversarial perturbation to trick a classifier -- but LowKey is targeted at industry-grade black-box facial recognition systems, and also takes into account the "human perceptibility" of the perturbation used. Manages to fool both Amazon Rekognition and the Azure face recognition systems almost always.

Paper: https://arxiv.org/abs/2101.07922