
Adversarial Re-Identification Attacks on Privacy-Preserving Behavioural AI



Many AI systems are now described as privacy-preserving because they avoid showing faces, use skeletons instead of images, blur video, reduce resolution or transform sensor data. These choices may reduce some obvious privacy risks, but they do not prove that the data is private. Human behaviour itself can be identifying. Gait, posture, timing, movement dynamics, physiological rhythms and interaction patterns may allow re-identification even when direct appearance cues are removed.

This project will develop adversarial re-identification attacks and red-team evaluation methods for privacy-preserving behavioural AI. The aim is to test privacy claims seriously: to subject claimed protections to controlled attack scenarios and to use the results to guide stronger safeguards for behavioural AI representations. The student will examine whether identity, session membership, demographic attributes or sensitive information can be recovered from behavioural representations such as skeletons, silhouettes, pose graphs, gait embeddings, wearable features, transformed physiological signals and learned latent representations.

The project focuses on the general privacy problem underlying responsive AI: how do we know whether a representation still leaks identity? Without strong adversarial testing, privacy-preserving AI remains too easily reduced to reassuring language. This PhD will replace hand-waving with measurable attack resistance.

Aim  

  1. To substantially contribute to responsible AI by developing rigorous adversarial tests for behavioural privacy claims.
  2. To build attack models that quantify identity, membership, session and attribute leakage from behavioural AI representations.
  3. To produce benchmark protocols and mitigation guidance that allow researchers and organisations to compare privacy-preserving methods fairly.

Objectives 

Outcomes

  1. Identify the kinds of behavioural representations commonly claimed to be privacy preserving, including blurred or transformed video, skeletons, pose graphs, gait features, wearable-derived features and learned embeddings.
  2. Develop closed-set and open-set re-identification attacks across session, day, camera, environment and task changes.
  3. Develop membership inference, attribute inference and linkage attacks to test whether a person or session contributed to a dataset or can be connected across datasets.
  4. Compare privacy leakage across the representation hierarchy: raw RGB, face-suppressed images, silhouettes, skeletons, pose graphs, temporal features, physiological features and latent embeddings.
  5. Assess the privacy-utility trade-off by testing whether, and if so by how much, reducing identity leakage also damages state-inference utility for fatigue, stress, uncertainty, effort, engagement or impaired performance.
  6. Create a reusable red-team evaluation toolkit and reporting template for privacy-preserving behavioural AI.
  7. Where privacy leakage is found, identify concrete mitigation strategies, including representation redesign, feature suppression, adversarial training, noise calibration, domain randomisation and clearer reporting standards.

Computational techniques

  • Multimodal representation learning, metric and contrastive learning, sequence models, graph neural networks and temporal transformers for behavioural re-identification.
  • Adversarial attack design for cross-session, cross-domain and cross-modality identification.
  • Membership inference, attribute inference, linkage analysis and representation inversion where ethically appropriate.
  • Privacy-utility evaluation comparing attack success against state-recognition performance.
  • Defensive baselines including feature suppression, noise injection, adversarial representation learning, domain randomisation, skeletonisation and privacy-constrained embeddings.

Significance 

Privacy-preserving AI is becoming a routine claim in human-centred computing, health, safety, transport, education and workplace analytics. The problem is that many claims are not stress-tested. A skeleton is not automatically private. A gait trace is not automatically anonymous. A learned embedding can carry identity even when a human cannot interpret it. This is a major blind spot for responsible AI.

The significance of this project is that it makes privacy claims falsifiable. A system should not be called privacy-preserving simply because it removes obvious visual identity cues, or because some unquantified changes have been made to the data. It should be evaluated against strong attack models, and the remaining leakage should be measured. The project therefore contributes a necessary foundation for trustworthy adaptive AI systems.

The expected outcomes will support safer deployment of behavioural AI in sensitive contexts, including transport, mining, defence, public infrastructure, remote health, online learning and human-machine interaction. The project also supports controlled state-identity factorisation by identifying where identity persists, which transformations actually reduce leakage, and what utility is lost in the process.

Ideal Candidate 

The applicant should have a strong computing background in machine learning, privacy, security, computer vision, signal processing, behavioural biometrics or multimodal AI. Experience with PyTorch, Python, experimental evaluation and quantitative modelling is expected. Knowledge of representation learning, graph neural networks, sequence modelling, adversarial machine learning or human-centred computing would be valuable. The strongest candidate will be technically sharp and sceptical: the project suits a candidate interested in adversarial testing, red-teaming and exposing residual identity leakage in supposedly protected behavioural data. Additionally, applicants should meet the eligibility criteria for entry into a PhD program at Curtin University.

This project is open to International and Domestic applicants. 

Internship

Through this project you will also have an internship opportunity.  

Scholarship  

If you are identified as the preferred candidate for this project, you may be considered for an RTP scholarship. 

Enquiries and How to Apply

For enquiries about this opportunity contact Professor Tom Gedeon at 

To formally apply, submit an Expression of Interest to Professor Tom Gedeon during the Central Scholarship round (July 1st – July 31st 2026).
