poisoning.ai
Reliability

Does Fawkes still work in 2026?

By The Poisoning.ai team
5 min read
Contents

Fawkes worked impressively in its own 2020 tests, but whether it still protects your face against today’s deployed face-search engines is genuinely unmeasured, not proven either way. Unlike Glaze, which now has a published attack against it, there is no published “Fawkes is defeated” result. The problem is different: Fawkes was demonstrated against 2020-era systems, its protection erodes as models retrain, and nobody has re-measured it against 2026 deployments. Treat it as a deterrent with an expiry risk, not a guarantee.

What Fawkes claimed in 2020

Fawkes (Shan, Wenger, Zhang, Li, Zheng, Zhao, USENIX Security 2020) adds imperceptible pixel changes, which it calls “cloaks,” to your photos before you post them, so that a facial-recognition model trained on those photos learns the wrong features and fails to match you later. According to Shan, Wenger, Zhang, Li, Zheng and Zhao (USENIX Security 2020), the system “provides 95+% protection against user recognition regardless of how trackers train their models,” and it reached 100% success in their experiments against the state-of-the-art facial recognition services of the day. They also reported a genuinely strong worst-case result: “even when clean, uncloaked images are ‘leaked’ to the tracker and used for training, Fawkes can still maintain an 80+% protection success rate.”

Its stronger sibling, LowKey (Cherepanova, Goldblum, Foley, Duan, Dickerson, Taylor, Goldstein, ICLR 2021), degrades the accuracy of Amazon Rekognition and the Microsoft Azure Face Recognition API “to below 1%” in its own tests. A third approach, FoggySight (Evtimov, Sturmfels, Kohno, PETS 2021), protects faces a different way, by flooding the lookup database with adversarial decoy photos so a search returns the wrong identities. All three are real, peer-reviewed results, and all three were measured against the systems that existed when they were written.

Why 2020 results do not settle 2026

Here is the problem, and it is not the one most people assume. There is no published paper showing Fawkes has been broken the way Glaze has. What there is instead is a measurement gap. Fawkes, LowKey and FoggySight were tested against research-deployed face recognition and commercial APIs as they stood around 2020. The deployed face-search engines people actually worry about now, PimEyes, FaceCheck.id and Clearview AI, were not the systems these tools were measured against, and there is no public 2024-or-later measurement of whether cloaks survive them. Face recognition has also moved on: recognition models trained since 2020 were never tested against Fawkes, so nobody has published whether the cloak still fools them.

The expiry problem

Fawkes protects you against models trained after you cloak your photos. It does nothing about models already trained on clean images of you, and its own creators never claimed permanence. As companies retrain on fresh data and as recognition architectures improve, the protection a 2020 cloak provides can erode, and a determined tracker can in principle harden its pipeline against a known cloaking tool. This is the same arms-race pattern documented in neighbouring fields: in the art domain, Hönig, Rando, Carlini and Tramèr (ICLR 2025) and the LightShed attack (Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi, USENIX Security 2025) both showed that imperceptible protective perturbations can be removed, and on the voice side Fan, Chen, Liu, Zhang and Yu (ICML 2025) showed the same. None of those studies tested Fawkes, but together they establish that perturbation-based protection is rarely permanent, which is exactly why a cloak untested since 2020 deserves caution.

What you can reliably say

QuestionAnswer
Did Fawkes work in its own paper?Yes, strongly, against the services it tested in 2020.
Is there a published Fawkes break?No, none exists.
Re-measured against 2026 face-search engines?Not publicly.
Should you treat it as permanent protection?No, treat it as a deterrent with expiry risk.

Do not import the Glaze story too aggressively either. Hönig, Rando, Carlini and Tramèr (ICLR 2025) showed several art protections could be weakened with cheap black-box removal, and warned that “all existing protective tools create a false sense of security and leave artists vulnerable to style mimicry.” That is important context for adversarial protection in general, but Hönig did not test Fawkes. A published Glaze break is not a published Fawkes break.

So should you use it?

As a deterrent, with clear eyes about what it is. If your worry is a future model scraping your newly posted photos, a cloak raises the cost of matching you and may help. It is weaker if clean images of you are already online, weaker if the attacker holds older photos, tagged albums, or video frames, and it does nothing about services that have already trained on your face. And if your worry is that your face is already in a search engine, cloaking new photos does nothing about the images already indexed. Removing your existing photos, or opting out of a service like PimEyes or Clearview, is a different job and a different site’s lane: that is passive concealment and removal, covered in remove photos from face-recognition sites, not the active cloaking this article is about.

The 2026 verdict: Fawkes worked in 2020 against 2020 systems, there is no published break, and its protection against current deployed face search is an open question because nobody has re-measured it. Treat it as a deterrent with an expiry date, layer it with other measures, and do not assume a cloak applied today will still hide you from the engines of two years from now.

For how cloaking works under the hood, see image cloaking for facial recognition and the how-to on protecting photos from facial recognition; for how it scores against every other tool, see do AI poisoning tools actually work?.

Sources

  • Shan, Wenger, Zhang, Li, Zheng, Zhao (2020). Fawkes: Protecting Privacy against Unauthorized Deep Learning Models. USENIX Security 2020.
  • Cherepanova, Goldblum, Foley, Duan, Dickerson, Taylor, Goldstein (2021). LowKey: Leveraging Adversarial Attacks to Protect Social Media Users from Facial Recognition. ICLR 2021.
  • Evtimov, Sturmfels, Kohno (2021). FoggySight: A Scheme for Facial Lookup Privacy. PETS 2021.
  • Hönig, Rando, Carlini, Tramèr (2025). Adversarial Perturbations Cannot Reliably Protect Artists From Generative AI. ICLR 2025.
  • Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi (2025). LightShed: Defeating Perturbation-based Image Copyright Protections. USENIX Security 2025.
  • Fan, Chen, Liu, Zhang, Yu (2025). De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks. ICML 2025.
#fawkes#lowkey#facial-recognition#cloaking
Get new protection tests & guides

New protection tests, breakdowns and how-long-does-it-hold checks. No spam, unsubscribe anytime.