This work proposes a privacy-preserving crowd counting framework based on facial features to address the limitations of traditional device-identifier-based cross-spatiotemporal monitoring under increasingly stringent privacy regulations. The method extracts deep facial features via face detection, employs a fuzzy extractor to generate irreversible identifiers, and immediately discards the original images to prevent identity leakage. These identifiers are stored in a homomorphically encrypted Bloom filter, enabling oblivious set membership tests directly over ciphertext. By uniquely integrating fuzzy extractors with homomorphic encryption–based Bloom filters, the approach achieves accurate cross-location and cross-time counting without exposing individual identities. Preliminary experiments demonstrate the feasibility and practical potential of this scheme while providing strong privacy guarantees.

An important aspect of crowd monitoring is knowing how many people we are dealing with. Sometimes, knowing the size of a crowd in a single location and at a specific moment is enough. Matters become problematic when counting the same people across dif ferent locations or counting them over longer periods of time. In those cases, we need to identify and later reidentify a person, which immediately leads to privacy concerns. Until recently, solutions have been based on unique identification of carry-on devices, yet privacy improvements have caused transmitted information to be randomized, rendering this technique mostly useless. We propose to use biometric data instead. We introduce a pipeline that counts people based on face recognition, yet without ever being able to reveal the identity of individuals. To count, a camera initially detects a face, extracts its features, and derives an identifier using a fuzzy extractor. The original facial image is then deleted. Identifiers are inserted into homomorphically encrypted Bloom filters. This allows oblivious set membership testing directly on encrypted data, enabling the system to count across locations or across different moments, without revealing any identities. We provide an initial evaluation of our method that shows promising results.