In short: gaussian blur and pixelation don’t delete a face, they average it. Enough signal survives that a neural network can match it back to a person — 57.75% of the time on faces run through YouTube’s own blur, against 2.5% for random guessing (McPherson, Shokri & Shmatikov, 2016). A black bar or an emoji replaces the pixels outright. Nothing survives, so there is nothing to attack.
What “free” gets you here, precisely
You searched for free, so let’s not bury it. Blurring is unlimited and there is no signup. Automatic face detection is free. All four masking styles are free. The export comes out at the photo’s full original resolution, not a downscaled preview.
The catch, stated plainly: the free export writes a small make-blur.com wordmark into the bottom-right corner, and files are capped at 20 MB. Pro removes the wordmark and takes the cap to 60 MB. If a corner wordmark is a dealbreaker for you, you now know that before you’ve spent ten minutes masking twelve faces — which is more than most “free” blur tools will do for you.
Does blurring a face actually protect it?
Mostly not, and this has been public knowledge since 2016. Richard McPherson, Reza Shokri and Vitaly Shmatikov trained ordinary neural networks on obfuscated faces and asked them to name the person. The networks never had to “un-blur” anything. They just had to notice that a blurred face still correlates with the face underneath.
| Obfuscation | Dataset | Named on 1st guess | Top 5 | Baseline |
|---|---|---|---|---|
| YouTube’s own face blur | AT&T, 40 people | 57.75% | 85.75% | 2.5% |
| Pixelation, 16×16 windows | FaceScrub, 530 people | 57% | 72% | 0.19% |
| None (original photos) | AT&T, 40 people | 95% | 100% | 2.5% |
| None (original photos) | FaceScrub, 530 people | 75% | — | 0.19% |
Read those two middle numbers again. A blurred face was named correctly 57.75% of the time — 23 times better than chance — by a network the authors themselves describe as simple, on hardware from 2016. The same paper notes that pixelating a 224×224 face with 16×16 windows leaves 14×14 distinct pixels, and that “it is not surprising that the accuracy of recognizing mosaiced faces did not drop below 50%”.
Now the honest caveat, because the number is often abused
This is closed-set identification. The attacker already holds a list of candidates and training photos of each one, blurred the same way. It is not a magic button that un-blurs a stranger on the internet. If you blur a random passer-by and nobody has any idea who they might be, 57.75% does not apply to you.
But think about when someone does hold a candidate list. A class photo. A 40-person company. A protest where the police have a shortlist. A dating profile someone is trying to place. That is the exact situation where you were blurring the face in the first place. The threat model and the use case are the same picture.
The paper’s own related-work section points at Newton, Sweeney and Malin (2005), who reached roughly 99% recognition against several ad-hoc face de-identification techniques. This is a twenty-year-old problem. Blur was never the answer; it just looks like one.
The four masking modes, and what each actually does
We ship all four. Most online blur tools ship one or two, which quietly forces you into the reversible ones. Here is the difference in terms of what happens to the pixels — the only thing that matters.
| Mode | What it does to the pixels | Residual signal? | Re-identification risk | Reach for it when |
|---|---|---|---|---|
| Gaussian blurLeaky | Averages every pixel with its neighbours | Yes — the face is still in there, smeared | Demonstrated (57.75% re-identification) | Tidying up a background. Low stakes only. |
| PixelationLeaky | Averages fixed blocks down to one colour each | Yes — one average colour per block still tracks the face | Demonstrated (57% across 530 people) | Looks official, protects no better than blur. |
| Black barSafe | Fills the area with #000 | None — the original pixels are gone | Nothing left in the image to attack | Sources, minors, patients, witnesses, anything that matters. |
| EmojiSafe | Paints an opaque glyph over the area | None — the original pixels are gone | Nothing left in the image to attack | Social posts where a black bar looks like a crime scene. |
The design point. A black bar isn’t a stronger blur. It’s a different operation: deletion. Our engine fills the region with #000 and the emoji mode paints an opaque glyph over it. In both cases the original pixels are overwritten and never reach the exported file. There is no faint signal left to correlate, which is why no amount of model training gets it back. Blur intensity, by contrast, is a slider — and sliders can be losing battles.
Under the GDPR, a blurred face is still personal data
This is where the research stops being trivia and starts being your problem. The GDPR draws its line at identifiability, not at effort.
“Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.” […] “To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
“Available technology at the time of the processing and technological developments” is the clause that does the damage. A pre-trained face model that runs in a browser tab is available technology. So:
- Blur and pixelation are pseudonymisation. The person can still be attributed with additional information, so the photo remains personal data. Retention limits, legal basis, subject access requests — all of it still applies to you.
- A black bar or emoji is anonymisation. The pixels are gone, the person is not identifiable from the image, and Recital 26 puts anonymous information outside the regulation entirely.
Which means the checkbox many teams tick — “we blurred the faces, we’re compliant” — is doing less work than they think. Blur is a courtesy. A black bar is a control.
How to blur a face here, step by step
- 1Open the tool and drop your photo in.JPG, PNG or WebP, up to 20 MB on free. It loads straight off your disk into a canvas — there is no upload step to wait for.
- 2Click Detect.The face model downloads once (about a two-second wait the first time, then it’s cached) and boxes every face it finds. On images 900 px or larger it also sweeps a 2×2 grid of overlapping tiles, which is what catches the small faces at the back of a group shot.
- 3Click any face to toggle it off — or back on.This is the part people miss. Detected faces are not a take-it-or-leave-it set. Click the bride to leave her sharp, leave the forty guests blurred. Click again to change your mind; nothing is destructive until you export.
- 4Draw regions for whatever the detector missed.Drag a rectangle or an ellipse over a licence plate, a badge, a screen, a street sign, a profile the model skipped. A hand-drawn region masks exactly as well as a detected one — the engine doesn’t distinguish.
- 5Pick your mode, then set the intensity.Black bar or emoji if it needs to actually hold. Gaussian or pixelation if it’s cosmetic. The intensity slider scales with the image, so a given setting looks the same on a phone snap and on a 24-megapixel raw export.
- 6Download at full resolution.The export is rendered fresh at the image’s natural size, so the masked file matches the original’s dimensions — and it arrives with no EXIF, no GPS, no camera serial, because a canvas re-encode carries none of it forward.
“No upload” — and how to check we’re not lying
Every blur tool on this SERP claims local processing. It’s become a checkbox nobody verifies, which is exactly why you should verify it. The photo you’re about to blur is, by definition, one you don’t want on a stranger’s server.
Two ways to test it yourself, in under a minute:
Open DevTools → Network and use the tool. You’ll see the page itself, the fonts, our analytics ping to kipstats.com (page views — no image data), and the model weights coming down from jsDelivr. What you won’t see is a request carrying your picture, because there’s no endpoint on our side that accepts one.
Or run one detection, then kill your wifi. Detect, blur, change modes, export — all of it keeps working offline. The model came to you; your photo never went anywhere.
Being straight about the one nuance: the detector weights are fetched from a public CDN (jsDelivr) the first time you hit Detect, so the first detection needs a connection. That request carries no image — it’s a plain file download, the same as a font. We could bundle the weights and skip it; we haven’t, because the CDN cache makes the page lighter for everyone who never clicks Detect.
Two things here that the other free blur tools don’t do
Faces detected and masked frame by frame, no upload, WebM out. The big online blur tools handle stills only — for video they send you to a desktop editor or a server queue. Free covers the first 20 seconds.
Blur a video →The video tool computes a 128-dimension descriptor per face and groups them into people, so you can keep your subject sharp and blur every other face across the whole clip — instead of re-masking strangers frame by frame.
The plain face-blur tool →Technical specs
Since we’ve asked you to distrust vague privacy claims, here’s ours in numbers.
| Detector | face-api.js SSD MobileNetV1 (@vladmandic/face-api 1.7.15) |
|---|---|
| Detection threshold | minConfidence 0.3 |
| Multi-scale pass | Full image + 2×2 tiles at 18% overlap when either side ≥ 900 px |
| Duplicate merging | Non-max suppression, IoU 0.3 |
| Region padding | +12% width, +18% height, ellipse by default |
| Input formats | JPG, PNG, WebP |
| File size cap | 20 MB free · 60 MB Pro |
| Export | Full natural resolution, PNG or JPG, re-encoded from canvas |
| Video (separate page) | 128-d face descriptors to keep one person sharp and blur the rest |
FAQ
Is it really free?+
Yes, with one string attached. Blurring is unlimited, face detection is free, all four styles are free, and the export is full resolution. The free export carries a small “make-blur.com” wordmark in the bottom-right corner, and files are capped at 20 MB. Pro removes the wordmark and raises the cap to 60 MB. No signup to blur your first photo.
Are my photos uploaded to a server?+
No. Detection and blurring both run on a canvas in your browser, and the download is produced locally. Open your browser’s Network tab while you use the tool: you will see the page, the fonts, our analytics ping and the face model downloading from jsDelivr. You will not see your image being sent anywhere, because there is no endpoint that accepts it.
How does the automatic detection work?+
An SSD MobileNetV1 face detector (face-api.js) loads into your browser the first time you click Detect. It runs over the whole image, and on anything 900 px or larger it also runs a 2×2 grid of overlapping tiles to catch small faces in group shots. Overlapping hits are merged with non-max suppression.
Why wasn’t one of the faces detected?+
Usually the face is too small, too dark, turned too far away, or partly hidden. We run at minConfidence 0.3, which is already permissive — pushing it lower would start boxing hands and lamps. When the detector misses one, draw the region by hand; it takes about two seconds and it is exactly as effective as an auto-detected box.
Blur, pixelate or black bar — which one should I use?+
Black bar or emoji if a real person’s safety, job or legal position depends on it. Blur or pixelation only if you are tidying up a photo and nobody would be harmed by being recognised. Blur and pixelation leave a residual signal that a neural network can match back to a person; a black bar leaves nothing.
Does blurring a face make a photo GDPR-compliant?+
Not by itself. Recital 26 says data is only outside the GDPR when the person is “no longer identifiable”, judged against technology available now and future developments. A reversible blur is pseudonymisation, so the photo is still personal data and still in scope. A black bar or emoji destroys the pixels and gets you to anonymisation.
Does the download still contain GPS and camera metadata?+
No. The export is re-encoded from a canvas, which means the file you download is built from pixels alone — EXIF, GPS coordinates, camera serial and timestamp do not survive the round trip. That is a consequence of how the export works rather than a feature we bolted on, but the result is the same: blurring a face while leaving the GPS tag intact would protect nobody.
Can I blur several images at once?+
Not yet — it is one image at a time. If you have a folder of 200 photos to process, we are the wrong tool today and we would rather say so than waste your afternoon.
Can I blur a video?+
Yes, and it is the thing we do that most online blur tools do not do at all. Faces are detected and blurred frame by frame in your browser, and you can keep one person sharp while blurring everyone else. Free covers the first 20 seconds with a watermark.
Can I use the blurred images commercially?+
Yes. The images are yours — they never reach us in the first place. The free tier’s wordmark is the only thing to consider, and Pro removes it.
Blur a face now — free, in your browser
If it’s cosmetic, use the blur. If someone’s safety depends on it, use the black bar. Either way, nothing leaves your device.
No signup · unlimited · full-resolution export
Sources
- R. McPherson, R. Shokri, V. Shmatikov, “Defeating Image Obfuscation with Deep Learning”, arXiv:1609.00408, September 2016.
- E. Newton, L. Sweeney, B. Malin, “Preserving Privacy by De-identifying Facial Images”, IEEE TKDE, 2005.
- Regulation (EU) 2016/679 (GDPR), Recital 26 — “Not applicable to anonymous data”.
Page written and maintained by the Make Blur team (KIPDEV). Last reviewed . Detection and rendering figures describe the engine currently in production and are updated when it changes.