I have found great success in getting rid of it by masking every 2nd pixel, regenerating missing pixels and then once again masking every 2nd pixel offset by 1.
Used an off-the-shelf model to fill in the pixels, but I also exported a depthmap first (before any alterations) and denoised it so generated masked pixels conform to the original content. The result was obviously not 100% perfect, but with more time and a model fine-tuned for this specific use-case would be able to remove any kind of ai watermarking without too many issues.
Of course if you need to regenerate the image with an unwatermarked image-generation model to remove it, it more or less still serves its purpose.
Always amusing to see AI used against itself.
https://deepwalker.xyz/blog/bypassing-synthid-in-gemini-phot...
Can it be used to create something like nutritional labels for synthetic content? 10% synthetic text, 30 synthetic images.
Your reality was 15% synthetic today (75% mega corp, 25% open-weight neocloud).
Presumably the deployed version is meaningfully different.
https://github.com/swesterfeld/audiowmark
You can stuff per-item database unique IDs, user IDs, geohashes, and other nefarious things inside.
We need to protest this LOUDLY.
Our devices are being locked down, we're having attestation and trusted computing forced on us, the internet all over the world is undergoing age verification with full ID verification.
Just because this is on "ai images" today doesn't mean it won't be on all images - screenshots, your camera reel, etc. - in the fullness of time.
This is scary.
These are the tools of 1984. They've been boiling the water slowly, but in the last year things have really started to pick up pace. Please push back. Loudly.
Everyone at Google and OpenAI working on this: WHAT THE FUCK ARE YOU DOING. STOP.
We have laws and mechanisms to prevent revenge porn, CSAM, defamation, etc. They are robust and can be made even stronger. We do not need to sacrifice the security of our privacy and our speech to fight imagined harms when the real danger is turning into an authoritarian society.
As someone that creates things with tools with different media I would just hard avoid this tool that adds...
arbitrary metadata not of my choosing.
Should I seriously make a texture for a videogame with this weird DRM glorp in it?
How old is photoshop and why is it exempt?
If social media platforms started banning images with these watermarks seems like they'd be stripped out overnight.
I tested it on day 1 when Nano Banana Pro was released and it worked. It still works today for Nano Banana 2.
I didn't post this anywhere because I (arrogantly) thought saying it publicly would make the internet worse. But it was pure arrogance: if I came up with this the first day then of course millions of other programmers did too.
That being said, it'll introduce the typical artifacts from SD models and that might be detected by other methods (or just by zooming in a lot and looking carefully).
Never released it, but it was obvious to most people in the SD community that denoising using a diffusion model was a relatively trivial means to beat most steganographic watermarks.
Don't sell yourself short. I'm sure it was only hundreds of thousands.
In my tests the image looks clearly distinct. In other words, if you can tell the difference then it isn’t a good test.
So this is a big win IMO.
Well, they'll finally find out that no one wants to look at AI generated pictures or text. Once they do that, the tool will fail for the public and only work for the government.
C2PA is basically a signature that serves to prove it came from certain source.
It's useful in case you want to prove you got an image from AI model to someone who doesn't believe you.
It's trivially removable and not useful against people trying to pass off generated images as real.
Eventually it won’t matter when image generation is cheap. But few self-host today and few are willing to pay unsubsidized prices, so the vast majority are using the Gemini, OpenAI, and Midjourney. If all 3 adopted SynthID, only a small fraction would use something else.
This is antithetical to freedom and privacy.
There should be no way for anyone to track down who posted a political meme, anti-religious message, or any other legally protected speech. This will come back to bite us in the ass if we keep building it.
Soon every image or communication we make will be watermarked if we continue to let this shit seep into the commons. Everything from your phone photos, to your screenshots, to your social media posts.
One day soon Republicans or Democrats or whoever doesn't like your freedoms will use this tech to identify you and control you.
There are laws for harms - CSAM, revenge porn, etc. Social media platforms can identify, ban, and report abusers. The framework of the law can take care of the rest.
Our digital footprint should not be tracked and barcoded.
If I take a screenshot of an AI image, will that then be seen as an AI image? Is that 'hidden in the image' or as metadata?
I'm not all that worried about stripping it (I'm sure that's trivial).
The problem that I am worried about is that it can be copied (I'd bet $20 that's trivial, too). People WILL put this on images so that they can be "discredited".
I.e. it doesn't make sense for a purely white or black image, but as you gradually add colors or features, at some point they would want to add a watermark, but based on what? It's an interesting question.
It's certain now that most of the Western world has slid into fascism. Privacy and common decency advocates are all but lost.
I will say this, for everyone celebrating this as something that is "extremely beneficial to the cultural moment",
If I were an adversarial nation-state actor, I might be extremely interested in reverse engineering this and poisoning the well by applying it to real images.
Let's make the world impossible to understand.
> How old is photoshop and why is it exempt?
For one, it's not developed by Google or OpenAI. The barrier to entry to making realistic but deceptive images with Photoshop is far higher than with AI, and there are already techniques that can, imperfectly, be used to detect the use of traditional image editing.
If this actually works solidly, Google is in deep, deep, deep shit. It would mean that I can put a mark on my non-AI videos and demand that Google not allow upload of my identifiably copyrighted content.
This would completely obliterate YouTube.
I'm sure you can think of a couple things that differentiate gen AI from photoshop, I believe in you.
It's a tool with different modalities and affordances.
- you identify as an artist of sorts,
- you can't tell AI from human images, and
- you sound absolutely pissed off by this.
In my personal experience watching online flamewars, there seem to be two types of people when it comes to AI, even among highly tech literate, which are:
- those who can tell that an image was AI generated, instantly, even at thumbnail sizes, and manually drawn over
- those who can NOT, regardless of time or resource allotted. Tends to be perpetually angry (my prejudiced PoV).
I personally hate the state of AI image generators, but simultaneously I feel this goes above hate or ethics. There has to be some thing or process that's causing it, and it's probably not like IQ or EQ or autism or anything. Also, I am of the opinion that there is some chance that prolonged exposure to AI generated data might be corrupting brains of pro-AI people, but that's again just my highly prejudiced PoV and not a fact. What could be it? More/less exposure to older, simplistic examples? Prior exposure to human art? Childhood head traumas? Or something else?
ie. you would fail too.
Most people put so little effort into prompting them that they come out statistically "average" which makes them blatantly ugly.
Most of them are pretty bad just like 90% of everything is bad. Humans create bad art all day long too.
I gave a specific example of making a texture for a videogame? How does that change what you actually said to me very specifically despite maybe not reading what I said?
To the extent that I'm upset it's at people's capitulation at this DRM nonsense over being overly reactive to ... internet images which don't matter.
SynthID would only be DRM if Google/OpenAI were claiming IP rights over their images. I don’t even know if that’s legal though.
So that you don't have to address any of the issues?
How does today’s maximum theoretical disinformation output per minute compare to 2021 Photoshop?
So weird images are a big problem? No they don't matter at all.
Also you: well, games go through some kind of distribution, which has plenty of telemetry and metadata. Whether it is App Store with notarization, or Steam or Itch who collect analytics and know a lot about you, or your ISP if you self host your eclectic WebGL game from home. Posting on an iPhone or Android phone, to Hacker News which has your email address, on your cell network which has IPv6 globally unique addresses...
"But my choosing!" You'll say. It is extremely performative of you to say, "everything that would make me 200% wrong isn't valid."
I don't know. I really hate these vibes-driven reactions to (checks notes) content attribution. Every accusation is a confession in this frame of mind. How do you not see that?
I have an IP address so therefore this is all fine?
"Every accusation is a confession" also seems like an insinuation that I have something to hide but you have "nothing to hide, nothing to fear", i.e. the very generic privacy right fallacy.
As for "vibes driven"... this whole technical "fix" is a result of the reactionary "vibe" of the ai moral panic, your "notes" don't seem to be providing any perspective there?
Set up as a ComfyUI workflow that does a few things: it tries SDXL, Flux, and a couple of different denoising methods at the lowest possible strength (progressively incrementing) to avoid changing the image too much, while also running a SynthID check each time, and repeating this in a loop until the watermark is essentially gone.
At the same time, you’d probably want to add some kind of threshold based on a perceptual hash aka the maximum perceptual quality difference you’re willing to accept.
Writing a more detailed description does not make the models stick to it more.
I would layer two watermarks and let the public remove the most visible one.
Similar to your printer fingerprinting: https://en.wikipedia.org/wiki/Printer_tracking_dots
This blog post clearly shows that Deepwalker can break SynthID, which is a closed-source watermarking system.
> I immediately said yes, even though I wasn't entirely sure. They wanted to play games, so I decided to play along.
The article never says the generated images were used to make a fraudulent claim, but it's implied by the juxtaposition.
A few words to indicate that the challenge to break SynthID was for their own amusement would break this implication.
If SynthID works, this would allow people to tag their own videos with a watermark that is invariant across various levels of compression and editing. It would enable automated scanning of YouTube videos for uploads and the consequent class-action lawsuits.
Because of that, I can fairly confidently say that this doesn't work. However, it will function to divert some attention for a while. And that's what Google and OpenAI intended in the first place.
Class action? Wouldn't you first have to attempt to follow the official process, filing a DMCA request? And I assume that Google would likely respect that since (unless I'm uninformed) it seems like they typically have so far? I really don't see how this escalates in a way that leaves Google at fault.
But on second thought it is not a bad idea to be able to have a quick tool to identify an image as AI generated.
And after reading your reaction to it, I am sure now that the watermark is for the best.
Only criminals and bad actors want private defaults?
The burden of proof is proving there is some harm or problem that needs solving and no one has managed that in this thread or generally.
No, but you are in the school that teaches that false equivalence is valid rationale.
> Only criminals and bad actors want private defaults
As I was saying.
> The burden of proof is proving there is some harm or problem that needs solving and no one has managed that in this thread or generally.
"Burden of proof" is a concept borrowed from legal practice where the accuser has to offer proof that the accused committed a crime.
No crime is being implied here. Watermarking is actually a useful feature so that people can easily identify images as AI generated.
Comparing Qwen-Image, Flux.2, ZiT, NB2, and gpt-image-2
If the powers-that-be want to enforce age verification, watermarking camera output is not the correct technology to do so. It would be something like HDCP, where camera manufacturers are given keys and a whole trusted media path is built so that the relying party can cryptographically enforce that a trusted camera is being used to capture live images.
You can still use traditional methods to manipulate images, too, so I don't think a "does not contain SynthID watermark" means you can trust that image more. On the other hand, encoding a lot of personal and other information in the watermark (136 bit is a lot) that can not be easily removed and that most people are unaware of really seems a 1984-like dystopia.
The same techniques used here can be applied in other domains for other purposes. That would not "defeat its only purpose". The danger is the normalization of watermarking for [ insert good reason here ] with regulation eventually making it mandatory once everyone is accustomed to it. Rinse and repeat to gradually boil the frog.
We live in a world where nearly all printers already watermark everything they print with their serial number. It wouldn't be at all surprising if the next modernized variant of that technology encoded personal and contextual data tied to the user.
and yeah exactly printers already watermark, why would they need synthid
It's a bogus claim (as I previously stated). Applying the same technique in another domain or for a different purpose does not defeat the original purpose for which a technique was developed. People can do both things.
No one said anything about printers using synthid. The modernized variant (at least one of them) would apply to digital media produced by the end user.
Although since you asked, if the synthid watermarking scheme is more resilient to transformations and conversions than the current one then switching might prove useful.
Watermark, by design, irreversibly modifies the original data, and is, by design, hard to remove without producing detectable artifacts (or rendering the data useless altogether).
In short, the answer is no.
Zero watermarks is a lot worse than semi-effective AI watermarks.
There is no case that any of it's particularly harmful outside of things like CSAM which is illegal.
Unfortunately, simple statistics mean that you will get a lot more people than just "1" creating disinformation with AI assistance.
So what does a deepfake matter?
A national news story in the US tonight, Lyft driver caught faking photos of his messy car. Not the most intelligent fraudster as he left the Gemini logo on the corner of the image.
Providing these four examples in good faith :) also generally I _dislike_ DRM
What image is going to change your worldview so radically that the drm saves you?
edit - to be clear you are watermarking 100,000 fishes with mustaches because of your concern over 1 image that "matters" (and you don't even have an image that matters in mind)
https://www.nbcnews.com/tech/social-media/openai-sora-realis...
https://apnews.com/article/artificial-intelligence-elections...
It doesn't extend to just photos, but videos too:
https://en.wikipedia.org/wiki/Digital_rights_management#Wate...
> They are not complete DRM mechanisms in their own right, but are used as part of a system for copyright enforcement ...
Because watermarks in and of themselves are not, in fact, DRM. Even if I agree that their mass adoption by BigTech is a really bad sign for personal privacy and (eventually) freedom.
So strictly speaking brings a lot to the discussion when you actually think about it. Stating that DRM != SynthID is addressing issues where people seem to think that DRM == SynthID. Those people are wrong, and strictly speaking need to be corrected.
"this image made by OpenAI" is a drm assertion
You won't be able to assert copyright of the picture that you added an OpenAI red bowtie to, that's a DRM issue.
You should also think about whether, suddenly, courts can now trust images they see because this technology exists?
I think that's not even basically plausible.
Only the investigative or journalistically inclined will make use of this, and those people already fact check.
Where’s the en masse gain?
If you read my original point you'd see I said "weird DRM glorp" which you and others have tried, and failed to only closely parse "DRM" so that you could nitpick poorly.
It is integral and part of DRM systems and certainly "weird DRM glorp" for an actual close reader.
DRM is not just "I cant watch X movie because DRM" even if that is the statistically prevalent understanding of DRM.
It's a suite of technologies of which watermarking is one.
Anyways, that's beside my point. The point of mine is that, it always turns into all-caps flamewars like this, with no middle ground or third camps, and that this has to be more of a phenomenon than regular disagreements. This isn't bikeshedding. This is Spanish bullfighting centered around a piece of red cloth.
1: https://news.ycombinator.com/item?id=42216694
2: I just asked Gemini "is 60% accuracy over 11k participant for a test statistically significant and why", it said "yes, it is overwhelmingly statistically significant" and "completely off the charts". They said p<0.05 figure would be 50.94%.
Also I'm not that worried about the adversarial conditions, any real life conditions are likely adversarial in the relevant sense. No one is one-shotting generation and serving you that, obviously output has been selected for quality. I would call Scott's test not adversarial, but fair.
> Social media platforms can identify, ban, and report abusers.
& do but Americans nonetheless argue with troll farms[1] every day & it hurts us
[1] 2013-2023, just one known company https://en.wikipedia.org/wiki/Internet_Research_Agency
When your average gullible person will fall for a jpeg and a quote, you don't even need deepfake content. You just need to say something and they'll take it at face value. Deep fakes aren't even necessary. AI literally does not even matter.
If there's such a thing as a "sophisticated actor", they'll be able to remove identifying marks. Not that they'll need to.
What you'll be left with is the 99% of society that has everything they do tracked, and eventually platforms that won't allow anything except for signed and attested communication to take place.
We're building our own mouse trap here. Why don't you see this?
> & do but Americans nonetheless argue with troll farms[1] every day & it hurts us
Again, you don't even need the specter of AI. You just need to say words and certain people will trust it. There's nothing you can do about that. Yellow journalism and propaganda has been a thing for longer than any of us have been alive.
The "fix" you're proposing is a tool to put us all into permanent shackles. It is a tool that will strip away our rights and put us all into shackles. Perhaps within our lifetimes.
Stop building and advocating for this shit.
when capability exists, there is no way to ensure it won't be exploited at some point in the future.
people are building software to kill other people, do you think they won't update the system to make it identifiable?
These laws need a method to know what is true and what is fake. Good luck with that if you can’t tell if neither images, audio or video are true.
These fakes will pave the way for fascists.
How much freedom and privacy will they allow?
Google or anyone else could start adding those unique tracking watermarks you're concerned about any time they want, regardless of whether they use this AI detection watermark, that to be clear can not track you in any way.
Have you been watching the headlines over the last year? It's like there's a global push towards locked down and verified computing (age verification, TPMs everywhere, Captchas that only work on non-rooted phones, ...).
You can look out the window and see movement in this direction happening right now. Governments and corporations around the world can't get enough of this shit. Privacy matters, advocating for it is not a "slippery slope."
> this AI detection watermark [...] that to be clear can not track you in any way.
Is that clear? We have no idea what metadata they are or aren't embedding in SynthID.
> Google or anyone else could start adding those unique tracking watermarks you're concerned about any time they want,
The point is that this is bad and should be denounced!
> to be clear can not track you in any way
All they have to do is encode enough entropy for a database unique identifier. Systems like this have been used to do it for audio:
https://github.com/swesterfeld/audiowmark
SynthID payloads work the same way, and the paper discusses encoding a "user identifier":
https://arxiv.org/html/2510.09263v1#S5
All you need to do is encode a database identifier, GeoIP, or other identifying information, and you've violated a person's privacy without their knowledge or consent.
Once these systems become popular, the intelligence agencies will "suggest" that Google adds it to their phone cameras. It will start seeping into everything.
The "slippery slope" is not a fallacy. We're on the verge of having device attestation and identity verification to use the internet. This is so beyond fucked.
Stop defending this.
Saying this is okay is EVIL.
You can go on living your life without it. I believe in you.
Would not have been on my bingo card.