The Efficacy of AI Watermarking: A Deeper Look into Its Strengths and Weaknesses


Professor Soheil Feizi of the University of Maryland, an acclaimed figure in AI detection, has recently been forthright about the current state of AI watermarking, stating, “We don’t have any reliable watermarking at this point. We broke all of them.” In a new study, Feizi and his colleagues examined how easily bad actors can evade watermarking, a process they term “washing out” the watermark. The study also demonstrates how attackers can add watermarks to human-generated images, leading to false positives. Although the preprint paper has yet to undergo peer review, the findings merit attention due to Feizi’s significant contributions to AI detection.

The Emergence of Watermarking

Watermarking has emerged as a promising strategy to identify AI-generated images and text. Like physical watermarks on paper money and stamps, digital watermarks aim to trace the origins of images and text online, helping identify deepfaked videos and bot-authored books. This strategy has gained significance in light of the 2024 US presidential elections and the rising concerns over manipulated media. Case in point, former US President Donald Trump shared a fake video of Anderson Cooper, which had been AI-cloned, on his Truth Social platform.

Corporations and Watermarking Technology

Major AI corporations such as OpenAI, Alphabet, Meta, and Amazon, among others, have pledged to develop watermarking technology to combat misinformation. In August, Google’s DeepMind released a beta version of its new watermarking tool, SynthID. The expectation is that these tools will flag AI content as it’s being generated, mirroring how physical watermarking authenticates dollars as they’re being printed.

The Study and Its Implications

Despite watermarking’s promise, this study, among others, highlights its significant shortcomings. “It is well established that watermarking can be vulnerable to attack,” states Hany Farid, a UC Berkeley School of Information professor. In August, researchers from the University of California, Santa Barbara, and Carnegie Mellon co-authored a paper after conducting their experimental attacks, concluding, “All invisible watermarks are vulnerable.” Feizi’s study further asserts that even the so-called promising “high perturbation” watermarks can be manipulated.

The flaws in watermarking haven’t dampened the enthusiasm of tech giants, who continue to offer it as a potential solution. Those working within the AI detection space, however, are cautious. “Watermarking at first sounds like a noble and promising solution, but its real-world applications fail from the onset when they can be easily faked, removed, or ignored,” notes Ben Colman, the CEO of the AI-detection startup Reality Defender.

The Future of AI Watermarking

There are differing opinions on the future of AI watermarking. Some people believe it has a place in AI detection as long as we understand its limitations. Others, like Bars Juhasz, cofounder of Undetectable, a startup devoted to helping people evade AI detectors, state, “Watermarking is ineffective.” On the other hand, Farid believes robust watermarking is part of the solution, and using it in tandem with other technologies can make it more challenging for bad actors to create convincing fakes.

Some of Feizi’s colleagues think watermarking has its place, too. Yuxin Wen, a Ph.D. student at the University of Maryland who coauthored a recent paper suggesting a new watermarking technique, believes whether this study is a blow to watermarking depends significantly on the assumptions and hopes placed in watermarking as a solution. Computer science professor Tom Goldstein sees watermarking as a form of harm reduction, helpful in catching lower-level attempts at AI fakery, even if it can’t prevent high-level attacks.

In conclusion, while there are differing opinions on the future of AI watermarking, there is a consensus that it requires further development and refinement to be truly effective. The expectation, however, is that this technology will continue to evolve, adapt, and become a reliable tool in the fight against AI-generated misinformation.


Michael Terry


Greetings, esteemed individuals. I would like to take this opportunity to formally introduce myself as Michael O Terry, an expert in the field of artificial intelligence. My area of specialization revolves around comprehending the impact of artificial intelligence on human beings, analyzing its potential for development, and forecasting what the future holds for us. It is my pleasure to be of service and share my knowledge and insights with you all.