Watermarks do not provide protection against deepfakes, studies suggest

A new study from the Institute for Cybersecurity and Privacy at the University of Waterloo shows that attackers can remove watermarks from artificial intelligence (AI) images without the need for an attacker to know the design of the watermark, or if the image is already watering out.

As AI-generated images and videos become more realistic, citizens and legislators are increasingly concerned about the potential impact of “deepfakes” across politics, legal systems and everyday life.

“People want a way to verify what is real and not because it’s a lot of damage if we can’t,” said PhD Andre Cassis. Computer Science Candidates and Research Chief Author. “From political smear campaigns to unconsensual pornography, this technology can have awfully wide-ranging results.”

AI companies, including Openai, Meta and Google, offer invisible encoded “watermarks” as solutions, suggesting that these secret signatures can create public tools that can consistently and accurately distinguish real photos and videos from AI-generated content without revealing the nature of the watermark.

However, the Waterloo team created Markter, a tool that destroys the seer without knowing the details of the encoded method. Unmarker is the first practical and universal tool that allows you to remove watermarks in real settings. What sets Unmarker apart is its knowledge of the watermark algorithm, access to internal parameters, and no interaction with the detector. It works universally and removes both traditional and semantic watermarks without customization.

“Although schemes are usually kept secret by AI companies, two important characteristics must be met. To maintain image quality, they must be invisible to human users. This means they must resist manipulation of images such as cropping and reducing resolution.

“These requirements significantly limit the possible design of watermarks. Our key insight is that the watermarks need to operate in the image’s spectral domain to meet both criteria. This means subtly manipulating how pixel intensities differ across the image.”

Using statistical attacks, Unmarker searches for locations of images with abnormal pixel frequencies, distorts the frequency, and cannot recognize images against tools that recognize watermarks, but is not different from the naked eye. In testing, this method works over 50% on a variety of AI models, including Google’s SynthID and stable signatures, excluding existing knowledge of image origin or watermarking methods.

“If you understand this, malicious actors can do that,” Cassis said. “While watermarking is being promoted as this perfect solution, this technology has shown its fragileness. Deepfake remains a major threat.

The survey, “Unmarker: A Funivation Image Watering,” is featured in the minutes of the 46th IEEE Symposium on Security and Privacy.