Can watermarks stop AI deception?

Is it a real or AI-generated photo? Is it Drake’s voice or a computerized track? Was the essay written by a student or by ChatGPT? In the age of AI, provenance is paramount – a fancy way of saying we need to know where the media we consume comes from.

While generative AI promises to transform industries – from health care to entertainment to finance, just to name a few – it might also cast doubt on the origins of everything we see online. Experts have spent years warning that AI-generated media could disrupt elections and cause social unrest, so the stakes couldn’t be higher.

To counter this threat, lawmakers have proposed mandatory disclosures for political advertising using AI, and companies like Google and Meta, the parent company of Facebook and Instagram, are already requiring this. But bad actors won’t be deterred by demands for disclosures. So wouldn’t it be helpful if we had a way to instantly debunk and decipher what’s made by AI and what’s not?

Some experts say “watermarks” are the answer. A traditional watermark is a visible imprint — like what you see on a Getty image when you haven’t paid for it – or the inclusion of a corner logo. Today, these are used to deter theft rather than deception.

But most watermark proposals for AI-generated media center on invisible ones. These are functionally bits of code that tell third-party software that an image, picture, video, audio clip, or even lines of text were generated with AI. Using invisible watermarks would allow the audience to see art without it being visually altered or ruined — but, if there’s any confusion, in theory, the consumer of that media can run it through a computer program to see whether it was human-made or not.

Joe Biden’s administration is curious about watermarks. In his October executive order, the US president told the Commerce Department to “develop guidance for content authentication and watermarking to clearly label AI-generated content.” The goal: To protect Americans from “fraud and deception.”

It’s an effort many private companies are already working on — but solving the watermark issue has involved a lot of trial and error.

In August, Google released SynthID, a new method for embedding a watermark in the pixels of an image that’s perceptible to machine detectors but not the human eye. Still, it warns that SynthID isn’t “foolproof to extreme” methods of image manipulation. And last week, Meta announced it’s adding invisible watermarks to its text-to-image generator, promising that it’s “resilient to common image manipulations like cropping, color change (brightness, contrast, etc.), screen shots and more.”

There are more creative, cross-industry solutions too. In October, Adobe developed a special icon that can be added to an image’s metadata that both indicates who made it and how. Adobe told The Verge that it wants the icon to serve as a “nutrition label” for AI-generated images. But just like nutrition labels on food, the reality is no one can punish you for ignoring them.

And there are daunting challenges to actually making watermarks work.

Adam Conner, the tech policy lead at the Center for American Progress, said that watermarks need to transcend file format changes. “Even the best plans for watermarking will need to solve for the issue … where content is distributed as a normal file type, like a JPEG or MP3,” he said. In other words, the watermarks need to carry over from where they’re generated — say, an image downloaded on DALL-E — to wherever they are copied or converted into various file formats.

Meanwhile, researchers have poked holes in the latest and greatest watermarking tech. Researchers at Carnegie Mellon, for example, published a method for destroying watermarks by adding “noise” (basically, useless data) to an image and then reconstructing it. “All invisible watermarks are vulnerable to the proposed attack,” they wrote in July.

Others think that watermarking efforts might just be a fool’s errand. “I don’t believe watermarking the output of the generative models will be a practical solution,” University of Maryland computer science professor Soheil Feizi told The Verge. “This problem is theoretically impossible to be solved reliably.”

But there is clear political will to get watermarks working. Apart from Biden’s call, the G-7 nations are reportedly planning to ask private companies to develop watermarking technology so AI media is detectable. China banned AI-generated media without watermarks a year ago. Europe has pushed for AI watermarking, too, but it’s unclear if it’ll make it into the final text of its AI Act, the scope of which lawmakers agreed to last week.

The main limitation to achieving these goals is the elephant in the room: If Feizi is right, then watermarking AI will simply … miss the mark.

Please write in and tell us what you think – are watermarks on AI-generated images a good idea? Should they be legally required? Write to us here.