No More Watermarks: UnMarker Tool Erases AI Provenance Tags

The Limitations of AI Image Watermarking

Computer scientists from the University of Waterloo in Ontario, Canada, have raised concerns about the effectiveness of digital watermarking as a tool to detect AI-generated images and videos. Their research reveals that watermarks embedded in such media can be easily removed, undermining their intended purpose.

The team developed a software tool called UnMarker, which is capable of removing watermarks from AI-generated images without needing access to the internal mechanisms or parameters of the watermarking system. This process takes only a few minutes when using a 40 GB Nvidia A100 GPU, and it can be performed offline.

Digital image watermarking involves altering data within an image file to indicate its origin. It has been promoted as a method to identify deepfakes or AI-generated content. However, according to Andre Kassis, a PhD candidate at the University of Waterloo, and Urs Hengartner, associate professor of computer science, these watermarks are not as secure as they seem.

In a paper titled "UnMarker: A Universal Attack on Defensive Image Watermarking," published in the proceedings of the 46th IEEE Symposium on Security and Privacy in May, the researchers describe how UnMarker can effectively remove watermarks regardless of the encoding method used. They argue that this makes the technology vulnerable to attacks.

Kassis explained that the key insight behind UnMarker is the use of a universal carrier, which any marking scheme must use to embed a watermark. This carrier operates on the spectral amplitudes of the pixels in the image. He compared the concept of a carrier to the space allotted for an address on a postal envelope. If the address is altered, the mailman cannot deliver the mail. Similarly, UnMarker disrupts the channel where the watermark resides without needing to know its actual content.

The UnMarker code identifies spectral variations in images and alters those frequencies without creating visual artifacts. As a result, the modified images appear the same but are no longer recognized by most watermark detection systems. This means that systems designed to block or flag AI-generated content through watermarking may not function reliably.

The researchers tested UnMarker against several digital watermarking schemes, including Yu1, Yu2, HiDDeN, PTW, Stable Signature, StegaStamp, and TRW. After UnMarker was applied, the best watermark detection rate was only 43 percent, a level the researchers argue makes detection essentially ineffective. When tested against Google's SynthID, the detection rate dropped from 100 percent to around 21 percent, demonstrating the tool's effectiveness even against commercial systems.

Other researchers have also questioned the reliability of digital watermarks. In 2023, academics from the University of Maryland argued that image watermarking techniques would not work. More recently, a study by Google DeepMind and the University of Wisconsin-Madison concluded that no existing image-provenance scheme combines robustness, unforgeability, and public-detectability.

While the Waterloo research does not specifically address C2PA (Coalition for Content Provenance and Authenticity), which involves adding digital signatures to image metadata, the DeepMind paper deems it less robust than other methods. Despite these concerns, there remains a thriving industry promoting watermarking technologies.

Kassis noted that the industry has grown significantly, with major tech companies investing in these tools. The White House secured commitments from seven major tech players to develop watermarking technologies, and there is ongoing interest from legislators. However, he emphasized that security should be the top priority.

"We always rush to develop these tools and our excitement overshadows the security aspects," Kassis said. "We only think about it in hindsight and that's why we're always surprised when we find out how malicious attackers can actually misuse these systems."