No reliable watermarking for AI-generated images, say researchers

As it stands, it’s still too easy for bad actors to bypass watermarks.

A significant breakthrough has been achieved by a team of researchers from the University of Maryland by devising a method to bypass all watermark protections embedded in AI-generated images.

Speaking with Wired, computer science professor Soheil Feizi said that are no reliable ways to watermark AI-generated images, and that his team managed to break, “all of them”.

Also read | Tom Hanks warns people against dental ad using an AI likeness of him

As it stands, it’s still too easy for bad actors to bypass watermarks. Not only that, it’s also possible to add watermarks to human made images, so that they trigger a false positive.

Digital watermarks have been championed by various AI companies as a feature that allows users to know if an image was generated with the help of AI. The problem is we still don’t have foolproof watermarking technology that can’t be manipulated.

Feizi and his team have catalogued their findings in a pre-print paper. In it, the researchers say that watermarking methods that use subtle image perturbations can be easily broken with a diffusion purification attack.

The way this works is that when an image is generated using AI, a specific pattern of noise is applied to it, that is not visible to the human eye. The problem is this pattern can be modified or removed quite easily with minimal changes to the overall image.

Also read | YouTube launches AI-powered tools for customised ad campaigns in India

Similarly, watermarking techniques that use a high amount of perturbation, i.e. where major changes are applied to images, can be broken using a model substitution adversarial attack that can easily remove said watermarks.

Moreover, bad actors can use watermarking techniques against genuine artists by tagging their images with a pattern that will lead to them being falsely identified as AI-generated. This could potentially damage the reputation of the artist.