3 Sources
[1]
Image watermarks meet their Waterloo with UnMarker
Computer scientists with the University of Waterloo in Ontario, Canada, say they've developed a way to remove watermarks embedded in AI-generated images. To support that claim, they've released a software tool called UnMarker. It can run offline, and can remove an image watermark in only a few minutes using a 40 GB Nvidia A100 GPU. Digital image watermarking, the process of altering data in an image file to declare image provenance, has been proposed as a way to help people spot "deepfakes" or AI-generated images and videos. Back in mid-2023, before AI safety commitments had fallen out of fashion in the US, Amazon, Google, and OpenAI all talked up watermarking as a way to safeguard against harmful AI-generated imagery. Google has devised a system called SynthID for this purpose. Meta has its own system called Stable Signature. But according to Andre Kassis, a PhD candidate in computer science at the University of Waterloo, and Urs Hengartner, associate professor of computer science, digital watermarks of this sort can be erased, regardless of how they're encoded. They describe their work in a paper titled "UnMarker: A Universal Attack on Defensive Image Watermarking," which appeared in the proceedings of the 46th IEEE Symposium on Security and Privacy in May. Kassis in a phone interview with The Register cited the flood of AI content and its harmful impact in terms of scams, fraud, and non-consensual exploitative imagery for his interest in this research. "It's no secret that we're surrounded by AI wherever we go," he said. "And although it has many benefits, it also has a dark side unfortunately." Watermarking, he said, is a defense that has been proposed and supported with millions of dollars of investment. "So I think it is essential that we stop for a minute and ask ourselves, 'Is it worth the hype? Can it really protect us or are we still vulnerable?'" he said. 
UnMarker, according to Kassis and Hengartner, is the first watermark removal attack that works against all watermarking schemes, whether semantic (content-altering) or non-semantic (content-preserving). It doesn't require access to the watermark mechanism's parameters or internal details, extra data, or feedback from a watermark detector. Their key insight, the researchers explain in their paper, is that a universal carrier has to be used by any given marking scheme to embed a watermark in an image file and it has to operate on the spectral amplitudes of the pixels in the image. Carrier, Kassis explained, is an abstract term that refers to the set of attributes a watermark can influence. He likened it to the space allotted to the address on a postal envelope. "If you mess the address up, then the mailman won't be able to go and deliver the mail," he explained. "So this is the same idea. That's exactly how UnMarker does it. We don't need to know what the actual content of the watermark is. All we need to know is where it resides and then we basically distort that channel." The UnMarker code looks for spectral variations in images in order to alter the frequency without creating visual artifacts. The altered images look the same but no longer get recognized by watermark detection mechanisms most of the time. Consequently, systems set up to block or flag AI-generated content via watermark just won't work reliably. Kassis and Hengartner tested various digital watermarking schemes, specifically Yu1, Yu2, HiDDeN, PTW, Stable Signature, StegaStamp, and TRW. When images watermarked with these techniques were processed by UnMarker, the best watermark detection rate only reached 43 percent. And anything below 50 percent, they argue, is essentially worthless. Kassis said that when these tests were conducted, Google's SynthID was not available through a public API and could not be evaluated.
But he said he had the opportunity to test SynthID later and UnMarker managed to drop its watermark detection rate from 100 percent to around 21 percent. "So the attack is also extremely effective against this commercial system as well," he told us. Other researchers have come to similar conclusions about the fragility of digital watermarks. Back in 2023, academics affiliated with the University of Maryland argued that image watermarking techniques would not work. More recently, in February this year, boffins affiliated with Google DeepMind and the University of Wisconsin-Madison concluded that "no existing [image-provenance] scheme combines robustness, unforgeability, and public-detectability." The DeepMind research also covers C2PA (Coalition for Content Provenance and Authenticity), a form of watermarking that involves adding digital signatures to image metadata rather than manipulating image pixel data; the Waterloo research does not specifically address C2PA, though the DeepMind paper deems it less robust than other watermarking methods. Despite the doubts voiced by Waterloo researchers about the viability of digital watermarking to address AI image concerns, there's a thriving industry promoting the technology. "It has become a huge industry," Kassis said. "And like once you let the genie out of the bottle, it's hard to put it back. The White House last year secured commitments from seven major tech players to invest and develop these watermarking technologies. Then there's attention from legislators and stuff like that. So it's kind of hard to right now just stop everything and take a step back and start from scratch." Kassis said the key message is that security should come first. "We always rush to develop these tools and our excitement overshadows the security aspects," he said. "We only think about it in hindsight and that's why we're always surprised when we find out how malicious attackers can actually misuse these systems." ®
[2]
Watermarks offer no defense against deepfakes, study suggests
New research from the University of Waterloo's Cybersecurity and Privacy Institute demonstrates that any artificial intelligence (AI) image watermark can be removed, without the attacker needing to know the design of the watermark, or even whether an image is watermarked to begin with. As AI-generated images and videos become more realistic, citizens and legislators are increasingly concerned about the potential impact of "deepfakes" across politics, the legal system and everyday life. "People want a way to verify what's real and what's not because the damages will be huge if we can't," said Andre Kassis, a Ph.D. candidate in computer science and the lead author on the research. "From political smear campaigns to non-consensual pornography, this technology could have terrible and wide-reaching consequences." AI companies, including OpenAI, Meta, and Google, have offered invisible encoded "watermarks" as a solution, suggesting these secret signatures can allow them to create publicly available tools that consistently and accurately distinguish between AI-generated content and real photos or videos, without revealing the nature of the watermarks. The Waterloo team, however, has created a tool, UnMarker, which successfully destroys watermarks without needing to know the specifics of how they've been encoded. UnMarker is the first practical and universal tool that can remove watermarking in real-world settings. What sets UnMarker apart is that it requires no knowledge of the watermarking algorithm, no access to internal parameters, and no interaction with the detector at all. It works universally, stripping both traditional and semantic watermarks without any customization.
"While watermarking schemes are typically kept secret by AI companies, they must satisfy two essential properties: they need to be invisible to human users to preserve image quality, and they must be robust, that is, resistant to manipulation of an image like cropping or reducing resolution," said Dr. Urs Hengartner, associate professor of the David R. Cheriton School of Computer Science at the University of Waterloo. "These requirements constrain the possible designs for watermarks significantly. Our key insight is that to meet both criteria, watermarks must operate in the image's spectral domain, meaning they subtly manipulate how pixel intensities vary across the image." Using a statistical attack, UnMarker looks for places in the image where the pixel frequency is unusual, and then distorts that frequency, making the image unrecognizable to the watermark-recognizing tool but undetectably different to the naked eye. In tests, the method worked more than 50% of the time on different AI models -- including Google's SynthID and Meta's Stable Signature -- without existing knowledge of the images' origins or watermarking methods. "If we can figure this out, so can malicious actors," Kassis said. "Watermarking is being promoted as this perfect solution, but we've shown that this technology is breakable. Deepfakes are still a huge threat. We live in an era where you can't really trust what you see anymore." The research, "UnMarker: A Universal Attack on Defensive Image Watermarking," appears in the proceedings of the 46th IEEE Symposium on Security and Privacy.
[3]
Canadian researchers create tool to remove anti-deepfake watermarks from AI content
OTTAWA -- University of Waterloo researchers have built a tool that can quickly remove watermarks identifying content as artificially generated -- and they say it proves that global efforts to combat deepfakes are most likely on the wrong track. Academia and industry have focused on watermarking as the best way to fight deepfakes and "basically abandoned all other approaches," said Andre Kassis, a PhD candidate in computer science who led the research. At a White House event in 2023, the leading AI companies -- including OpenAI, Meta, Google and Amazon -- pledged to implement mechanisms such as watermarking to clearly identify AI-generated content. AI companies' systems embed a watermark, which is a hidden signature or pattern that isn't visible to a person but can be identified by another system, Kassis explained. He said the research shows the use of watermarks is most likely not a viable shield against the hazards posed by AI content. "It tells us that the danger of deepfakes is something that we don't even have the tools to start tackling at this point," he said. The tool developed at the University of Waterloo, called UnMarker, follows other academic research on removing watermarks. That includes work at the University of Maryland, a collaboration between researchers at the University of California and Carnegie Mellon, and work at ETH Zürich. Kassis said his research goes further than earlier efforts and is the "first to expose a systemic vulnerability that undermines the very premise of watermarking as a defence against deepfakes." In a follow-up email statement, he said that "what sets UnMarker apart is that it requires no knowledge of the watermarking algorithm, no access to internal parameters, and no interaction with the detector at all." When tested, the tool worked more than 50 per cent of the time on different AI models, a university press release said. 
AI systems can be misused to create deepfakes, spread misinformation and perpetrate scams -- creating a need for a reliable way to identify content as AI-generated, Kassis said. After AI tools became too advanced for AI detectors to work well, attention turned to watermarking. The idea is that if we cannot "post facto understand or detect what's real and what's not," it's possible to inject "some kind of hidden signature or some kind of hidden pattern" earlier on, when the content is created, Kassis said. The European Union's AI Act requires providers of systems that put out large quantities of synthetic content to implement techniques and methods to make AI-generated or manipulated content identifiable, such as watermarks. In Canada, a voluntary code of conduct launched by the federal government in 2023 requires those behind AI systems to develop and implement "a reliable and freely available method to detect content generated by the system, with a near-term focus on audio-visual content (e.g., watermarking)." Kassis said UnMarker can remove watermarks without knowing anything about the system that generated it, or anything about the watermark itself. "We can just apply this tool and within two minutes max, it will output an image that is visually identical to the watermark image" which can then be distributed, he said. "It kind of is ironic that there's billions that are being poured into this technology and then, just with two buttons that you press, you can just get an image that is watermark-free." Kassis said that while the major AI players are racing to implement watermarking technology, more effort should be put into finding alternative solutions. Watermarks have "been declared as the de facto standard for future defence against these systems," he said. "I guess it's a call for everyone to take a step back and then try to think about this problem again."
University of Waterloo researchers have created UnMarker, a tool that can remove watermarks from AI-generated images, raising concerns about the effectiveness of watermarking as a defense against deepfakes.
Researchers from the University of Waterloo's Cybersecurity and Privacy Institute have developed a groundbreaking tool called UnMarker, capable of removing watermarks from AI-generated images. This development challenges the effectiveness of watermarking as a defense against deepfakes and AI-generated content [1].
Source: The Register
UnMarker operates by identifying and distorting spectral variations in images without creating visible artifacts. The tool can remove watermarks regardless of the specific watermarking scheme used, including both semantic (content-altering) and non-semantic (content-preserving) methods [1].
Andre Kassis, a Ph.D. candidate in computer science and lead author of the research, explains: "We don't need to know what the actual content of the watermark is. All we need to know is where it resides, and then we basically distort that channel" [1].
Source: Tech Xplore
The researchers tested UnMarker against various digital watermarking schemes, including Yu1, Yu2, HiDDeN, PTW, Stable Signature, StegaStamp, and TRW. The tool reduced watermark detection rates to below 50% in all cases, rendering them essentially useless [1].
Notably, UnMarker also proved effective against Google's SynthID, dropping its watermark detection rate from 100% to around 21% [1].
The development of UnMarker raises significant concerns about the reliance on watermarking as a primary defense against deepfakes and AI-generated content. This comes at a time when major tech companies and governments have been investing heavily in watermarking technologies [2].
In 2023, companies like OpenAI, Meta, Google, and Amazon pledged to implement watermarking mechanisms at a White House event. Additionally, the European Union's AI Act and Canada's voluntary code of conduct for AI systems both emphasize the use of watermarking techniques [3].
The researchers argue that their work exposes a systemic vulnerability in watermarking as a defense against deepfakes. Kassis states, "Watermarking is being promoted as this perfect solution, but we've shown that this technology is breakable. Deepfakes are still a huge threat" [2].
Dr. Urs Hengartner, associate professor at the University of Waterloo, emphasizes the inherent limitations of watermarking schemes: "While watermarking schemes are typically kept secret by AI companies, they must satisfy two essential properties: they need to be invisible to human users to preserve image quality, and they must be robust, that is, resistant to manipulation of an image like cropping or reducing resolution" [2].
The researchers call for a reevaluation of current approaches to combating deepfakes and AI-generated misinformation. Kassis suggests that the focus on watermarking may have led to the abandonment of other potentially more effective solutions [3].
As the threat of deepfakes continues to grow, the development of UnMarker serves as a wake-up call for the AI industry and policymakers. It underscores the need for more robust and diverse strategies to address the challenges posed by AI-generated content in an era where visual authenticity is increasingly difficult to verify.