Remove AI Watermarks

57 points by janalsncm an hour ago

There's an underappreciated comment in the other thread about SynthID and OpenAI [0] that captures what (IMO) the hacker ethos on this should be. We care about privacy, we should not accept tools that barcode our every digital move. (note that the counter of "well, they don't do that yet" is not particularly convincing)

[0]: https://news.ycombinator.com/item?id=48200060

int0x29 - 30 minutes ago

Accepting blindly destroying the concept of thruth should not be the hacker ethos either.
- streetfighter64 - a minute ago
  
  The concept of truth? A bit overblown don't you think? Because some guy can make a realistic looking fake videos that destroys the "concept" of truth? How?
- bonoboTP - 24 minutes ago
  
  It's already possible to lie with text. Pixels are pixels. If we can't blindly believe pixels to show the truth, we will be simply back to the pre-photography era which managed to have a concept of truth regardless.
- - 26 minutes ago
  
  [deleted]
- tptacek - 24 minutes ago
  
  It either works reliably or it doesn't; if it doesn't, it's better that everybody be clear about that.
  - xp84 - a few seconds ago
    
    Fair enough. While I would kind of wish AI could be reliably detected, deep down I know this is impossible and it would be pretty bad if we had, say, a prosecution that succeeded because "this 'provably-non-AI' photo places you at the scene of the crime" because only a few underground people know how to remove a watermark.
- 63stack - 25 minutes ago
  
  Nobody said that?
  - int0x29 - 13 minutes ago
    
    Saying that watermarking fake things is bad kinda strongly implies it
- 15155 - 22 minutes ago
  
  Stalin had no issues photoshopping images almost 100 years ago.
  - croes - a few seconds ago
    
    A good example why fake images are bad.
    Do you want to make it easier for the next Stalin?
  - int0x29 - 11 minutes ago
    
    Generating realistic video of arbitrary things and people at scale is quite a bit of a different game than retouching photos
  - tredre3 - 11 minutes ago
    
    Stalin had all the resources imaginables at his disposal.
    Now Nancy, a tech-phobic waitress who has a grudge against her coworker can make up an entire scenario with one prompt and her colleagues might blindly believe her.
    Let's not pretend they're the same thing.
    Gen AI is inevitable. Watermarking is likely futile. But in my opinion it is still very important to discuss how, as a society, we're going to live in a post-truth world now that anybody can, IN SECONDS, not only fabricate a story but also spread it to thousands of people through their social media.
j2kun - 36 minutes ago

Building a tool that tries (and probably fails) to remove the watermark (due to the arms race that large corporate machines will win) is tacitly accepting the barcode. The hacker ethos should be, first and foremost, to run open source models locally without relying on a corporation.
- akersten - 34 minutes ago
  
  > [fighting against the system] is tacitly accepting the barcode.
  I don't really see it. I think it's important to win on both fronts.

site-packages1 - an hour ago

I don't know I really like the definitive indicator that something is AI so I can completely ignore anything else that comes from them.

recursive - 34 minutes ago

If someone's doing something you don't like, you can't really count on them doing it the way you prefer.
sgarman - 40 minutes ago

I think the issue is it was never definitive. This is a great way to show people that.
- esafak - 35 minutes ago
  
  I have not read anyone claim that SynthID had a false alarm issue, so if it returned positive I would believe it is synthetic.

airstrike - 12 minutes ago

Regardless of one's opinion about this particular project, it seems obvious to me that the path forward is proving authenticity of non-AI resources rather than attempting to watermark all the AI-generated ones.

a-dub - 7 minutes ago

watermarking only really works when the scheme is secret.

putting cyphertext in high frequency noise is old news. in generative land would be far more interesting to use the generative flexibility to encode in macrostructure.

Tiberium - an hour ago

This is a bit misleading as for Gemini it only properly removes the visible watermark. To remove SynthID it has to regenerate the image at low noise with SDXL, which will likely destroy a lot of small details, plus won't work for higher res properly (NB2 and GPT Image 2 support up to 4K image outputs)

gpt5 - 40 minutes ago

Nano Banana 2 only supports 1K resolution (1024x1024) natively. Anything above that is upscaling. So this matches SDXL. GPT Image 2 does support 4k natively (but experimentally).
- vunderba - 31 minutes ago
  
  Where did you get that info from? According to Google's own docs as well as my own image generation tests via the API, it supports up to 4K natively for gemini-3.1-flash-image-preview (aka NB2).
  It just defaults to 1K. But I didn't see anything in the docs stating that it's just a simple upscale for larger resolutions.
  https://ai.google.dev/gemini-api/docs/image-generation#gener...

j2kun - an hour ago

> Use cases where the threat model fits: You are preserving art or historical record against false-positive "AI-generated" labels.

Sorry, how does using AI to generate images have anything to do with this? Image generators cannot insert watermarks into things they did not generate, and it seems highly unlikely that you will get a false-positive watermark on human-generated art, especially if, as the readme says, these watermarks have high enough fidelity to trace to a specific session id. Plus the modifications to the image needed to erase watermarks would necessarily change the thing being "preserved."

[edit]: the more I read the more I'm convinced, the claimed use cases in the README are bullshit and the real reason is to provide a tool that helps people bypass "AI-generated" labels on social media for AI slop.

Tiberium - an hour ago

I mostly agree about the justification in the repo being wrong, but wanted to engage about this point:
> Image generators cannot insert watermarks into things they did not generate
It's actually very easy to take a real image, ask Gemini/ChatGPT to modify some tiny part of it (could be something as silly as lighting/shadow/etc), and often the resulting image will be detected by their watermarking tools. This way you can easily present any real image as AI-generated.
- j2kun - 41 minutes ago
  
  Ignoring that a watermark removal tool does not help with this threat model, the claim is still true: the original image can not be changed, and instead a copy is created.
- rezonant - 40 minutes ago
  
  So what? I can also open an image in Photoshop and make sure it saves out some Photoshop specific EXIF data and try to claim the image was doctored. What I can't do is go and put my deceptive altered file up in place of the original in all the places on the Internet it exists.
  - Barbing - 24 minutes ago
    
    I had to think about it, how about if the claim were:
    If you take a photograph that is misidentified as AI generated, you can “preserve the historical record“ by using this tool before publishing the image.
    (Anyone know the false positive rate with watermark IDs, would’ve hoped it’s like zero)

sscaryterry - 12 minutes ago

Yin and yang.

gbraad - 13 minutes ago

I just saw the announcement about OpenAI or so going to use SynthID and all I thought was; what can d be read(located) can be removed. Seems the tool already exists, proving my point.

- 40 minutes ago

[deleted]

tamimio - 15 minutes ago

Amaze amaze amaze

- Rocky

grebc - 26 minutes ago

What’s wrong with showing off AI bro? Why the shame?

Barbing - 21 minutes ago

People don’t realize how hard it can be to throw an election or impugn an adversary with manipulated imagery
Then they ask us to do it by hand?!