Meta open source new AI image watermarking technology, but is it really reliable?

AI-powered image generation is booming, and for good reason: it’s fun and easy to use. While these models bring new creative possibilities, they may raise concerns about potential misuse by bad actors who may intentionally generate images to deceive people. Even images created for fun can go viral and potentially mislead people. Earlier this year, for example, images of Pope Francis wearing a flashy white puffer jacket went viral, and photos of Trump being arrested sparked heated debate. These images are not real photos, but many people are fooled because there are no clear indicators to distinguish whether this content is created by generative AI.

Meta researchers recently released a new research paper and technical code detailing a technique for adding invisible watermarks to AI images to distinguish when images were created by open source generative AI models. Invisible watermarks incorporate information into digital content. These watermarks are invisible to the naked eye but can be detected by algorithms - even if people re-edit the image. Although there are other research directions around watermarking, many existing methods create watermarks after generating AI images.

According to Everypixel Journal, users have created more than 11 billion images using models from three open source repositories. In this case, the invisible watermark can be removed by simply deleting the line that generated the watermark. Stable Signature proposes a way to avoid watermark removal.

How the Stable Signature method works

Paper address:

Github address:

Stable Signature eliminates the possibility of watermark removal by rooting it in the model and using a watermark that can be traced back to where the image was created.

Let’s see how this process works with the diagram below.

Alice trains a master generative model. Before distributing, she fine-tunes a small part of the model (called the decoder) to generate the given watermark for Bob. The watermark can identify the model version, company, user, etc.

Bob receives his version of the model and generates the image. The resulting image will have Bob’s watermark on it. Alice or a third party can analyze them to see if the image was generated by Bob using a generative AI model.

This is achieved in two steps:

**1. Jointly train two convolutional neural networks. ** One encodes an image and a random message into a watermark image, and the other extracts the message from an enhanced version of the watermark image. The goal is to make the encoded and extracted messages match. After training, only the watermark extractor is retained.

**2. Fine-tune the latent decoder of the generative model to generate images containing fixed signatures. **During this fine-tuning process, batches of images are encoded, decoded, and optimized to minimize the differences between extracted and target messages and maintain perceived image quality. This optimization process is fast and efficient, requiring only small batches and a short time to achieve high-quality results.

Evaluate the performance of Stable Signature

We know people love sharing and retweeting images. What happens if Bob shares an image he created with 10 friends, and each friend then shares the image with 10 other friends? During this time, someone may have made changes to the image, such as cropping, compressing, or changing colors. Researchers built Stable Signature to cope with these changes. No matter how one transforms the image, the original watermark is likely to remain in the digital data and can be traced back to the generative model that created it.

The researchers found two major advantages of Stable Signature over passive detection methods:

First, the ability to control and reduce the generation of false positives, which occur when a human-generated image is mistaken for an AI-generated image. This is crucial given the prevalence of non-AI-generated images shared online. For example, the most effective existing detection methods can detect about 50% of edited generated images, but still produce a false positive rate of about 1/100. In other words, on a user-generated content platform that receives 1 billion images per day, approximately 10 million images will be mislabeled, resulting in only half of the AI-generated images being detected.

**Stable Signature, on the other hand, detects images with the same accuracy with a false positive rate of 1e-10 (which can be set to a specific desired value). **Additionally, this watermarking approach allows for tracking images of different versions of the same model – a capability not possible with passive techniques.

If a large model has been fine-tuned,

**How does Stable Signature detect the image generated by the fine-tuned version? **

A common approach to large AI models is to take a base model and fine-tune it to handle a specific use case that is sometimes even tailored to a person. For example, the model can be shown an image of Alice’s dog, and Alice can then ask the model to generate an image of her dog at the beach. This is accomplished through methods such as DreamBooth, Textual Inversion, and ControlNet. These methods act at the underlying model level and do not change the decoder. This means that our watermarking method is not affected by these fine-tunings.

Overall, Stable Signature works well with vector quantized image modeling (such as VQGAN) and latent diffusion models (such as Stable Diffusion). Since this approach does not modify the diffusion generation process, it is compatible with the popular models mentioned above. With some adjustments, stable signatures can also be applied to other modeling methods.

**Is AI watermark really reliable? **

The technology of identifying AI-generated images by adding invisible watermarks has been subject to a lot of controversy recently. Google DeepMind recently announced the launch of SynthID, a tool for adding watermarks to image generation and identifying AI-generated images. By scanning digital watermarks in images, SynthID can evaluate the likelihood that the image was generated by an Imagen model.

But can AI watermarks be easily removed? According to foreign media reports such as Engadget and Wired, a research team at the University of Maryland in the United States studied the reliability of “digital watermarking” technology for AI-generated content and found that this technology can be easily cracked.

Soheil Feizi, a professor of computer science at the school, was blunt when faced with the current status of watermarks in AI-generated images: “Currently we do not have any reliable watermark technology, and we have cracked all watermarks.”

During testing, the researchers were able to easily circumvent existing watermarking methods and found it easier to add “fake watermarks” to non-AI-generated images. At the same time, the team has also developed a watermark technology that is “almost impossible” to remove from images without completely compromising the image’s intellectual property.

AI watermarking is still immature and cannot be a 100% effective tool. We need to look forward to the emergence of new technologies in the future to protect generative AI images, avoid the proliferation of false images, and avoid copyright infringement.

Reference: