Eventually this won't matter as open source models will be good enough to fool 99% of people.

if you tell it to generate the AI image with a black background you can visually see the synthid with a good enough monitor, it's just a repeating fuzzy pattern, nothing special.

I have found great success of getting rid of it by masking every 2nd pixel, regenerating missing pixels and then once again masking every 2nd pixel offset by 1.

Used an off the shelf model to fill in the pixels, but I also exported a depthmap first (before any alternations) and denoised it so generated masked pixels comform to the original content. The result was obviously not 100% perfect, but with more time and a model fine tuned for this specific use-case would be able to remove any kind of ai watermarking without too many issues.

• teravor

  today at 12:07 AM

  i wouldn't have any confidence in being able to remove a 0.5 bit watermark (presence/absence). what you see is probably a functional decoy.

  • huflungdung

    today at 12:44 AM

    [dead]

• userbinator

  today at 12:36 AM

  but with more time and a model fine tuned for this specific use-case would be able to remove any kind of ai watermarking without too many issues.

  Always amusing to see AI used against itself.

• cryptoegorophy

  today at 3:39 AM

  Can an image just be stretched or compressed a very tiny bit?

  • neom

    today at 4:27 AM

    No, to give you an example, it needed 51% gaussian noise over this image to prevent it from seeing it's watermark. Changing the proportions or compressing it will not do anything. This is what 51% gaussian noise looks like: https://gov.f9.is/r2s8UB7a - here is 49% where it can still detect it: https://gov.f9.is/FQi3AL2I

• m00dy

  today at 3:06 AM

  It’s definitely hackable, Some of our engineers worked on this long time ago

  https://deepwalker.xyz/blog/bypassing-synthid-in-gemini-phot...

• tantalor

  yesterday at 11:18 PM

  But why

  • noir_lord

    yesterday at 11:40 PM

    Because we are on Hacker News.

    • tantalor

      today at 12:01 AM

      good point

• sigbeta

  today at 3:02 AM

  [dead]

What information is included in the metadata or SynthID? How many bits can be encoded in a SynthID?

Can it be used to create something like nutritional labels for synthetic content? 10% synthetic text, 30 synthetic images.

Your reality was 15% synthetic today (75% mega corp, 25% open-weight neocloud).

• big_toast

  yesterday at 9:54 PM

  I guess the SynthID-Image paper from Oct 2025[0] was an encoder-decoder for which they tested checking a flag or a 136 bit payload in 512x512 images and the watermark's robustness after various transformations.

  Presumably the deployed version is meaningfully different.

  [0]:https://arxiv.org/html/2510.09263v1

  • echelon

    yesterday at 10:37 PM

    This is very similar to audiowmark

    https://github.com/swesterfeld/audiowmark

    You can stuff per-item database unique IDs, user IDs, geohashes, and other nefarious things inside.

    We need to protest this LOUDLY.

    Our devices are being locked down, we're having attestation and trusted computing forced on us, the internet all over the world is undergoing age verification with full ID verification.

    Just because this is on "ai images" today doesn't mean it won't be on all images - screenshots, your camera reel, etc. - in the fullness of time.

    This is scary.

    These are the tools of 1984. They've been boiling the water slowly, but in the last year things have really started to pick up pace. Please push back. Loudly.

    Everyone at Google and OpenAI working on this: WHAT THE FUCK ARE YOU DOING. STOP.

    We have laws and mechanisms to prevent revenge porn, CSAM, defamation, etc. They are robust and can be made even stronger. We do not need to sacrifice the security of our privacy and our speech to fight imagined harms when the real danger is turning into an authoritarian society.

    • tadfisher

      today at 12:51 AM

      The point of SynthID is to make generated images identifiable, in an attempt to prevent 1984-esque situations where you can't believe your eyes and ears. Applying it to screenshots and camera output defeats its only purpose.

      If the powers-that-be want to enforce age verification, watermarking camera output is not the correct technology to do so. It would be something like HDCP, where camera manufacturers are given keys and a whole trusted media path is built so that the relying party can cryptographically enforce that a trusted camera is being used to capture live images.

      • raron

        today at 1:16 AM

        > The point of SynthID is to make generated images identifiable, in an attempt to prevent 1984-esque situations where you can't believe your eyes and ears.

        You can still use traditional methods to manipulate images, too, so I don't think a "does not contain SynthID watermark" means you can trust that image more. In the other hand, encoding a lot of personal and other information in the watermark (136 bit is a lot) that can not be easily removed and most of the people are unaware of it seems really an 1984-like dystopia.

      • fc417fc802

        today at 2:42 AM

        You have missed the point by such a wide margin that I have to wonder if it wasn't intentional.

        The same techniques used here can be applied in other domains for other purposes. That would not "defeat its only purpose". The danger is the normalization of watermarking for [ insert good reason here ] with regulation eventually making it mandatory once everyone is accustomed to it. Rinse and repeat to gradually boil the frog.

        We live in a world where nearly all printers already watermark everything they print with their serial number. It wouldn't be at all surprising if the next modernized variant of that technology encoded personal and contextual data tied to the user.

    • Dylan16807

      today at 2:39 AM

      I'm going to save my protests for anyone trying to watermark real images.

      Zero watermarks is a lot worse than semi-effective AI watermarks.

      • fc417fc802

        today at 2:44 AM

        Is it? Given local models this delays the current cutting edge at any given time by what, 6 to 12 months at best?

        • Dylan16807

          today at 2:46 AM

          Well the person I replied to seems to think it'll be at least semi-effective.

          • fc417fc802

            today at 2:53 AM

            How effective something is as an authoritarian tool (or whatever arbitrary purpose) can be (and very often is) completely unrelated to its effectiveness for some other unrelated purpose. It isn't clear to me why even highly effective AI image watermarks would be better than zero watermarks given what I pointed out about local models.

    • Extropy_

      yesterday at 10:50 PM

      Most cameras already produce metadata. You can remove this metadata. Can you not also detect and remove watermarks?

      • big_toast

        yesterday at 10:58 PM

        The paper references some threat models they considered. They suggest someone might "possess paired information (both original and watermarked content)" and therefore be able to undo watermarking. Presumably it's fairly easy to get identity operations out of image APIs that would result in this situation. I'm not sure that addresses echelon's main concerns though.

      • alterom

        yesterday at 11:24 PM

        The metadata is kept separately from the original data, and is, by design, modifiable and removable.

        Watermark, by design, irreversibly modifies the original data, and is, by design, hard to remove without producing detectable artifacts (or rendering the data useless altogether).

        In short, the answer is no.

    • today at 1:11 AM

• gumby271

  today at 12:19 AM

  Or perhaps a user id or fingerprint to an individual. We added that to printers long ago, this would easily enable that for every photo and image you generate too.

• janalsncm

  yesterday at 10:21 PM

  Don’t think that would be possible. If I paste a synthetic piece into an otherwise organic image, the synth id isn’t going to know that.

  • animal_spirits

    yesterday at 10:44 PM

    Synth ID can detect parts of images with the watermark.

Interesting that it seems to be the case that SynthID has been totally busted open, but OpenAI's new watermark has not yet [1]

[1] https://github.com/wiltodelta/remove-ai-watermarks

This is just performative nonsense.

As someone that creates things with tools with different media I would just hard avoid this tool that adds...

arbitrary metadata not of my choosing.

Should I seriously make a texture for a videogame with this weird DRM glorp in it?

How old is photoshop and why is it exempt?

• ericpruitt

  yesterday at 9:53 PM

  Just because something isn't perfect doesn't mean it's not useful. I've already seen posts online that were able to be proven as falsified because someone ran the images through Google for SynthID checks.

  > How old is photoshop and why is it exempt?

  For one, it's not developed by Google or OpenAI. The barrier to entry to making realistic but deceptive images with Photoshop is far higher than with AI, and there are already techniques that can, imperfectly, be used to detect the use of traditional image editing.

  • WhatIsDukkha

    yesterday at 11:18 PM

    So 999 people that are just making an image need to be DRM'ed so that you might catch the 1 person making "realistic but deceptive" images... like this is some kind of special case of ... internet images.

    • space_fountain

      today at 12:01 AM

      This isn't DRM right? This is metadata attached to the image that makes it clear it was synthetically generated. The public has a huge incentive to know when images are AI generated and the harm to legitimate users seems pretty small: aka someone might complain online that you use AI

      • raron

        today at 1:25 AM

        Not yet, but it is easy to imagine many ways it would be used for DRM.

      • WhatIsDukkha

        today at 12:04 AM

        billions? of "fake" images not generated by ai but just photoshopped and ... not really harmful.

        There is no case that any of its particularly harmful outside of things like CSAM which is illegal.

  • nathancahill

    today at 1:28 AM

    I mean I see a lot of images online where people forget or don't care enough to remove/crop the Gemini watermark.

  • bsder

    today at 12:30 AM

    I guarantee this works poorly, at best.

    If this actually works solidly, Google is in deep, deep, deep shit. It would mean that I can put a mark on my non-AI videos and demand that Google not allow upload of my identifiably copyrighted content.

    This would completely obliterate YouTube.

    • fc417fc802

      today at 2:50 AM

      No, it wouldn't. ContentID is already used by Google for that exact purpose. They appear to be fully in favor of enforcing IP law provided the owning party raises a complaint.

• Jtarii

  yesterday at 10:14 PM

  >How old is photoshop and why is it exempt?

  I'm sure you can think of a couple things that differentiate gen AI from photoshop, I believe in you.

  • WhatIsDukkha

    yesterday at 11:17 PM

    The main difference is we are in the middle of a moral panic and people have lost perspective.

    Its a tool with different modalties and affordances.

    • surgical_fire

      today at 12:16 AM

      When I saw the article I was initially skeptical. I do look down on OpenAI, Google, and other such companies.

      But on second thought it is not a bad idea to be able to have a quick tool to identify an image as AI generated.

      And after reading your reaction to it, I am sure now that the watermark is for the best.

      • WhatIsDukkha

        today at 12:32 AM

        So you are in the"nothing to hide, nothing to fear" school of privacy rights?

        Only criminals and bad actors want private defaults?

        The burden of proof is proving there is some harm or problem that needs solving and noone has managed that in this thread or generally.

        • surgical_fire

          today at 3:32 AM

          > So you are in the"nothing to hide, nothing to fear" school of privacy rights?

          No, but you are in the school that teaches that false equivalence is valid rationale.

          > Only criminals and bad actors want private defaults

          As I was saying.

          > The burden of proof is proving there is some harm or problem that needs solving and noone has managed that in this thread or generally.

          "Burden of proof" is a concept borrowed from legal practice where the accuser has to offer proof that the accused commited a crime.

          No crime is being implied here. Watermarking is actually a useful feature so that people can easily identify images as AI generated.

        • dylan604

          today at 12:50 AM

          Not sure what's to hide here. The caveat depends on what data is encoded into the watermark. If it's as simple as the date generated and the system that generated it so that it is easily identifiable as AI generated, I'm fine with it. Hell, I'd even say it'd be cool to embed all of the prompts used to generate the image. If it's also including the name of the user or account ID, then we start getting into gray areas. Since I'm not really on the AI hype train, I'm not all that opposed to that info either. I'll never use it so it won't affect me mindset kicks in on this one, but I'd be okay either way for/against embedding user identifiable info.

• janalsncm

  yesterday at 10:25 PM

  Strictly speaking, DRM = digital rights management, which is related to intellectual property.

  SynthID would only be DRM if Google/OpenAI were claiming IP rights over their images. I don’t even know if that’s legal though.

  • WhatIsDukkha

    yesterday at 11:19 PM

    What value does "strictly speaking" bring to the discussion?

    So that you don't have to address any of the issues?

    • janalsncm

      today at 12:36 AM

      Words matter? DRM means digital rights management, not simply any kind of metadata a person doesn’t like.

      • WhatIsDukkha

        today at 12:46 AM

        Yes... they do matter, perhaps using care in your understanding before attempting to nitpick?

        https://en.wikipedia.org/wiki/Digital_rights_management#Wate...

        • fc417fc802

          today at 2:57 AM

          Perhaps bother to read what you linked before being snarky?

          > They are not complete DRM mechanisms in their own right, but are used as part of a system for copyright enforcement ...

          Because watermarks in and of themselves are not, in fact, DRM. Even if I agree that their mass adoption by BigTech is a really bad sign for personal privacy and (eventually) freedom.

          • WhatIsDukkha

            today at 3:10 AM

            Yes I did read it years ago and again today?

            If you read my original point you'd see I said "weird DRM glorp" which you and other have tried, and failed to only closely parse "DRM" so that you could nitpick poorly.

            It is integral and part of DRM systems and certainly "weird DRM glorp" for an actual close reader.

            DRM is not just "I cant watch X movie because DRM" even if that is the statistically prevalent understanding of DRM.

            Its a suite of technologies of which watermarking is one of.

    • dylan604

      today at 12:52 AM

      Because DRM is primarily used to ensure the content is not shared in a way the owner does not allow. That is not what SynthID is doing. All it does is allow people to know it is a generated image specifically for when it starts to be widely shared on the internet.

      So strictly speaking brings a lot to the discussion when you actually think about it. Stating that DRM != SynthID is addressing issues where people seem to think that DRM == SynthID. Those people are wrong, and strictly speaking need to be corrected.

      • WhatIsDukkha

        today at 1:03 AM

        You are making a category error --

        "this image made by OpenAI" is a drm assertion

        You wont be able to assert copyright of the picture that you added an OpenAI red bowtie to, thats a DRM issue.

    • drdeca

      today at 12:27 AM

      Accuracy is valuable.

• runarberg

  yesterday at 11:54 PM

  For the record: https://en.wikipedia.org/wiki/Printer_tracking_dots

• Barbing

  yesterday at 10:09 PM

  > How old is photoshop and why is it exempt?

  How does today’s maximum theoretical disinformation output per minute compare to 2021 Photoshop?

  • WhatIsDukkha

    yesterday at 11:21 PM

    Its 2026... people are deliberately choosing to live in their own realities with no care about objective facts or moral choices.

    So weird images are a big problem? No they don't matter at all.

    • Barbing

      yesterday at 11:29 PM

      Political deepfakes on the mind here more than weird stuff.

      • WhatIsDukkha

        yesterday at 11:31 PM

        "I could stand in the middle of 5th Avenue and shoot somebody and wouldn't lose any voters, ok? It's, like, incredible." — Donald Trump

        So what does a deepfake matter?

        • Barbing

          today at 1:35 AM

          Are there other politicians? Do disgruntled employees have bosses? Ex partners?

          A national news story in the US tonight, Lyft driver caught faking photos of his messy car. Not the most intelligent fraudster as he left the Gemini logo on the corner of the image.

          Providing these four examples in good faith :) also generally I _dislike_ DRM

          • WhatIsDukkha

            today at 3:13 AM

            Against MILLLIONS of legitimate uses which you don't seem to care to protect?

            You should also think about whether, suddenly, courts can now trust images they see because this technology exists?

            I think thats not even basically plausible.

    • surgical_fire

      today at 12:18 AM

      If they don't matter, neither does a watermark.

      • WhatIsDukkha

        today at 12:40 AM

        and you need the watermark to tell you the fish with the mustache is fake...

        What image is going to change your worldview so radically that the drm saves you?

        edit - to be clear you are watermarking 100,000 fishes with mustaches because of your concern over 1 image that "matters" (and you don't even have an image that matters in mind)

        • surgical_fire

          today at 12:45 AM

          Yes, let's pretend they are adding watermarks because of fishes with mustaches.

• doctorpangloss

  today at 1:17 AM

  You: "performative nonsense! Arbitrary metadata not of my choosing!"

  Also you: well, games go through some kind of distribution, which has plenty of telemetry and metadata. Whether it is App Store with notarization, or Steam or Itch who collect analytics and know a lot about you, or your ISP if you self host your eclectic WebGL game from home. Posting on an iPhone or Android phone, to hacker News which has your email address, on your cell network which has IPv6 globally unique addresses...

  "But my choosing!" You'll say. It is extremely performative of you to say, "everything that would make me 200% wrong isn't valid."

  I don't know. I really hate these vibes-driven reactions to (checks notes) content attribution. Every accusation is a confession in this frame of mind. How do you not see that?

  • WhatIsDukkha

    today at 1:30 AM

    You are asserting that the existence of metadata in other venues to be proof that this form of watermarking metadata is just fine with you and should be for everyone else because... nope don't see any reason listed here.

    I have an IP address so therefore this is all fine?

    "Every accusation is a confession" also seems like an insinuation that I have something to hide but you have "nothing to hide, nothing to fear"ie the very generic privacy right fallacy.

    As for "vibes driven"... this whole technical "fix" is a result of the reactionary "vibe" of the ai moral panic, your "notes" don't seem to be providing any perspective there?

Good. Despite people saying it will be removed, I have seen no reproducible repo demonstrating it.

• raincole

  yesterday at 8:32 PM

  Stable Diffusion with 10%~15% denoising strength. Done.

  I tested the day 1 when Nano Banana Pro was released and it worked. It still works today for Nano Banana 2.

  I didn't post this anywhere because I (arrogantly) thought saying it publicly would make the internet worse. But it was pure arrogancy: if I came up with this the first day then of course other millions of programmers did too.

  That being said, it'll introduce the typical artifacts from SD models and that might be detected by other methods (or just by zooming in a lot and looking carefully).

  • vunderba

    yesterday at 8:40 PM

    Yup, OOC a while back I put together a ComfyUI node that took in a NB image and start with the smallest amount of denoise strength using Flux.1 (but works with any model), then run img2img with a synthid check incrementing denoise in a loop until it was defeated.

    Never released it, but it was obvious to most people in the SD community that denoising using a diffusion model was a relatively trivial means to beat most steganographic watermarks.

    • londons_explore

      yesterday at 9:24 PM

      Yet is in itself fairly trivial to detect assuming you use some open-weight image model as a base.

  • zulban

    yesterday at 9:43 PM

    > if I came up with this the first day then of course other millions of programmers did too.

    Don't sell yourself short. I'm sure it was only hundreds of thousands.

  • amazingamazing

    yesterday at 8:44 PM

    Post a repro. I can do that too but then the similarity index is weak. The point is that it it looks indistinguishable then the integrity persists.

    In my tests the image looks clearly distinct. In other words, if you can tell the difference then it isn’t a good test.

• DonsDiscountGas

  yesterday at 10:32 PM

  Probably a lot easier to use a different model in the first place

• dvngnt_

  yesterday at 10:23 PM

  It will but many people won't as i've seen disinformation that could be detected by synth-id.

• post_it_loser

  yesterday at 9:18 PM

  [flagged]

Currently, this article is conveniently right next to it: https://news.ycombinator.com/item?id=48200569

First they verify whether a picture came from OpenAI, then they'll include subscriber data and geolocation.

Well, they'll finally find out that no one wants to look at AI generated pictures or text. Once they do that, the tool will fail for the public and only work for the government.

• Gigachad

  today at 1:16 AM

  Seemingly the only use for photo realistic ai generation is deception. We are already seeing AI generated video used in political ads in America.

Aren't these kinds of watermarks easy to remove or distort? Seems like they're only helpful as long as people are relying on them sparingly so it's not worth the effort to circumvent.

If social media platforms started banning images with these watermarks seems like they'd be stripped out overnight.

• amazingamazing

  yesterday at 8:15 PM

  No, they are very resistant to modification that can be done easily. That being said I doubt it is impossible

  • janalsncm

    yesterday at 10:29 PM

    Yeah cropping, color shifting, resizing and compression don’t remove it. That said, there’s pretty well known workarounds:

    https://github.com/wiltodelta/remove-ai-watermarks

    • surgical_fire

      today at 12:21 AM

      The sort of people that generate AI images that need a watermark are not exactly the kind of people prone for this sort of effort.

  • snissn

    yesterday at 8:20 PM

    I’m surprised! I guess I’m being naive but I would imagine you could pass an image to an image model without synthid and have it reconstruct the image in a net new way without the markers. I guess I’m wrong? That’s cool if the watermarks are so deeply ingrained that they persist

    • cephei

      yesterday at 8:27 PM

      As I understand it, they modify the image by applying a special Gaussian noise filter which affects each pixel in the image in subtle (possibly not reversible) ways. The detecting service will look for this noise pattern to flag it, so even a part of the image is enough to know it was generated by AI.

      • vitorgrs

        yesterday at 10:37 PM

        Yes, Gemini can actually say how much of the image is AI generated.

• Tiberium

  yesterday at 8:14 PM

  I still don't think there's a single GitHub repo that actually removes real SynthID watermarks from Nano Banana 2/NBPro outputs. Most of them are just some research projects that haven't achieved this. The only methods so far I've seen are weird tricks with transparency/overlaying the original image if you're using edits, and also using a diffusion model to regenerate the NB-generated image at low noise levels, but this also modifies the original.

  • vunderba

    yesterday at 8:44 PM

    Right I think that’s why you probably need to start with very low levels of denoising and experiment with different approaches.

    Set up as a ComfyUI workflow that does a few things: it tries SDXL, Flux, and a couple of different denoising methods at the lowest possible strength (progressively incrementing) to avoid changing the image too much, while also running a SynthID check each time, and repeating this in a loop until the watermark is essentially gone.

    At the same time, you’d probably want to add some kind of threshold based on a perceptual hash aka the maximum perceptual quality difference you’re willing to accept.

• programd

  yesterday at 8:40 PM

  Define easily. There is an approach that apparently works and is based on spectral analysis of the images.

  https://github.com/aloshdenny/reverse-SynthID

  • toraway

    yesterday at 9:44 PM

    FWIW there are a few people in the issues saying that the tool is giving false negatives and the output image gets flagged by the actual Gemini API as having SynthID. Most recently 3 weeks ago without a response.

• Arnt

  yesterday at 8:24 PM

  This one was released a few years ago and still seems unbroken. I'm sure it will be broken at some point, but if you have to wait a year or two from when you make a deepfake until you can post it on Facebook, maybe that's enough. Maybe even a month is enough.

• ZeWaka

  yesterday at 9:26 PM

  I imagine the technique of having AI recreate the image from scratch based on a very detailed description might work.

  • raincole

    yesterday at 9:36 PM

    That'd not work with today's technology. No open model's prompt adherence is anywhere remotely close to ChatGPT/NanoBanana. 'remotely' here is a funny understatement, as I don't have a strong enough word in my vocabulary to describe how far the open models are behind the closed ones.

    Writing a more detailed description does not make the models stick to it more.

    • vunderba

      yesterday at 9:42 PM

      Definitely. I run an entire site built around a series of benchmarks that focus on prompts of increasingly difficult complexity with a focus on adherence, and even the state-of-the-art local models are probably only about thirty percent as good as proprietary models like Gemini 3.1 Flash Image and GPT Image 2.

      Comparing Qwen-Image, Flux.2, ZiT, NB2, and gpt-image-2

      https://genai-showdown.specr.net/?models=qi,nbp3,f2d,g2,zt

Is it like metadata in mp3?

If I take a screenshot of an AI image, will that then be seen as an AI image? Is that 'hidden in the image' or as metadata?

• nojs

  today at 4:16 AM

  It’s in the image, designed to survive those kinds of operations

Seems inferior to C2PA, which is actually an open standard: https://contentauthenticity.org/

While these are great, isn’t the problem that malicious actors will create systems that do not use synthID

• nerdsniper

  yesterday at 8:56 PM

  It helps significantly in the current moment. A lot of people are lazy and are getting caught quickly by SynthID.

  Eventually it won’t matter when image generation is cheap. But few self-host today and few are willing to pay unsubsidized prices, so the vast majority are using the Gemini, OpenAI, and Midjourney. If all 3 adopted SynthID, only a small fraction would use something else.

  • yesterday at 9:04 PM

  • echelon

    yesterday at 9:39 PM

    These systems should be removed.

    This is antithetical to freedom and privacy.

    There should be no way for anyone to track down who posted a political meme, anti-religious message, or any other legally protected speech. This will come back to bite us in the ass if we keep building it.

    Soon every image or communication we make will be watermarked if we continue to let this shit seep into the commons. Everything from your phone photos, to your screenshots, to your social media posts.

    One day soon Republicans or Democrats or whoever doesn't like your freedoms will use this tech to identify you and control you.

    There are laws for harms - CSAM, revenge porn, etc. Social media platforms can identify, ban, and report abusers. The framework of the law can take care of the rest.

    Our digital footprint should not be tracked and barcoded.

    • Barbing

      today at 1:53 AM

      Any privacy-respecting way for these big labs to keep selling their generators while minimizing e.g. political deepfake harms?

      > Social media platforms can identify, ban, and report abusers.

      & do but Americans nonetheless argue with troll farms[1] every day & it hurts us

      [1] 2013-2023, just one known company https://en.wikipedia.org/wiki/Internet_Research_Agency

      • echelon

        today at 2:15 AM

        > minimizing e.g. political deepfake harms?

        When your average gullible person will fall for a jpeg and a quote, you don't even need deepfake content. You just need to say something and they'll take it at face value. Deep fakes aren't even necessary. AI literally does not even matter.

        If there's such a thing as a "sophisticated actor", they'll be able to remove identifying marks. Not that they'll need to.

        What you'll be left with is the 99% of society that has everything they do tracked, and eventually platforms that won't allow anything except for signed and attested communication to take place.

        We're building our own mouse trap here. Why don't you see this?

        > & do but Americans nonetheless argue with troll farms[1] every day & it hurts us

        Again, you don't even need the specter of AI. You just need to say words and certain people will trust it. There's nothing you can do about that. Yellow journalism and propaganda has been a thing for longer than any of us have been alive.

        The "fix" you're proposing is a tool to put us all into permanent shackles. It is a tool that will strip away our rights and put us all into shackles. Perhaps within our lifetimes.

        Stop building and advocating for this shit.

    • croes

      yesterday at 11:46 PM

      > There are laws for harms

      These laws need a method to know what is true and what is fake. Good luck with that if you can’t tell if neither images, audio or video are true.

      This fakes will pave the way for fascists.

      How much freedom and privacy will they allow?

    • toraway

      yesterday at 9:53 PM

      That's a lot of hyperbole, there's no cause/effect relationship I can think of here that could realistically produce your slippery slope.

      Google or anyone else could start adding those unique tracking watermarks you're concerned about any time they want, regardless of whether they use this AI detection watermark, that to be clear can not track you in any way.

      • akersten

        yesterday at 10:28 PM

        > That's a lot of hyperbole, there's no cause/effect relationship I can think of here that could realistically produce your slippery slope.

        Have you been watching the headlines over the last year? It's like there's a global push towards locked down and verified computing (age verification, TPMs everywhere, Captchas that only work on non-rooted phones, ...).

        You can look out the window and see movement in this direction happening right now. Governments and corporations around the world can't get enough of this shit. Privacy matters, advocating for it is not a "slippery slope."

        > this AI detection watermark [...] that to be clear can not track you in any way.

        Is that clear? We have no idea what metadata they are or aren't embedding in SynthID.

        > Google or anyone else could start adding those unique tracking watermarks you're concerned about any time they want,

        The point is that this is bad and should be denounced!

      • echelon

        yesterday at 10:24 PM

        I'm not going to mince words - what you're saying is dangerous and harmful.

        > to be clear can not track you in any way

        All they have to do is encode enough entropy for a database unique identifier. Systems like this have been used to do it for audio:

        https://github.com/swesterfeld/audiowmark

        SynthID payloads work the same way, and the paper discusses encoding a "user identifier":

        https://arxiv.org/html/2510.09263v1#S5

        All you need to do is encode a database identifier, GeoIP, or other identifying information, and you've violated a person's privacy without their knowledge or consent.

        Once these systems become popular, the intelligence agencies will "suggest" that Google adds it to their phone cameras. It will start seeping into everything.

        The "slippery slope" is not a fallacy. We're on the verge of having device attestation and identity verification to use the internet. This is so beyond fucked.

        Stop defending this.

        Saying this is okay is EVIL.

        • surgical_fire

          today at 12:28 AM

          You are not required to use AI generation for images.

          You can go on living your life without it. I believe in you.

          • echelon

            today at 2:13 AM

            Hatred for AI and cheering a loss of privacy are strange bedfellows.

            Would not have been on my bingo card.

            • surgical_fire

              today at 3:29 AM

              I don't really hate AI. You presume too much.

What if they use advanced evasion techniques like printing it out and scanning it or taking a photo with their phone?

• Retr0id

  yesterday at 9:54 PM

  SynthID is fairly resistant to this sort of thing, although not perfect.

I think this is a move by openai/google to prevent their own models from training on ai slop rather than some morally righteous public initiative.

Well that's not very useful. I think that can easily be hacked and many people were doing that frankly

Is there no way to do this without uploading it?

• woadwarrior01

  yesterday at 9:08 PM

  I'd built an on-device app for detecting C2PA and IPTC metadata in images, amongst other things. I might be able to add support for SynthID detection once it's been reverse engineered.

• duskwuff

  yesterday at 8:24 PM

  Currently, there is not. OpenAI has promised "public verification tooling" down the line, but I'll believe it when I see it.

While this is definitely one of the topics of the moment. I find these threads really just ragebait magnets. A bunch of people effectively talking past one another: privacy vs preserving the status quo.

It's certain now that most of the Western world has slid into fascism. Privacy and common decency advocates are all but lost.

I will say this, for everyone celebrating this as something that is "extremely beneficial to the cultural moment",

If I were an adversarial nation-state actor, I might be extremely interested in reverse engineering this and poisoning the well by applying it to real images.

Let's make the world impossible to understand.

I'm annoyed that Google is keeping it closed-sourced and limited to partners. Is there a negative externality about open-sourcing image watermark technology so anyone can use it and audit the watermarks independently? If not, then I may have a repository for an open-source invisible and tamper-resistant image watermarking approach that's feature complete...

• thisisthenewme

  yesterday at 9:07 PM

  potentially to stop bad actors from poisoning datasets by just adding the filter to real pictures?

• parhamn

  yesterday at 8:29 PM

  might be easier to strip it?

• bsder

  today at 12:20 AM

  The fact that they have to keep this closed source is a giant red flag. It means that you can copy it or strip it if you have the knowledge.

  I'm not all that worried about stripping it (I'm sure that's trivial).

  The problem that I am worried about is that it can be copied (I'd bet $20 that's trivial, too). People WILL put this on images so that they can be "discredited".

What happens if you generate an image with only a single pixel color or say two colors?

• akersten

  yesterday at 10:30 PM

  This was done in the past, Google saw it, and now either refuses to generate or doesn't emit the SynthID watermark for those images

• userbinator

  today at 12:35 AM

  You create an image so trivial that no one would care if it was AI-generated or not.

• SiempreViernes

  yesterday at 10:19 PM

  You waste a lot of compute on overhead?

so ? people wanting to make AI propaganda will just make tool to remove it. Possibly using AI to do it too

• pta2002

  yesterday at 8:36 PM

  I assume a selfish benefit is that OpenAI and Google don't want the models to train on their own data. There is just /so much/ AI generated content online that they definitely need to filter it out somehow when assembling the training data. This is a pretty effective way to do that, with the nice bonus of being mostly good from a PR standpoint.

  • sgc

    today at 12:09 AM

    I immediately thought that was the real reason. Their models will quickly break without some sort of consensus on how to reliably exclude them.

[dead]

[dead]

• bstsb

  yesterday at 8:41 PM

  always trust a vibe-coded website which uses a Discord bot as its backend

  (i'm sure there are countless bypasses out there, but please don't use something like this)

• amazingamazing

  yesterday at 8:48 PM

  You can tell the difference in the example with your bare eyes lol

  • Retr0id

    yesterday at 10:01 PM

    Why does this matter?