Google and other tech firms have been developing new ways to watermark AI-generated images. They designed these imprints to help distinguish AI-made pictures from human-made ones, protecting artists from potential copyright issues. However, University of Maryland researchers say these methods do not work.
Artificial intelligence is becoming more adept at creating content that previously required humans. Consequently, artists fear people could use generative AI programs to create art that mimics their style, cutting into the income they earn from their work. Hence, we should check whether the available options provide reliable copyright protection.
This article will explain how University of Maryland researchers found that watermarking AI pictures isn’t effective. Also, I will discuss available AI copyright protections like Google’s SynthID and the Glaze program.
Why is watermarking AI images ineffective?
University of Maryland researchers tested the effectiveness of AI watermarks and shared their findings in an arXiv paper titled “Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks.”
Soheil Feizi, associate professor of computer science, explained his team’s findings in an email to The Register. “In this work, we reveal fundamental and practical vulnerabilities of image watermarking as a defense against deepfakes,” he wrote.
“This shows current approaches by Google and other tech giants to watermark the output of their generative images as a defense is not going to work,” Feizi added. His team’s study points to a trade-off between two important factors.
The first is the evasion error rate: the percentage of watermarked images the detector misses, also known as false negatives. The second is the spoofing error rate: the percentage of unmarked images the detector flags as watermarked, otherwise known as false positives. The Register explains that watermark detection systems can keep false negatives or false positives low, but not both at once.
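To make that trade-off concrete, here is a toy Python illustration. The detector scores and threshold values are made up for demonstration; they do not come from the paper.

```python
# Toy demo of the evasion/spoofing trade-off: moving the detection
# threshold lowers one error rate but raises the other.
import numpy as np

rng = np.random.default_rng(0)
# Simulated detector scores: watermarked images tend to score higher,
# but the two distributions overlap.
scores_watermarked = rng.normal(0.7, 0.15, 1000)  # truly watermarked
scores_clean = rng.normal(0.4, 0.15, 1000)        # truly unmarked

for threshold in (0.45, 0.55, 0.65):
    evasion = np.mean(scores_watermarked < threshold)   # false negatives
    spoofing = np.mean(scores_clean >= threshold)       # false positives
    print(f"threshold={threshold:.2f}  "
          f"evasion={evasion:.2%}  spoofing={spoofing:.2%}")
```

Raising the threshold makes spoofing rarer but lets more watermarked images slip through, and vice versa.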
For images with near-invisible (low-perturbation) watermarks, the paper’s authors developed an attack called diffusion purification, a technique originally proposed as a defense against adversarial examples, which are inputs crafted to make machine learning models err. The attack adds Gaussian noise to an image and then denoises it with a diffusion model, wiping out the embedded watermark data along the way.
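Here is a minimal sketch of the noise-then-denoise idea, using an off-the-shelf image-to-image diffusion pipeline that injects noise and denoises in one call. The model name, strength value, and file paths are illustrative assumptions, not the paper’s actual setup.

```python
# Sketch of diffusion purification: add noise, then denoise with a
# diffusion model. Requires the Hugging Face "diffusers" library.
import torch
from diffusers import StableDiffusionImg2ImgPipeline
from PIL import Image

pipe = StableDiffusionImg2ImgPipeline.from_pretrained(
    "runwayml/stable-diffusion-v1-5", torch_dtype=torch.float16
).to("cuda")

watermarked = Image.open("watermarked.png").convert("RGB")  # hypothetical input

# "strength" sets how much Gaussian noise is injected before denoising:
# enough to destroy a low-perturbation watermark, little enough to keep
# the image visually intact.
purified = pipe(prompt="", image=watermarked, strength=0.2).images[0]
purified.save("purified.png")
```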
That enabled pictures with invisible watermarks to bypass detection. The researchers also devised a spoofing mechanism that makes non-watermarked images appear watermarked.
“Our [high-perturbation] attack functions by instructing watermarking models to watermark a white noise image and then blending this noisy watermarked image with non-watermarked ones to deceive the detector into flagging them as watermarked,” the paper explained.
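In outline, the spoof blends a watermarked noise image into a clean one. The sketch below uses a do-nothing placeholder where the real watermarking model would go, and the blend weight is an assumption:

```python
# Sketch of the spoofing attack: watermark white noise, then blend it
# into a clean image so a detector flags the result as watermarked.
import numpy as np

def watermark_model(img):
    # Placeholder for a real watermarking model's encoder; it returns the
    # image unchanged so this sketch runs end to end.
    return img

rng = np.random.default_rng(0)
noise = rng.random((512, 512, 3))        # white-noise image in [0, 1]
wm_noise = watermark_model(noise)        # watermarked white noise

clean = rng.random((512, 512, 3))        # stands in for a real, unmarked photo
alpha = 0.1                              # blend weight: small enough to be subtle
spoofed = (1 - alpha) * clean + alpha * wm_noise
```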
The authors told The Register they did not analyze Google or OpenAI’s mechanisms, “but our attacks are able to break every existing watermark that we have encountered.”
What are the latest AI watermarking methods?
The study mentioned Google’s AI watermarking technique, so let’s discuss it briefly. Google calls it SynthID, a tool that lets users “add a watermark to their image, which is imperceptible to the human eye.”
Pushmeet Kohli, DeepMind research head, said the system modifies pictures so subtly “that to you and me, to a human, it does not change.” Moreover, he claims manipulating the image does not remove the watermark.
“You can change the color, you can change the contrast, you can even resize it, [and DeepMind] will still be able to see that it is AI-generated,” Kohli said. In contrast, such edits can remove conventional watermarks.
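SynthID’s detector is not a public local API, so the snippet below only illustrates the kind of robustness test Kohli describes; detect() is a stand-in, and the file path is hypothetical.

```python
# Illustrative robustness check: edit an image several ways, then ask a
# (placeholder) watermark detector whether the mark survives.
from PIL import Image, ImageEnhance

def detect(img):
    # Stand-in for a real watermark detector; always answers True here
    # so the sketch runs end to end.
    return True

img = Image.open("ai_generated.png").convert("RGB")
edits = {
    "recolored": ImageEnhance.Color(img).enhance(1.5),
    "contrast": ImageEnhance.Contrast(img).enhance(1.3),
    "resized": img.resize((img.width // 2, img.height // 2)),
}
for name, edited in edits.items():
    print(name, "still detected:", detect(edited))
```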
Google Cloud claims it “is the first cloud provider to offer a tool for creating AI-generated images responsibly and identifying them with confidence.” It plans to expand the feature to other AI models.
Glaze is another emerging image-protection tool, made by University of Chicago researchers. It detects the characteristics an AI generator would manipulate and then obscures them to protect a digital image. Here’s how it works (a rough sketch of the cloaking step follows the list):
- SAND (Security, Algorithms, Networking, and Data) Lab researchers created Style Transfer algorithms similar to those in generative AI art models.
- Then, they integrated those algorithms into Glaze.
- An artist cloaks an image with the software.
- Glaze uses the Style Transfer algorithms to recreate the picture in a specific style, such as cubism or watercolor, without changing its content.
- Next, Glaze identifies which characteristics changed between the original and the recreation.
- It subtly distorts those features in the image the artist shares online.
- Consequently, an AI model that trains on the cloaked picture misreads the artist’s style, while the image looks unchanged to human viewers.
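The sketch below captures the general idea as a small optimization: nudge the image so a feature extractor “sees” the style-transferred target. Glaze’s real models, losses, and perceptual constraints differ; the extractor, step count, and budget here are assumptions for illustration.

```python
# Glaze-style cloaking sketch: optimize a small perturbation so a feature
# extractor reads the cloaked image as the style-transferred version.
import torch
import torchvision.models as models

device = "cuda" if torch.cuda.is_available() else "cpu"
extractor = models.resnet50(weights=models.ResNet50_Weights.DEFAULT)
extractor.fc = torch.nn.Identity()  # keep penultimate-layer features
extractor.eval().to(device)

# Random tensors stand in for the artwork and its style-transferred version.
original = torch.rand(1, 3, 224, 224, device=device)
styled = torch.rand(1, 3, 224, 224, device=device)

with torch.no_grad():
    target_feat = extractor(styled)

delta = torch.zeros_like(original, requires_grad=True)
opt = torch.optim.Adam([delta], lr=1e-2)
budget = 0.03  # max per-pixel change, keeping the cloak hard to see

for _ in range(200):
    opt.zero_grad()
    feat = extractor((original + delta).clamp(0, 1))
    loss = torch.nn.functional.mse_loss(feat, target_feat)
    loss.backward()
    opt.step()
    with torch.no_grad():
        delta.clamp_(-budget, budget)  # enforce the perceptual budget

cloaked = (original + delta).detach().clamp(0, 1)
```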
We cannot confirm whether the Maryland researchers could fool these specific systems at the time of writing. Yet they might be able to bypass Glaze, because Glaze relies on adversarial examples, exactly the kind of added perturbation their diffusion purification attack was designed to strip away.
Conclusion
University of Maryland researchers claim AI watermarking methods from Google and other prominent firms don’t work. They shared methods that can allegedly bypass these systems.
The Register says it asked Google and OpenAI to comment on these claims, but neither responded at the time of writing. Nevertheless, we need a way to distinguish between AI-generated and human-made materials.
Otherwise, the machines may dominate some of humanity’s deepest essences: self-expression and creativity. Learn more about the latest digital tips and trends at Inquirer Tech.