Watermarks

As AI becomes more prolific, it's increasingly important for people and for platforms to be able to differentiate between generated content and human-created content. For consumers, this helps you sort through the bombardment of online content with more confidence and agency. For creators, this protects the rights of your content from reproduction and counterfeits. For researchers and platform owners, this protects the quality of the inputs into your work.

Watermarks help us by adding or identifying tracers into text, images, sounds, and video when it's created digitally by a model.

[Note: For the sake of simplicity in terms, this will combine the two approaches of digital watermarking and content provenance into one term]

Watermark types

Overlay watermarks are visual symbols or text added superficially to the content as a post-processing technique. They can be added by generators or assigned by platforms for the content is seen. Overlay watermarks are not integrated into the structure of the content and can therefore be easily removed.

Steganographic watermarks embeds patterns into the content that are imperceptible to humans. These might include subtle changes to pixels in video and images, additional spaces in text, or slight note changes in audio files. While slightly better protected than overlay watermarks, these can be masked intentionally or by bad actors through small changes to the file such as adding a gaussian blur.

Machine learning watermarks user a new approach that relies on machine learning models to add a distinct key to the content that can only be read by other models. This is the process Meta is using in their SynthID approach. They are stronger than the first two types, but can be degraded as the image is modified.

Statistical watermarks are random patterns injected into the image, audio, or text by the generator itself. While still impacting the content at the surface level (and not the foundational structure of the content), the randomness of this approach makes it far more difficult to crack or mask, especially for the average use.

Compared to content provenance

This alternative approach embeds data into the origin (or provenance) of the content itself, creating a digital fingerprint on the content's metadata. Content provenance requires the cooperation of content generators and digital platforms to create and enforce these standards.  Many large tech platforms have signed onto a pledge to incorporate standards developed by the Coalition for Content Provenance and Authenticity (C2PA), which defines a common format that is cannot be tampered with without leaving traces of manipulation. This data could then be read by any platform that adopts the protocol, including the full history of modifications.

Regulatory landscape

Early steps are being taken by many governments to enforce watermarks in both scenarios.

• China requires source-generated watermarks, as well as the footprint pattern of including metadata in the filename when downloaded.
• The European Union's AI Act imposes similar standards regarding labeling generated content, and also imposes requirements on foundation models to ensure transparency and compliance with copyright law.
• In the United States, a 2023 Executive Order established standards for watermarking and regulation, but requires action by Congress to codify these standards for enforcement.

The implications of this regulatory tapestry remain to be seen. If you are working on a foundational model or generative tool, you can prepare by developing principals and standards to evaluate the product experience. If you are working on a platform, think through how to label this content in different scenarios.

There is not a conventional approach established that mitigates the conflicting risk to this issue, and most likely it will need to be solved through a combination of regulation and source code. Additional innovation is being pursued through other means, like MIT's work on PhotoGuard, which essentially blocks generative tools from manipulating certain aspects of an image.

Designers can lean in to help establish human-centered principles and conventions, and carefully construct copy and caveats to help users be as informed as possible.

If you want to track the progress of this issue, here are some resources to get started:

Articles and Explainers

• MIT Technology Review: Clair Leibowicz on the ways watermarks can (and cannot) instill trust in consumers
• EU Parliament: Whitepaper on Generative AI and Watermarking
• Hugging Face: On AI watermarking
• Brookings Institute: Detecting AI fingerprints
• Deepmind: How watermarking works
• UofM Research: Invisible Image Watermarks Are Provably Removable Using Generative AI
• Content Authenticity Initiative: The three pillars of provenance that make up durable Content Credentials

Policies, Protocols, and Tools

• White House: Executive Order on AI
• AI Act: European Union AI Act‍
• Partnership on AI: Synthetic media standards‍
• Coalition for Content Provenance and Authenticity (C2PA): Open protocol for AI generated content‍
• SynthID - Tool by Google intended to add watermarks to AI Generated content‍
• Stable Signature - Technology by Meta to catch AI Generated content‍
• Truepic: Platform technology enabling synthetic content identification using C2PA

Watermarks need to be accessible to be useful, but their form may change depending on the use.

• Watermarks can be visible to the user or imperceptible, depending on the use
• Give users some way to verify the authenticity of content if watermarks are not visible to the naked eye
• Consider ways to offer additional context such as caveats to inform them of the risk from false negatives and false positives in watermarking
• Where possible, use the emerging standards like the CR mark to decrease the cognitive load on users