Google AI watermarking system faces reverse‑engineering, researchers claim

The open‑source effort, posted on GitHub under the moniker “Aloshdenny,” hinges on a surprisingly low‑tech recipe: 200 Gemini‑generated “pure black” images, a handful of signal‑processing tricks, and “way too much free time,” the developer writes on Medium. By amplifying contrast and saturation, then denoising the result, the method isolates the faint sinusoidal patterns that SynthID embeds in each pixel at generation time. Averaging those patterns across the sample set yields a frequency‑domain map of the watermark’s magnitude and phase, which can be applied to other images to confuse Google’s decoder without visibly degrading the picture, according to the developer’s own breakdown (The Verge). The author even jokes that a little weed helped the process, underscoring the informal, hobbyist vibe of the project.

SynthID, Google DeepMind’s near‑invisible watermark, was introduced as a defensive layer against AI‑generated content misuse. It stamps every image produced by Google’s models— from the whimsical “Nano Banana” generator to the more serious “Veo 3” and even YouTube’s AI‑creator clones— directly into the pixel data. Google has claimed the watermark is “difficult to remove without degrading image quality,” positioning it as a cost‑raising deterrent rather than an unbreakable lock (The Verge). The developer’s experiments, however, reveal that while a complete erasure remains elusive, the watermark can be partially stripped enough to fool detection tools. Side‑by‑side comparisons posted by Aloshdenny show only minimal visual differences after the partial removal, suggesting the attack lowers the barrier for “script‑kiddies” who might otherwise be deterred.

Google’s response, as reported by The Verge, is that the claim of a full reverse‑engineering is “not true.” The company maintains that SynthID’s design still forces attackers to expend significant effort, and that the best results so far merely “confuse the decoder” rather than eliminate the signal entirely. This nuance matters: the watermark’s purpose is to raise the cost of misuse, not to be mathematically unbreakable. Aloshdenny’s own admission— “the best I could pull off was confuse the decoder enough that it gives up” — aligns with Google’s original intent, even as it highlights a potential weakness in the system’s robustness (The Verge).

The broader AI community is watching closely because SynthID represents one of the few widely deployed provenance tools in the generative‑image space. If a relatively simple pipeline can generate a usable “decoder‑confusing” key, other developers may adopt similar tactics, potentially eroding trust in watermark‑based attribution. Yet the technical barrier remains non‑trivial: the process requires a curated set of pure‑color images from the same model, careful frequency analysis, and manual tweaking of removal angles. As The Verge notes, “it’s not perfect. But it’s not trying to be unbreakable. It’s trying to raise the cost of misuse high enough that most people don’t bother,” suggesting that the current level of effort may still deter casual abusers.

Analysts have not yet quantified the impact on Google’s AI product ecosystem, but the episode underscores a recurring tension between watermarking as a defensive measure and the ingenuity of open‑source reverse‑engineering. For now, SynthID continues to appear on most Google‑generated media, and detection tools still flag many watermarked images. Whether the community will see a wave of refined removal scripts or whether Google will iterate on its watermarking algorithm remains to be seen. What is clear, per the developer’s Medium post, is that “every nonzero pixel is literally just the watermark staring back at you,” and that a determined hobbyist can at least make that watermark blink.