Skip to content

Watermarking

Can AI watermarks be removed? An attack taxonomy and a realistic durability assessment

Can AI watermarks be removed? Yes: against a motivated, technically capable adversary, every published watermarking scheme degrades, and several attack classes have peer-reviewed demonstrations, including regeneration attacks that provably strip pixel-level image watermarks and recursive paraphrasing that collapses text watermark detection. But “removable” is not the same as “useless.” Watermarks reliably survive the transformations content undergoes in normal distribution (compression, resizing, re-encoding), removal always costs the attacker compute, quality, or both, and schemes embedded in the generation process resist far more than marks stamped on afterward. The engineering question is not whether a watermark is unbreakable (none is) but how much effort it forces from your actual adversary.

This page gives the attack taxonomy, what published research verifiably shows per modality, and a durability assessment you can plan against. For how the schemes work in the first place, start at the AI content watermarking hub.

First, separate accidental from adversarial

Robustness gets discussed as one property, but it is two:

  • Robustness to benign transformation. Thumbnailing, JPEG compression, platform re-encoding, format conversion, light cropping, excerpting a paragraph. Nobody is attacking; the distribution pipeline is just lossy. Production schemes are engineered specifically for this: Google states SynthID’s image and video watermarks are designed to remain detectable through cropping, filters, frame-rate changes, and lossy compression (DeepMind).
  • Robustness to adversarial removal. Someone who knows a watermark is present and wants it gone. Here the published record is sobering, and it is the subject of the rest of this page.

Conflating the two produces both overconfidence (“the vendor says it survives compression, so it is robust”) and defeatism (“a paper broke it, so watermarking is pointless”). Your compliance posture under EU AI Act Article 50 mostly depends on the first; your trust-and-safety posture depends on the second.

The attack taxonomy

1. Geometric and signal attacks: crop, compress, rescale, re-encode

The oldest class: destroy the watermark by degrading or transforming the carrier signal. Cropping removes the region carrying signal, aggressive compression quantizes it away, rescaling and rotation break spatial alignment between embedder and detector, and chained re-encoding accumulates loss.

Against modern generation-time schemes, this class mostly fails at attacker-acceptable quality. Meta’s Stable Signature (ICCV 2023) reports detecting the origin of a generated image cropped to 10 percent of its content with over 90 percent accuracy at a false positive rate below one in a million. The practical reading: to defeat a well-built media watermark with signal degradation alone, you typically damage the content past the point of being worth stealing. This class remains effective against naive post-hoc watermarks and against schemes never tested on the deployment pipeline.

2. Regeneration attacks: noise, then reconstruct

The strongest published attack on invisible image watermarks. Zhao et al., “Invisible Image Watermarks Are Provably Removable Using Generative AI” (NeurIPS 2024), add random noise to a watermarked image to destroy the embedded signal, then reconstruct the image with a denoiser or pre-trained diffusion model. The result looks like the original; the watermark is gone. Critically, the paper proves a guarantee for pixel-level invisible watermarks: after enough noise-and-reconstruct, no detector can work, regardless of scheme. This is not a cat-and-mouse result that a patch fixes; it is a structural ceiling for the entire class of watermarks that live in imperceptible pixel perturbations.

The same authors point at the way out: watermarks that constrain the semantics of the image rather than its pixels. Schemes like Tree-Ring watermarking, which embed a pattern in the diffusion model’s initial noise vector so the watermark shapes the generation trajectory itself, survive regeneration far better, at the cost of only working inside the generation process (nothing post-hoc) and, in Tree-Ring’s case, marking with a zero-bit “made by this model” signal rather than a recoverable payload.

The audio analogue exists too: diffusion-based removal of audio watermarks is an active research line, which is one reason localized detection (sample-level flags, as in Meta’s Meta Seal audio work) matters: an attacker must scrub everywhere, not just on average.

3. Paraphrase and rewrite attacks (text)

Text has no pixels to regenerate, but it has an equivalent: rewrite the words while keeping the meaning. Sadasivan et al., “Can AI-Generated Text be Reliably Detected?”, showed that recursive paraphrasing (running text through a paraphrasing model repeatedly) sharply degrades detection across detector families, including sampling-based watermarks, at modest quality cost. Since the attack is itself just LLM inference, the skill barrier is near zero: any user with access to a second model can attempt it.

Watermark designers knew this. The SynthID-Text Nature paper states plainly that detection performance is weakened by edits to the text, and independent follow-up work such as the robustness assessment of SynthID-Text probes exactly how much perturbation the scheme absorbs. Two structural aggravators are worth naming. Translation is paraphrase in another language and generally destroys token-level watermarks. And low-entropy text (code, factual snippets, boilerplate) carries little watermark to begin with, because there is no sampling freedom in which to hide signal; short excerpts compound the problem since statistical detectors accumulate evidence per token.

The realistic posture: text watermarks are evidence against unmodified and lightly edited machine text, and they raise the cost of laundering at scale (every paraphrase pass costs inference and risks quality drift). They are not durable against a determined individual laundering one document.

4. Adversarial and oracle attacks

Where the attacker uses optimization rather than brute transformation. Variants that appear in the literature:

  • Detector-oracle attacks. If the attacker can query a detector (a public verification endpoint, for instance), they can iterate perturbations until the detector flips, using it as a gradient-free oracle. This is an architectural argument for gating detection APIs and rate-limiting, and it is why fully public detectors weaken the very watermarks they verify.
  • Spoofing (the inverse attack). Instead of removing a mark, forge one: make human content read as watermarked, or transplant a mark onto content the generator never produced. Sadasivan et al. also study spoofing against text watermarks. Spoofing turns a watermark from evidence of origin into a tool for framing, which is why keyed schemes and controlled detector access matter.
  • Model extraction and key inference. With enough watermarked samples, an attacker can attempt to learn the watermarking pattern (for example, approximating the green-list partition of a Kirchenbauer-style scheme) and then evade or spoof it. Schemes rotate keys and use context-dependent pseudorandomness precisely to raise this cost.

5. The analog hole and capture attacks

The attack that needs no math: screenshot the image, screen-record the video, photograph the display, retype the text. Re-capture re-synthesizes the carrier signal from scratch. Robust media watermarks are explicitly designed to survive some of this (SynthID and Stable Signature target survival under screenshots and re-compression to varying degrees), but repeated capture chains degrade any embedded signal, and retyping text destroys a sampling watermark completely. Metadata-based provenance (C2PA) dies even faster here, which is the core of the detection vs provenance trade-off.

Durability assessment: what to actually expect

AttackSkill and cost to attackerPost-hoc pixel/audio marksGeneration-integrated marks (decoder or sampling level)Text sampling watermarks
Compression, resize, re-encodeNone (happens by default)Often survivesSurvives by designUnaffected (text) or survives excerpting moderately
Cropping and excerptingTrivialWeak to severe cropsStrong (Stable Signature: 90+% at 10% crop)Weakens on short excerpts
Regeneration (noise + reconstruct)Moderate: one diffusion passProvably removableSubstantially more resistant (semantic-level schemes)Not applicable
Paraphrase / translationTrivial with any LLMNot applicableNot applicableSharply degrades detection
Adversarial optimization with detector oracleHighEffective if oracle exposedEffective if oracle exposedEffective if oracle exposed
Analog hole / re-captureTrivialUsually fatalPartially survivableFatal (retyping)

Four planning conclusions fall out of the table and the research record:

  1. Design for the benign pipeline first, and test on it. The overwhelming majority of watermark “failures” in production are not attacks; they are untested interactions with your own CDN, transcoder, or thumbnailer. This robustness is achievable and is what Article 50(2)‘s “robust and reliable as far as this is technically feasible” language, per the official text, most plausibly demands of providers.
  2. Prefer generation-integrated schemes over post-hoc ones. The regeneration result draws the line clearly: watermarks living in imperceptible pixel noise are structurally removable; watermarks constraining the generation trajectory or baked into decoder weights force the attacker toward full re-generation, which costs them the content’s fidelity to the original.
  3. Treat text watermarks as friction and evidence, not proof. They catch unmodified machine text at scale and raise laundering costs. Layer them with provenance metadata and behavioral signals rather than making them a single point of truth.
  4. Protect the detector. Key management and gated detection access are part of the watermark’s security boundary. A public oracle is a free attack service; controlled access with logging is a defensible one.

The honest summary for decision-makers: watermark removal is real, published, and in some classes provable, yet watermarking still does exactly what a compliance and integrity control should do. It makes machine origin verifiable by default, survives the ordinary life of content, forces adversaries into costly and quality-destroying workflows, and produces the documented, machine-readable marking the EU AI Act requires. Fragility against the top of the threat pyramid is an argument for layering, not for skipping the layer.

Webisoft stress-tests and builds watermarking pipelines against exactly these attack classes, so what you deploy is measured against your threat model rather than a vendor benchmark.

watermarkingrobustnessattackssecurity