Watermark Anything

Original Article ↗ Hacker News Discussion ↗

Perceived purpose and significance

  • Many see this as an invisible watermarking system aimed at generative AI images.
  • Claimed robustness to common transformations (cropping, rotation, brightness changes, recompression, inpainting, splicing) is viewed as the main technical advance.
  • Potential uses mentioned: provenance of AI content, copyright tracing, camera-origin signatures, and tracking leaks of proprietary media.

Robustness and attack surface

  • Past invisible watermarks were often broken by simple operations like resize, slight rotation, or re-watermarking (“double watermark” attacks).
  • If this system resists those, commenters consider it a noteworthy improvement.
  • There is skepticism that any method is unbreakable; references to existing “watermark attacker” tools and trivial “destroy it with noise” strategies.
  • Practical friction: some users report difficulty running the repo due to ML tooling (CUDA/PyTorch) issues, with suggestions to use Colab.

Use in AI training and provenance

  • One proposed driver: help AI providers filter out AI-generated images from future training data to avoid “model collapse” from self-training.
  • Others speculate about watermark schemes evolving over time, potential for latent watermark patterns to be learned by downstream models, and ideas like Merkle-tree-like registries.
  • A suggested strategy is to exclude watermarked inputs from training, which could conflict with upcoming cryptographically signed camera images.

Potential for misuse and governance concerns

  • Strong concern that robust, ubiquitous watermarking aids repressive or merely self-interested governments/corporations in deanonymizing leakers, whistleblowers, and dissidents.
  • Historical analogies: printer tracking dots and attempts to trace message forwarding chains.
  • Debate over whether even a “virtuous and transparent” government should want to identify leakers, with others arguing some secrecy and anonymous sources are essential to accountability.

Environmental and resource costs

  • Paper reportedly estimates 5000 GPU-days (120k GPU-hours) and ~20 tons CO₂-eq for all experiments.
  • Some compare this to emissions from dozens of long flights; others note this is small relative to large LLM training runs but still nontrivial.
  • Discussion around limitations of such metrics: variable energy sources, ignored embodied hardware emissions, human activity, and downstream usage.
  • Tension between doing impactful research vs. its environmental cost; some favor transparency and awareness over abstention.

Text vs. image watermarking and steganography

  • One commenter hoped for text watermarking; others argue text is too easily edited (e.g., postprocessing that strips simple patterns).
  • Counterpoint: probabilistic text watermarking schemes can bias token selection so that generated text statistically reveals origin, though they remain vulnerable to heavy editing.
  • Clarification that “invisible watermarking,” “steganography,” and “information hiding” are related but distinct: watermarking seeks robust, persistent linkage to content; steganography focuses on undetectability.
  • Side debate over whether such techniques amount to “security by obscurity,” with pushback emphasizing the difference between secret algorithms and secret keys.

Ecosystem and deployment considerations

  • Some predict large platforms (e.g., major social networks) can unilaterally standardize watermarking, undercutting smaller “authenticity badge” startups.
  • Others note parallels to long-standing DRM and fear legal/DMCA-style enforcement around watermarks.
  • Minor point that quantizing model weights might break embedded watermark modules, though the intended deployment is mostly at the API/service layer.