In an era of deepfakes, bot-generated books and AI images created in the style of famous artists, the promise of digital watermarks to identity AI-generated images and text has been tantalizing for the future of AI transparency. Back in July, seven companies promised President Biden they would take concrete steps to enhance AI safety, including watermarking, while in August, Google DeepMind released a beta version of a new watermarking tool, SynthID, that embeds a digital watermark directly into the pixels of an image, making it imperceptible to the human eye, but detectable for identification.
Thus far, however, digital watermarks — whether visible or invisible — are not sufficient to stop bad actors. In fact, Wired recently quoted a University of Maryland computer science professor, Soheil Feizi, who said “we don’t have any reliable watermarking at this point — we broke all of them.” Feizi and his fellow researchers examined how easy it is for bad actors to evade watermarking attempts. In addition to demonstrating how attackers might remove watermarks, they showed how it to add watermarks to human-created images, triggering false positives.
When it comes to the ethics and values surrounding AI-generated images and text, she explained, one set of values is related to the concept of provenance. “You want to be able to have some sort of lineage of where things came from and how they evolved,” she said. “That’s useful in order to track content for consent credit and compensation. It’s also important in order to understand what the potential inputs for models are.”
It’s this bucket of watermarking users that Mitchell said she gets “really excited” about. “I think that has really been lost in some of the recent rhetoric,” she said, explaining that there will always be ways AI technology doesn’t work well. But that doesn’t mean the technology as a whole is bad.
“For a subset of the users or those affected it won’t be the right tool, but for the vast majority it will be right — bad actors are a subset of users, and then a subset of users within that will be those that have the the technical know how to actually perturb the watermark.”
New functions on Hugging Face allow anyone to provide provenance
Mitchell highlighted new functions from Truepic, which provides authenticity infrastructure to the internet, on Hugging Face, an open-access AI platform for hosting machine learning (ML) model — that allow Hugging Face users to automatically add responsible provenance metadata to AI-generated images.
First, Truepic added content credentials from the Coalition for Content Provenance and Authenticity (C2PA) to open source models on Hugging Face, allowing anyone to generate and use transparent synthetic data. In addition, it created an experimental space to combine the provenance credentials with invisible watermarking using technology from Steg.AI, a provider of “sophisticated forensic watermarking solutions” that uses Light Field Messaging (LFM), a process of embedding, transmitting, and receiving hidden information in video that is displayed on a screen and captured by a handheld camera.
Consensus on promise of watermarking
When asked if trying to tackle issues of provenance with watermarking tools feels like a drop in an ocean of AI-generated content, Mitchell laughed. “Welcome to ethics,” she said. “It’s always something good for one small use case and you build and iterate from there.”
But one thing that is particularly exciting about watermarking as a tool, she explained, is that it is “something that both people focused on human values broadly in AI, and then AI Safety with a capital S, have agreed that this is critical with their realms.”
Then, she added, interest in digital watermarking systems rose to the level of being a part of the White House voluntary commitments.
“So in terms of all the various things that various people think are worth prioritizing, there is consensus on watermarking — people actually care about this,” she said. “Compared to some of the other work I’ve been involved in, it doesn’t seem like a drop in the bucket at all. It seems like you’re starting to fill up buckets.”