Thoughts on Watermarking AI-Generated Content • David Stutz


Watermarking AI-generated content has the potential to address various problems that generative AI threatens to aggravate — misinformation, impersonation, copyright infringement, web pollution, etc. However, it is also controversial with many researchers and users worrying about reduced quality and questioning whether watermarking actually works and helps. In this article, I want to share some of my thoughts on how well watermarking works and whether it can actually help with our problems.

Over the past two years, I’ve been asked repeatedly at conferences and talks about my general opinion on watermarking AI-generated content. This is usually coupled with various concrete concerns that I like to categorize into three problems: misinformation at internet scale through social media, impersonation and deep fakes, and copyright issues. Of course, there are many other concerns that might not perfectly fit these three categories, but I feel these are three big problems that researchers, but also the public, are afraid of. At this point, it is worth noting that these are already problems on the internet, but many researchers believe that generative AI can make them significantly worse.

When it comes to watermarking in the context of these problems, there are two key questions to answer:

  • Does watermarking work?
  • Can it solve the above problems?

The former usually asks whether watermarking works technically, that is, whether we can successfully watermark generated content and reliably detect it when it pops up in unexpected places on the internet. The latter then asks whether, assuming watermarking works, it already solves any of the above problems. So in this article, I want to share my opinion on both of these questions.

Does Watermarking Work?

The short answer is yes. The long answer is yes, but it depends — it depends on who you ask and what assumptions you make.

In the ML security community, for example, we strive towards a fully-secure watermarking system. This means that an adversary with a given budget of compute and time and a specific level of knowledge of (access to) the generative model cannot produce false positives or false negatives — meaning forging a watermark where there was none or removing the watermark from watermarked content. Current methods for watermarking are usually not secure in this sense unless you constrain the knowledge and budget of the adversary significantly and make assumptions on which technologies an adversary has access to. For example, a common argument is that, given a piece of watermarked content, an adversary can just use another generative AI that is not producing watermarked content to re-generate the content and thereby remove the watermark. This is true. However, it is a rather circular argument. If I have access to a powerful generative AI that can re-generate arbitrary content to high enough quality, I do not need to use a proprietary generative AI that produces watermarked content in the first place. Moreover, watermarking methods are difficult to secure when assuming that the attacker has access to the watermarking method/model itself.

The question is whether we need a fully secure watermarking system in order for it to be useful at internet scale. In my opinion, we do not; we just need to make it “secure enough”. Here, with secure enough I mean making it difficult enough to forge or remove a watermark such that 99%+ of the users on the internet are either unable to do so or lose interest because it is not worth the effort. Often, this translates to making the model (adversarially) robust enough to deal with everyday use cases such as post-processing of the content or rather simple attacks on the model via a limited number of queries. This level of security and robustness is then balanced by requiring the watermark to be invisible (not reducing quality). This then makes a watermarking system useful and I believe that according to these requirements, watermarking works very well across all major modalities.

Can it solve our problems?

Here, unfortunately, there is no short answer. Watermarking has the potential to solve our problems, but it’s not sufficient.

The first thing to realize is that problems such as misinformation, impersonation or copyright issues are not purely technical. These are complex problems at the intersection of AI, ethics, economics, society, regulation, etc. However, I think that watermarking can be a key technology contributing to potential solutions. For this to work, watermarking has to be adopted widely — across the industry and open-source models. This also includes new technical challenges for watermarking, like watermarking open-source models, making sure watermarks do not “overlap” between models, keeping watermarks consistent with model updates and architecture changes, and many more. Beyond that, it is also a regulation and policy problem. Similar to C2PA, there would need to be standards for watermarking, sharing keys and detectors.

For example, to tackle misinformation, all major models need to be watermarked and social media companies need to detect these watermarks and flag content appropriately before presenting it to users. For this use case, the technology is, in my opinion, mature enough. However, coordination and integration lag behind.

For many problems such as copyright issues, it is also important to realize that it is not “just” about detecting AI-generated content via watermarks. More often than not, we need to establish provenance, meaning the actual origin of the content. This means finding out who created it using which model at which time and how it was shared and processed or altered. At this point, watermarking becomes a rather complex multiclass problem with many unknown classes. Also, security and robustness concerns become more complex since multiple watermarks can be applied and various attacks are possible – we don’t just care about false positives or negatives but about actually attributing content to the right model and user.
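An added illustration, not part of the original post, of the open-set attribution problem described above and of the “secure enough” robustness to everyday post-processing discussed earlier. It uses a toy keyed “green-list” token watermark as a stand-in, since the post does not name a scheme; the vocabulary, keys, bias, threshold and all function names are constructed assumptions.

```python
import hashlib, hmac, math, random

VOCAB = [f"w{i}" for i in range(1000)]  # constructed toy vocabulary
KEYS = {"model-a": b"constructed-key-a", "model-b": b"constructed-key-b"}  # made up

def is_green(key, prev, tok):
    """Keyed pseudo-random split: about half of all tokens are 'green' per context."""
    return hmac.new(key, f"{prev}|{tok}".encode(), hashlib.sha256).digest()[0] & 1 == 0

def generate(key, n, rng, bias=0.9):
    """Stand-in for a model: random tokens, steered towards green ones if keyed."""
    toks, prev = [], "<s>"
    for _ in range(n):
        tok = rng.choice(VOCAB)
        if key is not None and rng.random() < bias:
            while not is_green(key, prev, tok):
                tok = rng.choice(VOCAB)
        toks.append(tok)
        prev = tok
    return toks

def z_score(key, toks):
    """How far the green count sits above the 50% expected without this key."""
    green = sum(is_green(key, p, t) for p, t in zip(["<s>"] + toks, toks))
    return (green - 0.5 * len(toks)) / math.sqrt(0.25 * len(toks))

def attribute(keys, toks, threshold=4.0):
    """Open-set attribution: the best key wins only if it clears the threshold.
    Every extra key is another chance of a false positive, so the threshold
    has to be set for the whole key registry, not for one detector."""
    scores = {name: z_score(key, toks) for name, key in keys.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else "unknown"

def post_process(toks, rng, frac=0.2):
    """Constructed 'everyday edit': swap a fraction of tokens for unrelated ones."""
    return [rng.choice(VOCAB) if rng.random() < frac else t for t in toks]

def demo(seed=7):
    rng = random.Random(seed)
    marked = generate(KEYS["model-a"], 400, rng)
    plain = generate(None, 400, rng)  # unwatermarked model or human text
    return {"marked": attribute(KEYS, marked),
            "edited": attribute(KEYS, post_process(marked, rng)),
            "plain": attribute(KEYS, plain)}

if __name__ == "__main__":
    print(demo())
```

The edited sample is still attributed to model-a, while unwatermarked text falls into the unknown class instead of being forced onto the nearest key.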

Conclusion

Watermarking has the potential to help alleviate many societal problems that are aggravated by generative AI such as misinformation, impersonation, and copyright-related issues. However, solving these problems is not purely a technical problem. I believe that watermarking as a technology works well enough to tackle these problems, but coordination and collaboration around watermarking in the industry lag behind.


