Can AI Watermarks Be Removed? Testing Google’s SynthID Against Diffusion Post‑Processing

Diffusion-based post-processing and SynthID: what this Reddit claim says and why it matters

A recent post on r/ArtificialInteligence claims that diffusion-based post-processing can disrupt Google DeepMind’s SynthID image watermark in a way that makes common detection checks fail, while keeping the image visually similar. The author, /u/LiteratureAcademic34, frames it as responsible disclosure and invites the community to reproduce and strengthen detection methods.

They share before/after examples and detection screenshots: watermark detected pre-processing, not detected after. The write-up and artefacts are on GitHub, alongside an open Discord for people without GPUs or ComfyUI experience.

“Diffusion-based post-processing can disrupt SynthID in a way that makes common detection checks fail.”

Here’s a balanced look at what’s claimed, how it fits into the state of watermarking, and what UK teams should do today.

Quick primer: SynthID, diffusion, and re-diffusion post-processing

SynthID is Google DeepMind’s invisible watermarking system for AI-generated images. It embeds a signal into pixel values that a detector can later identify as “AI-made”. It’s designed to survive common transformations like resizing, cropping, and compression, but—like any watermark—has limits under adversarial edits. See the official SynthID page for scope and caveats.

Diffusion models are a class of generative models that iteratively denoise random noise into an image. Re-diffusion post-processing (informal term) means taking an existing image and running it through part of a diffusion pipeline to “launder” the pixels without drastically changing the visible content. If a watermark is subtly embedded in those pixels, that process can disturb the signal.

What the Reddit researcher did (at a high level)

According to the post, the author:

• Ran images with SynthID through a diffusion-based post-processing pipeline.
• Showed before/after images that look visually similar.
• Shared detector screenshots: watermark detected before, not detected after.
• Published a write-up, assets, and invites others to test and improve detection.

Hardware specs, exact prompts, and settings are not disclosed in the post body. The author references ComfyUI, and offers a hosted workflow for those without local compute.

Links:

• Reddit discussion: Evidence that diffusion-based post-processing can disrupt SynthID
• GitHub repo: SynthID-Bypass

How strong is this evidence?

It is a single community report with examples, not a peer-reviewed evaluation. That said, the claim is plausible: invisible watermarks are generally vulnerable to targeted transformations, especially those that modify the signal distribution without obvious visual changes.

DeepMind itself notes that no watermark is perfect. The open question is not “can a watermark be removed?” but “how costly is removal and how often does detection still work?” The post suggests a relatively low-cost route via diffusion post-processing, at least for some images and detector settings. The robustness envelope will vary by content, watermark strength, and pipeline parameters.

Why this matters in the UK: compliance, provenance, and trust

UK organisations are increasingly encouraged to label AI-generated content. Watermarking and provenance standards like C2PA are part of that toolkit. If invisible watermarks can be stripped with modest effort, it affects:

• Media and comms teams: Relying solely on a watermark for AI disclosure may be risky if assets travel beyond your control.
• Election integrity and mis/disinformation: Detection gaps raise the stakes for provenance metadata, cryptographic signatures, and newsroom verification workflows.
• Regulatory posture: UK policymakers support transparency measures around AI content. Organisations should combine multiple signals rather than treat any single watermark as a silver bullet.
• Enterprise governance: Procurement and risk teams should ask vendors about watermarking limits, red-teaming, and fallback strategies when detectors fail.

Watermarking vs provenance: complementary, not interchangeable

Two approaches are often conflated:

• Invisible watermarks (e.g., SynthID): embedded signals in pixels; can survive benign edits but can be disrupted by adversarial transformations.
• Provenance metadata (e.g., C2PA): cryptographically signed records of capture/edit history; stronger for authenticity when intact, but can be stripped if not enforced end-to-end.

Best practice is to use both where possible: sign content at source, preserve provenance through your toolchain, and add watermarking as a secondary signal. In risk-sensitive contexts, layer additional detection (e.g., model fingerprinting, behavioural analysis of generation patterns) and explicit human review.

Practical takeaways for teams

• Don’t rely on invisible watermarks alone for safety-critical decisions. Treat them as probabilistic signals with known failure modes.
• Adopt C2PA in your pipeline and ensure partner tools preserve signatures. Audit where metadata is lost.
• Maintain disclosure policies even when metadata may be stripped downstream. Combine visible labelling with backend provenance.
• Ask vendors for red-team results against diffusion-based attacks and for plans to harden detectors.
• Build incident playbooks for suspected deepfakes: escalation, forensics, and comms.

If you’re experimenting with AI workflows more broadly, you may also find this practical guide useful: How to connect ChatGPT and Google Sheets with a custom GPT.

A balanced view: useful, but not unbreakable

Invisible watermarks remain valuable: they can signal AI origin at scale and survive common non-adversarial edits. However, motivated actors can often degrade or remove them. This isn’t a failure unique to SynthID; it’s a general reality of steganographic techniques under adversarial conditions.

The research community is exploring stronger designs (e.g., content-dependent watermarks, robust training-time embedding, ensembles of detectors). In parallel, provenance standards and platform-level policies are maturing. Expect an arms race—progress on both attack and defence—and plan accordingly.

What to watch next

• Official updates from DeepMind on SynthID’s robustness and detector improvements.
• Independent evaluations comparing watermark schemes under diffusion-based post-processing.
• Toolchain support for C2PA across cameras, editors, CDNs, and social platforms.
• UK policy guidance on AI content labelling and recommended controls for high-risk sectors.

Resources and further reading

• Reddit post: Evidence that diffusion-based post-processing can disrupt Google’s SynthID (by /u/LiteratureAcademic34)
• Author’s write-up and artefacts: GitHub – SynthID-Bypass
• Google DeepMind SynthID overview: SynthID official page
• Provenance standard: C2PA – Coalition for Content Provenance and Authenticity

To be clear, this article does not endorse or provide instructions for watermark removal. The goal is to understand the limits of current tools and help organisations put resilient, layered provenance strategies in place.