Minutes on a 40GB A100?
I'm surprised it's so difficult, given the image itself could be generated in seconds on a much lesser GPU?
Computer scientists with the University of Waterloo in Ontario, Canada, say they've developed a way to remove watermarks embedded in AI-generated images. To support that claim, they've released a software tool called UnMarker. It can run offline, and can remove an image watermark in only a few minutes using a 40 GB Nvidia A100 …
From the standpoint of linear processors, presumably parallel processors too, an image is a collection of bytes processed individually and/or collectively, but not holistically. Operations applied to sequences of bytes can be understood only in terms of programmer intentions sewn into the software. Presumably, AI software, regardless of the underlying model, has a commonality of protocol that, intentionally or otherwise, permits some information encoded within a digital image to influence how closely an AI follows the instructions from a human operator, e.g. refuse to mess about with images registered as 'property'.
When a human examines a photograph, analogue or digital, the retinal optical image is converted into the equivalent of an organised digital encoding drawn from individual retinal cells: rods and cones. This information passes into biological neural networks, some properties of which are emulated by AI software. A human will be entirely unaware of hidden data within the image under examination.
Wouldn't this unawareness obtain for copies of the original taken by analogue or digital cameras? In the analogue instance, the image can be copied into the digital domain entirely independently of 'property protection' software digital camera makers could be legislatively obliged to bundle-in.
So, is it correct to assume that by the roundabout means mentioned above, an AI, or a Lora, can be trained on 'protected' images?
If so, can the work outlined in this article be considered equivalent, but more elegant than, the route suggested here?
Speculatively, can invisible watermarks be detected, and removed without detriment to the image, by applying technologies used for deblurring, etc.? Also, invisible watermarks, those deployed by any single source, e.g. a commercial photo repository, would require a base uniformity or pattern. Cannot analysis of many of these images by an AI refine means for ignoring distraction of this kind?
Devices that create original photos like smartphones and cameras need to cryptographically sign those originals as a way to prove the photo is genuine. Yes once you send it in a text message, post on Instagram or publish it in a news article it will have been modified, but what's important is that if anyone questions it you could make the original unmodified photo available to prove it was real. News sites might post those originals in an area on their web site that is linked from the modified photos (i.e. they've cropped it, compressed down the size, etc.) so people could immediately verify it isn't AI, when and where it was taken (if that information isn't removed for privacy reasons) and so forth.
Yes that will take a lot of work and require some sort of open standard for Apple, Samsung, Sony and so forth. So people better get cracking on that if they haven't already been, because the idea of marking AI generated stuff is so laughably stupid I can't believe anyone seriously tried.
That is - precisely - what C2PA is, and I was going to make the same point. Rather than add something to a file which bad actors want to strip out (a watermark), require the addition of some sort of certification that is desirable (a signature).
Maliciously removing the first is easy to do, maliciously adding the second is, for all practical purposes, impossible.
> maliciously adding the second is, for all practical purposes, impossible
I wouldn't say "impossible", since it is being done on device and even Secure Element / security co-processor type stuff is not immune to compromise from those with sufficient incentive given that they'd have unlimited access to the hardware containing the key.
You could beef it up by passing a checksum (just that, not the whole photo/video) out "to the cloud" where it is further encrypted along with the time/date that happened (with the determination of the time/date made by the cloud server, i.e. it doesn't use the time/date in the photo/video file's metadata). Then if there is a compromise like someone hacks a Sony camera and extracts their private key so they're able to falsely sign AI generated stuff you could figure out the approximate day when that happened and not trust stuff cloud signed after that date but all the stuff before that date would still be trusted absent some proof of earlier compromise.
To handle that sort of thing you'd need to have a way of revoking a key and providing a new one, and people who know more about this sort of stuff than me would probably have some ideas about multiple levels of key, device specific vs vendor specific and so forth.
Thanks for the info about C2PA, I'm glad this is already being considered. I'll have to read up on it and see if it is what I hope it is. From looking at the list of members I notice that Apple, Samsung, Sony, and Mediatek are conspicuous in their absence. They aren't necessary to help develop the spec but for it to have any chance of success they will have to implement it.
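The cloud-timestamp idea from the comment above, sketched as an added example that is not part of the thread and is not C2PA's format: the device signs the photo's SHA-256 digest, a server countersigns it together with its own clock reading, and a verifier rejects anything stamped at or after a known key compromise. Ed25519, the names `Record`, `Stamp`, `Verify`, `demoKeys`, and all keys and timestamps are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Record, Stamp, Verify and demoKeys are hypothetical names for this example.
type Record struct {
	DeviceSig []byte // device key over SHA-256(photo)
	StampedAt int64  // Unix seconds from the server's clock, not file metadata
	StampSig  []byte // server key over digest || DeviceSig || StampedAt
}

func stampMsg(d [32]byte, r Record) []byte {
	m := append(append([]byte{}, d[:]...), r.DeviceSig...)
	return append(m, fmt.Sprintf("|%d", r.StampedAt)...)
}

// Stamp is the server side: it receives only the digest and device signature.
func Stamp(d [32]byte, devSig []byte, tsa ed25519.PrivateKey, now int64) Record {
	r := Record{DeviceSig: devSig, StampedAt: now}
	r.StampSig = ed25519.Sign(tsa, stampMsg(d, r))
	return r
}

// Verify rejects records stamped at or after a known compromise (0 = none known).
func Verify(photo []byte, r Record, dev, tsa ed25519.PublicKey, breach int64) error {
	d := sha256.Sum256(photo)
	if !ed25519.Verify(dev, d[:], r.DeviceSig) || !ed25519.Verify(tsa, stampMsg(d, r), r.StampSig) {
		return fmt.Errorf("bad signature or altered photo")
	}
	if breach != 0 && r.StampedAt >= breach {
		return fmt.Errorf("stamped at %d, device key compromised at %d", r.StampedAt, breach)
	}
	return nil
}
func demoKeys(label string) (ed25519.PublicKey, ed25519.PrivateKey) { // constructed keys
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	devPub, dev := demoKeys("device")
	tsaPub, tsa := demoKeys("timestamp-server")
	photo := []byte("constructed photo bytes")
	d := sha256.Sum256(photo)
	rec := Stamp(d, ed25519.Sign(dev, d[:]), tsa, 1700000000)
	fmt.Println(Verify(photo, rec, devPub, tsaPub, 1750000000)) // <nil>
}
```

Because the server's time is inside the countersigned message, someone holding a stolen device key cannot backdate a forgery without also forging the server's signature.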
> smartphones and cameras need to cryptographically sign those originals
Then you'll need some sort of way of verifying that. How granular will we need to go? Do we have Sony, Canon, Apple, Google, et al publish public keys for the devices they sell? Or does each device have a public key, so I know that pic was taken by Alice's Pixel 7 Pro, or Bob's Nikon D850?
Then how do we balance privacy? People already complain that color printers have the semi-hidden yellow ink pattern that identifies their printouts.
What do you do when Eve grabs Bob's camera and takes an upskirt of Alice and Bob gets cuffed? (Jeez, now I'm thinking of kinky adult-only XKCDs....)
> Then you'll need some sort of way of verifying that. How granular will we need to go? Do we have Sony, Canon, Apple, Google, et al publish public keys for the devices they sell? Or does each device have a public key, so I know that pic was taken by Alice's Pixel 7 Pro, or Bob's Nikon D850?
There would be multiple keys, so you'd have an Apple etc. key that could be trivially validated (presumably there would be a website where you could dump the metadata information and it would look up the appropriate keys and tell you pass/fail for each bit of signed info in that metadata). Presumably there would also be device level keys but those would likely only come into play in court cases - to prove that I was the one who took a particular picture if I was a witness for example. But that would normally be data that's in the metadata but ignored, for example if CNN publishes a picture of a war crime neither they nor whoever took the picture would want it to be linked back to the photographer especially if it is a dissident rather than foreign journalist.
The editing body could re-sign the image as they are the ones attesting to the fidelity of it. And if you trust, say the WSJ, then their signature would be good enough... But if I posted one, you'd want the camera's signature and mine on top of that. There are also ways to embed the full image and have the cropped one visible in the document... Would just be features to handle authenticated content. Just need to get it integrated so folks can understand it... Because right now, I'd say less than 5% would even understand how to interpret a signature in a picture... Need a lock icon or something...
> And if you trust, say the WSJ, then their signature would be good enough
Well when you have half the political establishment trying to smear any media that doesn't parrot exactly what Dear Leader claims to be the truth as "fake news" I think that provenance data needs to extend beyond the publisher to prove it was an ORIGINAL photo or video to start with, with the capability (which could be enabled/disabled for each individual photo) to also pass along the exact date and time and GPS coordinates where it was taken. As the recent lawsuit against the WSJ shows all it takes is one story for a publisher to be branded "fake news". It also raises the bar for the news sources Dear Leader does approve of to provide proof of photos attacking his enemies. Because MAGA might trust certain media but the rest of us take their claims with a grain of salt so if they want to do more than just feed red meat to their side they'll have to be able to prove the provenance of their photos/videos beyond merely "signed by Fox News".
That way if you have a photo for example showing a congressman meeting with a widely acknowledged to be Bad Guy and when published the congressman cries "fake news!" and tries to claim it was AI generated or photoshopped and that he wasn't in that location at that time or maybe he was but he didn't meet with the other person in the photo it can be proven that it was 1) an original photo from an iPhone, 2) it was taken at the claimed date/time, 3) it was taken at the claimed location and it becomes a lot harder to deny. You'd have to fall back on the pre-digital defense of "that's not me, it's just someone who looks a lot like me" I guess.
With over $3000 of hardware.
I'm pretty sure that the average PC user does not have a $3K+ hardware setup, and the number of individuals with an A100 graphics card in their rig can probably be counted on the fingers of one hand.
So this is a nice research paper, to be sure, and I salute the fact that it is proven that watermarking is basically obsolete.
Now come back to me when you have the figures on a GeForce RTX 50, which I figure is a bit more available to the common public.
Sure it only takes minutes on a $3000 GPU, but if you wanted to do it on a $500 GPU I'm sure the technique will still work, even if it takes hours rather than minutes to get the results.
And today's top of the range GPUs will be available used on eBay in a few years' time for pocket change.
The sooner there's deepfake porn of EVERYBODY that can't be distinguished from real, the sooner the worthless prudes have no way to go after a schoolteacher whose private video leaked, or even one who does porn in her summers off.
The minute Karen starts whining about it, HER nudes show up, and when she whines about that, the video of her getting anal with a John Holmes dildo get Streisand effected all over the internet, and there's no way for her to prove it's fake without stripping down to show her malformed clit that isn't in the video.