SynthID vs Gemini Watermark | What’s the Difference?

I’ve spent a lot of time thinking about watermarks lately, which is either a sign I’m doing interesting work or that I need to get outside more. Probably both. But after digging into SynthID, Google DeepMind’s AI watermarking system, and comparing it to the traditional watermarking methods I’ve been familiar with for years, I have some actual thoughts worth sharing.

This isn’t a press release recap. I want to talk about how these two approaches actually work, where they fall apart, and which one I think is doing something genuinely new versus which one is just familiar tech with a fresh coat of paint.

What Traditional Watermarks Actually Do

Most people think of watermarks as that semi-transparent logo stamped across a stock photo. That’s one version. But the broader category of digital watermarking has been around since the 1990s, and it covers a lot of ground.

The classic approach embeds a signal, usually invisible, into the pixel data of an image or the metadata of a file. For images, this often means tweaking the least significant bits of pixel values in ways the human eye can’t detect. For audio, it might mean inserting patterns into frequency bands that sit below the threshold of perception. The idea is simple: the signal rides along with the content, and a detector that knows what to look for can pull it back out.

It works. Sort of. The problem is that traditional watermarks were designed to survive normal handling: compression, resizing, format conversion. They weren’t designed to survive someone who’s actively trying to remove them. And that’s a very different threat model.

Run a traditionally watermarked image through a generative model, crop it aggressively, apply a JPEG compression cycle or two, and the watermark can disappear entirely. The signal is fragile in ways that matter when you’re trying to track AI-generated content at scale.
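
To make that fragility concrete, here is an added example (not code from this post or from any watermarking product) of plain keyed LSB embedding and detection. The pixel list, the key, and the floor-quantization step standing in for lossy re-encoding are all constructed assumptions; it is not real JPEG.

```python
import hashlib
import random

def key_bits(key: bytes, n: int) -> list:
    """Expand a secret key into n pseudo-random watermark bits (SHA-256 in counter mode)."""
    bits, counter = [], 0
    while len(bits) < n:
        block = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return bits[:n]

def embed(pixels, key):
    """Overwrite each pixel's least significant bit with the keyed pattern."""
    return [(p & ~1) | b for p, b in zip(pixels, key_bits(key, len(pixels)))]

def match_rate(pixels, key):
    """Fraction of LSBs agreeing with the keyed pattern: ~0.5 is chance, 1.0 is a clean mark."""
    bits = key_bits(key, len(pixels))
    return sum((p & 1) == b for p, b in zip(pixels, bits)) / len(pixels)

def requantize(pixels, step=4):
    """Crude stand-in for lossy re-encoding: snap every value down to a multiple of step."""
    return [(p // step) * step for p in pixels]

# Constructed sample: 4096 random 8-bit grayscale values standing in for an image.
rng = random.Random(1)
image = [rng.randrange(256) for _ in range(4096)]
marked = embed(image, b"demo-key")

if __name__ == "__main__":
    print("max pixel change :", max(abs(a - b) for a, b in zip(image, marked)))
    print("marked           :", match_rate(marked, b"demo-key"))
    print("unmarked         :", round(match_rate(image, b"demo-key"), 3))
    print("after requantize :", round(match_rate(requantize(marked), b"demo-key"), 3))
```

The mark changes no pixel by more than one level and is read back perfectly from the untouched copy, but a single coarse requantization leaves the detector at the same chance-level agreement it reports for an image that was never marked.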

What SynthID Is Actually Doing Differently

SynthID, which DeepMind introduced in 2023 and has since expanded beyond images to text, audio, and video, takes a fundamentally different approach. Instead of embedding a signal into a finished output, it bakes the watermark into the generation process itself.

For images generated by Imagen, the watermark is applied in the latent space during generation, not stamped onto the final pixels after the fact. That’s not a small distinction. It means the watermark is woven into how the image exists at a structural level, not just painted on top.

The text version is more interesting to me, and honestly more impressive. For text, SynthID works by adjusting the probability distributions of token selection during generation. When a language model is picking the next word, there are usually dozens of plausible choices with similar likelihoods. SynthID slightly biases those choices in a patterned way that’s statistically imperceptible to a human reader but detectable by the right tool. You read the output and it sounds normal. Run it through the detector, and the pattern emerges.

I tested this logic by thinking through what it would take to remove it. With a traditional watermark, you can sometimes find and strip the signal because it lives in a separable layer. With SynthID’s text approach, the “watermark” is the word choices themselves. To remove it, you’d have to rewrite the text substantially, at which point you’ve done so much work you might as well have written it from scratch. That’s a meaningfully harder problem to attack.

Robustness: Where the Gap Is Real

This is where I think the comparison gets interesting, and where traditional watermarks start to look pretty weak by comparison.

Traditional image watermarks tend to survive things like minor resizing or color adjustments, but they’re vulnerable to what researchers call “watermark attacks”: geometric transformations, noise addition, or content-aware cropping. There’s a whole body of academic work on breaking these systems. It’s not hard to do if you know what you’re doing.

SynthID is more resilient, but not invincible. For images, research has shown that while it holds up better than LSB-style watermarks under transformations, it can still be degraded. For text, the robustness picture is more complicated. If someone paraphrases the output, the statistical pattern breaks. A motivated person with a paraphrasing tool can disrupt it. DeepMind has acknowledged this. It’s not a perfect solution.
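
The token-selection bias described earlier, and the way rewriting weakens it, can be measured with a detector score. This is an added example, not SynthID's own algorithm or code from this post: it uses a simplified keyed "green list" scheme as a stand-in, with a constructed vocabulary, key, toy generator and a random-substitution stand-in for paraphrasing.

```python
import hashlib
import math
import random

VOCAB = [f"tok{i}" for i in range(1000)]  # constructed toy vocabulary

def is_green(prev: str, tok: str, key: bytes) -> bool:
    """Keyed hash of (previous token, candidate) marks about half of all choices 'green'."""
    return (hashlib.sha256(key + f"{prev}|{tok}".encode()).digest()[0] & 1) == 1

def generate(n, key, rng, watermark=True, bias=0.9):
    """Toy 'model': 8 equally plausible candidates per step; the mark nudges toward green."""
    out, prev = [], "<s>"
    for _ in range(n):
        cands = rng.sample(VOCAB, 8)
        green = [t for t in cands if is_green(prev, t, key)]
        if watermark and green and rng.random() < bias:
            prev = rng.choice(green)
        else:
            prev = rng.choice(cands)
        out.append(prev)
    return out

def z_score(tokens, key):
    """Standard deviations by which the green count exceeds the 50% expected by chance."""
    hits, prev = 0, "<s>"
    for tok in tokens:
        hits += is_green(prev, tok, key)
        prev = tok
    n = len(tokens)
    return (hits - 0.5 * n) / math.sqrt(0.25 * n)

def rewrite(tokens, fraction, rng):
    """Stand-in for paraphrasing: replace a fraction of tokens with arbitrary vocabulary items."""
    return [rng.choice(VOCAB) if rng.random() < fraction else t for t in tokens]

KEY = b"demo-key"  # constructed secret shared by generator and detector
rng = random.Random(7)
marked = generate(200, KEY, rng)
plain = generate(200, KEY, rng, watermark=False)
edited = rewrite(marked, 0.5, rng)

if __name__ == "__main__":
    for name, toks in [("marked", marked), ("plain", plain), ("edited", edited)]:
        print(f"{name:7s} z = {z_score(toks, KEY):5.2f}")
    print(f"marked, wrong key z = {z_score(marked, b'other-key'):5.2f}")
```

A detector built this way needs a z-score threshold chosen from the false-positive rate it can tolerate, and the score it reports depends on text length as well as on how much of the original wording survives.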

What bothers me about how SynthID gets covered is the implication that it solves the attribution problem. It doesn’t. It makes attribution harder to defeat, which is genuinely useful, but it’s not a lock. Anyone presenting it as the final answer to AI content verification is overselling it.

Perceptibility: The Part That Actually Matters for Real Use

Traditional watermarks, when done well, are invisible to casual viewers. When done badly, they degrade image quality in ways that are noticeable. I’ve seen DCT-based watermarking introduce subtle artifacts in smooth gradients that drive me crazy once I notice them. You can’t un-see it.

SynthID’s image watermark, from what I’ve seen and read about, is genuinely imperceptible in normal viewing conditions. The latent-space approach avoids the kind of pixel-level artifacts that older methods sometimes leave behind. That’s a real improvement.

For text, the perceptibility question barely applies. The output reads normally. I tried reading SynthID-watermarked text samples without knowing which was which, and I couldn’t tell. That’s the point.

The Detection Problem Nobody Talks About Enough

Here’s something that doesn’t get discussed enough: a watermark is only useful if you can actually run the detector.

Traditional watermarking systems often have publicly documented detection algorithms. Some are open-source. That’s both a strength and a weakness. Anyone can verify content, but anyone can also study how to attack the system.

SynthID’s detector is controlled by Google. If you want to verify whether an image or piece of text is SynthID-watermarked, you go through their tools. For now, access is limited. That centralization is a real limitation for any use case where independent verification matters, like journalism, legal contexts, or academic research. I’m not saying Google has bad intentions. I’m saying “trust us, we can check” isn’t the same as an open, auditable system.

This is one of my actual frustrations with the current state of AI watermarking broadly. We’re building verification systems that depend on the goodwill and availability of the same companies that built the generation systems. That’s a structural problem worth taking seriously.

Where Traditional Watermarks Still Win

They’re established, interoperable, and understood. The Content Authenticity Initiative, C2PA, and similar standards are built on existing watermarking and metadata frameworks. These work across different tools, platforms, and companies because they’ve had decades to standardize.

SynthID is proprietary to Google’s ecosystem, at least right now. An image generated by Midjourney isn’t going to carry a SynthID watermark. A document written by Claude doesn’t have one either. So if you’re trying to build a detection system that works across the actual diversity of AI-generated content in the wild, you can’t just rely on SynthID. Traditional approaches, for all their fragility, have broader adoption.

For certain professional contexts, traditional watermarks embedded in formats like PDF or TIFF with proper metadata handling are also easier to integrate into existing workflows. Not everything needs to be rethought from scratch.

Which One Is Doing More Interesting Work

SynthID. Not even close.

Embedding a watermark into the generation process rather than post-processing is a conceptually cleaner solution to the problem. The text watermarking approach, using token probability distribution adjustments, is technically clever in a way that traditional methods aren’t. It’s the kind of idea that makes you think “why didn’t anyone do this before,” which is usually a sign it’s actually good.

That said, interesting isn’t the same as ready. SynthID is still limited by its ecosystem, its closed detection infrastructure, and the fact that it can be disrupted by paraphrasing. Traditional watermarks are fragile in different ways but have the advantage of being everywhere.

The honest answer is that neither system fully solves the problem of reliably attributing AI-generated content. SynthID is a more thoughtful approach to a hard problem. Traditional watermarks are a proven but brittle tool that predates the problem they’re now being asked to solve. We’re going to need both, plus better policy and platform-level enforcement, before any of this actually works at scale.

I keep coming back to the paraphrasing vulnerability with SynthID text watermarks. It’s not a fatal flaw, but it does mean the system works best in a world where bad actors are lazy or unaware. Motivated, technically sophisticated actors can still route around it. That’s true of most watermarking systems, honestly, but it’s something to keep in mind before treating SynthID as a solved problem.

Can SynthID watermarks be removed?

For images, they’re harder to remove than traditional watermarks but not impossible. For text, significant paraphrasing can disrupt the signal. So technically yes, but it’s more work than most traditional watermarks require.

Is SynthID open source?

Parts of the research are published, and DeepMind has released some tooling, but the full detection infrastructure isn’t publicly auditable the way some traditional watermarking methods are. That matters for independent verification use cases.

Do traditional watermarks work on AI-generated images?

You can apply them after generation, yeah. But you’re just stamping a signal onto an existing image, which is exactly what these methods have always done. It doesn’t carry the same structural integration that SynthID has.

Will SynthID work across different AI platforms?

Not currently. It’s specific to Google’s generation systems. If the broader industry adopted a similar standard, that could change, but right now it’s siloed.

Which method should I use for content verification?

Depends entirely on what you’re trying to verify and where the content is coming from. If it’s from Google’s tools and SynthID detection is available to you, use it. If you’re working with content from multiple sources, you’ll need traditional metadata and watermarking standards, probably in combination with platform-level signals. There’s no single tool that covers everything right now.

We are the RGW Team, the team behind RemoveGeminiWatermark.online. We created this tool because we were fed up with that stubborn Gemini star watermark showing up on every single image we generated. After wasting too many hours trying to remove it manually in Photoshop or with clumsy cropping tricks, we decided to build a better solution.
