←back to thread

SynthID – A tool to watermark and identify content generated through AI

(deepmind.google)
110 points jonbaer | 10 comments | 30 Aug 25 03:29 UTC | HN request time: 0.001s | source | bottom
Show context
utilize1808 ◴[30 Aug 25 08:59 UTC] No.45073112[source]
I feel this is not the scalable/right way to approach this. The right way would be for human creators to apply their own digital signatures to the original pieces they created (specialised chips on camera/in software to inject hidden pixel patterns that are verifiable). If a piece of work lacks such signature, it should be considered AI-generated by default.
replies(3): >>45073155 #>>45073302 #>>45073834 #
1. shkkmo ◴[30 Aug 25 09:10 UTC] No.45073155[source]
That seems like a horrible blow to anonymity and psuedonymity that would also empower identity thieves.
replies(3): >>45073244 #>>45073831 #>>45074209 #
2. utilize1808 ◴[30 Aug 25 09:28 UTC] No.45073244[source]
Not necessarily. It’s basically document signing with key pairs —- old tech that is known to work. It’s purpose is not to identify the individual creators, but to verify that a piece of work was created by a process/device that is not touched by AI.
replies(2): >>45073863 #>>45076968 #
3. taminka ◴[30 Aug 25 11:45 UTC] No.45073831[source]
there's very likely already some sort of fingerprinting in camera chips, à la printer yellow dot watermarks that uniquely identify a printer and a print job...
replies(1): >>45077007 #
4. BoiledCabbage ◴[30 Aug 25 11:53 UTC] No.45073863[source]
And what happens when someone uses their digital signature to sign an essay that was generated by AI?
replies(1): >>45073997 #
5. utilize1808 ◴[30 Aug 25 12:21 UTC] No.45073997{3}[source]
You can’t. It may be set up such that your advisor could sign it if they know for sure that you wrote it yourself with using AI.
replies(1): >>45074751 #
6. xpe ◴[30 Aug 25 12:51 UTC] No.45074209[source]
Maybe as the direct effect, maybe not. Also think about second order effects: how would various interests respond? The desire for privacy is strong and people will search for ways to get it.

Have you looked into kinds of mitigations that cryptography offers? I’m not an expert, but I would expect there are ways to balance some degree of anonymity with some degree of human identity verification.

Perhaps there are some experts out there who can comment?

7. akoboldfrying ◴[30 Aug 25 13:59 UTC] No.45074751{4}[source]
> You can’t.

I like the digital signature approach in general, and have argued for it before, but this is the weak link. For photos and video, this might be OK if there's a way to reliably distinguish "photos of real things" from "photos of AI images"; for plain text, you basically need a keystroke-authenticating keyboard on a computer with both internet access and copy and paste functionality securely disabled -- and then you still need an authenticating camera on the user the whole time to make sure they aren't just asking Gemini on their phone and typing its answer in.

replies(1): >>45077091 #
8. shkkmo ◴[30 Aug 25 18:36 UTC] No.45076968[source]
> It’s basically document signing with key pairs —- old tech that is known to work.

I understand the technical side of the suggestion. The social and practical side is inevitably flawed.

You need some sort of global registry of public keys. Not only does each registrar have to be trusted but you also need to both trust every single real person to protect and not misuse their keys.

Leaving aside the complete practical infeasability that, even if you accomplish it, you now have a unique identifier tied to every piece of text. There will inevitably be both legal processes to identify who produce a signed work as well as data analysis approaches to deanonamize the public keys.

The end result is pretty clearly that anyone wishing to present material that purports to be human made has to forgo anonymity/pseudonymity. Claiming otherwise is like claiming we can have a secure government backdoor for encryption.

9. shkkmo ◴[30 Aug 25 18:44 UTC] No.45077007[source]
The way those work is primarily through a combination of obscurity (most people don't know they exist) and through a lack of real finacial incentive to break them at scale.

I would also argue that those techniques do greatly reduce privacy and anonymity.

10. shkkmo ◴[30 Aug 25 18:55 UTC] No.45077091{5}[source]
> for plain text, you basically need a keystroke-authenticating keyboard on a computer with both internet access and copy and paste functionality securely disabled -- and then you still need an authenticating camera on the user the whole time to make sure they aren't just asking Gemini on their phone and typing its answer in.

Which is why I say it would destroy privacy/pseudonymity.

> For photos and video, this might be OK if there's a way to reliably distinguish "photos of real things" from "photos of AI images";

I suspect if you think about it, many of the issues with text also apply to images and videos.

You'd need a secure enclave You'd need a chain of signatures and images to allow human editing. You'd need a way of revoking the public keys of not just insecure software, but bad actors. You would need verified devices to prevent allowing AI tooling the using software to edit the image....etc.

This are only the flaws I can think of in like 5 minutes. You've created a huge incentive to break an incredibly complex system. I have no problem comfortably saying that the end result is a complete lack of privacy for most people while those with power/knowledge would still be able to circumvent it.