Contents
Content watermarks work as a probabilistic signal inside a narrow envelope, and they fail as a tamper-proof seal. That is the finding across the peer-reviewed record for the three systems most people actually meet: Google DeepMind’s SynthID for images, the C2PA Content Credentials standard for provenance, and Meta’s AudioSeal for speech. Each proves something real. None survives an adversary who wants the mark gone. This review reads the published evidence for each, asking what it proves, where it holds, and where the research shows it breaking.
Two different things called a watermark
A watermark and a provenance manifest are not the same mechanism, and they fail under opposite conditions. A manifest such as C2PA is structured metadata cryptographically bound to the file. A watermark such as SynthID or AudioSeal is a signal hidden in the pixels or the audio samples themselves. The manifest is precise but brittle, the watermark approximate but harder to wash off. Reviewing a deployment means first knowing which of the two is in front of you.
SynthID: a scale deterrent, not a lock
SynthID is a post-hoc neural watermark that embeds a spectral pattern carrying a 136-bit payload, read by a conformal p-value test that gives distribution-free false-positive control (Gowal, Bunel & Stimberg, 2025). Inside its design envelope the numbers are strong: the paper reports a 0.1% false-positive rate on worst-case transforms, and an external SynthID-O variant that exceeds 99% detection on worst-case everyday transforms and stays above 98% under combinations of them (Gowal, Bunel & Stimberg, 2025). The framing matters as much as the numbers. Google DeepMind states the goal as making black-box attacks “computationally infeasible at scale”, not defeating “a determined white-box adversary”, and the same paper names re-generation attacks as a threat. The system “has been used to watermark over ten billion images and video frames” across Google’s services, so these are deployment numbers, not lab-only ones. SynthID survives ordinary handling and deters at population scale. It is not a seal against someone determined to strip it.
C2PA: real tamper-evidence, easily stripped
C2PA takes the opposite approach. It is container-level provenance, not a pixel signal: a signed manifest binding a SHA-256 content hash and an x509 signature inside the file, backed by Adobe, Microsoft and OpenAI. Its strength is genuine tamper-evidence. The Content Credentials Technical Whitepaper (2025) describes a hard binding tied to the asset so that “any changes to the asset will invalidate the Manifest”. That same strictness is its weakness for everyday use. The whitepaper concedes the credential “may be routinely removed or corrupted by legacy or non-Content Credential capable platforms during distribution”, and that this is “common, for example, on social media platforms”. C2PA proves who signed an untouched file, and says nothing once a platform re-encodes the pixels. Its own answer, Durable Content Credentials, falls back to a watermark to re-find a stripped manifest, which moves the reliability question onto the watermark layer below.
AudioSeal: holds against handling, falls to re-synthesis
AudioSeal is Meta’s watermark for speech, described by San Roman, Fernandez & Elsahar (ICML 2024) as “the first audio watermarking technique designed specifically for localized detection of AI-generated speech”. It carries a 16-bit payload with a two-head detector that localises a mark to a single sample. It holds against ordinary audio handling and fails against re-synthesis. Yao, Huang & Wang (AAAI 2026) report a single overwriting attack, re-embedding a forged mark over the original, driving AudioSeal, WavMark and TimbreWatermarking to a “nearly 100% attack success rate” across white-box, gray-box and black-box settings in their own tests, concluding that surrogate embedders converge on the same strategy so model secrecy provides no security. That figure, and the neural-codec and scheme-blind results beside it, are each source paper’s own reported result, not independently replicated. The benchmark picture agrees: neural-codec round-trips through EnCodec or DAC drive AudioSeal’s bit-error rate to 98% or higher (Liu, Guo & Jiang, NeurIPS 2024), while classical MP3 inside the training envelope survives. O’Reilly, Pardo & Jin (ICLR 2025 Workshop) generalise it, showing state-of-the-art post-hoc audio watermarks can be removed “with no knowledge of the watermarking scheme and minimal degradation in audio quality”. So “survives MP3” is not the same claim as “survives re-encoding”.
Where the research says they break
The image side tells the same story from a different angle. Zhao, Zhang & Wang (NeurIPS 2024) prove pixel-additive watermarks are removable by generative regeneration, and empirically strip more than 99% of resilient schemes’ marks with a variational-autoencoder-plus-diffusion round-trip while holding quality at a PSNR of 30 dB or better. The WAVES benchmark, built by An, Ding & Rabbani (ICML 2024) because earlier numbers used “inconsistent image quality measures, statistical parameters, and types of attacks” that gave “an incomplete picture”, ranks regeneration and rinse-then-diffuse among the top attacks even against latent schemes. The one structural exception is Tree-Ring, which embeds the mark in the initial noise latent before decoding. Wen, Kirchenbauer & Geiping (NeurIPS 2023) call it “far more robust than watermarking alternatives that are currently deployed” and report a 0.974 detection rate averaged over attacks. Even that robustness is mostly to same-model round-trips, and WAVES still ranks regeneration among the strongest attacks against it.
The verdict
So do content watermarks work? For their honest job, they do. A watermark or a signed credential is a reliable signal that ordinary handling leaves in place, useful for soft flagging and for provenance on files that were not re-processed. For the job people imagine, a mark that survives someone who wants it gone, the evidence is consistent across image and audio: they do not. The reliable reading is probabilistic. A detected mark is real evidence. A missing mark proves nothing, because removal is cheap and, in the pixel-additive case, provable. Watermarking is a layer in an evidence stack, strong against casual handling and weak against a motivated remover, and it should be weighed as exactly that.
Sources
- Gowal, Bunel, Stimberg, et al. (2025). SynthID-Image: Image Watermarking at Internet Scale. arXiv:2510.09263.
- Coalition for Content Provenance and Authenticity (C2PA) (2025) Content Credentials: C2PA Technical Whitepaper. Available at: https://c2pa.org/wp-content/uploads/sites/33/2025/10/content_credentials_wp_0925.pdf (Accessed: 26 June 2026).
- San Roman, Fernandez, Elsahar (2024). Proactive Detection of Voice Cloning with Localized Watermarking. ICML.
- Yao, Huang, Wang (2025). Yours or Mine? Overwriting Attacks Against Neural Audio Watermarking. AAAI 2026.
- Liu, Guo, Jiang (2024). AudioMarkBench: Benchmarking Robustness of Audio Watermarking. NeurIPS Datasets and Benchmarks.
- O’Reilly, Pardo, Jin (2025). Deep Audio Watermarks are Shallow: Limitations of Post-Hoc Watermarking Techniques for Speech. ICLR Workshop.
- Zhao, Zhang, Wang (2024). Invisible Image Watermarks Are Provably Removable Using Generative AI. NeurIPS.
- An, Ding, Rabbani (2024). WAVES: Benchmarking the Robustness of Image Watermarks. ICML.
- Wen, Kirchenbauer, Geiping (2023). Tree-Ring Watermarks: Fingerprints for Diffusion Images that are Invisible and Robust. NeurIPS.