Contents
SynthID survives everyday editing at high rates, but the answer has two sides its makers are explicit about: re-generation removes it, and a missing mark proves nothing. Google DeepMind’s SynthID is a post-hoc neural watermark that embeds a spectral pattern into an image’s pixels rather than its metadata, which is why it behaves very differently from a file tag under ordinary handling (Gowal, Bunel & Stimberg, 2025).
What it survives
Start with what it survives, because that part is genuinely strong. Because the mark lives in the pixels, it outlives the metadata-stripping that destroys a provenance tag: re-saving, screenshotting and re-hosting remove a metadata credential but not a pixel watermark. SynthID reports a 0.1% false-positive rate on worst-case transforms, and its external SynthID-O variant exceeds 99% detection on worst-case everyday transforms and stays above 98% under combinations of them (Gowal, Bunel & Stimberg, 2025). For resizing, cropping, JPEG compression and colour adjustment, the mark is designed to remain readable, and the published numbers support that.
The contrast with metadata provenance is the point most readers miss. A C2PA credential is a signed manifest whose hard binding means, in the words of the Content Credentials Technical Whitepaper (2025), that “any changes to the asset will invalidate the Manifest”, and which “may be routinely removed or corrupted by legacy or non-Content Credential capable platforms during distribution”. SynthID sits at the opposite end. It tolerates edits that break a signed manifest, because it degrades gracefully rather than failing on the first byte change.
What removes it
Now what removes it. SynthID’s own designers name re-generation attacks as a threat, and the general research on that class is unambiguous. Zhao, Zhang & Wang (NeurIPS 2024) prove that pixel-additive watermarks are removable by generative regeneration, stripping resilient schemes’ marks while holding a PSNR of 30 dB or better. Saberi, Sadasivan & Rezaei (ICLR 2024) show diffusion purification removes low-perturbation watermarks “by applying minimal changes to images”. The standardised WAVES benchmark from An, Ding & Rabbani (ICML 2024) ranks regeneration and rinse-then-diffuse among its top attacks. The consistent finding is that ordinary edits are survivable and a deliberate regenerate-the-image step is not. So the edits that defeat SynthID are not a sharpen or a colour filter, they are operations that re-synthesise the image, and those are now a few clicks away in any diffusion tool. The one-line reading of survival is yes to editing, cropping and compression, and no to re-generation.
What the check cannot see
There is a reading error that matters more than any attack. Google’s SynthID Detector recognises the SynthID watermark, which is present only on content produced or processed by a SynthID-enabled Google model. An image generated by a non-Google tool, or a real photograph, carries no SynthID mark, so a “not detected” result is the expected outcome for the large majority of images and says nothing about whether they are AI-generated. The check answers “is this watermarked by SynthID?”, not “is this AI?”. Treating a negative as evidence of authenticity is the most common misreading, and it is wrong by construction.
The structural reason
The structural reason SynthID can be re-generated away, while some research schemes resist, is where in the pipeline the mark lives. SynthID is post-hoc: it is applied to a finished image, so a fresh generative pass can overwrite it. Tree-Ring, by contrast, hides its pattern in the initial noise latent before the image is decoded, and Wen, Kirchenbauer & Geiping (NeurIPS 2023) show it is “invariant to convolutions, crops, dilations, flips, and rotations”. This is not a reason to distrust SynthID specifically. It is the reason every post-hoc watermark shares the same fragility against regeneration, and why robustness against everyday edits and robustness against an adversary are different properties. SynthID trades some of that deep robustness for the ability to watermark at scale across many models and billions of images.
How to read it
SynthID survives editing in the sense that matters for casual use: it is not removed by cropping, compression, resizing or ordinary adjustment, and it outlives the metadata layer that a single re-encode strips (Gowal, Bunel & Stimberg, 2025), in contrast to the C2PA manifest that the whitepaper concedes is “routinely removed” on social platforms. It does not survive an adversary who regenerates the image, by its makers’ own account. And a missing SynthID watermark is not evidence of anything, because most images never had one. A SynthID hit is strong evidence the content is Google-generated. A SynthID miss is weak evidence of anything, and neither should be read past what the detector was built to certify. If your goal is the reverse, keeping your own file from being traced back to you, see can you remove SynthID from your file?.
Sources
- Gowal, Bunel, Stimberg, et al. (2025). SynthID-Image: Image Watermarking at Internet Scale. arXiv:2510.09263.
- Zhao, Zhang, Wang (2024). Invisible Image Watermarks Are Provably Removable Using Generative AI. NeurIPS.
- Saberi, Sadasivan, Rezaei (2024). Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks. ICLR.
- An, Ding, Rabbani (2024). WAVES: Benchmarking the Robustness of Image Watermarks. ICML.
- Wen, Kirchenbauer, Geiping (2023). Tree-Ring Watermarks: Fingerprints for Diffusion Images that are Invisible and Robust. NeurIPS.
- Coalition for Content Provenance and Authenticity (C2PA) (2025) Content Credentials: C2PA Technical Whitepaper. Available at: https://c2pa.org/wp-content/uploads/sites/33/2025/10/content_credentials_wp_0925.pdf (Accessed: 27 June 2026).