watermarking.media
Ownership

How leak tracing works: from a few frames or a phone photo

By The watermarking.media team
4 min read
Contents

Leak tracing works by embedding a unique per-recipient watermark in each copy and building it to survive the messy real world, so that even a fragment, a few frames of a video or a phone photo of a screen, carries enough of the redundant mark to recover the recipient’s identifier.

The basic idea

Every recipient gets a copy that looks identical but carries a different hidden identifier. Recover the identifier from a leaked file and you know which copy it came from. This is the transaction-tracking job that Cox, Miller, Bloom, Fridrich and Kalker (2008) place at the center of the watermark taxonomy, and its modern form is per-user by construction: Fernandez, Couairon and Jégou (2023) fine-tune a diffusion model’s decoder for each account, so the mark is present in every image that account generates. The whole design goal is that you should not need the pristine original or the full file to read the mark. A piece should be enough.

Surviving a phone photo or a screen recording

The hardest case is the analog hole: someone points a phone at a screen, or records audio out of a speaker, and the clean digital signal never leaves the building. A mark that only lives in exact pixel or sample values does not survive that. Marks built for recapture do.

StegaStamp is the clearest published example. Tancik, Mildenhall and Ng (2020) trained an encoder and decoder so that images can be, in their words, “printed or displayed, recaptured by a camera,” and still decoded. The system “robustly retrieves 56 bit hyperlinks after error correction,” and the authors tested it by photographing an image off an OLED cellphone screen with a separate phone camera. That is exactly the leak-from-a-screenshot scenario. On the audio and video side, the Cinavia mechanism described in Petrovic (2011) embeds its payload into “an analog host or cover signal,” so it is designed to ride through the digital-to-analog-to-digital round trip that defeats fragile marks. Cinavia is a copy-control mark rather than a per-recipient one, and that durability is Verance’s own design claim rather than an independently benchmarked result, but it illustrates the principle a leak-tracing mark needs.

Tracing from just a few frames

Recapture survival and fragment survival come from the same two tricks: redundancy and error-correcting codes. The identifier is spread across the whole image or across many frames, and it is wrapped in an error-correcting code, so only a fraction of the signal has to survive for the payload to come back clean. StegaStamp uses BCH error correcting codes to pull its 56-bit payload back after the distortions of printing and recapture (Tancik, Mildenhall and Ng 2020). Cinavia carries a low-bit-rate payload repeated over time, which is how a short recorded clip is meant to still yield the mark (Petrovic 2011).

The caveat is that reliability degrades with the fragment. Fewer frames, heavier compression, or a worse camera angle all cut the odds of a clean read. A single blurry still from a moving scene may simply be too little signal. Leak tracing gives you a probability, not a guarantee, and a good system is engineered to keep that probability high on realistic captures. A recovered mark is best treated as an investigative lead tied to distribution records: it can say a leaked fragment matches a specific issued copy, but it does not by itself prove who uploaded the file or who controlled the device.

Where leak tracing breaks down

Two things defeat it. The first is collusion. If several recipients pool their differently marked copies, they can average or splice them to attack the mark. Cox, Kilian and Leighton (1997) defined this threat precisely, warning that “existing techniques are generally not resistant to collusion attacks by multiple documents,” and it remains the central limit of per-copy tracing as the number of colluders grows.

The second is regeneration and re-encoding. Hu, Jiang and Guo (2024) showed that fine-tuning a diffusion decoder and re-encoding can strip a per-user Stable-Signature mark entirely, and Zhao, Zhang and Wang (2024) showed that generative regeneration can remove an invisible pixel-domain watermark while keeping image quality at a PSNR of at least 30 decibels. Those results do not make leak tracing useless. They set the boundary: watermarking can raise the cost of a leak and support attribution, but it does not make a file impossible to launder.

Where to go next

If the leak is an audio track, the audio-specific walkthrough is trace who leaked my track. For the definitions behind all of this, see what is forensic watermarking. Whether a file’s provenance manifest can be stripped is covered in can C2PA be removed. If your goal is the opposite, to remove or defeat a trace on your own file, see can you remove SynthID from your file?.

Sources

  • Tancik, Mildenhall and Ng (2020). StegaStamp: Invisible Hyperlinks in Physical Photographs. CVPR.
  • Petrovic (2011). Embedding and Extraction of Information Using Replica Modulation. US Patent 8,085,935.
  • Fernandez, Couairon and Jégou (2023). The Stable Signature. ICCV.
  • Cox, Miller, Bloom, Fridrich and Kalker (2008). Digital Watermarking and Steganography, Second Edition. Morgan Kaufmann.
  • Cox, Kilian and Leighton (1997). Secure Spread Spectrum Watermarking for Multimedia. IEEE Transactions on Image Processing.
  • Hu, Jiang and Guo (2024). Stable Signature is Unstable.
  • Zhao, Zhang and Wang (2024). Invisible Image Watermarks Are Provably Removable Using Generative AI. NeurIPS.
#leak-tracing#forensic-watermarking#analog-hole#traitor-tracing