#Invisible Watermarks and Autoencoders

naive prism
#

Hello,
First of all, of course I'm not going to do this. It's probably illegal? I don't know and I don't want to risk it. I just want to know if it's possible at all since it's been on my mind recently.

So basically, there are things that are called invisible watermarks. You can't see them at all, and when the owner takes this through their decoder, they see the watermark there. Blurs, transformations, none of these hides the watermarks and that makes sense. This is used to prevent leaks from what I gathered. A company's video about it: https://www.youtube.com/watch?v=alhQNgYC9gA&feature=emb_title
Here's a site you can test this on: https://invisiblewatermark.net/

So here's the part I'm curious about. These should be small values added to certain color channels in a pattern given the watermark, right? Wouldn't feeding these to an autoencoder break up this hidden information? Since the added pixel values are so small (a human shouldn't be able to differentiate between them) and because the autoencoder wants to just keep the relevant information to reconstruct this, wouldn't this info be lost? But this feels way too easy and to be frank, a dumb solution. I'm pretty sure I'm missing something and I want to know.

Thank you beforehand

vivid grail
#

it can keep very encrypted ish info

#

u can perhaps look up Steganography

#

(may not even require any ai tbf)

late orbit
#

interesting question
if the watermark is robust to transformation such as blurs and other transformations, what fundamentally different operations does an autoencoder do that would eliminate the watermark?

#

I guess even if it conserves the watermark through blur, it must only apply to small levels of blur, so then probably the watermark is added multiple times at different frequencies, with an emphasis on small frequencies.
My guess is that yes, putting the image through an autoencoder probably makes the watermark fade or disappear completely because of the loss of information induced in the bottleneck that probably wipes out all high-frequency information in the original image

vivid grail
#

oh, i get what OP meant by the question now

#

they wanna remove the watermark

#

i thought they just wanted to understand how it works

naive prism
# late orbit interesting question if the watermark is robust to transformation such as blurs ...

I'm not very knowledgeable on the subject, but for the blurs I thought it would make sense: blurring itself is convolution, then probably the decoded watermark image is also blurry.
I'm really curious about how the decoder works though, it probably doesn't convolve it since the transformation still keeps the information... The free site I provided says that the watermark is found by simply checking if the color channel corresponding to it is an odd number or even number. Then it's black or white corresponding to that. That way transformations would still keep the information, but then, would the autoencoder still work?
Also can you talk a little bit more about your second point, the "watermark added multiple times at different frequencies" part? I didn't quite understand it.

late orbit
#

If you are the watermark designer, you want the watermark to be robust to different types of transformation, including crop, so right from the start, you know you will have to have redundancies in the image so that the watermark is basically everywhere.
But, as you mention, you want to have your watermark resist through some levels of blurring, but blur removes high-frequency information (details are removed).
So, if you want your watermark to survive this removal of high frequencies, you probably need to place your watermark at low frequencies too.
But low frequencies are less precise since the image is finitely sized, so I guess they put the watermark at different frequencies and overlap them all.

#

Regarding the reconstruction:
by design, the autoencoder is supposed to comprehend the "semantics" of the image and reconstruct plausible high frequencies from the semantic content of the original image. It is possible that the auto-encoder reproduces the subtle low frequencies that make up the watermark, if my hypothesis is correct. But as I said, the low frequencies allow for less information storage so I'm guessing most of the watermark is removed.

#

It also depends on if the watermark only signals a copyrighted image or if it also indicates who is the creator, in the former case more information has to be included in the image.

naive prism
#

Okay I get it now, thanks for the nice explanation.
My line of thought was also the same, but then if it's this easy to bypass it, it's weird that these invisible watermark companies still make money. Autoencoders were around since forever at this point. This is the main reason why I was and am contemplating. I'm going to guess that they are betting on people not knowing it.
Thanks for the detailed responses, learned a lot + became sure about what I thought about. I'm not going to put it into practice of course but I'm happy to know that at least in theory my line of thinking was correct.

late orbit
#

I'm guessing that most people won't think of voluntarily going through the struggle of downloading and running an auto-encoder just to remove a watermark that they probably don't even know is there in the first place

#

I was not aware of this technology before your post

#

Also note that the better the auto-encoder reconstructs the image, the better it also probably reconstructs the watermark.
You still need to degrade the image at least a little to remove the watermark completely

naive prism
#

From what I gathered while reading up on these, it's mainly used to control leaks inside a company. If these leaks can be images, for example, in games where you can just leak a character, they use this kind of technology to know who leaked. Leaker can use the autoencoder so they can never be found, was how I thought about it.
I agree that the autoencoder shouldn't be too good, you could manually end the training prematurely or maybe you can use L2 loss which results in blurry images compared to L1. Just guessing.
Regarding the degradation, I thought about it, since deep learning is computationally heavy but they are all algorithms after all. Didn't think they would help in this case. What kind of degradation would delete the watermarks in your opinion?

late orbit
#

Something that somehow decorrelates the pixels at different distances from each other.
If the watermark is indeed some kind of wave that traverses the image, you decode the watermark by looking at subtle correlations between pixels at different frequencies of distances, so if you remove these correlations, you remove the watermark.
Perhaps the most efficient way would be to find the watermark first, and then invert the phase and apply it back to the image to cancel the waves

#

If someone knows what the watermark looks like, even without having the precise parameters that were used to generate it, then I guess it is possible to estimate the most likely values of the watermark

#

Another possible solution would maybe be to add more random watermarks to the image using the same method as the original, the decoding method probably doesn't handle this well.

naive prism
#

Unfortunately how the watermark works is definitely not known to the person that will be using it, he or she will not have access to the watermark encoder and watermark decoder. But still, reading your theories is very interesting to me. Much thanks again for the replies :))

#

Now I'm curious about making an invisible watermark. Especially with some kind of wave like you mentioned. I would also learn a lot about this.

vivid grail
# late orbit If you are the watermark designer, you want the watermark to be robust to differ...

idk, there are ways to do this without redundancy (afaik) such as embedding it into the spectral information and not the image itself

#

that way, even if they crop a large part of the image, a large part of the spectral information persists and can be used for an exact match

late orbit
vivid grail
#

i dont think thats required

#

Regarding the nature of the modification, I guess the only way to have an idea of how it is done is to request a demo watermarking of an image and subtract the original image to find the added pattern.
thats a good idea

#

tho idk if it would actually help too much, since it would be hard to tell the pattern regardless

#

also, invisible watermarking seems a bit scummy, people take images off of google all the time and theres no way to know which may be watermarked until u get hit with lawsuit or something