Google's SynthID system is designed to do one job: invisibly mark AI-generated images so they can be identified later, even after basic editing. A developer going by the username Aloshdenny says they've figured out how the system works from the outside - and published code on GitHub that, they claim, can both strip those watermarks from AI-generated images and inject them into regular photographs to make human-made images look AI-generated. Google says that's not what happened.
The implications of the claim, if true, would be significant in both directions. AI images could be laundered to appear human-made. Human-created images could be falsely flagged as AI-generated. Both scenarios gut the core use case of watermarking as a content authentication tool - which is the whole reason Google DeepMind built SynthID in the first place.
Google's response has been a flat denial, without a detailed technical rebuttal explaining specifically where the developer's methodology falls short.
What SynthID Embeds - and Why It's Hard to Verify
SynthID works by embedding invisible signals directly into an image's pixel data - patterns chosen to survive common editing operations like cropping, color grading, and JPEG compression. Unlike a visible watermark, you can't see it or scrape it off manually. Detection requires running the image through Google's system, which checks for the pattern.
The system is part of a broader push around AI content provenance - the idea that images, audio, and text generated by AI should carry traceable markers so platforms, publishers, and regulators can identify them. Asking people to self-disclose AI use hasn't worked. Technical watermarking has been the backup plan.
Tools like Adobe Firefly use a parallel standard called Content Credentials, which embeds metadata rather than pixel-level signals. Both approaches rest on the same assumption: that the embedding mechanism is robust enough that adversaries can't easily defeat it.
A Disputed Claim That Researchers Can Now Test
The problem with evaluating this story is that both sides are asserting without full independent verification. The developer published code. Google said it doesn't work as claimed. Neither has produced a rigorous, third-party-tested demonstration.
What the open-source release does establish is that someone studied SynthID's behavior closely enough to build tools that interact with it in some way. Whether those tools genuinely defeat the underlying watermark detection or just appear to while missing the actual signal is a question independent security researchers can now investigate. The code is on GitHub. Expect answers within days, not weeks.
This is how security research normally resolves: a researcher claims a break, the company denies it, the community tests it. SynthID may come out intact. But the fact that the claim is plausible enough to generate serious attention - and that Google's response was a denial rather than a technical explanation - is a reason to treat confidence in AI watermarking as provisional rather than settled.