AI / LLM

SynthID: How Google Watermarks AI Content

13 min readAILLM

A team ships a generative AI product in 2024. Within weeks, screenshots of its output circulate with no obvious way to tell what is real and what is not. Provenance becomes everyone's problem at once: regulators, publishers, courts, and the engineering team that shipped the model.

SynthID is Google DeepMind's answer to that problem. It is not a detector that guesses whether arbitrary content is AI-generated. It is a watermark embedded at generation time by Google's own models, and read back by a matching detector. As of Google I/O 2025, more than 10 billion pieces of content carry the signal, the text version is open source on Hugging Face, and a public detector portal is rolling out to journalists and researchers.

This article walks through what SynthID actually does, how the text version works in detail (it is genuinely clever), where each modality lives today, and the limitations the academic literature has been clear about. The intention is to understand the system, not to grade it.

What SynthID is

SynthID is a family of invisible, in-content watermarks. Same name, four different algorithms, one detector portal.

  • SynthID-Image perturbs pixels in the spatial frequency domain at generation time.
  • SynthID-Audio embeds a watermark in the spectrogram of generated audio, in regions humans cannot hear.
  • SynthID-Video applies the image watermark to every frame of a generated video.
  • SynthID-Text biases the LLM's token sampling toward a key-seeded pseudo-random pattern.

The unifying property: the watermark is in the content itself, not in the metadata. Cropping, screenshotting, lossy compression, and mild edits, the standard things that strip a C2PA manifest on upload to a social platform, do not destroy the signal within the limits the literature has established.

The detector returns one of three states: watermarked, possibly watermarked, or not watermarked. Crucially, "not watermarked" does not mean "human-made." It only means "no SynthID signature was found." If the content came from OpenAI, Midjourney, Black Forest Labs, or a locally finetuned Llama, SynthID has nothing to say about it.

Timeline

Date Event
Aug 2023 Launch on Vertex AI for Imagen. Image-only, beta.
Nov 2023 Audio support added with the Lyria music model.
Feb 2024 Google joins the C2PA steering committee.
May 2024 I/O 2024: text (Gemini) and video (Veo) added. Open-source SynthID-Text announced.
Oct 2024 Nature paper published; Hugging Face Transformers v4.46 integration shipped.
May 2025 I/O 2025: SynthID Detector portal launched. Veo 3, Imagen 4, Lyria 2 watermarked by default. Over 10 billion pieces of content marked.
Oct 2025 SynthID-Image paper posted to arXiv.
Feb 2026 Lyria 3 launches in Gemini with SynthID.

Two things are worth noticing about the trajectory. First, SynthID started as a Vertex AI feature, became a default on every consumer Google generative product, and ended up open source in one modality. Second, Google's framing has steadily moved from "we have launched a watermark" toward "this is one layer in a larger provenance stack." The C2PA membership and the explicit pairing with Content Credentials are the architectural admission.

How SynthID-Text actually works

The text version is the most technically interesting piece and the only one with a peer-reviewed paper, so it earns the longest section.

The setting

An LLM generates text one token at a time. At each step, the model produces a probability distribution P_LM over the vocabulary, and a sampler picks a token. SynthID-Text replaces the sampler. Nothing about training, the logits, or the temperature changes.

Tournament sampling

flowchart TD
    LM[LLM step t produces P_LM] --> CAND[Candidate tokens drawn from P_LM]
    CAND --> L1[Layer 1: pairwise g-value compare]
    L1 --> L2[Layer 2: winners advance]
    L2 --> Lm[Layer m: final winner]
    Lm --> OUT[Emit token]
    K[Watermark key plus rolling context] -.PRF.-> L1
    K -.PRF.-> L2
    K -.PRF.-> Lm

At each generation step, candidate tokens compete in m layers of pseudo-random elimination. The winner at each layer is decided by a g-value: a Bernoulli(0.5) bit produced by a pseudo-random function seeded by three things.

  • A secret watermarking key, a list of integers, one per layer. The open-source release uses around 30.
  • The candidate token id.
  • A rolling context of the previous few tokens (the default is the previous four).

Each layer pairs candidates and advances the one with the higher g-value at that layer. After m layers, one token is emitted.

The key property is in the marginals. Because candidates are drawn i.i.d. from P_LM and each layer only re-orders i.i.d. samples, the expected marginal distribution of the emitted token equals P_LM. There is no logit perturbation. The model never knows the watermark is happening.

Across many tokens, though, the emitted sequence is systematically enriched in tokens with high g-values for that specific (key, context) seed. The detector knows the key, computes the same g-values, and checks whether the sequence's g-values are higher than chance.

Detection

Detection is just statistical scoring, with no LLM inference required. The detector:

  1. Receives the candidate text and the watermarking key.
  2. Recomputes g-values for every token using the same PRF.
  3. Averages those g-values (mean detector) or runs them through a small learned classifier (Bayesian detector).
  4. Returns one of three states based on configurable thresholds.

The Nature paper reports TPR around 85% at FPR = 1% on 400-token outputs from Gemma 7B-IT with m = 30, roughly 12 points above the prior state of the art. AUC approaches 1.0 on the standard 200-token benchmark.

The cost on the generation side is small: plus 0.57% latency on Gemma 7B-IT with the 30-layer tournament, after integration with speculative decoding. On the detection side it is effectively free: a server can scan billions of strings with just a hashing PRF and a tiny classifier.

Why distortion-free matters

Earlier text-watermarking schemes shifted the model's distribution. Kirchenbauer et al. at Maryland (2023) split the vocabulary into "green" and "red" lists and add a fixed bias delta to green-list logits. That works, but it provably reduces output quality on tasks where the right answer is rigid (factual short answers, code).

SynthID-Text is distortion-free in expectation at the per-token marginal: the emitted token is statistically indistinguishable from a normal P_LM sample. Google ran a live A/B test on roughly 20 million Gemini conversations comparing watermarked and unwatermarked responses; there was no statistically significant difference in user ratings (thumbs-up rate, smaller-panel quality scores). This is why Gemini users did not notice anything change when the watermark was switched on.

The paper offers a distortionary mode too, where candidates are drawn differently to produce a stronger signal at the cost of measurable distribution drift. Most production traffic stays in the non-distortionary regime.

Open source

The reference implementation lives at google-deepmind/synthid-text. The production-friendly integration is in Hugging Face Transformers v4.46.0 and later.

from transformers import (
    AutoModelForCausalLM,
    AutoTokenizer,
    SynthIDTextWatermarkingConfig,
)

tokenizer = AutoTokenizer.from_pretrained("google/gemma-7b-it")
model = AutoModelForCausalLM.from_pretrained("google/gemma-7b-it")

watermarking_config = SynthIDTextWatermarkingConfig(
    keys=[654, 400, 836, 123, 340, 443, 597, 160, 57, 178, 401, 902, ...],
    ngram_len=5,
)

prompts = tokenizer(["Tell me a story."], return_tensors="pt", padding=True)
out = model.generate(
    **prompts,
    watermarking_config=watermarking_config,
    do_sample=True,
)
print(tokenizer.batch_decode(out, skip_special_tokens=True))

A separate BayesianDetectorModel ships with an end-to-end training script. A hosted demo is at huggingface.co/spaces/google/synthid-text.

How the non-text modalities work

SynthID-Image

Two networks trained jointly. An embedder perturbs the pixels of a generated image. A detector reads the perturbation back. The signal is spread across the spatial-frequency domain rather than the least-significant bits or the metadata; that design choice is what makes it survive JPEG compression, Instagram filters, color grading, screenshots, and moderate crops.

The detector is trained adversarially against common removal attempts, so attacks that try to strip the watermark tend to also degrade the image visibly. The October 2025 arXiv paper (Gowal et al.) documents a 136-bit payload at 512x512 resolution and robustness across roughly 30 transformations.

The model weights and code are proprietary. Only SynthID-Text is open sourced.

SynthID-Audio

The audio model converts a generated waveform to a spectrogram, embeds the watermark in spectrogram values inside psychoacoustic masking regions (frequencies the ear is least sensitive to at that moment), then inverts back to a waveform. The result is mathematically present but inaudible.

It survives MP3 encoding, additive noise, tempo and speed changes, and partial clipping. The detector reports which segments of the audio carry the watermark, useful when only part of a track is AI-generated.

In production, SynthID-Audio runs on Lyria 2 and Lyria 3, MusicFX, and NotebookLM Audio Overviews. It applies to both AI-generated music and AI-generated speech in Google's first-party products. The model is proprietary.

SynthID-Video

Despite Google's framing about "building on image and audio," SynthID-Video is the image watermark applied per frame. Each frame carries the full image-domain signal, so any retained frame is detectable; the detector aggregates across frames to localize the watermark temporally (which seconds of a clip are watermarked).

That choice makes the system robust to lossy video re-encoding (H.264 / H.265), frame-rate changes, screen recording, and frame extraction. The corollary: heavy stylization or content-aware warping degrades the watermark the same way it degrades the underlying image watermark.

Veo 3, announced at I/O 2025, additionally carries a visible "Veo" watermark in the lower right corner. Google's framing of the visible mark is a "first step" while the detector portal is still gated.

The SynthID Detector portal

Announced at Google I/O 2025, the SynthID Detector is a web portal where a user uploads a file and the system reports whether it carries a Google SynthID watermark, and which regions of the content do.

  • All four modalities are supported; image and audio at launch, text and video shortly after.
  • Three-state output: watermarked, possibly watermarked, not watermarked.
  • Waitlist-gated access for journalists, fact-checkers, media professionals, and academic researchers. Reported approval times are two to fourteen days.
  • A partnership with GetReal Security integrates SynthID detection alongside other deepfake-forensic signals.

The most important sentence Google publishes about the portal: "not watermarked" does not mean "human-made." It only means "no Google signature found." SynthID has nothing to say about non-Google outputs.

Limitations

The academic literature is unusually clear on this. Five concrete failure modes are worth knowing.

1. Strong paraphrasing breaks text watermarks

Zhang et al. (Watermarks in the Sand, ICML 2024) proved an impossibility result: under reasonable assumptions, no watermarking scheme survives a computationally bounded attacker armed with a quality oracle (another LLM). Empirically, detection rates of state-of-the-art schemes drop below 0.3 after a single GPT paraphrasing pass. Independent SynthID-Text robustness studies (arXiv 2508.20228) confirm the pattern: back-translation and full paraphrasing degrade detection significantly.

2. Watermarks can be stolen and forged

Jovanović, Staab, Vechev (Watermark Stealing in LLMs, ICML 2024) reverse-engineered state-of-the-art watermarks by querying APIs. They reported roughly 80% spoofing success and 85% scrubbing success for under $50 in API calls. The forging side is the more dangerous one: an attacker can frame human-written disinformation as "SynthID-verified Gemini output."

3. Image watermarks fall to UnMarker

Kassis and Hengartner (UnMarker, IEEE S&P 2025) demonstrated a universal black-box spectral attack that removes roughly 79% of SynthID image watermarks without access to the detector or knowledge of the scheme. The structural argument: any robust invisible watermark must embed energy in predictable spectral bands; a generic spectral attack will eventually find them.

4. Single-vendor coverage

SynthID only marks Google output. Llama, Qwen, DeepSeek, Stable Diffusion, Midjourney, ElevenLabs, Black Forest Labs: none of them carry SynthID. Open-source models give attackers white-box access to the decoding process, so even if a watermark were applied to an open-source model, the attacker could simply disable it. This is the existential limitation of any single-vendor scheme.

5. Low-entropy content has nowhere to hide a watermark

The Nature paper is explicit. When the model is near-deterministic, "The capital of France is Paris," code with one correct completion, short factual answers, there is no probability mass for the tournament to exploit. SynthID-Text drops the watermark on these tokens. Which is exactly the high-stakes case (medical, legal, news) where provenance matters most.

The analogous failure for SynthID-Image is low-information regions: pixel art, line drawings, near-uniform images. Less detail, less room for spectral perturbation.

The honest framing

Even Scott Aaronson, who designed OpenAI's earlier text watermark, calls watermarking an "endless cat-and-mouse game" (Shtetl-Optimized, Feb 2024). OpenAI declined to ship his version; the Wall Street Journal reported in August 2024 that internal data suggested watermarking reduced ChatGPT engagement by around 30% in user surveys. Google's choice to ship SynthID is partly an architectural one (it is genuinely lower-distortion than the alternatives) and partly a strategic one (regulatory and reputational pressure under the July 2023 White House commitments and the EU AI Act).

The strongest case against watermarking-as-the-solution: it is mathematically fragile (paraphrasing), operationally fragile (stealing and forging), structurally fragile (single-vendor), and politically dangerous. The political risk is the liar's dividend: once the public believes watermarks exist, authentic content can be dismissed as "probably AI," and spoofed watermarks carry false authority. The Nature editorial accompanying the SynthID paper put it directly: "AI watermarking must be watertight to be effective."

SynthID and C2PA: the layered stack

Two systems get conflated. They solve different problems.

flowchart TD
    GEN[Google generative model] --> SID[SynthID embedder]
    GEN --> C2P[C2PA manifest signer]
    SID --> CONTENT[Output: pixels, audio, text, frames]
    C2P --> META[Signed metadata sidecar]
    CONTENT --> NET[Open internet]
    META -.often stripped on upload.-> NET
    NET --> DETSID[SynthID Detector]
    NET --> DETC2P[C2PA verifier]
    NET --> CLF[Classifier-based detectors]
    DETSID --> JURY[Provenance verdict]
    DETC2P --> JURY
    CLF --> JURY
SynthID C2PA Content Credentials
What it is Invisible signal in the content Cryptographically signed metadata manifest
Lives where In the pixels, spectrogram, or token distribution In a sidecar or EXIF-like attachment
Survives stripping Yes (it is the content) No (most social platforms strip metadata)
Survives heavy editing No (paraphrase, stylize, regenerate) Invalidated by edits, can be re-signed
Cryptographic guarantees No (statistical) Yes (PKI-signed)
Cross-vendor coverage No (Google only) Yes (Adobe, OpenAI, Microsoft, Sony, BBC)
Primary failure mode Erodes under edits and paraphrase Stripped on upload

Google joined the C2PA steering committee in February 2024. The two systems are explicitly complementary: SynthID handles "the content was edited but the signal survives." C2PA handles "the content has a verifiable origin if the manifest is intact." Production provenance pipelines combine both, plus classifier-based detectors, plus visible labels.

The EU AI Act, Article 50, requires generative AI providers to mark outputs in a machine-readable format that is "effective, interoperable, robust and reliable." The European Commission's 2026 Code of Practice explicitly says no single technique meets all four criteria. The legal answer is the multilayered stack, not SynthID alone.

The shape of the recommendation

Three takeaways for someone building or evaluating an AI product in 2026.

  • Use SynthID where it is free and default. If you generate with Google models (Gemini, Imagen, Veo, Lyria) on the consumer apps or Vertex AI, every output is already watermarked. There is no integration cost. The watermark is one piece of evidence in your provenance pipeline.
  • Do not rely on it as a deepfake detector. SynthID identifies Google content, not "AI content." A regulator, journalist, or product surface that interprets "not watermarked" as "human-made" is making a mistake the system was never designed to support.
  • Pair invisible watermarks with cryptographic metadata. C2PA signed manifests, SynthID invisible signal, classifier-based detectors, visible labels for high-stakes surfaces. The watermark covers the case where metadata is stripped; the metadata covers the case where the content is heavily edited.

The technically interesting part of SynthID is the algorithm. Tournament sampling is genuinely elegant: a watermark that does not move the model's marginal distribution and that can be detected without running the model. The honest part is the framing. This is one layer in a stack, not the solution. The trajectory of Google's own messaging, from "we launched a watermark" in 2023 to "we are a C2PA member integrating multiple signals" in 2026, is the most accurate summary of where the field actually is.

References and Good Reads

Primary sources

Implementation

Attack and limitation literature

Standards and governance

Critical commentary

synthidwatermarkingprovenanceai-safetydeepfakesc2pageminiimagenveolyriaaillm
← Back to all posts