Can AI-generated text be detected reliably?

Not reliably from the text alone. Statistical classifiers have high error rates, and any watermark survives only until the text is paraphrased or lightly edited. Treat detector output as a weak signal, never proof.

What is a statistical text watermark?

It is a method where the model subtly biases its random token choices toward a secret pattern (a green-list of tokens). A detector that knows the key can spot the statistical skew. Paraphrasing or heavy editing destroys it.

C2PA (Coalition for Content Provenance and Authenticity) is an open standard that attaches cryptographically signed metadata describing how a piece of media was created and edited. It proves provenance when present but can be stripped by re-saving or screenshotting.

SynthID is Google DeepMind's watermarking system that embeds an imperceptible signal into AI-generated images, audio and text. The signal survives many common edits better than metadata, but it is provider-specific and not universal.

Can watermarks be removed?

Yes, with effort. Metadata is trivially stripped by re-saving. Statistical text watermarks fall to paraphrasing. Robust image watermarks resist many edits but can degrade under heavy transformation, cropping or regeneration.

AI Watermark & Detection Explainer

How AI watermarking and detection actually work

As AI-generated text and images flood the web, watermarking promises a way to tell synthetic content apart from human-made. The reality is more nuanced than the headlines: some techniques are cryptographically strong, others are trivial to defeat, and text detection in particular remains unreliable. This explainer walks through the three main families of techniques — statistical watermarks, steganographic embeds and provenance metadata — with an interactive demonstration and an honest account of the limits.

How it works, by technique

Statistical text watermarks bias a model’s token sampling toward a secret “green list”. The output reads normally, but a detector holding the key can measure the skew and flag it as machine-generated. The catch: the signal is statistical, so it needs a reasonable amount of text, and paraphrasing or editing washes it out.

Steganographic / signal watermarks (for example, Google’s SynthID) embed an imperceptible pattern directly into image pixels, audio samples, or token choices. These survive more editing than metadata because the signal is part of the content itself — but they are provider-specific and degrade under heavy transformation.

Provenance metadata such as C2PA attaches a cryptographically signed record of how a file was made and edited. When present, it is strong evidence of origin. The weakness is that metadata is easily stripped — a screenshot, a re-save, or an upload that re-encodes the file removes it entirely.

The interactive demo shows a simplified statistical watermark biasing token choices, and lets you “strip” metadata to see how fragile that channel is.

Notes and limitations

Detection is not proof. Text detectors produce both false positives (flagging human writing, often disadvantaging non-native speakers) and false negatives. Never make a high-stakes decision on a detector score alone.
Provenance beats detection. A signed C2PA trail proving human origin is more useful than trying to prove AI origin after the fact.
No watermark is universal. Each scheme is tied to a provider or standard; content from a model that does not watermark carries no signal at all.
Combine signals — metadata, provider watermarks, and context — rather than relying on any single channel.