[HN Gopher] Watermark Anything
___________________________________________________________________
Watermark Anything
Author : zerojames
Score : 117 points
Date : 2024-11-12 08:08 UTC (1 day ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| turbocon wrote:
| Is this a big deal? I'm a layman here so this seems like a needed
| product but I have a feeling I'm missing something.
| clueless wrote:
| this is one of the primary communication methods of overseas
| agents in the CIA; interesting to see it used more broadly
| </joke>
| bagels wrote:
| Do you have a source? I'd be interested in reading more about
| this.
| edm0nd wrote:
| of course not, check their username.
| cozmorado wrote:
| It's a form of Steganography
| https://en.wikipedia.org/wiki/Steganography
| mintplant wrote:
| My assumption is that this will be used to watermark images
| coming out of cloud-based generative AI.
| jsheard wrote:
| And they'll say it's to combat disinformation, but it'll
| actually be to help themselves filter AI generated content
| out of new AI training datasets so their models don't get
| Habsburg'd.
| muppetman wrote:
| I wondered why they'd be doing this NOW and this makes
| perfect sense!!
| Y_Y wrote:
| > their models don't get Habsburg'd.
|
| You mean develop a magnificent jawline, or continue to
| influence Austrian politics?
| Animats wrote:
| Why? Those are not copyrightable.
| xd1936 wrote:
| Because downstream consumers of the media might want to
| know if an image has been created or manipulated by AI
| tools.
| Jerrrrrrry wrote:
| hardware self-evident modules to essentially sign/color
| all digital files
|
| now we need more noise
| Moru wrote:
| They would not want to train their next model on the output
| of the previous one...
| Jach wrote:
| Various previous attempts at invisible/imperceptible/mostly
| imperceptible watermarking have been trivially defeated; this
| attempt claims to be more robust to various kinds of edits.
| (From the paper: various geometric edits like rotations or
| crops, various valuemetric edits like blurs or brightness
| changes, and various splicing edits like cutting parts of the
| image into a new one or inpainting.) Invisible watermarking is
| useful for tracing origins of content. That might be copyright
| information, or AI service information, or photoshop
| information, or unique ID information to trace leakers of video
| game demos / films, or (until the local hardware key is
| extracted) a form of proof that an image came from a particular
| camera...
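|
| Very roughly, the kind of robustness check the paper describes
| looks like this (a minimal sketch assuming a PIL image and a
| hypothetical extract_message() decoder, not the repo's actual
| API):
|
|     from PIL import ImageFilter, ImageEnhance
|
|     def survives_edits(img, bits, extract_message):
|         # bits: the embedded message, e.g. a list of 0/1 ints.
|         # Apply a few of the edits the paper evaluates against
|         # and check whether the message still decodes.
|         edits = {
|             # geometric
|             "crop": img.crop((0, 0, img.width // 2, img.height // 2)),
|             "rotate": img.rotate(15, expand=True),
|             # valuemetric
|             "blur": img.filter(ImageFilter.GaussianBlur(radius=2)),
|             "bright": ImageEnhance.Brightness(img).enhance(1.5),
|         }
|         return {name: extract_message(e) == bits
|                 for name, e in edits.items()}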
| mananaysiempre wrote:
| ... Ideal for a repressive government or just a mildly
| corrupt government agency / corporate body to use to identify
| defectors, leakers, whistleblowers, or other dissidents.
| (Digital image sensors effectively already mark their output
| due to randomness of semiconductor manufacturing, and that
| has already been used by abovementioned actors for the
| abovementioned purposes. But that at least is difficult.)
| Tell me with a straight face that a culture that produced
| Chat Control or attempted to track forwarding chains of chat
| messages[1] won't mandate device-unique watermarks kept on
| file by the communications regulator. And those are the more
| liberal governments by today's standards.
|
| I'm surprised how eager people are to build this kind of
| tech. It was quite a scandal (if ultimately a fruitless one)
| when it came out colour printers marked their output with
| unique identifiers; and now that generative AI is a thing
| stuff like TFA is seen as virtuous somehow. Can we maybe not
| forget about humans?..
|
| [1] I don't remember where I read about the latter or which
| country it was about--maybe India?
| baltimore wrote:
| > ... for a repressive government ...
|
| Why shouldn't a virtuous and transparent government (should
| one materialize somehow, somewhere) be interested in
| identifying leakers?
| Jerrrrrrry wrote:
| Both can be true! This is essentially a "making it easier to
| do [x]" argument, which is itself essentially security
| through obscurity.
|
| It was always possible to watermark everything: any
| nearly-imperceptible bit can be used to encode data that
| can be used overtly.
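|
| A classic least-significant-bit version of that point, in
| plain numpy and purely illustrative; this naive scheme is
| destroyed by any re-encoding or resize, which is exactly
| what work like TFA tries to be robust against:
|
|     import numpy as np
|
|     def embed_lsb(pixels, bits):
|         # Overwrite the lowest bit of the first len(bits)
|         # bytes with the message bits (pixels: uint8 array).
|         flat = pixels.flatten()          # returns a copy
|         flat[:len(bits)] = (flat[:len(bits)] & 0xFE) | bits
|         return flat.reshape(pixels.shape)
|
|     def extract_lsb(pixels, n):
|         return pixels.flatten()[:n] & 1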
|
| Now enabling everyone everywhere to do it and integrate
| it may have second-order effects that are the opposite of
| one's intention.
|
| It is a very convenient thing for no one to trust what
| they can see. Unless it was Validated (D) by the Gubmint
| (R), it is inscrutable and unfalsifiable.
| palata wrote:
| The parent comment says that it has dangerous use-cases,
| not that it does not have desirable ones.
| mananaysiempre wrote:
| That's like asking why a fair and just executive
| shouldn't be interested in eliminating the overhead of an
| independent judiciary. Synchronically, it should.
| Diachronically, that's one of the things that ensures
| that it _remains_ fair and just. Similarly for
| transparency and leakers, though we usually call those
| leakers "sources speaking on condition of anonymity" or
| some such. (It does mean that the continued transparency
| of a modern democratic government depends on people's
| continued perpetration of--for the most part--mildly
| illegal acts. Make of that what you will.)
| willcipriano wrote:
| If they are transparent, what is leaking?
| Jach wrote:
| I stopped myself from making the printer analogy, but of
| course it's relevant, as is the fact that few seem to care.
| I personally hope some group strikes back to sanitize
| images watermarked this way, with no more difficulty than
| removing exif data.
| wkirby wrote:
| Link to the paper in the README is broken. I _believe_ this is
| the correct link to the referenced paper:
| https://arxiv.org/abs/2411.07231
| Jaxan wrote:
| There is some nice information in the appendix, like:
|
| "One training with a schedule similar to the one reported in
| the paper represents ≈ 30 GPU-days. We also roughly estimate
| that the total GPU-days used for running all our experiments to
| 5000, or ≈ 120k GPU-hours. This amounts to total emissions in
| the order of 20 tons of CO2eq."
|
| I am not in AI at all, so I have no clue how bad this is. But
| it's nice to have some idea of what the costs of such projects are.
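|
| (For scale, using just the numbers quoted: 5000 GPU-days x 24
| = 120,000 GPU-hours, and 20 t CO2eq / 120k GPU-hours works out
| to roughly 0.17 kg CO2eq per GPU-hour of compute.)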
| svilen_dobrev wrote:
| so say I have a site with 3000 images, 2M pixels each. How
| many GPU-months would it take to mark them? And how many
| gigabytes would I have to keep for the model?
| hnuser123456 wrote:
| That amount of compute was used for training. For inference
| (applying the watermarks), hopefully no more than a few
| seconds per image.
|
| Llama 3 70B took 6.4M GPU hours to train, emitting 1900
| tons of CO2 equivalent.
| Jaxan wrote:
| Thanks! I was not at all aware of the scale of training!
| To me those are crazy amounts of gpu time and resources.
| pierrefdz wrote:
| The amounts of gpu time in the paper are for all
| experiments, not just training the last model that is OSS
| (which is usually reported). People don't just oneshot
| the final model.
| GaggiX wrote:
| The embedder is only 1.1M parameters, so it should run
| extremely fast.
| pierrefdz wrote:
| Yes, although the number of parameters is not directly
| linked to the FLOPs/speed of inference. What's nice
| about this AE architecture is that most of the compute
| (message embedding and merging) is done at low
| resolution, the same idea as behind latent diffusion models.
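|
| A toy illustration of that point (PyTorch, nothing from the
| repo itself): a conv layer has the same parameter count at any
| input resolution, but its FLOPs scale with the number of
| pixels, so running the embedding at 1/4 resolution cuts the
| compute by roughly 16x.
|
|     import torch
|     import torch.nn as nn
|     import torch.nn.functional as F
|
|     conv = nn.Conv2d(64, 64, kernel_size=3, padding=1)
|     params = sum(p.numel() for p in conv.parameters())  # ~37k
|
|     full = torch.randn(1, 64, 1024, 1024)
|     low = F.interpolate(full, scale_factor=0.25)  # 256x256
|
|     # FLOPs of a 3x3 conv ~ 2 * 9 * C_in * C_out * H * W
|     flops = lambda x: 2 * 9 * 64 * 64 * x.shape[2] * x.shape[3]
|     print(params, flops(full) / flops(low))  # ratio = 16.0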
| azinman2 wrote:
| It's very interesting this is gpu time based because:
|
| 1. Different energy sources produce varying amounts of co2
|
| 2. This likely does not include co2 to make the GPUs or
| machines
|
| 3. Humans involved are not added to this at all, and all of
| the impact they have on the environment
|
| 4. No ability to predict future co2 from using this work.
|
| Also, if it really matters, then why do it at all? If we're
| saying hey, this is destroying the environment and we care,
| then maybe don't do that work?
| TeMPOraL wrote:
| > _1. Different energy sources produce varying amounts of co2_
|
| Yes.
|
| > _2. This likely does not include co2 to make the GPUs or
| machines_
|
| Definitely not, nobody does that.
|
| Wish they did; in general I feel like a lot of beliefs
| around sustainability and environmentalism are wrong or
| backwards precisely because embodied energy is discounted;
| see e.g. stats on western nations getting cleaner, where a
| large - if not primary - driver of improved stats is just
| outsourcing manufacturing, so emissions are attributed to
| someone else.
|
| Anyway, embodied energy isn't particularly useful here.
| Energy embodied in GPUs and machines amortizes over their
| lifetimes and should be counted against all the things
| those GPUs did, do and will do, of which the training in
| question is just a small part. Not including it isolates
| the analysis to contributions from the specific task per
| se, and makes the results applicable to different
| hardware/scenarios.
|
| > _3. Humans involved are not added to this at all, and all
| of the impact they have on the environment_
|
| This metric is so ill-defined as to be arbitrary. Even more
| so in conjunction with 2, as you could plausibly include
| a million people in it.
|
| > _4. No ability to predict future co2 from using this
| work._
|
| Total, no. Contribution of compute alone given similar GPU-
| hours per ton of CO2eq, yes.
| _Algernon_ wrote:
| >Definitely not, nobody does that.
|
| Except every proper Life-cycle assessment on carbon
| emissions ever.
| Jerrrrrrry wrote:
| >proper
|
| That word is doing No-True-Scotsman lifting when the point was
| that these things are not considered, or are treated as
| "externalities"
| albumen wrote:
| not sure how that invalidates Algernon's point. These
| things should be considered, and are in a lot of LCAs.
| Jerrrrrrry wrote:
| >should be considered, and are
|
| Not as much as they should be, was his point. Saying
| something is not proper is the No True Scotsman fallacy.
| pierrefdz wrote:
| 1. Yes, this is the default co2 eq / watts from the tool
| that is cited in the paper, but it's actually very hard to
| know the source of energy that powers the cluster, so the
| numbers are only an order of magnitude rather than "real"
| numbers.
|
| 2 & 4. I found that
| https://huggingface.co/blog/sasha/ai-environment-primer
| gives a good broad overview (not only of the co2 eq, which
| is limited imo) of AI environmental impact.
|
| > Also, if it really matters, then why do it at all? If
| we're saying hey, this is destroying the environment and we
| care, then maybe don't do that work?
|
| Although it may not be the best way to quantify it, it gives
| a good overview. I would argue that it matters a lot to
| quantify and popularize the idea of such sections in any
| experimental ML papers (and should in my opinion be the
| default, as it is now for the reproducibility statement and
| ethical statement). People don't really know what an AI
| experiment represents. It may seem very abstract since
| everything happens in the "cloud", but it is pretty much
| physical: the clusters, the water consumption, the energy.
| And as someone who works in AI, I believe it's important to
| know what this represents, which these kinds of sections
| show clearly. It was the same in the DINOv2 paper or in the
| Llama paper.
| barbazoo wrote:
| > This amounts to total emissions in the order of 20 tons of
| CO2eq.
|
| That's about 33 economy class roundtrip flights from LAX to
| JFK.
|
| https://www.icao.int/environmental-
| protection/Carbonoffset/P...
| kube-system wrote:
| 33 seats on a flight maybe. It's about one passenger
| aircraft flight, one way.
| Onavo wrote:
| What if the watermark becomes a latent variable that's indirectly
| learnt by a subsequent model trained on its generated data? They
| will have to constantly vary the mark to keep it up to date. Are
| we going to see a Merkle tree watermark database like we see for
| certificate transparency? YC, here's your new startup idea.
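|
| A minimal sketch of what logging marks in a Merkle tree could
| look like (plain Python, purely illustrative, not an existing
| system; the payloads here are made up):
|
|     import hashlib
|
|     def sha(b):
|         return hashlib.sha256(b).digest()
|
|     def merkle_root(leaves):
|         # leaves: watermark payloads (bytes), e.g. one per
|         # model version or signing-key rotation
|         level = [sha(x) for x in leaves]
|         while len(level) > 1:
|             if len(level) % 2:       # pad odd levels
|                 level.append(level[-1])
|             level = [sha(level[i] + level[i + 1])
|                      for i in range(0, len(level), 2)]
|         return level[0]
|
|     # Publishing the root lets third parties audit that a given
|     # mark was logged, as with certificate transparency.
|     root = merkle_root([b"wam:key-2024-11", b"wam:key-2024-12"])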
| thanksgiving wrote:
| I think there should be an input filter that, if it sees a
| watermark, refuses to use that input and continues with the
| next one
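|
| Something like this, perhaps (assuming a hypothetical
| is_watermarked() detector; not the repo's actual API):
|
|     def clean_training_stream(images, is_watermarked):
|         # Skip anything carrying a detectable watermark and
|         # keep going with the rest of the inputs.
|         for img in images:
|             if is_watermarked(img):
|                 continue
|             yield img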
| jerf wrote:
| There are many reasons why people are concerned about AI's
| training data becoming AI generated. The usual one is that the
| training will diverge, but this is another good one.
| nickpinkston wrote:
| I can imagine some kind of public/private key encrypted
| watermark system to ensure the veracity / provenance of media
| created via LLMs and their associated user accounts.
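|
| A rough sketch of that idea (using the Python cryptography
| package; the model/user payload and the hand-off to a
| watermark embedder are hypothetical):
|
|     from cryptography.hazmat.primitives.asymmetric.ed25519 import (
|         Ed25519PrivateKey,
|     )
|
|     priv = Ed25519PrivateKey.generate()
|     pub = priv.public_key()
|
|     # The service signs a provenance payload; the signature
|     # (or a short ID pointing at the signed record) becomes
|     # the bit string handed to the watermark embedder.
|     payload = b"model=gen-x;account=1234;ts=2024-11-12"
|     signature = priv.sign(payload)   # 64 bytes
|
|     # Anyone holding the public key can verify a decoded
|     # payload; raises InvalidSignature if it was tampered with.
|     pub.verify(signature, payload)
|
| In practice an invisible watermark carries relatively few
| bits, so you'd more likely embed a short ID that points at a
| signed provenance record than the full signature itself.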
| matrixhelix wrote:
| Now we need a link to the "Unwatermark Anything" repo
| pierrefdz wrote:
| https://github.com/XuandongZhao/WatermarkAttacker
| rodneyg_ wrote:
| Does this watermark still work if someone screenshots an image?
| dangoodmanUT wrote:
| try running the code to find out
| yawnxyz wrote:
| oh I was kind of hoping this would also watermark text
| imperceptibly... alas this doesn't do that
| doctorpangloss wrote:
| I wonder what will come of all the creative technologists out
| there, trying to raise money to do "Watermarking" or "Human
| Authenticity Badge," when Meta will just do all the hard parts
| for free: both the technology of robust watermarking and an
| insurmountable social media network that can adopt it
| unilaterally.
___________________________________________________________________
(page generated 2024-11-13 23:00 UTC)