Contents
To a degree. SynthID is an invisible watermark, and research shows invisible watermarks can be removed by regenerating the file, but SynthID’s detector stays robust on unedited images, removal costs quality, and it does not touch the other signals, a C2PA manifest or the device fingerprint, that also mark the file.
What SynthID actually is
SynthID is Google DeepMind’s invisible watermarking system for AI-generated content. Gowal and colleagues describe the image version plainly: “We introduce SynthID-Image, a deep learning-based system for invisibly watermarking AI-generated imagery”, and their paper is about deploying exactly that at internet scale. It is not one tool but a family. Dathathri and colleagues, writing in Nature, extended the same idea to text with SynthID-Text, an injected statistical watermark on large language model outputs deployed on Gemini, and there is an audio variant as well. In every case the watermark is a pattern in the content, an image’s pixels, a model’s token choices, a waveform’s samples, read back by a detector, not a field in the file you can open and delete.
One piece of context matters before you try to remove it. As of May 2026, SynthID is no longer a Google-only mark. OpenAI now ships SynthID on its generated images alongside a C2PA manifest, having joined the C2PA steering committee. So a single AI image can carry more than one provenance signal at once, which is the crack in any plan to just remove SynthID.
Can you actually remove it
To a degree, yes, and the research says so directly. Zhao and colleagues titled their work “Invisible Image Watermarks Are Provably Removable Using Generative AI”, and demonstrated a regeneration attack showing that “pixel-level invisible watermarks are vulnerable.” More generally, research has shown that the SynthID pattern can be located and stripped from a file. There is no reliable public figure for how well that works against the current detector, and you should be suspicious of anyone who quotes one, but the direction of the finding is clear: an invisible watermark is not permanent.
It is worth being concrete about what “read by a detector” means, because the detector is usually not in your hands. Google’s SynthID Detector is gated behind a waitlist, so most people cannot check an image against it themselves, and the audio and text variants have their own separate readers. That asymmetry cuts against a removal plan in an unexpected way: you often cannot confirm that you have actually removed the mark, only that you have degraded the file trying to. Working blind against a watermark you cannot test is a poor trade when the degradation is the part you can see.
The three catches
That is where the wedge turns, because “removable” and “removed cleanly, with nothing left” are not the same claim.
First, the detector is built to survive casual handling. Gowal and colleagues designed SynthID-Image for robustness to common image perturbations, which means resizing, re-compressing or lightly editing an image does not knock the watermark out; how far that robustness extends is measured in does SynthID survive editing?. Real removal takes the kind of degradation or full regeneration that visibly costs quality, so you are trading detectability for fidelity, not getting both.
Second, removing SynthID does not remove the other provenance signal shipped next to it. When Google or OpenAI attach a C2PA manifest as well, that is a separate cryptographic record with its own logic, and stripping the invisible watermark leaves the manifest question entirely open. Breaking a manifest by editing is itself a tell that the file was altered. How C2PA signing works, and what a broken one reveals, is covered in what C2PA Content Credentials are.
Third, and this is the category error at the heart of the question, removing a watermark does not remove a fingerprint. A watermark is something a generator adds on purpose. A device fingerprint is something a camera or microphone leaves by physics. If any part of the file came from a real sensor, that trace remains. Lukáš, Fridrich and Goljan showed that a camera can be identified from “the sensor’s pattern noise” in the pixels, and Qamhan and colleagues identified source microphones from audio at between 97.6 and 99.98 percent accuracy. Neither of those cares whether a SynthID mark is present or gone.
What removing SynthID does and does not buy you
So: can you remove SynthID from your own file? Partly, and only at a cost, and only for that one signal. It will not make an AI image read as camera-real, it will not clear a C2PA manifest, and it will not touch the device fingerprint underneath. The tag is the label; the signal is the evidence. If your real question is whether a given file will be flagged as AI-generated regardless, that is a detection question, answered in is this image AI-generated?.
Sources
- Gowal, Bunel, Stimberg, et al. (2025). SynthID-Image: Image watermarking at internet scale.
- Zhao, Zhang, Vasan, Grishchenko, et al. (2024). Invisible Image Watermarks Are Provably Removable Using Generative AI. Conference on Neural Information Processing Systems.
- Dathathri, See, Ghaisas, et al. (2024). Scalable watermarking for identifying large language model outputs. Nature.
- Lukáš, Fridrich, Goljan (2006). Digital Camera Identification from Sensor Pattern Noise. IEEE Transactions on Information Forensics and Security.
- Qamhan, Alotaibi, Selouani (2023). Source Microphone Identification Using Swin Transformer. Applied Sciences.