Remove-AI-Watermarks Open-Source Tool: The AI Watermark Arms Race | May 21, 2026

Overnight, AI Watermarks Stop Being Reliable

Last Tuesday, an open-source tool called remove-ai-watermarks hit the front page of Hacker News. 376 upvotes, 239 comments. The discussion section was in flames.

What does it do? One sentence: it removes watermarks from AI-generated images — whether it's the sparkly Gemini logo, Google's invisible SynthID watermark, or "Made with AI" metadata buried in EXIF and C2PA — all with a single command.

How It Works

The tool's author, wiltodelta, broke watermark removal into three layers:

Visible watermarks. The sparkle logo that Google Gemini (internal codename Nano Banana) stamps in the bottom-right corner. The principle is straightforward — it's a semi-transparent PNG overlaid on the original image. Reverse the alpha channel math and you've got it back. 0.05 seconds per image, CPU only. The idea comes from Allen Kuo's GeminiWatermarkTool project.

Invisible watermarks. SynthID is the real challenge. Google embeds an imperceptible frequency-domain signal into images that survives cropping, resizing, and JPEG compression. To be fair, the technology itself is impressive. But remove-ai-watermarks takes a brute-force approach: encode the image into latent space with SDXL, add controlled noise, then regenerate. The diffusion process destroys the watermark signal, then upscales back to original resolution. This does lose detail, and it requires a GPU.

Metadata. C2PA Content Credentials, EXIF tags with prompts and seeds, XMP DigitalSourceType — social platforms use these to decide whether to slap on a "Made with AI" label. The tool nukes them in one go while preserving author and copyright info.

There's also an "Analog Humanizer" option — adds film grain and chromatic aberration to trick AI classifiers into thinking the image is a photo of a screen.

Ironic Timing

Scroll through the HN comments and you'll find a telling remark: "This article is directly above 'OpenAI Adopts SynthID Watermarks.'"

Yes. On the same day, OpenAI announced it was fully adopting Google's SynthID watermarking standard, stamping C2PA + SynthID on every image from ChatGPT Images 2.0 and DALL-E 3. Ars Technica reported that Google claims SynthID has already labeled 100 billion images and videos.

The watermark rollout and the removal tool arrived on the same day. This isn't a coincidence — it's inevitable.

The HN Debate

The comments split roughly into two camps. One side sees the tool as a good thing — "I don't want my every digital move barcoded." The other side argues it's eroding social trust.

User akersten made a sharp point: "Watermarking only really works when the scheme is secret. Putting ciphertext in high-frequency noise is old news."

Some users questioned the tool's effectiveness. Tiberium noted that SDXL regeneration destroys fine details, and with Gemini 3 Pro and GPT Image 2 supporting up to 4K output, SDXL's native 1024px resolution is inadequate. Another user, Tacite, tested the online version at raiw.cc and found the watermark detector merely shifted from Gemini 3 (99.9%) to Midjourney (64.7%) + SDXL (16.1%) — nowhere near fully cleaned.

Legal Risks

The project README explicitly lists the legal framework. The US COPIED Act criminalizes "removing provenance information with intent to deceive about content origin." The EU AI Act Article 50 requires marking on AI-generated content, effective December 2026. China's Deep Synthesis Regulation mandates visible AI labels.

The authors don't hide from this — they lay it out and let you decide. The threat model section is refreshingly honest: SynthID v2 embeds a 136-bit payload believed to encode user/session identifiers. If the original image ever passed through a Google-controlled system, they retain a server-side record. Removing the watermark from your copy doesn't erase Google's logs.

My Take

Honestly, I have mixed feelings about all this.

On one hand, an open-source project hitting 1,100 GitHub stars in a week shows that plenty of people aren't comfortable with tech companies fingerprinting their images. "Anything that can be detected can be removed" — that HN comment is basically correct in cryptographic terms.

On the other hand, watermarks were never meant to stop everyone. They stop ordinary users and automated moderation systems. People who really want to deceive will always find a way. This tool just lowers the bar from "you need a team" to "pip install."

What's more worth watching is OpenAI adopting SynthID. A few months ago, people were still debating whether watermarks should exist. Now the conversation has shifted to "how do we break them." This industry moves faster than most people realize.