A few days ago Google released its new algorithm able to erase all visible watermarks from photographs on the web. It sparked a furious controversy. Yet solutions exist to counter Google’s new offensive.  Imatag has asked Teddy Furon — its watermarking expert and Researcher at INRIA— to assess the situation and to provide answers.

By Teddy Furon

Now that the storm is over, let us step back and react with calm to the series of events that shook the picture industry last week.


From 21st to 26th July, the scientific conference IEEE CVPR (Computer Vision and Pattern Recognition) took place in Hawaii. CVPR is one of the best annual conferences in image processing and computer vision.

A team from Google presents there its research work entitled On the Effectiveness of Visible Watermarks. This papers explains how to remove visible watermarks with examples from Adobe Stock, fotolia, 123RF, and CanStock.

Mid august, this team added a video on Youtube and a post on Google research blog:


And this created the buzz. Many photo websites (such as Petapixel, DPreview) mentioned this work followed by long series of comments.

Shutterstock (adding visible watermark on preview images) reacted: since August 22nd its visible watermarks are modified so that the Google removal method no longer works. According to this source, Google warned Shutterstock before the publication of the article. Shutterstock designed its counter-attack thanks to a collaboration with Google.

On the other hand, Adobe Stock, fotolia, CanStock, and 123RF did not modify their visible watermark embedding (as far as we know).


Technically, the Google team leverages the following weaknesses:

  • Visible watermarks are visible! They introduce strong but local distortions. These distortions are independent of the visual content of the photos. Our brain can split these informations and the future buyer can see the visual content and quality of the picture despite the visible watermark.
  • Visible watermarks are constant. On all the pictures it is the same logo embedding in the same deterministic way in the same location.

From the ethical point of view, the Google team does take precautions like “white hat” hackers. Its goal is to reveal a flaw in the design and to propose a countermeasure. The Google team warned Shutterstock before the publication and Shutterstock has implemented the countermeasure quickly with the collaboration of Google.


Technically, this research work is good, certainly better than the previous scientific papers dealing with visible watermark removal. But it is quite exaggerated to say that it is an IA paper per se (as we read on the Internet). It is classical image processing.

This article does not cite the literature on invisible watermarking where this kind of attacks is known since 15 years ago. So, nothing new under the sun.

This is for us the sign that visible and invisible watermarking do not aim at the same purpose.

Invisible watermarking is a technical protection mean. Hence, the security level of this protection mean has been analysed a long time ago. Adding always the same watermark is a big flaw.

On contrary, visible watermarking is not a technical protection mean. Its purpose is to warn that this picture is copyrighted. Hence, attacking a method which is not a protection mean is not difficult. Victory without risk is triumph without glory.

From the ethical point of view, it is quite surprising that a scientific paper explicitly attacks commercial products upfront. The Google team should have used a reference image dataset (there are many in the scientific community), to watermark the images with a detailed process in order to benchmark their attack. They did this but only in the experimental body of the article. Figure 6 of their paper with examples from Adobe Stock, 123RF, CanStock, and Fotolia is clearly there to create the buzz outside the scientific community. Funny that Shutterstock is not mentioned in the paper.

Google and professional photographers (especially concerning their rights) have complicated relationships and this paper will not help.

The reaction from Shutterstock and the photographers’ community is also surprising. Were those who shout now really thinking that visible watermarking was meant to be secure?

Shutterstock has modified its visible watermark embedding by introducing a slight geometrical warping. This makes the attack ineffective. Yet, simple adaptations of the method will come soon. The mouse and cat game has just started. And there is a big chance that the cat Google will win that game.


Imatag has nothing to do. The security level of our invisible watermarking is much higher than that of visible watermarks. Our technique does not suffer from the weaknesses above-mentioned:

  • Our invisible watermark spreads all over the image to achieve excellent robustness.
  • It has the same statistical distribution than the visual content of the image to prevent any filtering.
  • Each photo is protected by its own watermark. There is no repetition. Even if an attacker succeeds to estimate the invisible watermark signal of one photo, this information is useless for attacking other pictures.

In brief, the Google attack does not work at all on images tagged by Imatag. Though nothing is easier than to remove the visible copyright below Patrick Robert’s famous Liberian war photography illustrating this article, the invisible Imatag watermark tagged in its pixels will remain forever.