Sandcastles in the Storm: Revisiting the (Im)possibility of Strong Watermarking
Watermarking AI-generated text is critical for combating misuse. Yet recent theoretical work argues that any watermark can be erased via random walk attacks that perturb text while preserving quality. However, such attacks rely on two key assumptions: (1) rapid mixing (watermarks dissolve quickly under perturbations) and (2) reliable quality preservation (automated quality oracles perfectly guide edits). Through large-scale experiments and human-validated assessments, we find mixing is slow: 100% of perturbed texts retain traces of their origin after hundreds of edits, defying rapid mixing. Oracles falter, as state-of-the-art quality detectors misjudge edits (77% accuracy), compounding errors during attacks. Ultimately, attacks underperform: automated walks remove watermarks just 26% of the time -- dropping to 10% under human quality review. These findings challenge the inevitability of watermark removal. Instead, practical barriers -- slow mixing and imperfect quality control -- reveal watermarking to be far more robust than theoretical models suggest. The gap between idealized attacks and real-world feasibility underscores the need for stronger watermarking methods and more realistic attack models.
View on arXiv@article{harel-canada2025_2505.06827,
title={ Sandcastles in the Storm: Revisiting the (Im)possibility of Strong Watermarking },
author={ Fabrice Y Harel-Canada and Boran Erol and Connor Choi and Jason Liu and Gary Jiarui Song and Nanyun Peng and Amit Sahai },
journal={arXiv preprint arXiv:2505.06827},
year={ 2025 }
}