Sandcastles in the Storm: Revisiting the (Im)possibility of Strong Watermarking

TL;DR

This study empirically demonstrates that watermarks in AI-generated text are more robust than previously thought, due to slow mixing and imperfect quality detection, challenging existing theoretical assumptions about watermark erasure.

Contribution

The paper provides large-scale experiments showing slow mixing and flawed quality detection, revealing practical robustness of watermarks against theoretical attack models.

Findings

Watermark traces persist after hundreds of edits.

State-of-the-art quality detectors have 77% accuracy.

Automated attacks only remove watermarks 26% of the time.

Abstract

Watermarking AI-generated text is critical for combating misuse. Yet recent theoretical work argues that any watermark can be erased via random walk attacks that perturb text while preserving quality. However, such attacks rely on two key assumptions: (1) rapid mixing (watermarks dissolve quickly under perturbations) and (2) reliable quality preservation (automated quality oracles perfectly guide edits). Through large-scale experiments and human-validated assessments, we find mixing is slow: 100% of perturbed texts retain traces of their origin after hundreds of edits, defying rapid mixing. Oracles falter, as state-of-the-art quality detectors misjudge edits (77% accuracy), compounding errors during attacks. Ultimately, attacks underperform: automated walks remove watermarks just 26% of the time -- dropping to 10% under human quality review. These findings challenge the inevitability of watermark removal. Instead, practical barriers -- slow mixing and imperfect quality control -- reveal watermarking to be far more robust than theoretical models suggest. The gap between idealized attacks and real-world feasibility underscores the need for stronger watermarking methods and more realistic attack models.