1. Introduction
I spent the last few days trying to understand how Google’s text watermarking works, and honestly, most explanations I found were either too technical or too vague. So I built a visual explainer to make sense of it for myself—and hopefully for you too.
Let me walk you through what I learned.
HTML Version of Visual Explainer
2. The Basic Problem
We’re generating billions of words with AI every day. ChatGPT writes essays, Gemini drafts emails, Claude helps with code. The question everyone’s asking is simple: how do we tell which text comes from an AI and which comes from a person?
You can’t just look at writing quality anymore. AI-generated text sounds natural, flows well, makes sense. Sometimes it’s better than what humans write. So we need something invisible, something embedded in the text itself that only computers can detect.
That’s what SynthID does.
3. Starting With How Language Models Think
Before we get to watermarking, you need to understand how these models actually generate text. They don’t just pick the “best” word for each position. They work with probabilities.
Think about this sentence: “My favorite tropical fruits are mango and ___”
What comes next? Probably “bananas” or “papaya” or “pineapple,” right? The model assigns each possible word a probability score. Bananas might get 85%, papaya gets 10%, pineapple gets 3%, and something completely random like “airplanes” gets 0.001%.
Then it picks from these options, usually choosing high-probability words but occasionally throwing in something less likely to keep things interesting. This randomness is why you get different responses when you ask the same question twice.
Here’s the key insight that makes watermarking possible: when multiple words have similar probabilities, the model has flexibility in which one to choose. And that’s where Google hides the watermark.
4. The Secret Ingredient: A Cryptographic Key
Google generates a secret key—basically a very long random number that only they know. This key determines everything about how the watermark gets embedded.
Think of it like a recipe. The key tells the system exactly which words to favor slightly and which ones to avoid. Without this key, you can’t create the watermark pattern, and you definitely can’t detect it.
This is important for security. If anyone could detect watermarks without the key, they could also forge them or remove them easily. The cryptographic approach makes both much harder.
5. Green Lists and Red Lists
Using the secret key, SynthID splits the entire vocabulary into two groups for each position in the text. Some words go on the “green list” and get a slight boost. Others go on the “red list” and get slightly suppressed.
Let’s say you’re writing about weather. For a particular spot in a sentence, the word “perfect” might be on the green list while “ideal” is on the red list. Both words mean roughly the same thing and both sound natural. But SynthID will nudge the model toward “perfect” just a tiny bit.
How tiny? We’re talking about 2-3% probability adjustments. If “perfect” and “ideal” both had 30% probability, SynthID might bump “perfect” up to 32% and drop “ideal” to 28%. Small enough that it doesn’t change how the text reads, but consistent enough to create a pattern.
And here’s the clever part: these lists change based on the words that came before. The same word might be green in one context and red in another. The pattern looks completely random unless you have the secret key.
6. Building the Statistical Pattern
As the model generates more and more text, it keeps favoring green list words. Not always—that would be obvious—but more often than chance would predict.
If you’re flipping a coin, you expect roughly 50% heads and 50% tails. With SynthID, you might see 65% green words and 35% red words. That 15% difference is your watermark.
But you need enough text for this pattern to become statistically significant. Google found that 200 words is about the minimum. With shorter text, there isn’t enough data to separate the watermark signal from random noise.
Think of it like this: if you flip a coin three times and get three heads, that’s not surprising. But if you flip it 200 times and get 130 heads, something’s definitely up with that coin.
7. Detection: Finding the Fingerprint
When you want to check if text is watermarked, you need access to Google’s secret key. Then you reconstruct what the green and red lists would have been for that text and count how many green words actually appear.
If the percentage is significantly above 50%, you’ve found a watermark. The more words you analyze, the more confident you can be. Google’s system outputs a score that tells you how likely it is that the text came from their watermarked model.
This is why watermarking isn’t perfect for short text. A tweet or a caption doesn’t have enough words to build up a clear pattern. You might see 60% green words just by chance. But a full essay? That 65% green word rate across 500 words is virtually impossible to happen randomly.
8. Why Humans Can’t See It
The adjustments are so small that they don’t change which words the model would naturally choose. Both “perfect” and “ideal” sound fine in most contexts. Both “delicious” and “tasty” work for describing food. The model is just picking between equally good options.
To a human reader, watermarked and unwatermarked text are indistinguishable. Google tested this with 20 million actual Gemini responses. They let users rate responses with thumbs up or thumbs down. Users showed absolutely no preference between watermarked and regular text.
The quality is identical. The style is identical. The meaning is identical. The only difference is a statistical bias that emerges when you analyze hundreds of words with the secret key.
9. What Actually Works and What Doesn’t
Google’s been pretty honest about SynthID’s limitations, which I appreciate.
It works great for:
- Long-form creative writing
- Essays and articles
- Stories and scripts
- Open-ended generation where many word choices are possible
It struggles with:
- Factual questions with one right answer (What’s the capital of France? It’s Paris—no flexibility there)
- Short text under 200 words
- Code generation (syntax is too rigid)
- Text that gets heavily edited or translated
The watermark can survive light editing. If you change a few words here and there, the overall pattern still holds up. But if you rewrite everything or run it through Google Translate, the pattern breaks down.
And here’s the uncomfortable truth: determined attackers can remove the watermark. Researchers showed you can do it for about $50 worth of API calls. You query the watermarked model thousands of times, figure out the pattern statistically, and then use that knowledge to either remove watermarks or forge them.
10. The Bigger Context
SynthID isn’t just a technical demo. It’s the first large-scale deployment of text watermarking that actually works in production. Millions of people use Gemini every day, and most of that text is now watermarked. They just don’t know it.
Google open-sourced the code in October 2024, which was a smart move. It lets researchers study the approach, find weaknesses, and build better systems. It also gives other companies a working example if they want to implement something similar.
The EU AI Act is starting to require “machine-readable markings” for AI content. Other jurisdictions are considering similar rules. SynthID gives everyone something concrete to point to when discussing what’s actually possible with current technology.
11. My Takeaway After Building This
The more I learned about watermarking, the more I realized it’s not the complete solution everyone wants it to be. It’s more like one tool in a toolkit.
You can’t watermark everything. You can’t make it unremovable. You can’t prove something wasn’t AI-generated just because you don’t find a watermark. And it only works if major AI providers actually implement it, which many won’t.
But for what it does—allowing companies to verify that text came from their models when it matters—it works remarkably well. The fact that it adds almost no overhead and doesn’t affect quality is genuinely impressive engineering.
What struck me most is the elegance of the approach. Using the natural randomness in language model generation to hide a detectable pattern is clever. It doesn’t require changing the model architecture or training process. It just tweaks the final step where words get selected.
12. If You Want to Try It Yourself
Google released the SynthID code on GitHub. If you’re comfortable with Python and have access to a language model, you can experiment with it. The repository includes examples using Gemma and GPT-2.
Fair warning: it’s not plug-and-play. You need to understand how to modify model output distributions, and you need a way to run the model locally or through an API that gives you token-level access. But it’s all there if you want to dig into the details.
The Nature paper is also worth reading if you want the full technical treatment. They go into the mathematical foundations, describe the tournament sampling approach, and share detailed performance metrics across different scenarios.
13. Where This Goes Next
Watermarking is just getting started. Google proved it can work at scale, but there’s still a lot to figure out.
Researchers are working on making watermarks more robust against attacks. They’re exploring ways to watermark shorter text. They’re trying to handle code and factual content better. They’re designing systems that work across multiple languages and survive translation.
There’s also the question of whether we need universal standards. Right now, each company could implement their own watermarking scheme with their own secret keys. That fragments the ecosystem and makes detection harder. But getting competitors to coordinate on technical standards is always tricky.
And of course, there’s the bigger question of whether watermarking is even the right approach for AI governance. It helps with attribution and accountability, but it doesn’t prevent misuse. It doesn’t stop bad actors from using unwatermarked models. It doesn’t solve the fundamental problem of AI-generated misinformation.
Those are harder problems that probably need policy solutions alongside technical ones.
14. Final Thoughts
I worked on this visual explainer because I wanted to understand how SynthID actually works, beyond the marketing language and vague descriptions. Building the visual explainer forced me to understand every detail—you can’t visualize something you don’t really get.
What I came away with is respect for how well-engineered the system is, combined with realism about its limitations. It’s impressive technical work that solves a real problem within specific constraints. It’s also not magic and won’t fix everything people hope it will.
If you’re interested in AI safety, content authenticity, or just how these systems work under the hood, it’s worth understanding. Not because watermarking is the answer, but because it shows what’s actually possible with current approaches and where the hard limits are.
And sometimes those limits tell you more than the capabilities do.
