Invisible Watermarks for AI Images: How TrustMark Survives What C2PA Can't

The two approaches solve different problems. C2PA is a cryptographic signature — it tells you exactly who signed an image and when, and it's machine-readable by any compliant tool. But it lives in the file's metadata container, which gets discarded the moment a platform re-encodes the image. Invisible watermarks live in the pixels themselves. That makes them structurally harder to strip — not because they're secret, but because removing them requires re-processing the actual image data.

What "invisible" actually means

A visible watermark is a logo or text overlay on an image. Obvious. Croppable.

An invisible watermark is different: a pattern of tiny pixel-level changes — imperceptible to the human eye — that encodes a verifiable identifier directly into the image content. No metadata container. No separate sidecar file. The signal is distributed across the pixel values of the image itself.

When you look at a watermarked image, it looks identical to the original. PSNR above 40 dB — for reference, broadcast-quality video is typically considered acceptable at 30 dB. The human visual system doesn't register the difference. A detection algorithm does.

Why this matters for compliance

The EU AI Act's Draft Code of Practice (published December 2025) is explicit that a single marking technique isn't enough. That's not surprising once you look at what each layer actually survives:

Neither layer covers everything on its own. That's the point.

How TrustMark works

MarkMyAI uses TrustMark for invisible watermarking — an algorithm developed jointly by the University of Surrey and Adobe Research, published at arXiv in late 2023. We chose it because it's MIT-licensed, actively maintained, and — unlike a lot of watermarking research — was explicitly designed for arbitrary-resolution images from the start. Most earlier methods were trained on fixed-size inputs and degraded noticeably on high-resolution or unusual aspect ratios. TrustMark handles this natively.

Technically: TrustMark is a pair of neural networks — an encoder and a decoder. The encoder takes an image and a bit-string payload and outputs a visually identical image with the payload embedded in the pixel data. The decoder takes any processed version of that image and extracts the payload back. The encoder was trained to minimize perceptual distortion (SSIM above 0.99, meaning structurally indistinguishable to human eyes) while maximizing payload recovery after transformations.

In our case, the payload is a 61-bit string encoding the unique identifier of the image's proof record in our audit database. Not metadata about the creator or the model — just a reference. The metadata lives in the database, where it's safe. The watermark is the key that finds it.

What gets encoded — and what doesn't

When MarkMyAI watermarks your image, the encoded payload is a unique record ID — a reference to your entry in our audit trail. Not a name, not a timestamp, not a model label. Just an ID.

That's a deliberate design choice. If we tried to pack all the metadata into the watermark, we'd need a much larger payload — which degrades robustness under compression. Instead, we keep the payload minimal and let the database do what databases are for.

The consequence: if someone strips all the C2PA metadata, converts the format, and re-uploads the image somewhere — the watermark is still there. When the image is submitted to our detection endpoint, the decoder extracts the ID, looks it up in our database, and returns the full proof record. The watermark is the recovery path.

What TrustMark doesn't do

Worth being direct about this: invisible watermarking is not a cryptographic proof. The watermark tells you which image this is so you can look up the provenance record — it doesn't by itself tell you who published it or when. That information comes from the audit record the watermark points to.

It's also not indestructible. Significant cropping (removing more than ~30%), heavy sequential compression, or watermark-removal attacks specifically targeting TrustMark can degrade detection. No pixel-level watermarking system survives a sufficiently determined adversary who knows what they're doing.

This is exactly why the four-layer approach exists. C2PA handles cryptographic identity. The watermark handles accidental stripping. The perceptual fingerprint handles cases where the watermark degrades. The blockchain anchor outlasts all of them. Each layer covers the others where they're weak.

Where it fits in a MarkMyAI proof record

When you call POST /v1/mark, three things happen more or less in parallel:

The watermark and the fingerprint are related but serve different roles. The fingerprint is a hash of the image's visual content — it lets you find a record by submitting a similar image, even after modification. The watermark is an active payload inside the image — it survives transformations that would shift the fingerprint beyond the matching threshold. Together they cover more ground than either alone.

How this plays out in practice

If you're using the API, watermarking happens automatically as part of every mark call. Nothing to configure. If you're using the WordPress plugin, the watermark is applied at upload — before the image ever reaches a social network or CDN.

For detection, POST /v1/detect checks all four layers and returns a structured result with three possible outcomes:

The "recovered" status isn't a degraded result — it's exactly what the system was designed to produce. C2PA was always going to get stripped. The watermark keeping the proof accessible after that stripping is the whole point of having it.

The gap invisible watermarks fill

C2PA is not a bad standard. It's actually quite good at what it does — cryptographic publisher identity, machine-readable, C2PA open standard. The problem isn't C2PA. The problem is that the distribution infrastructure wasn't built with provenance in mind. Social platforms strip metadata because it saves bandwidth. CDNs re-encode images because it saves storage. CMSes generate thumbnails because that's what CMSes do.

Invisible watermarking doesn't fix that infrastructure — it routes around it. The pixel-level payload travels with the image regardless of what happens to the file container. When C2PA gets discarded at step two of a seven-step distribution chain, the watermark keeps the proof accessible through steps three, four, five, and six.

Together, the two layers give a compliance record a realistic chance of surviving the actual pipeline an AI image travels through — not the controlled, ideal pipeline you'd design if you got to build the whole internet from scratch.