The Provenance Layer
For the AI Era

Does the watermark survive AI regeneration?

Yes — and that’s the only reason we exist. The dominant laundering pattern in 2026 runs like this: capture a creator’s asset (screenshot, screen-record, phone-of-screen), run it through a generative pipeline (Sora, Runway, Veo, Magnific, Midjourney img2img), and re-upload the result as “original AI content.” Visible logos are stripped in step one. EXIF strips in step two. C2PA manifests strip in step three. SynthID never applied in the first place because the source wasn’t generated by Google.

Our extractor is trained adversarially against this exact pipeline. In our public benchmark the 256-bit signature is recoverable after Stable Diffusion-class img2img, video- diffusion proxies, and Magnific-style AI upscaling. Counter- intuitively, AI cleanup often improves bit recovery: in our captured-and-AI-enhanced test set, raw bit recovery measured 0.65 and rose to 0.75 after the AI-enhancement pass. The laundering process homogenizes the file in a way that sharpens the embedded signal.

Even when aggressive style transfer collapses pixel-level similarity to near zero, threshold-based detection holds at F1 ≥ 0.95 across our adversarial test set. We can still answer “does this file contain your signature?” with high confidence — even when the image no longer visually resembles yours.

Does the signature survive Instagram, TikTok, X, and the rest of the social web?

Yes — that was the second design constraint, after AI regeneration. Every social platform recompresses uploads. Instagram drops to JPEG quality ~75 and resizes to 1080px wide. TikTok re-encodes video at ~1.5 Mbps and 720p. X strips EXIF and applies subject-aware compression on every share. Telegram introduces dithering on screen-grab. These pipelines optimize for bandwidth, not provenance — and most existing watermarks do not survive them.

HALLMARK.AI is trained adversarially against the full menu: JPEG compression down to Q40, arbitrary resizing, color shifts, cropping, Gaussian blur, geometric warps, frame interpolation, and the lossy proxies that mimic each major platform. The 256-bit signature is distributed across the entire visual field rather than localized in a corner or a header — so as long as a meaningful fraction of pixel data survives the trip, the signature can be recovered on the other side. Our changes are imperceptible: typical PSNR exceeds 40 dB, below the threshold of human perception.

Concretely: our public benchmark covers the platforms creators actually post to and the laundering chains thieves actually use. If you screenshot a registered image from Instagram, run it through Magnific, and re-upload it to X, we still find it.

What if someone screenshots my work and re-uploads it elsewhere?

You still own it. The “analog hole” — point a phone at a monitor, screen-record a desktop, take a screenshot of a webpage — is the laundering trick that defeats every other provenance system. Each one is a fresh pixel-level recapture that erases EXIF, breaks C2PA manifests, and strips any platform-specific signal.

Pixel-level watermarking is the only approach that survives this class of attack. The signature is in the image data itself, so a faithful recapture preserves a faithful copy of the signature. We additionally apply perspective rectification on the verification side to undo phone-of-screen capture distortion — the most common laundering trick used immediately before AI re-generation.

In our benchmark, phone-of-screen, screenshot-and-recompress, and screen-recording all sit comfortably above the detection threshold. Combined with AI regeneration — the next step most thieves take — recovery still holds at F1 ≥ 0.95. Meaning we can still say with confidence whether this file descended from a registered work.

Why is pixel watermarking stronger DMCA evidence than metadata?

Section 1202 of the DMCA prohibits the intentional removal of Copyright Management Information (CMI). To win such a claim, the plaintiff must prove the defendant knowingly removed the CMI — a requirement known as “double scienter.”

Metadata fails that test. EXIF strips in a single click, on every upload to every major social platform, and even on some operating-system file transfers. There is no visible evidence anything was ever there. Proving intentional circumvention against an unsophisticated defendant is nearly impossible.

A neural watermark embedded in pixel data changes the equation. The signature is woven into the image itself. Removing it requires destructive transformation — aggressive blurring, extreme recompression, or pixel-level manipulation — that visibly degrades the file. That visible degradation is itself evidence of intentional tampering. The defendant cannot credibly claim the removal was accidental.

For photographers, artists, and publishers: a watermarked image is not just tagged. It carries forensic-grade evidence of ownership that survives every common form of redistribution — and the very act of trying to destroy it incriminates the person who tried.

How does HALLMARK.AI compare to C2PA, Google SynthID, and visible watermarks from Higgsfield, Runway, or Midjourney?

C2PA (Coalition for Content Provenance and Authenticity) is an open standard backed by Adobe, Google, Microsoft, and Sony. It attaches a cryptographically signed manifest to a file documenting origin, edits, and authorship — a tamper-evident logbook in the file header.

C2PA’s blind spot is its premise: the manifest lives in metadata. Instagram strips it. X strips it. A screenshot erases it. C2PA documents provenance — but only for as long as the metadata survives, which is rarely past the first upload. It is also forward-looking by design: most cameras and editing tools shipped before 2025 cannot sign C2PA manifests at all.

A pixel-embedded watermark closes the gap C2PA leaves open. The signal is in the image data itself; it survives screenshots, re-exports, platform uploads, and AI regeneration. Even if the C2PA manifest is stripped, the watermark remains as a second layer of proof.

The two are complementary, not competing. C2PA answers “what is the documented history of this file?” Pixel watermarking answers “who owns this image once the file is gone?” The first works for sealed-loop, post-2025 capture chains. The second works for everything else — which today is almost all content on the internet.

Google SynthID is closer in spirit — an invisible pixel-level signal — but it marks only Google’s own AI outputs (Imagen, Veo, Lyria). It is a producer-side signal: “this was generated by Google.” HALLMARK.AI is a creator-side signal: “this was made by this person, before any AI touched it.” SynthID does not protect a photographer from having her work captured, regenerated, and re-uploaded. We do.

Visible watermarks from Runway, Higgsfield, Pika, and Midjourney are corner logos that mark their outputs on free tiers and disappear on paid plans. They are brand marks, not provenance marks. They do not survive cropping, do not appear on paid output, and never apply to a creator’s original work. HALLMARK.AI is the layer the AI ecosystem has structurally chosen not to build.

Does HALLMARK.AI store my images or videos?

No. Files are processed entirely in memory — your image or video is never written to disk on our servers. Once the watermarked file is returned, the original is discarded.

What we do store is a compact mathematical fingerprint derived from the visual content (a vector embedding), plus the watermark metadata: your user ID and the timestamp of registration. That fingerprint is what lets us detect derivatives later — when someone uploads a suspect file to the Check endpoint, we compare its vector against stored embeddings to find matches.

The fingerprint cannot reconstruct the original image. Your actual media never leaves your control. This architecture is privacy-by-design and compatible with GDPR’s data-minimization requirements.

Who uses invisible watermarking?

How it works