Search papers, labs, and topics across Lattice.
This paper uncovers a critical vulnerability in audio deepfake detection systems that utilize provenance watermarking, revealing that detectors trained on watermarked synthetic speech misclassify unwatermarked human speech as fake. The authors demonstrate that this leads to significant performance degradation, with Equal Error Rates soaring from 16% to 75% when real voices are watermarked. Importantly, they propose a retraining method that mitigates this issue, allowing for effective detection without succumbing to the watermarking shortcut.
Watermarking synthetic speech can backfire, causing detectors to misidentify real voices as fakes, with error rates skyrocketing.
Provenance watermarking is increasingly treated as a safeguard for synthetic speech, whether built directly into speech-generation models such as Chatterbox, provided through dedicated techniques such as AudioSeal, or deployed by commercial platforms such as ElevenLabs. We identify a previously uncharacterized liability: when synthetic speech is watermarked and human speech is not, detectors trained alongside latch onto the watermark as a spurious "watermark => fake" shortcut. This single feature yields three coupled failures: generalization degradation (model performance deteriorates on unseen data), strip-to-evade (a watermarked fake escapes once unwatermarked), and mark-to-frame (watermarking a real voice flags it as fake). In a controlled white-box experiment, a watermark-trained detector shows all three (for example, mark-to-frame lifts Equal Error Rate from 16% to 75%). In a black-box test of a commercial API, we show that adding a watermark to real speech disguises it as fake. However, this shortcut is fixable: retraining with the watermark on both classes decorrelates it and restores clean behavior. We release experiment data as a paired clean-versus-watermarked corpus (WASP).