Contents
Often they cannot. Ordinary JPEG and social-media compression collapse the faint fingerprint that most detectors rely on, and the failure runs both ways: an AI image can pass as real, and a real image can be flagged as AI. This matters because almost every image you actually encounter has already been compressed at least once. The clean, original file that detectors perform best on is the exception, not the rule.
What compression does to the signal
Most detectors read a high-frequency trace, and compression is in the business of throwing high-frequency detail away. Frank, Eisenhofer, Schönherr et al. (ICML 2020) tied the frequency-domain artifacts that detectors read to a generator’s upsampling steps. Those artifacts live in exactly the fine detail that JPEG discards first.
| Step | What it does to the fingerprint |
|---|---|
| JPEG re-save | Overwrites the high-frequency detail the detector reads |
| Downsizing | Removes the resolution the spectral statistics were fit to |
| Double compression | Confuses forensic readers of compression history |
Corvi, Cozzolino, Zingarini et al. (ICASSP 2023) measured the drop directly. A spectral detector’s average accuracy fell from 70.5% to 52.7%, and its AUC from 75.2% to 52.7%, once the images went through social-media-style compression and resizing. On the hardest diffusion families, whose traces are already fainter, the same compression pushed the detector’s AUC to between 44 and 49 percent on ADM, Latent Diffusion, and Stable Diffusion, which is chance. The signal did not weaken a little. For practical purposes it was gone.
It fails in both directions
The tempting reading is that compression only helps fakes hide. It does that. Bellingcat, testing a popular detector on ten compressed Midjourney images, found it wrongly called 7 of 10 “real.” But the same erosion also flags genuine work. When compression strips a real photo’s expected detail, or leaves patterns a detector confuses with a generation trace, the tool can call a real image fake. That is the false-positive side covered in AI image detector false positives, and it has the same root cause: the fingerprint is fragile, and compression is what breaks it.
Forensic detectors that read compression history rather than generation traces do not escape this. Kwon, Nam, Yu et al. (IJCV 2022) noted that a standard convolutional network “is inadequate because the convolution throws away the spatial coordinates, which are crucial for DCT coefficients,” which is why their CAT-Net reads the JPEG data directly. In that same work, standard RGB-pixel networks could not learn the double-JPEG task at all, collapsing to a 54.08% baseline that labeled essentially every image authentic, while the compression-aware stream could read the history a second round of encoding leaves behind.
The bias that makes it worse
Compression sensitivity is not only about lost detail. It is also about what detectors learned. Grommelt, Weiss, Pfreundt et al. (2024) found that standard detection datasets carry “biases related to JPEG compression and image size,” so detectors partly learn to associate a particular compression with real or with fake. Change the compression and you change the verdict for reasons that have nothing to do with whether the image was generated. When they removed those biases, cross-generator performance rose by more than 11 percentage points, which tells you how much of the original accuracy was resting on compression cues.
What can be recovered, and what cannot
The picture is not entirely bleak, but the fix belongs to the tool builder, not the person running a check. Frank, Eisenhofer, Schönherr et al. (ICML 2020) showed that a detector trained on deliberately perturbed images recovers much of its accuracy: a frequency classifier that scored about 61% on degraded inputs reached about 94% after training on perturbed data. Wang, Wang, Zhang et al. (CVPR 2020) similarly added blur and JPEG to training as a partial defense. The lesson is that robustness has to be built in ahead of time. A detector that was not trained for compression will not acquire the ability at the moment you hand it a compressed file.
So the answer to whether AI images can be detected after compression is: sometimes, with the right detector, and never with confidence from a tool that was not built for it. Downsizing is especially punishing for detectors whose statistics were fit to a fixed resolution, because a resized image no longer matches the reference they compare against. The practical rule is to test the highest-quality version of the file you can find, treat any single result on a compressed image as provisional, and corroborate with a signal off the pixels, the full routine set out in how to check an image for AI.
Sources
- Corvi, Cozzolino, Zingarini et al. (2023). On the Detection of Synthetic Images Generated by Diffusion Models. ICASSP 2023.
- Bellingcat (2023). Testing ‘AI or Not’: How Well Does an AI Image Detector Do Its Job?
- Kwon, Nam, Yu et al. (2022). Learning JPEG Compression Artifacts for Image Manipulation Detection and Localization. IJCV 2022.
- Frank, Eisenhofer, Schönherr et al. (2020). Leveraging Frequency Analysis for Deep Fake Image Recognition. ICML 2020.
- Grommelt, Weiss, Pfreundt et al. (2024). Fake or JPEG? Revealing Common Biases in Generated Image Detection Datasets.
- Wang, Wang, Zhang et al. (2020). CNN-generated images are surprisingly easy to spot… for now. CVPR 2020.