poisoning.ai
Music

How to protect my music from AI training and cloning

By The Poisoning.ai team
5 min read
Contents

You cannot make a released track impossible to imitate, but you can make it expensive and unreliable to train on. The practical routine is short: cloak the audio with a HarmonyCloak-style unlearnable-noise tool before you release it, keep your raw stems and high-quality masters off the public web, and understand exactly where the protection stops. The rest of this guide is what each of those steps buys you, and what it does not.

What HarmonyCloak does

Meerza, Sun, Liu (IEEE S&P 2025) describe HarmonyCloak as “the first defensive mechanism … to prevent the exploitative use of artwork, specifically in the context of instrumental music, by generative AI models”. The mechanism is error-minimizing noise. The tool “employs imperceptible error-minimizing noise to make the model’s generative loss approach zero … tricking the model into believing nothing can be learned” from your track. A model that thinks it has already learned everything stops extracting anything useful. Tested across MuseGAN, SymphonyNet, and MusicLM, in both white-box and black-box settings, the target-genre classification of the generated output fell from 89.2% to 32.3%, and a listening study with 31 participants confirmed the added noise stays inaudible.

Why it survives MP3

Most audio protections die the moment a file is re-encoded. HarmonyCloak is engineered to live in the psychoacoustic masked region of the signal, the parts a lossy codec keeps because they matter to human hearing, so it is built to survive MP3 compression by design. Meerza, Sun, Liu (IEEE S&P 2025) also report that it resists SS, NMF, EPIc, and DP-InstaHide noise-removal baselines, which is the difference between a cloak that survives ordinary distribution and one that washes out on the first export.

The routine

  1. Cloak before release. Apply a HarmonyCloak-style tool to the final mix before it ever goes public. Protection only counts if it is on the file the scraper actually takes.
  2. Release only the cloaked version. Keep raw stems, multitracks, and high-quality masters private. Every clean copy you publish is a copy no cloak protects.
  3. Expect MP3 to be fine. The method targets lossy compression on purpose, so ordinary MP3 distribution should not strip it.
  4. Do not over-trust it. Read the gap below and plan around it rather than assuming the cloak is permanent.

A release-discipline checklist keeps the protected copy and the clean copy apart:

StagePublishKeep private
Finished releaseCloaked public audioThe clean master
PromotionShort protected previewsFull-resolution exports
CollaborationOnly the bounced files a partner needsRaw stems and session files
LicensingA protected review copyThe final delivery master

Every private row is a clean copy a purifier never gets to work on, which is why release discipline does as much work as the cloak itself.

Same idea, every medium

Music poisoning is not a special case. It is the same family of defense already used for images and voice. Glaze and Nightshade (Shan et al., USENIX Security 2023 and IEEE S&P 2024) cloak still images, and AntiFake (Yu, Zhai, Zhang, ACM CCS 2023) cloaks the speaking voice. All of them add an imperceptible, engineered perturbation that degrades what a model can learn, and all of them are deterrents that a determined purifier may strip rather than guarantees.

The gap

Two limits come straight from the HarmonyCloak paper’s own scope, and one comes from the wider field.

LimitWhere it comes fromWhat it means for you
Instrumental onlyHarmonyCloak was tested on instrumental musicTracks with vocals are untested ground
MP3 onlyOnly MP3 compression was testedStreaming and neural codecs are unproven
RemovableLightShed, De-AntiFakeA determined purifier may strip it

The scope limits are explicit: the method was demonstrated on instrumental music, because open-source vocal-music models are scarce, and only MP3 was tested, so streaming-specific codecs on YouTube, Spotify, and SoundCloud, along with neural-codec relay, were not. Removal is the cross-media threat. Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi (USENIX Security 2025) strip image poisons with LightShed, and Fan, Chen, Liu, Zhang, Yu (ICML 2025) show with De-AntiFake that purification can “neutralize a considerable portion of the protective perturbations”, leaving a “false sense of security”.

Treat a music cloak as a lock, not a vault. It raises the cost and lowers the fidelity of training on your work, it is built to survive the one codec it was tested against, and it buys the most protection when paired with keeping your cleanest masters private. The moment a purifier or an untested codec enters, the guarantee weakens, so the most durable protection remains the copy you never publish. For the cross-media version of this argument, see anti-scrape data poisoning and opting out; for the voice equivalent, how to protect your voice from AI cloning; and for the landscape, do AI poisoning tools actually work.

Sources

  • Meerza, Sun, Liu (2025). HarmonyCloak: Making Music Unlearnable for Generative AI. IEEE S&P 2025.
  • Shan, Cryan, Wenger, Zheng, Hanocka, Zhao (2023). GLAZE: Protecting Artists from Style Mimicry by Text-to-Image Models. USENIX Security 2023.
  • Shan, Ding, Passananti, Wu, Zheng, Zhao (2024). Nightshade: Prompt-Specific Poisoning Attacks on Text-to-Image Generative Models. IEEE S&P 2024.
  • Yu, Zhai, Zhang (2023). AntiFake: Using Adversarial Audio to Prevent Unauthorized Speech Synthesis. ACM CCS 2023.
  • Fan, Chen, Liu, Zhang, Yu (2025). De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks. ICML 2025.
  • Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi (2025). LightShed: Defeating Perturbation-based Image Copyright Protections. USENIX Security 2025.
#music#harmonycloak#unlearnable-audio#data-poisoning#generative-ai
Get new protection tests & guides

New protection tests, breakdowns and how-long-does-it-hold checks. No spam, unsubscribe anytime.