Where does the photo come from? C2PA metadata as a key to content provenance

Not all AI-generated images and videos aim to look realistic. But those that do are getting better and better. They are often indistinguishable from real photos or videos. Unfortunately, they are therefore used specifically for deception, e.g. for disinformation campaigns or identity theft. It can also be assumed that the majority of media distributed online will soon be AI-generated. This development harbors risks for society’s trust in digital content. Reliable proof of origin for digital media has therefore become a key concern in industries where authenticity is a high priority.

What is the C2PA standard?

With the aim of creating an open, industry-wide metadata standard for the provenance of digital content, the C2PA (Coalition for Content Provenance and Authenticity) was launched in 2021 with the participation of leading software companies and camera manufacturers. As a result, a process was developed to document the origin and processing of digital content in a transparent and tamper-proof manner. It enables the cryptographic storage of information such as time of creation, author, processing steps and authentication data in image and video files using the JUMBF format. Some new camera models and image editing programs such as Adobe Photoshop or Lightroom already support the C2PA standard. They insert the required digital signatures in accordance with the guidelines. Overall, however, the adaptation phase is still in its infancy.

What are Content Credentials?

An important step towards broader adoption is certainly the implementation of the C2PA standard in an end-user solution that provides uncomplicated access to the metadata and presents it in such a way that it can be interpreted without prior technical knowledge. Such a solution was introduced in 2024 under the name Content Credentials. It enables users to independently check the authenticity of a medium.

How do I use Content Credentials?

End users who want to check media currently have two options for interacting with Content Credentials: via platforms that have already implemented the corresponding functions or directly via a page of the provider.

The career network LinkedIn, which belongs to the Microsoft Group, already supports Content Credentials. Uploaded content is automatically checked for C2PA metadata. If provenance data is available, a small “cr” icon is displayed in the top left-hand corner. Clicking on it displays information such as the signature date, the author, the camera or AI application used, possible editing steps and the associated software.

Alongside Microsoft and Google, Meta is also planning to integrate Content Credentials into its platforms and services. The cr icon will therefore soon be a widely used identifier.

The verify tool

Now we come to the second usage option: As already mentioned, the functions can also be used directly via a page of the C2PA. The address is: contentcredentials.org/verify.* Individual images or videos can be uploaded or linked there for analysis. The following file formats are supported: AVI, AVIF, DNG, HEIC, HEIF, JPEG, M4A, MOV, MP3, MP4, PDF, PNG, SVG, TIFF, WAV, WebP.

After the upload, the verify tool displays existing source data. In the example shown here, a relatively genuine-looking image was unmasked as AI-generated.

* Alternatively, you can also use this page from Adobe: contentauthenticity.adobe.com/inspect

Screenshot from the verify tool – You can also access the image directly in the tool via this URL.

The tool also visualizes all documented content sources and editing steps. Of course, the prerequisite is always that the data has been saved in a C2PA-compliant manner.

You can also search for possible matches with other content. However, only content that is listed in the Adobe Content Credentials Cloud (ACCC) is (so far) taken into account. This leads us to a fundamental question …

What are the limits of C2PA technology?

The proof of origin via digital signatures is subject to similar limits as other documentation or DRM measures. As soon as screenshots or screen recordings of content are made, conversions to other formats are carried out or the corresponding metadata is deliberately removed, the resulting file can be redistributed on the Internet without any reference to its source.

Nevertheless, the oldest online source can often be found via a reverse search. E.g. for an image of which it is not known whether it is a real photo or not. If this file contains valid C2PA camera data, all the better. However, this does not mean that you can trust the information found one hundred percent. The cryptographic integrity of a signature simply does not provide any proof that an authentic representation of reality exists. With camera firmware developed according to C2PA specifications, it would also be possible to store and sign AI-generated images, for example. Metadata could also be freely invented and properly signed. Strictly speaking, an intact C2PA structure simply means that the file and its metadata have been signed by the specified entity and have not been altered since.

Conclusion: C2PA technology makes targeted manipulation more difficult, but of course cannot prevent it completely.

C2PA data in the DAM sector

Whether commissioned work or purchased stock photos – valid C2PA data helps to minimize legal uncertainties, for example with regard to copyright or personal rights. C2PA metadata will therefore also become increasingly important in the DAM sector*. After all, companies that work professionally with media also have an economic interest in knowing the origin and processing history of their digital assets and documenting them in a tamper-proof manner.

Some DAM providers have already taken the first steps towards integration and at least support the display of C2PA-compliant data in their products. This allows users to check the authenticity of assets directly in their own system. As a result, compliance and quality assurance processes are accelerated. In the future, however, solutions for writing C2PA data will certainly also be integrated into DAM systems.

* DAM stands for digital asset management, the technical term for professional media management.

Test the Media Hub from teamnext

If we have aroused your curiosity and you would like to find out more about the possibilities of a professional DAM solution, you are welcome to make an appointment for an individual online demo with one of our experts. You will then have the opportunity to try out the Media Hub for yourself during a free 14-day trial period.

For further information, please do not hesitate to contact us personally. You can find our contact details at teamnext.com/en/contact.