What is the Coalition for Content Provenance and Authenticity (C2PA)?
The Coalition for Content Provenance and Authenticity (C2PA) is a project formed in 2021 as a response to legitimate societal questions about media origins and digital misinformation. C2PA oversees an end-to-end, open source technical standard used to verify the origin of media and that media's subsequent history.
Fully aware of artificial intelligence's (AI) massive and growing impact on the biosphere, Adobe and Microsoft, along with other business giants, such as Arm, Intel, BBC News and Truepic, acknowledged that AI-generated or AI-edited content is used, at times, to misinform. Worse, when used this way, it undercuts confidence in media's purity and accuracy in general. These industry leaders, among others, have banded together to champion transparency in response to these concerns.
C2PA provides content credentials, which is information attached to a file detailing its complete history, including the file's source of origin, or provenance, and all changes made to it over time.
C2PA consolidates the efforts of the Content Authenticity Initiative (CAI) and Project Origin. CAI creates and manages the open source tools that integrate C2PA content credentials into platforms and services, while Project Origin outlines the process for distributing media properly outfitted with provenance credentials. Given the developing technology is open source, C2PA is backed by the Joint Development Foundation (JDF), a nonprofit under The Linux Foundation. JDF backs organizations with their independent projects, providing legal and business acumen, while also making it easier for these companies to collaborate.
This is important since a project such as C2PA requires support from industry leaders across every phase of media creation and distribution to achieve its goals. Leica and Nikon, for example, now integrate content credentials into their cameras; Adobe and OpenAI do the same with their services for editing and AI-generated content. Moreover, media outlets, such as BBC News, embed content credentials into the images they disseminate. All of these are attempts to provide transparency.
Despite a recent spike of interest in the project due to AI's exploding popularity, C2PA has been at work -- and evolving -- since version 1.0 of its technical standard release in early 2022. The last major release, version 1.2, appeared later that year. Development on the standard continues as digital media choices expand and AI continues to advance.
How does C2PA work?
Whenever digital media, such as images or video, are created, a C2PA manifest -- aka content credentials -- can be attached. Anyone can view these credentials when they are attached to a file, learning about its origin and if or when it was edited. If attached, this "digital nutrition label," as CAI describes the manifest, offers greater transparency into the media people consume.
That's why the collaboration of content creation and distribution companies -- Nikon, Adobe and BBC News among them -- is crucial. By embedding content credentials into their products or presenting them in the media they distribute, they expedite widespread adoption of this technology, which is only effective to the extent people agree to use it.
If a C2PA manifest is attached to a file, it provides an ongoing audit trail of anything done to it throughout its life span. This includes any attempts to tamper with the data within the manifest. The C2PA standard uses a validator to "detect any complete or partial removal of data stored within C2PA manifests," according to the C2PA specifications.
Can C2PA be removed?
Yes, a C2PA manifest can be completely removed from a piece of digital media. C2PA specifications state the scenario could be as straightforward as someone downloading C2PA-enabled media from a social media site, stripping the manifest and then reposting the media. This issue is mitigated with manifest repositories -- in effect, a reference library of manifests and the assets associated with them. However, manifest repositories that can be publicly queried raise security and privacy issues.
The good news is, as mentioned, C2PA is tamper-evident. Even though complete removal of a C2PA manifest is both possible and problematic, any removal of metadata stored within a manifest is detected through validation checks -- provided the manifest remains attached.
Why is C2PA necessary?
The C2PA standard ensures consumers know where media comes from and if it has been modified in any way.
It's increasingly difficult to discern what is and isn't legitimate media, especially with the rise of AI. While C2PA stresses that its standard cannot help determine what is or is not true, it can reliably indicate if historical metadata is associated with a given asset and whether its provenance information is well formed and tamper-free.
Transparency such as this is invaluable because, once a consumer looks at the content credentials of any questionable media -- if a photo has been edited, if a video is a deepfake or if either or both remained virtually unchanged -- that person is then empowered to digest and interpret that media as an informed consumer.