@Techmeme See ⬆️.

I've been yelling for a couple years now that C2PA is a big freaking deal and also the only plausible defense I've seen against the incoming tsunami of generative-AI-based disinformation.

In the not too distant future, any media object without C2PA provenance should be assumed a malicious deepfake.

@timbray @Techmeme @gvwilson this sort of thinking is what the propagandists want. “Flood the zone with shit” as Bannon put it, or the “firehose of falsehood” from Russia rand.org/pubs/perspectives/PE1

“You can’t know what the truth is” reinforces this effort, and it’s just wrong.

We’ve been able to fabricate images and sounds for a hundred years. And yes, cost decreases for the bullshit vendors are going to present unique challenges, but Cryptographic DRM shit is no substitute for media literacy.

www.rand.org: Russia's “Firehose of Falsehood” Propaganda Model. Russia's propaganda model is high-volume and multichannel, and it disseminates messages without regard for the truth. It is rapid, continuous, and repetitive, and it does not commit to consistency.

@glyph @Techmeme @gvwilson
I'm pretty sure it's really wrong to think of it as DRM. It only works if it's freely readable. It's automated verifiable provenance; provenance is not a new or exotic idea. An important component of “what to believe” is “who to believe” and this could help a lot with that.

@timbray @Techmeme @gvwilson This strikes me as a case of blockchain brain. The *problem* here is that we have a sensationalized media ecosystem with poor sourcing, low trust in institutions and expertise, rampant disinformation, and low media literacy. The *solution* to that problem is not some cryptographic gewgaw that establishes a tenuously-understood notion of provenance that chains back to an authority which nobody understands or trusts anyway.

@timbray @Techmeme @gvwilson In order to combat that, we need society-wide media education, including a set of technological elements that were not previously necessary. A prerequisite for this sort of technology being useful at all is for a normal person to be able to read a parsed X.509 certificate for their TLS connection and understand the significance of the domain name. That is way lower sophistication on the part of the reader than understanding what C2PA is doing with pixel hash values.

@timbray @Techmeme @gvwilson So, I think we can agree that "provide the information so that sophisticated consumers can understand the significance of its cryptographic proof to its factual basis" is a nonsense non-starter. But the tech is there, hashing pixels and doing signatures and whatever. So what *can* it be used for? To prevent you from posting images with missing or incorrect provenance: in other words, "DRM".

@glyph @timbray @Techmeme @gvwilson As far as I can see, requirements for verified chains of provenance will entirely take out open source digital photo developing and editing software. Photograph in RAW? You had better use Adobe tools to process it (on OSes that they support), or your developed photos will be without C2PA and so unclean in this theoretical world.

I'm sure Adobe would love this.

@cks @glyph @Techmeme @gvwilson

Not sure why. The protocol is open and unencumbered (last time I checked) and pretty simple. Implementing it should be straightforward.

Hmm… but you're going to need some sort of registry so if your copy of Darktable signs its output, there's a place to look up the public key.

@timbray @glyph @Techmeme @gvwilson The core problem isn't key registry, it's trust. If C2PA is to mean 'this image is real', then practical use of it can't allow arbitrary signatures; they must be vetted and approved. Otherwise, it's trivial to sign a bad image with a random key (even if it gets 'registered' by being sent somewhere) and say 'this is a legitimate photo-edit of some picture, trust me'.

Any authentication requires trust roots. Who is a trust root is political and excludes OSS.

@cks @timbray @glyph @Techmeme @gvwilson

> Who is a trust root is political and excludes OSS.

I don’t think that’s a foregone conclusion. A certificate approach excludes decentralization, not necessarily OSS. See, for instance, Let’s Encrypt.

@chucker @timbray @glyph @Techmeme @gvwilson The Let's Encrypt software is OSS (I believe), but LE itself is not. You cannot stand up an instance of the software yourself and start signing website certificates that browsers will accept.

Sören

@cks @timbray @glyph @Techmeme @gvwilson well, no, because that would be a decentralized approach, such as a Web Of Trust. It’s worth exploring, but doesn’t seem to be successful so far.

But this doesn’t preclude you from making an image editor, making it OSS, and getting a (centralized) cert for it to support provenance.
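
Added example, not part of the thread and not C2PA's actual manifest or certificate format: a minimal Node.js sketch of the trust-root point argued above, showing that a signature made with a freshly generated key verifies correctly yet is rejected unless the key chains to a root the verifier has chosen to trust. The "certificate" is simplified to a root signature over the signer's public key, and every name and sample byte string is constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: a stand-in for an image's bytes.
const IMAGE = Buffer.from('constructed sample image bytes');

const newKey = () => crypto.generateKeyPairSync('ed25519');
const spki = (publicKey) => publicKey.export({ type: 'spki', format: 'der' });
const sha256 = (bytes) => crypto.createHash('sha256').update(bytes).digest();

// Simplified "certificate": the issuer's signature over the subject's public key.
function issueCert(issuer, subjectPublicKey) {
  return crypto.sign(null, spki(subjectPublicKey), issuer.privateKey);
}

// The editor signs a hash of the asset and ships its public key and cert with it.
function signAsset(signer, cert, bytes) {
  const signature = crypto.sign(null, sha256(bytes), signer.privateKey);
  return { publicKey: signer.publicKey, cert, signature };
}

// Two separate questions: is the signature valid for these bytes, and does the
// signing key chain to a root this verifier trusts?
function verifyAsset(bytes, claim, trustedRoots) {
  const signatureValid =
    crypto.verify(null, sha256(bytes), claim.publicKey, claim.signature);
  const signerTrusted = trustedRoots.some((root) =>
    crypto.verify(null, spki(claim.publicKey), root, claim.cert));
  return { signatureValid, signerTrusted, accepted: signatureValid && signerTrusted };
}

function demo() {
  const root = newKey();               // hypothetical vetted trust root
  const trustedRoots = [root.publicKey];

  const editor = newKey();             // hypothetical OSS editor that obtained a cert
  const vetted = signAsset(editor, issueCert(root, editor.publicKey), IMAGE);

  const random = newKey();             // anyone's new key, certified only by itself
  const selfSigned = signAsset(random, issueCert(random, random.publicKey), IMAGE);

  return {
    vetted: verifyAsset(IMAGE, vetted, trustedRoots),
    selfSigned: verifyAsset(IMAGE, selfSigned, trustedRoots),
    tampered: verifyAsset(Buffer.from('edited bytes'), vetted, trustedRoots),
  };
}

console.log(demo());
```

Who gets added to `trustedRoots` is a policy decision made outside the code, which is the part of the problem the thread is disagreeing about.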