Editor’s Note:

The analysis presented in this article is based on the author’s experience supporting The Carter Center’s election mission in Venezuela. The views and observations expressed are solely those of the author and do not necessarily reflect the official stance of The Carter Center.

Context:

The Digital Threats Initiative at The Carter Center investigates the impact of new technologies on electoral processes and the practice of election observation. In the context of its work on generative AI, in 2024, the initiative piloted the use of digitally credentialed media in the Carter Center's election observation missions. The following is an attempt to share the learnings with fellow practitioners and make recommendations for others who wish to likewise experiment with the technology.

Digital Provenance:

AI-generated "deepfakes" are increasingly used for misinformation in political campaigns; there are different approaches in trying to distinguish them from authentic media and mitigate their impact on elections. One is detection, using tools that analyze properties of audiovisual media to identify anomalies resulting from the AI generation process. Another is digital provenance, a technique that adds temper-evident, digitally signed metadata to images when they are created. These "content credentials" can later be read to check the media origins.

Such credentials can be used to identify AI-generated media. But content credentials can also be embedded into images taken by physical cameras and smartphone apps, adding information asserting that they were captured using this specific recording device, from light hitting a camera sensor pointed at an event in real life, at a specific place and time, and have not been altered since. They can thus provide evidence that a photo or video represents an authentic record of real-world events.

Being able to demonstrate media authenticity this way should be valuable for organizations deploying Election Observation Missions (EOMs) as they document election-related events as they unfold on the ground, often in scenarios of low trust and high polarization. Being able to prove that documenting media were truly recorded by the organization, where and when they say they were, and have not been altered since, should add credibility to monitoring work.

Origins and key actors:

Digital provenance pre-dates Generative AI. It has been used both by human rights organizations and in the corporate sector. Human rights activists have used credentialed media when documenting rights violations on their smartphones. Corporations have deployed the technology to combat piracy of digital media. The Coalition for Content Provenance and Authenticity (C2PA), currently the most visible actor in the digital provenance space, is a corporate initiative originally founded with that objective. In the Carter Center's pilot, media capture tools that have emerged from both these non-profit and the corporate spaces were used.

Evaluation of available tools before the mission

There are a number of observations and lessons learned from the Center’s experience using the tools that are shared here. The digital provenance field is growing quickly and there are different tools that can generate media with embedded credentials, including

• smartphone camera apps and digital cameras that generate credentialed media at capture

• software that can add credentials ex-post to conventionally captured media

For the field test, the Center discarded the use of dedicated digital cameras because of their high cost, nor did it further explore tools designed to add credentials to media ex-post, for reasons detailed below.

Two smartphone apps were eventually selected for field testing:

• one commercial app originating from the corporate ecosystem around the C2PA, and

• one free open-source app originating from the human rights sector.

The apps were used side-by-side to allow for comparative evaluation.

App deployment and staff training in the field

The Center developed a specific training session for its field staff and observers demonstrating how to use both apps and explaining the rationale behind the pilot program. Both apps were pre-installed on work phones provided by the Center.

A lesson learned was that the barrier to adoption and usage of the apps was still notable. Staff will often opt to use their phones' native camera function over starting a different camera app to capture credentialed media, especially in time critical situations.

Evaluation of tools in the field in the run-up to and during eDay

App start-up time from "sleep"

When an observer encounters a situation needing media capture, they will usually pull their phone out of their pocket and activate it. Even if the app had been open last, it takes time until it "wakes up" and is ready to capture. Some apps are ready faster than others, and if the app takes too long, the moment that the observer wanted to capture may have passed. Rather than losing important photos, observers may choose to revert to their phones' native cameras, foregoing credentialling altogether. Startup time is critical.

Does the app require an internet connection to work?

Some apps require a working internet connection to function properly. But such connectivity is not always available in the field. Apps that work reliably offline are preferable for the EOM usecase.

Does the app limit video recording length?

Some apps limit the length of videos captured. Yet some situations emerging during observation may take longer than the limit permits, leading to truncated records of events. Apps that don't impose such restrictions are preferable.

Does the app provide cloud storage for media?

Some apps provide for cloud storage space to upload and store all images taken by the user. This assures that the media, with their credentials intact, is always safely backed-up and quickly available to the core team in the capital. Apps that only store media locally on the phone require field staff to manually share them with mission HQ, which can cause delays as well as damage the credentials when done incorrectly (see "the fragility challenge" below). Therefore, apps that provide cloud storage are preferable.

It is recommended to make sure that the cloud provided is private, either because the app permits users to configure their own cloud storage provider, or because the storage is in a private cloud provided by the app maker that only the EOM has access to. Some apps offer public cloud storage, where images are shared with the community of other app users, which is unsuitable for EOM usage.

Which provenance formats does the app support for the credentials?

The C2PA has defined a standard that has been gathering a lot of adherence and media attention. Digital Provenance is often simply implied to mean "C2PA credentialed". However, other standards exist. The open-source app tested by the Carter Center, for example, was able to add credentials in two different formats:

1. its own, native format (consisting of the original image file and auxiliary proof files, all packaged into a ZIP archive) and

2. C2PA-compliant provenance embedded in the image itself

The commercial app focused on producing C2PA compliant credentialed images only.

Different standards have technical advantages and disadvantages. However, choosing the standard will also depend on where and how the EOM intends to publish the credentialed materials. A more popularly adopted standard like C2PA's may be superior for EOMs simply because it offers more verification and display options. For a more detailed discussion see "The display challenge" below.

Does the app allow for organization-specific signatures?

None of the capture apps evaluated by the Carter Center allowed for import and usage of the organization’s own digital certificate for signing the images. All apps use signatures issued by the maker of the app. Even the dedicated digital cameras excluded because of their cost use certificates issued by the camera manufacturer.

While using an organization's own institutional certificate does add technical complexity, it also strengthens the credibility of the credentials. Seeing that an image is institutionally signed by The Carter Center is likely to generate more trust than seeing that it was signed by an app maker. The latter only indicates that a specific app was used to take the image, but not that Carter Center observers operated the app. It would be desirable for app makers to support import of institutional signature certificates.

At the time of the pilot, the only option available for signing images with the Carter Center's own institutional certificate was using the C2PA's command line tools to sign conventionally captured images ex-post. An option to sign its images -at capture time- with the Center’s own certificate would have been preferable, but no app evaluated supported this at the time.

Adding credentials at capture vs ex-post

In its pilot, the Carter Center focused on apps that embed credentials at the same moment the image is taken. Some leverage different security frameworks provided by the phone's hardware and operating system to prevent certain types of deception (e.g. spoofing GPS locations) and may also push information identifying the recording device and the image to a trust broker service, e.g. on a blockchain, immutably recording the time of creation of that exact image. Such techniques make it more likely that the signed metadata is authentically describing the image or video they accompany.

There are also tools that can add credentials at a later stage to images previously taken in conventional ways. However, adding credentials ex-post lacks the assurances that at-capture credentialling can provide, as both the image itself and its unsigned metadata could have been modified between capture and signature. The value of images signed ex-post for asserting authenticity of the image itself, and thus serve as evidence is limited.

Images signed ex-post are suited to proving that the image was "last touched" by the signatory and has not been modified since. However, in a context of high polarization, it is of limited value. If an actor distrusts the Carter Center as a credible source, they will also distrust its credentialed media if they are signed ex-post. If an actor does trust the Carter Center, they don't need the credentials to trust the images. Therefore, the Carter Center decided to not further explore ex-post signing for the time being.

The fragility challenge

Sending C2PA credentialed media through instant messengers like WhatsApp, Telegram or Signal will permanently strip the credentials. On iPhones, just saving them to the phone's regular camera roll will also destroy the credentials. Importing them into media managers like Windows Photos will also break them. Basically, any tool or software that modifies the image, including reencoding for size, will destroy the credentials.

Uploading credentialed media to cloud storage will usually preserve the credentials, as will sharing them as email attachments.

A lesson learned is that extreme caution must be taken in "handling" C2PA credentialed images -- they are very easily damaged. Here again, training staff and observers is paramount.

The display challenge

Provenance credentials are invisibly embedded in photos and videos. The platforms on which audiovisual media are consumed must extract them and display the information to media consumers. For most EOMs, the media captured during a mission are likely to be used

• on social media

• on their organization's website as part of the publication of their reports

• as embedded images in PDF files

Each of these channels currently presents non-trivial challenges.

Social media

Unfortunately, most social media platforms in 2024 do not display provenance credentials at all. Not only that; most popular platforms (Facebook, Instagram, Twitter/X, YouTube) strip metadata when media are uploaded and with that, credentials are also stripped. At the time of writing, only LinkedIn and TikTok conserved metadata during upload, and extracted and displayed C2PA credentials in a limited manner.

As adoption of C2PA by industry advances, it is likely that social media platforms will increasingly preserve and display C2PA credentials; several initiatives to that end have been announced. Yet for now, EOMs are limited in their options to publish their credentialed materials on social media.

Institutional Websites

To work around limitations of social media, EOMs can host the material on their institutional website, where media can be uploaded with the credentials intact. EOMs need to add extra code (e.g. a JavaScript library) to the pages where the images would be displayed, which when encountering C2PA credentials in an image, adds a visual logo overlay to the image. Upon hovering over that logo, the credentials are displayed to the website reader in a sidebar.

Adding code requires some knowledge of programming and will usually need to be handled by IT staff managing the institutional website.

PDF embedding

The C2PA is working on embedding credentialed images into PDF files and displaying the credentials when displaying them in readers such as Adobe Acrobat Reader. Since EOM reports are often published in PDF format, embedding credentialed images this way could be useful.

However, these implementation efforts appear to be at an early stage and are not yet available in practice. PDFs should provide an interesting publishing avenue once the feature becomes available.

Provenance checker sites

The possibility reaching consumers with credentialed EOM media through peer-to-peer distribution channels other than social media or instant messengers with credentials preserved was also considered. Savvy media consumers with knowledge of the provenance concept may check for the presence of credentials by uploading them to a checker site, such as Microsoft's https://contentintegrity.microsoft.com/check, Adobe's https://contentcredentials.org/verify or Proofmode's https://proofcheck.gpfs.link/.

When material was tested on these sites, the results were mixed. Not all sites displayed all information (e.g. location, capture date) from all media correctly. Microsoft's and Adobe's sites also displayed warnings regarding the "unknown" origin of the credentials generated by the open-source app because its certificate was not whitelisted. Such inconsistent display would likely have confused media consumers and caused distrust. Site operators should improve interoperability to advance the utility and adoption of digital provenance as a concept.

The future – comprehensive social media display and native smartphone integration

For digital provenance to really take off, social media sites must solve the "display challenge" by preserving, verifying and correctly displaying content credentials when present in an image or video.

As for capture, there are efforts underway to integrate provenance functionality into iOS and Android to automatically add C2PA credentials to all media captured natively. If the technology becomes thus "baked into" the operating system, digital provenance could become ubiquitous. Integrating the technology at operating system level should also make it more robust against manipulation by leveraging security hardware in phones to cryptographically protect the credentialling process. EOMs should make themselves familiar with the technology now, so that they are prepared when wider adoption occurs.

Persecution through metadata

With wider adoption does rise the threat of persecution through metadata, which can contain information identifying a specific smartphone and its owner. Providence signatures could be used by authoritarian governments to conveniently mass identify activists capturing evidence of repression. Each person taking a photo but wanting to keep their identity private would need to take

great care and correctly configure their phone's C2PA settings to only include non-compromising data. The value of the evidence of authenticity provided by a C2PA signature must be carefully weighed against the threat to human rights generated by potentially providing a predatory regime with a convenient list of targets.

Conclusion

The Carter Center's pilot for using digital provenance credentialed images in Election Observation Missions resulted in a wealth of learnings. The technology shows promise for enhancing the credibility of media captured by EOMs, especially considering the increasing polarization of political spaces and the continued threat of AI generated deepfakes.

That said, the technology is far from mature. Capture apps could benefit from improvements in usability, and ideally support usage of institutional certificates to sign the media created. More importantly, the fragility of credentials and the scarcity of reliable display options, particularly on social media platforms, must be addressed before digital provenance's potential for defending online truth can be fully realized.

Ingo Boltz has worked on the issues of electronic voting and biometric voter registration systems since 2006. He has been a core team member of international electoral observation missions and technical assistance projects of organizations such as the Carter Center, the OAS, UNDP, OSCE/ODIHR and DI. He has been a speaker at conferences, writes occasionally, and is a member of the Election Verification Network (EVN). His current focus is on Generative Artificial Intelligence in the context of political misinformation and election campaigns. He is helping The Carter Center design a program around these issues.