Skip to content

Deepfake provenance

Deepfake provenance: proving media is real instead of chasing fakes

You cannot reliably spot a modern deepfake, and neither can most software built to do so. The durable answer is to invert the question: instead of trying to prove a piece of media is fake, cryptographically prove that authentic media is real, by signing it at the source and verifying the signature anywhere it travels. That approach is called content provenance, and it is now backed by an open standard (C2PA), shipping cameras, major AI generators, and platform support. Its one structural limit is coverage: provenance can only vouch for content that was signed when it was made.

This page is the hub for our deepfake pillar. It explains why detection alone is losing ground, how signed provenance works, what it genuinely cannot do, and where to go deeper: the detection vs provenance comparison and the step-by-step media verification workflow.

Why “spot the fake” is a losing strategy

Deepfake detection tools work by finding statistical artifacts that generators leave behind: unnatural blinking, frequency-domain fingerprints, lighting inconsistencies, voice-synthesis residue. The problem is that every one of those artifacts is a bug the generator’s authors are actively fixing. A detector trained on last year’s fakes is, by construction, a description of last year’s bugs.

The empirical record bears this out. Deepfake-Eval-2024, a benchmark built from real deepfakes that actually circulated on social media in 2024 (45 hours of video, 56.5 hours of audio, and 1,975 images across 52 languages), found that the AUC of state-of-the-art open-source detectors dropped by roughly 50% for video, 48% for audio, and 45% for images compared with their scores on older academic benchmarks. Fine-tuned open-source models reached only 61% to 69% accuracy on this in-the-wild material, and even the leading commercial detector in the study reached 82%: far better than chance, but nowhere near a standard you would wire money or publish a front page on. Security researchers summarizing this line of work describe detection as structurally losing ground to generative models.

Humans do not rescue the situation. A large PNAS study of deepfake detection by crowds and machines found ordinary viewers were about as accurate as a leading detection model, and a 2024 meta-analysis of 56 human-detection studies found performance that varies widely, degrades on high-quality fakes, and comes with persistent overconfidence.

The consequences are no longer hypothetical. In early 2024, a finance employee at the engineering firm Arup wired about US$25 million (HK$200 million) after a video call in which every other participant, including the CFO, was a deepfake. The employee was initially suspicious of the email. Seeing and hearing familiar faces on a live call is what defeated him. No plausible detection tool sits in that loop.

The provenance flip: authenticate the real, not the fake

Provenance reframes the trust question. Rather than asking “does this pixel pattern look synthetic?”, it asks “can this file prove where it came from?”. The mechanism is a cryptographically signed record, created at the moment of capture or generation, that travels with the media:

  1. A device or application (a camera, an editing suite, an AI generator) records assertions about the asset: when it was created, by what hardware or software, and what edits were applied.
  2. Those assertions are hashed and bound to the media itself, then signed with a certificate chained to a known issuer.
  3. Anyone downstream can validate the signature. If the pixels were altered after signing, the hash no longer matches and the credential reports tampering. If the signature validates, you know exactly which signer vouched for the file and what they claimed about it.

This is the model standardized by the Coalition for Content Provenance and Authenticity (C2PA), whose specification defines the manifest format, signing rules, and validation behavior, surfaced to users under the name Content Credentials. We cover the standard’s internals in C2PA explained.

The critical property: verification is deterministic, not probabilistic. A detector outputs a confidence score that decays as generators improve. A signature either validates against a trusted certificate or it does not, and generator progress does not weaken the math. Breaking it requires compromising keys or finding flaws in well-studied cryptography, not merely rendering more realistic skin texture.

The strategic weight behind this model is notable. In January 2025, the NSA, CISA, and international partners published a joint cybersecurity information sheet, Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era, recommending provenance technology as a core defense for multimedia integrity.

The signing ecosystem is real, and growing

Provenance only matters if signing happens at scale, and the capture-to-publish chain has been filling in:

Capture. Leica shipped the first C2PA-native camera (the M11-P) and extended support across its line; Sony has rolled Content Credentials into flagship and pro bodies via firmware; Canon and Nikon have shipped or piloted support with news agencies. See this running list of C2PA-capable cameras for current coverage.

Generation. OpenAI adds C2PA metadata to images from its generation tools, and Google DeepMind’s SynthID embeds an invisible watermark in content from Google’s generative models, checkable through the SynthID Detector portal and the Gemini app. AI generators signing their own output matters because it makes the honest-path case legible: content that says what it is.

Distribution. TikTok became the first major video platform to read Content Credentials, using them to auto-label AI-generated content, and committed to attaching credentials to downloads. Anyone can inspect a file’s credentials with the free Verify tool.

For an organization, the practical upshot is that a provenance-first pipeline is now buildable end to end: sign at capture or creation, preserve credentials through the edit chain, validate at ingest, and display authenticity state to end users.

What provenance does not do

An honest provenance argument has to concede four limits, because attackers will find them even if your architecture diagram does not.

It only covers signed content. Provenance proves presence of authenticity, never absence. The trillions of photos and videos captured before signing existed, and everything from unsigned devices, carry no credential. An unsigned file is not fake; it is simply unvouched. Any workflow built on provenance needs a policy for unsigned media, which in practice means the manual verification techniques in our media origin verification tutorial.

Metadata can be stripped. C2PA manifests ride in the file, and re-encoding pipelines can discard them. OpenAI states this plainly: metadata “is not a silver bullet” and “can easily be removed either accidentally or intentionally.” The countermeasure is durable Content Credentials: pairing the signed manifest with an invisible watermark and a perceptual fingerprint so stripped credentials can be re-associated from a database. This is why watermark resilience matters; we analyze the attack surface in watermark robustness and attacks.

A valid signature is not truth. Provenance authenticates the chain of custody, not the honesty of the scene. A staged photograph signed by a real camera carries a perfectly valid credential. Signed provenance tells you who is accountable for an asset and what tooling touched it; editorial judgment still has to decide whether the content is misleading.

Trust anchors can fail. The whole scheme leans on certificate governance: who gets to sign, how keys are protected, how compromised signers are revoked. These are solved problems in the sense that PKI is a mature discipline, and unsolved in the sense that PKI incidents still happen. Provenance deployments need revocation checking and a trust-list policy, not just signature math.

Detection still has a job

None of this makes detection worthless. Detection is the only tool that says anything at all about the unsigned majority of content, and it remains useful as a triage signal, a fraud-screening layer, and a forensic aid, provided its output is treated as a probabilistic hint rather than a verdict. The right architecture is layered: provenance as the backbone for content you control or ingest from signing partners, detection and manual verification as the fallback for everything else. We weigh the two approaches criterion by criterion in detection vs provenance.

Adopting a provenance-first posture

For an organization that publishes, ingests, or monetizes media, moving to provenance-first is a sequencing problem more than a research problem:

  1. Sign what you create. Enable Content Credentials in your capture devices and creative tooling, and sign AI-generated assets at the point of generation. Your own output is the easy 100%-coverage case.
  2. Preserve credentials through the pipeline. Audit every transcode, CDN, CMS, and resizing step for metadata stripping; add durable-credential recovery (watermark plus fingerprint) where re-encoding is unavoidable.
  3. Validate at ingest. Check signatures, trust lists, and revocation status on incoming media automatically, and record the result alongside the asset.
  4. Define the unsigned-media policy. Decide in writing what happens to content without credentials: which items get the manual workflow, which get detection triage, and which are labeled unverified to end users.
  5. Surface authenticity state. A credential nobody can see changes nothing; expose signer and edit history in your product the way the Verify tool does.

Steps 1 and 3 are mostly integration work against open-source tooling. Steps 2 and 4 are where deployments actually succeed or fail, because they decide whether credentials survive contact with your infrastructure and what happens at the coverage gap.

Where to go next in this pillar

Webisoft designs and builds provenance and verification systems, from C2PA signing pipelines to media-ingest validation, for teams that need to prove what’s real.

deepfakeprovenancec2pacontent-credentialsauthenticity