2024-04-02 DMRWG Meeting Notes

Meeting Date

The DMRWG meets bi-weekly on Tuesdays at 12:00-13:00 PT / 16:00-17:00 UTC. Check the ToIP Calendar for meeting dates.

Zoom Recording & supporting material

Attendees

Main Goal of this Meeting

Discussion of the Adobe-led Coalition for Content Provenance and Authenticity (C2PA) work on verifiable data for media content (e.g., photos, videos and sound recordings, documents such as PDF files).

The discussion was based on a review of the C2PA specifications, using an understanding of ACDC and the ToIP approach to Authentic Data and Authentic Data Chaining. A separate review of C2PA was also used for reference: C2PA's Butterfly Effect (The Hacker Factor Blog, written by Dr. Neal Krawetz, who runs FotoForensics, an online service for digital photo analysis).

Agenda Items and Notes (including all relevant links)

Time | Agenda Item | Lead | Notes
5 min
  • Start recording
  • Welcome & antitrust notice
  • Introduction of new members
  • Agenda review
Chairs
  • Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
  • New Members:
55 mins | Discussion | All
  • Neil Thomson emphasized exploring the C2PA as a sophisticated mechanism for verifying information about predominantly media content, including texts, photos, and videos. He raised concerns about the comprehensiveness and clarity of the documentation, highlighting issues with model descriptions and the consistent use of terminology within the C2PA specifications.

  • Discussion on C2PA's Implementation and Concerns: The conversation critically evaluated the C2PA model's reliance on third-party certificate authorities for signing digital content, expressing worries over the potential for misuse, lack of direct provenance by all tools and persons who touch/change the media, and issues of trust and verification. The absence of direct actor (e.g., camera, transformation/editing applications, or individual) digital signatures on content was identified as a significant flaw in establishing indisputable content authenticity.

  • Potential for Content Manipulation and Privacy Risks: The group discussed the C2PA model's provisions for redaction, which could potentially allow for manipulation of the content verification trail while still maintaining a veneer of validity. Concerns were raised about privacy risks associated with accessing verification metadata stored externally, e.g., via URLs, which could inadvertently reveal the identities of those querying the data. The lack of discussion or tools to automatically assess the verifiability/provenance of a C2PA document was noted.

  • Technical and Ethical Implications: The discussion also touched upon the technical complexity of the C2PA's approach to documenting and verifying media transformations, as well as ethical considerations concerning who has the authority to verify content via cryptographic signing of components/sections of the document as well as the entire document, and the barriers to adoption due to potential patent encumbrances.

Agreed Actions and Considerations:

  • Further Analysis and Discussion: The participants agreed on the need for a deeper dive into the C2PA documentation and its implications for digital identity and media verification, suggesting a collaborative effort to critically evaluate the framework's utility and reliability.

  • Engagement with Broader Community: There was a consensus on the importance of engaging with the broader digital identity and security community to gather insights and feedback on the C2PA framework, particularly from those with experience in implementing similar systems.

  • Documentation and Sharing: Neil Thomson committed to compiling and sharing an analysis document, incorporating insights from the discussion and external expert opinions, to foster a broader understanding and critique of the C2PA model within relevant forums and groups.

  • Risk Assessment: It was suggested that the DMRWG do a formal ToIP Governance Framework Risk Assessment of C2PA, leveraging the mechanisms that are included in the ACDC specification/technology and its rationale (and risk discussions) with regard to Authentic Data and Provenance of Data where raw data may undergo multiple transformations over time.
