Hello Adam Rose and Bots Don't Cry, I just saw this thread. C2PA is an Adobe-centric solution that does not validate content, metadata, or signatures. Because it is based on "trust", it does nothing to prevent forgeries or false attribution. - ThreadSky

hackerfactor.bsky.social • 168 days ago

Hello Adam Rose and Bots Don't Cry,
I just saw this thread.

C2PA is an Adobe-centric solution that does not validate content, metadata, or signatures. Because it is based on "trust", it does nothing to prevent forgeries or false attribution.

Comments

hackerfactor.bsky.social•168 days ago

In response to a challenge by C2PA's chief architect to come up with a different solution, I created SEAL. SEAL provides a tamper-proof signature, authenticates the signer, and prevents signature impersonations. SEAL is also smaller, faster, and supports more file formats than C2PA.

hackerfactor.bsky.social•168 days ago

SEAL is based on the publicly reviewed and widely adopted DKIM for securing email. There are few independent reviews of C2PA, and they are all negative -- C2PA does not provide validation. (My own blog repeatedly demonstrates weaknesses in the C2PA solution.)

hackerfactor.bsky.social•168 days ago

Sample external reviews:
https://spectrum.ieee.org/meta-ai-watermarks Article says Meta's AI Watermarking, but talks about C2PA's approach. "Flimsy, at best".

https://www.technologyreview.com/2023/07/31/1076965/ MIT Tech review says C2PA will "not stem the harm of machine-generated misinformation."

hackerfactor.bsky.social•168 days ago

More reviews:
https://hackaday.com/2023/11/30/falsified-photos-fooling-adobes-cryptographically-signed-metadata/. Hackaday describes how to use Adobe's C2PA solution to create authenticated forgeries.

hackerfactor.bsky.social•168 days ago

I just noticed that @adamrose.bsky.social is the COO of Starling Labs. Starling Labs' C2PA demonstration authenticated a picture that had alterations and inconsistent metadata. What they did by accident can easily be used for intentional fraud.
https://hackerfactor.com/blog/index.php?/archives/919-Closed-Standards.html

adamrose.bsky.social•167 days ago

Yes, that’s why I’m interested! Appreciate links, will review. In meantime, prototype mentioned in piece was a pre-1.0 version of C2PA. Predates me, I wonder if some concerns since addressed. Issue of “acceptable” (permissible?) edits is key, has a lot of nuance but ultimately should be transparent.

Comments

Posting Rules

Reply