The Case for Going Beyond Chain-of-Custody

Joshua McKenty
4 min read · Dec 1, 2023

Why Media Verification Requires Federated Observations

This is part three in a series of posts addressing the requirements of a system for global media verification. Part Two, The Case for Modular Media Verification, discussed why our system must be adaptable to the needs of several different user communities.

In the summer of 2019 the President of Gabon, Ali Bongo, had fallen ill. By the Fall, rumors had begun to circulate of his death. He had not been seen in public in months, but the government (a long-running family dynasty) insisted he was alive and well. His New Year’s video address was released, and immediately there was chaos — was it a fake? Or did it simply show the symptoms of a recent stroke? The President’s opponent, Bruno Ben Moubamba, claimed the video was a deepfake, but attempts to prove this were inconclusive. A week later, there was an attempted military coup.

Justice is Blind

In order for verified media to be useful in diplomacy, we need symmetry of confidence: every stakeholder must be able to rely equally on the accuracy and impartiality of the verification system. And when the stakes of such diplomacy could not be higher, that confidence cannot be based solely on trust in the system operators.

Trust, but Verify.

Imagine a video of the Canadian Prime Minister, Justin Trudeau, calling for the surrender of Ukraine to the Russians. If such a video was stamped and signed as verified by Russia Today, would that provide much assurance to American allies? What if it was a call by President Biden for Taiwan to surrender to China — verified by Huawei?

Equally, there is no way to expect our allies or opponents around the globe to accept the verifications of Adobe or Microsoft at face value. In a global context, the host nation of any centralized system has an asymmetric opportunity to tamper with it.

All parties must have equal access to the mechanics of verification. This rules out systems that are based on provenance assertions provided by standalone entities, no matter how noble or well established. Even if we ignore wiretapping laws, national security imperatives and the potentially questionable commitment to impartiality by the company’s executive team, as we learned from RSA, sooner or later all such trust is misplaced.

Independent Observations

Tamper-Proofing through Observations of Change

When kidnappers contact you with a demand for ransom, the first thing any hostage negotiator will do is ask for a “Proof of Life”. Typically this is a photograph of the hostage, holding up today’s newspaper. While there’s no way to know ahead of time what tomorrow’s newspaper will look like, anyone in the world can verify what today’s newspaper looks like — so this ensures that your hostage is still alive; or at least they were at some point today.

Media verification requires the same thing — except that we need a unique newspaper cover for every frame of video (roughly every 30 milliseconds). These proverbial “newspapers” can be any unpredictable phenomena (weather, celestial events, even stock market prices) that can be independently observed by “enough” of the key stakeholders.

Much like photographs themselves give us the opportunity to “trust our own senses”, using independent observation as the basis for media verification will allow all parties to trust those mechanics.

Put a pin in it

Having established a “root of trust” in independent observation, we have avoided the trap of expecting our counterparties to trust our media chain-of-custody. What is left is to commit to immutability — providing a public guarantee that the media in question has not been edited since the verification was established. This is the only part of media verification for which a decentralized ledger is necessary (or even relevant). Any immutable ledger will do for this purpose, but preferably one with a high frequency of settlement. (The keyless blockchain developed by the Estonians and commercialized as Guardtime a year before the release of Bitcoin would be adequate, for example.)
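To make the last two sections concrete, here is a sketch added for this write-up (not code from the post or from DeepActual): each frame is chained to the unpredictable value observed in its time slot, the final hash is what would be pinned in the ledger, and every stakeholder checks the claimed values against its own observation log. The SHA-256 chain, the observer names, the 2-of-3 quorum and the sample data are assumptions, and the sketch covers only the observation and commitment steps, not the capture-time watermark.

```python
import hashlib

GENESIS = b"\x00" * 32

def link(prev: bytes, slot: int, beacon: bytes, frame: bytes) -> bytes:
    # Hash each field separately so field boundaries cannot be shifted.
    fields = (prev, slot.to_bytes(8, "big"), beacon, frame)
    return hashlib.sha256(b"".join(hashlib.sha256(f).digest() for f in fields)).digest()

def commit(frames, beacons) -> bytes:
    """Chain every frame to the beacon seen in its slot; return the final head."""
    head = GENESIS
    for slot, (frame, beacon) in enumerate(zip(frames, beacons)):
        head = link(head, slot, beacon, frame)
    return head  # the value that would be anchored in the immutable ledger

def verify(frames, beacons, anchored_head, observer_logs, quorum) -> str:
    """Return 'ok', 'beacon-unconfirmed' or 'edited'."""
    if len(frames) != len(beacons):
        return "edited"
    for slot, beacon in enumerate(beacons):
        # Each stakeholder compares the claimed beacon with its OWN observation.
        votes = sum(1 for log in observer_logs.values() if log.get(slot) == beacon)
        if votes < quorum:
            return "beacon-unconfirmed"
    # Any edited, dropped or reordered frame changes the recomputed head.
    return "ok" if commit(frames, beacons) == anchored_head else "edited"

# Constructed sample data: four frames, four "newspaper covers", three observers.
FRAMES = [b"frame-%d" % i for i in range(4)]
BEACONS = [hashlib.sha256(b"sky-%d" % i).digest() for i in range(4)]
OBSERVERS = {name: dict(enumerate(BEACONS)) for name in ("obs-a", "obs-b", "obs-c")}
ANCHOR = commit(FRAMES, BEACONS)

if __name__ == "__main__":
    print(verify(FRAMES, BEACONS, ANCHOR, OBSERVERS, quorum=2))
    edited = FRAMES[:2] + [b"swapped-frame"] + FRAMES[3:]
    print(verify(edited, BEACONS, ANCHOR, OBSERVERS, quorum=2))
    invented = [b"operator-chosen"] * 4  # values no independent observer saw
    print(verify(FRAMES, invented, commit(FRAMES, invented), OBSERVERS, quorum=2))
```

A single dissenting observer does not block verification under the quorum, while values that only the operator vouches for fail even when the chain itself is internally consistent.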

What is left, now, is the “watermark” — how can we take critical metadata (the metaphorical newspaper cover, as well as the “address” of the camera) and inject it… not into the digital file (which could easily be done to pre-generated content), but into reality itself, at the moment of capture?

Stay tuned for part four.

Joshua McKenty

Cofounder of DeepActual. Former Global Field CTO @Pivotal, cofounder of @OpenStack and @Piston (acquired by @Cisco). Ex-NASA, Netscape. Pronouns: He/Him.