Demuxed 2019: Is now the time to solve the deepfake threat? (video)

Co-founder Roderick Hodgson on solutions to malicious deepfakes

Amber Video
Jan 24, 2020

Roderick Hodgson: Good morning, everyone. So yeah, my name is Roderick. I’m a co-founder at Amber Video and I’ve spent the last two and a half years looking at fake video and fake audio, specifically machine-generated fakes. Today, I want to talk to you guys about a type of machine-generated fake video, deepfakes.

So is now the time to solve the deepfake threat? Yes! Yes, it is. Yes is the correct answer. All right, you’ve been great, thanks.

So why the sense of urgency? Why are we addressing this now or why am I talking about this now and what can we do? What tech can we use to try and combat some of that? I’ll take you through some of what we’ve experimented with and discovered over the past couple of years and also show you how some of that can be applied by looking at a practical application.

So let’s start with deepfakes, what are they. I’m sure many of you have seen a lot of these deepfakes already online, but for those who may not be aware, it is the use of machine learning, deep neural networks, to synthesize fake imagery with neural networks trained on the visual appearance of people. So here’s one I prepared earlier.

Roderick Keanu: Hello, Demuxed. This is Keanu Reeves…

Roderick Hodgson: Can we get sound?

Roderick Keanu: … coming to you from the airport. It’s not actually Keanu Reeves. This is Rod here, demoing while I’m waiting for my flight.

Roderick Hodgson: So there we go. I’ll grant you, it’s not the best deepfake. If you’ve seen some other ones, they’re probably a little bit more convincing. But the point of this one is that I was able to put it together in about 30 minutes while I was waiting for my flight at the gate. This was in Hong Kong. I flew from Hong Kong to here over the weekend and I was waiting for a while at my gate and created this video.

I downloaded some free open-source software, the latest version of the Face Swap open-source software, I used footage of Keanu Reeves I found online, and I put it all on a cloud computing instance that I was able to run for free because I had some free credits. Thanks, Google. I know you’re here. So yeah, the total cost for me was zero dollars and about 30 minutes of my time. Obviously, the instance was running for about 24 hours, but that was happening behind the scenes.

So that’s one of the big changes that are driving this concern, is that it’s getting better and it’s getting cheaper. The GPUs are getting cheaper, the software is getting better. It’s increasingly automated as well. What you saw there is the raw output of the algorithm. I didn’t load it up in a video editor, change some levels, blur the edges of the splicing of the fake face into the real video, didn’t have to do anything. That’s just the raw output. Again, that automation, that unsupervised nature of these deepfakes is getting better and better. And finally, distribution. Thanks to social media, we can send out this content in a way that’s global, that’s instant, and that’s micro-targeted.

So what are the implications? Well, deepfakes, at the end of the day, they’re a tool and, like any tool, they can be used for good and evil. I’ve just realized this is a terrible illustration to point tools can be used for good or evil. The Death Star is definitely not morally neutral. That can only be used for evil. Yeah, a planet destroyer cannot be used for good, but deepfakes can.

We can think of deepfakes as being a really interesting tool for us to make creative content to delight audiences, to do all sorts of interesting stuff. And to illustrate this, you might have seen this if you watched Star Wars Rogue One, where Grand Moff Tarkin, who is played by Peter Cushing. Peter Cushing, obviously, passed away a while ago, but here he’s playing a character from beyond the grave and he looks no different from any other actor, that’s the point. You can’t tell. Now, obviously, actually, this isn’t a deepfake; this was special effects, but that shows you one of the applications of this type of technology and how we can do very interesting things with it.

Roderick Hodgson: But it can also be used for evil and there’s different ways it can be used for evil, different applications. There’s two I want to focus on in particular and you’ll see why. The first is disinformation. Now, I don’t know if some of you might recognize that image on the top left. Jordan Peele, who is a sketch show comedian and also a film director, worked with BuzzFeed to create a demo deepfake. He impersonates former President Barack Obama as part of some of the sketch shows he does, so he did a voiceover of so-called Barack Obama insulting the current president and he did this… He worked with BuzzFeed to then get them to do a deepfake synthesis of the former president. So the end result was the appearance of Barack Obama saying things that he really probably shouldn’t.

Of course, they were doing this to highlight the problem, but this definitely could happen. We can imagine political campaigns microtargeting certain groups of people that are on the fence and using an appeal to authority by getting someone they trust to say something even though they would never say it, and just enough to shift public perception and cause sort of a knock-on effect.

And so he who controls the best deepfake technology controls society in a way. The same with — it doesn’t have to be politics — you can imagine the CEO of a big, multinational corporation waking up and finding his or her likeness all over the Internet saying something terribly racist, say. They never said this, of course. It was maybe one of their competitors who created that footage or maybe even a state actor. The idea here is he who controls the best deepfakes then controls the economy. So, yeah, no biggie I guess.

Roderick Hodgson: But then there’s another application which is not really talked about so much in the press and maybe has a more immediate concern, which is the falsification of evidence. We know that body-worn camera footage, CCTV camera footage, citizen journalism footage can often be used in court cases, for example. What happens, then, when someone is sentenced to maybe life in prison based on some footage that shows them doing something when, actually, they were never there, the CCTV footage has been faked? Or maybe flip it the other way round, could someone get acquitted now for a crime they committed by saying, “Deepfakes exist. That looks like me. How do you know? How do you know that’s me?” and we don’t; that’s the problem.

But the key thing is, with both these examples, we’re talking about videos of criticality. We’re not looking at if you think of all the videos that are shared online, for broadcast everywhere, the majority probably isn’t at risk of deepfakes. There’s all the video that’s there to entertain, for humor. That’s not necessarily an issue. I guess I’m not worried about the deepfake of someone faking their dog skateboarding or something like that. Where it is concerning is these videos of criticality where someone’s making a decision and it could be a matter of life and death, like in the previous example. It could be military intelligence, there could be wars coming out of these critical videos. And so what I really want to do is focus on those and forget, for a moment, the levity side — the people creating fakes for a joke.

So what can we do about it? There’s several solutions we can think of to combat deepfakes. I put them in two broad categories, there’s one which is detecting when fakes are… They’re already online, they’re already being distributed and you know they’re out there and you’re trying to find them and trying to find if a video is fake or not.

And then on the other side, there’s the idea of authenticating video from the moment it’s created so that, when you watch it, you know that it hasn’t been faked along the distribution chain. If you think about the example of the court case, would you prefer to know that there’s an 80% chance or a 70% chance that the video is faked or would you like sort of a green tick to say this is authentic, 100%? And so those are kind of the two approaches I’d like to talk about.

So let’s talk about detecting deepfakes for a second. So we know that deepfakes are synthesizing. It’s AI synthesizing new content, building content with various building blocks, and they’re leaving behind artifacts, patterns that we can try and detect, and there’s different ways we can do that. One thing we experimented with was training an AI on the deepfake. So if you’re familiar with image classification using neural networks, we used an existing model for classification, called ResNet, which is used quite often for saying this is a car, this is a dog, this is a person, and then we gave it some extra training materials in saying this is a real person and this is a faked person and how to look at what the outcome of that was.

Of course, to do that, you need to give it a lot of training material, you need to give it a lot of deepfakes and the problem is, right now, there aren’t really enough out there. Like I was saying with those three points, that immediacy, we’re kind of at the tipping point where we’re almost there and they’re coming. Those deepfakes, they’re just north of the wall. They’re coming but we don’t have them yet, so what we did is we generated a whole bunch of fakes, fake videos, and trained an AI on that. That has some problems of its own and we’ll get to that in a sec.

What else can we do? This is a new idea, detecting splicing in general. So forget the neural networks for a moment, we can detect when there’s content that’s been copied into an existing video using a whole bunch of different algorithms. It’s a pretty advanced area of research. There’s been quite a lot of really interesting developments in the last few years, actually, in this area. Some of the things we were looking at was modeling camera-specific signatures and anomalies and seeing discrepancies in the color filter array and how that gets translated to 42 lines and discrepancies there and misalignments there, but also detecting anomalies in the frame residuals.

That’s one of the other approaches, so that’s what you’re visualizing here where you’re looking at the gradients of the colocation of the residuals in your encoded data and looking for sudden jumps, sudden anomalies in that gradient. Especially if it’s on the X and Y axis, like it is there, that’s a good sign of the algorithms that are in use today.

The other thing we can look at is we’re talking about the automation of deepfakes and they use more and more advanced ways of merging and smoothing the effects of introducing a synthetic image into your existing content, and so we can look at things like the blur function that they apply. We know the blur function that all of these existing algorithms apply and we can try to detect that. We can look at the color matching, like if we know the hue is the same from one pixel to the other but everything else is changing and that’s happening on interesting axes, like along the X or Y axes, in nice straight lines, then we know there’s something going on there, so we can do that kind of detection.

But fundamentally, we’ve seen, with all these experiments that we’ve done, that there are some sort of systemic challenges. When we’re talking about automated deepfakes, we can detect some of the patterns I was mentioning before, but as soon as you do any sort of post-processing and any sort of professionally created deepfake where they’re tweaking and they’re altering the final output, a lot of that kind of flies out the window, and so the algorithms we trained on the direct output didn’t really hold up with that Jordan Peele/Barack Obama example.

Also, transcoding, we found that if we upload the videos onto social media, download them again, upload them again, download them and try our AI classifier, it often told us, “That looks like a deepfake to me,” which is weird. I guess it’s a false-positive. Or maybe it isn’t — I don’t know what you guys are doing to my poor videos.

And then the most important one is the idea that this is an arms race at the end of the day. If you’ve got two AIs fighting each other, they’re going to learn from each other. The one that’s creating the fake is going to see, “OK, that didn’t fool this deepfake prevention algorithm. I’m going to learn from that.” And so there’s always going to be that… It’s a neverending cycle and it’s… I’m not saying detection doesn’t have its place and it can be a really useful tool, but we were thinking how can we do something a little bit stronger? How can we create a trust layer, something a little bit like TLS, how we trust the little green padlock on a website, how can we do something like that but for video?

I like TLS’s analogy here because you might not want HTTPS when you’re visiting the website of your favorite restaurant, but you definitely want it when you’re doing your online banking. And so it’s the same sort of idea — not every video needs to have sort of a green tick saying this hasn’t been altered, but for the ones that matter — the ones in court, the ones that have a political consequence — you definitely do.

So how can we do that? Well, we can think of existing approaches to securing files, which is you take the file, hash it, apply a hash function on the file, store it somewhere like a blockchain ledger where it’s immutable and everyone can access it, and then when someone consumes the file, they download the hash and they compare the hash and if someone’s altered anything, then that comes up as a missed hash.

But there’s a problem here, which is that these type of hashes really don’t work for the way video is used and video is produced. You can imagine a scenario where you’re a news broadcaster and you’re out there filming an event. You’re filming maybe 10 hours of footage and you take in maybe ten shots of B-roll, four or five shots of A-roll, a few pieces to camera, and you combine all that into your final file, you distribute that on your online platform or you upload it to social media. If someone hashes what you uploaded and hashes the original rushes that you created, those aren’t ever going to match.

So what can we do? What’s the smarter way that we can do that? Well, if we have a look at the structure of video files and, here, I took an existing file I had and put it into MKV to XML just so we can sort of visualize it. I’ll buy a drink to anyone who can tell me what codec that is from the preamble. We can look at those blocks of data. Well, we know that these video files are arranged in blocks, so we’ve got one block for each frame in most video formats, and a block for each packet of audio, and we can apply a hash function on each one of those so now we have a hash per frame and a hash per audio packet. That’s a lot of hashes. If we’re talking about hours of content, that’s millions of hashes and that’s not something we’re going to want to store on something like the blockchain. It’s going to be a very expensive operation.

So what can we do? Could we create a hash per minute or a hash per second, say? Well, we can look at some other hash construction techniques. Those of you might be familiar with how the blockchain works, just to take it as an example, there’s this idea of Merkle trees, you can combine hashes into… You take two hashes, combine them together, apply the hash on that, and you can create these trees of hashes. That works really well for that application because if you change one of the hashes in the leaf nodes, that propagates up but the other hashes stay the same and so you can say, oh OK, this is where it changed.

But for video, that’s not going to work that well because what you’re doing with video, you’re not changing a value — you’re removing content, you’re splicing content in, adding stuff at the end, bringing in other clips. So here, like my example where we’re removing some of the content on one side, adding some content on the other, and now the alignment of this type of hashing is completely changed, so the entire tree is invalidated. It’s pretty much useless for us now.

Roderick Hodgson: So what’s another approach? How can we do hashes of hashes in a way that survives the specific way that video tends to be edited and used? So this is the idea that we came up with, which is let’s apply a hash function to every frame but then apply a modulus function on the value of the hash. So say you do a mod30 on each hash, you know that, because something like SHA-256 has a normal distribution of hash values, so if you’re doing mod30 on that, you know that, on average, you will get a value of zero as an output to the function every 30 frames. So now you’ve got a zero value for every second, on average, let’s say. It’s a normal distribution, so you’ll sometimes get the zero value more frequently — you’ll get it every 10 frames maybe once and you’ll get it every 40 frames occasionally. It’ll be a nice bell curve with 30 right down the middle, so you can expect, on average, to get a zero value every second in that particular case. Or you could do much more than mod30 and do it every minute if you wanted to.

And then you use that value, you know which hashes have a value zero, and you use that as a boundary to do your hash of hashes. Instead of a Merkle tree, you’re taking all of these hashes of that particular span and you’re applying another hash function, and now you’ve got a hash of hash that’s invariant to trimming, splicing, anything else. If you add stuff at the beginning or at the end of that region, that region is not going to change.

So what does that look like? Coming back to the original, the Jordan Peele/Barack Obama fake, we used this algorithm on that video to see what it might look like and we highlighted when the hashes don’t match anymore by having an orange box. I think this is, on average, one hash per second on this one.

Roderick Hodgson: So I don’t know if you noticed the switch between the real video and the deepfake, and then we’ve got the border showing that, illustrating that so that we can have that information. So yeah, deterministic, invariant time windows. They’re great. I may be biased; this was my idea, so yeah. I like it.

So how would that look like in practice? Some of you may be familiar with something that happened six months ago where Jim Acosta — or there’s a video of the journalist, Jim Acosta, who looked like he was karate chopping a White House intern and there was a huge debate, or a discussion, around this footage of people asking, OK, has someone faked this content? Is it authentic? And if we had something like this, then we would have known.

So how would that have worked? Say you record on your camera, you generate the hashes as you’re recording, so we’re getting as close to the glass as possible. We can sign the hashes with a cryptographic key, a camera key, store the hashes in the blockchain, and then once you go back to your newsdesk and you’re ingesting all of that footage, you’re editing those recordings, you create a final file. You can store the reference to the original hashes in the metadata of that file and then publish to your platform — maybe to social media, maybe through your own internal video sharing system — and then that platform can retrieve the hashes from the blockchain, validate the signature of that hash, re-hash the video that it has access to, this heavily edited video, and then validate the portions of it that match the original recording.

So this is about giving a green tick saying this is authentic and it’s not just about saying this video came from the person that claimed to come from, but is validating it right from the source, saying this is what the camera recorded, so nobody in that chain could have interfered with it.

So what should we do? Where do we go from here? So I think there’s three things that we, as a community, could start doing because, as I said, we’re at that tipping point where it’s just around the corner that we’re going to get an explosion of this kind of technology. And so there’s three things I think we should do as a community, which is when we’re building new platforms, new hardware, new software, new encoders, whatever it may be, think about should this be a good place? Is this where I can bring in some detection, some fake video detection, and get ahead of this problem?

The other thing we can do is let’s start sharing knowledge about the known deepfakes that we’ve come across. There’s already this approach, this framework for sharing objectionable material, sharing knowledge about objectionable material; let’s apply that to deepfakes.

And the third thing is let’s work together to find a standard, a common framework for authentication of video. So we’re throwing our hat in the ring with this idea. Maybe it’s not the right idea, I don’t know, but now’s the time for us to start chatting about it because the press is chatting about it a lot, but we should be chatting about it. Look around you, we’re in a room full of 750 engineers building the future of video, building the future encoders, the future platforms, building our future in video. If we’re not going to be the ones to solve it, then who is? Thank you.

Matthew McClure: Are you going to answer some questions? I think we have some.

Roderick Hodgson: Oh, yeah. Ok, cool.

Matthew McClure: Ok. So I think the top-rated one was can completely fake people be detected, and the reference is for thispersondoesnotexist.com.

Roderick Hodgson: Yes. So I mean, I guess it comes down to one of the first examples I showed, which was training an AI to detect deepfakes. We can detect some of the patterns that this fake content is generating. The question is we need to get more training material to do that and we’ll have to constantly be fighting against the new algorithms that are generating these deepfakes, but certainly, we can do something. We can start, we can put a bit of resistance there and be like let’s stop, at least, the script kiddies version of deepfakes. We might not be able to stop a nation-state doing an attack by doing this type of technology, but these algorithms, the training a neural network is definitely something that can help with those kind of basic, instantly generated ones.

Matthew McClure: A little behind, so I need to go ahead, but there’s a ton of awesome questions in the Q&A thread.

Roderick Hodgson: Cool. I’ll have to have a look there later on, yeah. Thank you.

Matthew McClure: Thanks again, Roderick.
