
Content Credentials Show Promise, But Ecosystem Still Young

While AI-generation services and major camera makers are adopting the specification for digitally signed metadata, creating a workflow around the nascent ecosystem is still a challenge.

DARKReading

Source: Thapana_Studio via Shutterstock

The effort to establish digitally verifiable images, video, and other content using signed metadata known as Content Credentials promises an internet where users can easily determine the source of media and whether it is authentic. An easy-to-use implementation of that vision is still under construction.

The brainchild of the Coalition for Content Provenance and Authenticity (C2PA), Content Credentials allow the signing of a metadata audit trail — a manifest — that accompanies images and other media. A photo could be captured with a smartphone, cropped and lightened with photo-editing software, and then compressed by a content delivery network. Content Credentials show each of those steps as part of an audit log, which provides people with information about whether the content they are viewing is real or has been somehow modified. The companies behind the standard include internet providers, software makers, device technology makers, and media giants.

In the last year, major camera makers — Canon, Fujifilm, Leica, Nikon, and Sony — announced support for the Content Credentials standard, but only a few models with the capability have hit the market. Leica has released its second camera with the technology, the Leica SL3-S. At this year’s Consumer Electronics Show in January, Samsung announced its upcoming Galaxy S25 mobile phone will support Content Credentials, but only to label images that have been edited by AI. It will not label the original photo taken with the smartphone’s camera.

And other major smartphone makers, such as Apple, have not announced support for the standard yet.

Meanwhile, computer-based editing software that supports Content Credentials is mainly limited to Adobe’s products. As a founder of the content-authenticity movement, Adobe has extensive support for Content Credentials in its own products — such as a beta feature in Photoshop and tagging images generated with its generative AI service, Adobe Firefly.

Still, some islands of functionality have appeared: Images from OpenAI’s DALL-E and Adobe’s Firefly are labeled with Content Credentials tagging them as AI-generated, while end-to-end services, such as Truepic, use the technology in their platforms to digitally sign and authenticate images.

It’s a good start, but an end-to-end workflow requires more: Cameras or smartphones to generate signed images, support for Content Credentials in a wide variety of image-editing software, and the ability to view authenticated metadata on social media and websites.

“It is crucial to ensure that Content Credentials are enabled on all devices throughout the entire workflow—from capture to editing to sharing,” says Nico Köhler, head of product experiences for Leica Camera AG. “This requires that all tools and platforms involved in the process support Content Credentials. … Ensuring compatibility across the entire workflow is key to preserving the authenticity of the content.”

Where Does the Content Credential Work?

Closed end-to-end ecosystems that incorporate the Content Credentials specification show the potential of the digital authentication feature.

Truepic, for example, essentially created its own end-to-end authenticated image service based on Content Credentials, allowing companies to know the provenance of images. Credit bureaus can request authenticated images of office locations to verify legitimate businesses, dispensing with the need for expensive on-site visits. Insurance companies can request photos of damaged assets from policyholders, preventing deepfake and edited photos from being used to claim fictitious damages.

Because smartphones do not yet have the Content Credential technology embedded in the device, Truepic requires its app be used to take photos and video.

“We believe that unless a digital process is backed and secured by image and data authentication, enterprises will not be able to address or even understand the amount of fraud they are missing,” says Mounir Ibrahim, chief communications officer at Truepic. “With widespread adoption of credentials, businesses will have a stronger foundation for detecting tampering and ensuring content authenticity, but they will still need a trusted verification platform that can ingest, analyze, and validate digital content at scale and within their environments.”

Interoperable Workflow Is Still Not Ready

While different manufacturers are releasing specific implementations of Content Credentials, creating an end-to-end workflow for images — from creation to editing to distribution to end users — continues to be a challenge.

In early February, for example, Cloudflare tackled one small part of a typical workflow, the content delivery network, announcing that its CDN service would preserve image credentials, even through automated compression and image resizing. Most current infrastructure inadvertently strips away the Content Credential or invalidates the signature by transforming the image.

The Cloudflare changes allow its Images service to add actions to the Content Credential manifest and re-authenticate using the company’s credentials, Will Allen, head of privacy and media products at Cloudflare, wrote in a blog post describing the feature.

“When you use Images to resize or change the file format to your images, these transformations will be cryptographically signed by Cloudflare,” he said. “This ensures, for example, that the end-user who sees the photograph on your website can use an open-source verification service … to verify the full provenance chain.”
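A simplified model of the behaviour described above, added here as an illustration and not code from Cloudflare or the C2PA specification: it shows why a transformation that leaves the manifest untouched invalidates the credential, and how appending a signed action restores a verifiable chain. HMAC with constructed demo keys stands in for the certificate-based signatures real Content Credentials use; the manifest layout, function names and byte strings are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC is a stand-in for the certificate-based
# signatures used by real Content Credentials.
KEYS = {"camera": b"camera-demo-key", "cdn": b"cdn-demo-key"}

def _sign(signer, claim):
    payload = json.dumps(claim, sort_keys=True).encode()
    return hmac.new(KEYS[signer], payload, hashlib.sha256).hexdigest()

def add_claim(manifest, signer, action, content):
    """Append a signed claim bound to the new bytes and to the previous claim."""
    prev = manifest[-1]["signature"] if manifest else None
    claim = {"signer": signer, "action": action, "prev": prev,
             "content_hash": hashlib.sha256(content).hexdigest()}
    return manifest + [dict(claim, signature=_sign(signer, claim))]

def verify(manifest, content):
    """Return (ok, reason) for a manifest that accompanies `content`."""
    if not manifest:
        return False, "no credential"
    prev = None
    for entry in manifest:
        claim = {k: v for k, v in entry.items() if k != "signature"}
        if claim["signer"] not in KEYS or claim["prev"] != prev:
            return False, "untrusted signer or broken chain"
        if not hmac.compare_digest(entry["signature"], _sign(claim["signer"], claim)):
            return False, "bad signature"
        prev = entry["signature"]
    if manifest[-1]["content_hash"] != hashlib.sha256(content).hexdigest():
        return False, "content does not match latest claim"
    return True, "ok"

def demo():
    original = b"RAW-PIXELS" * 4      # constructed stand-in for image bytes
    resized = original[:20]           # constructed stand-in for a CDN resize
    captured = add_claim([], "camera", "captured", original)
    resigned = add_claim(captured, "cdn", "resized", resized)
    tampered = [dict(resigned[0], action="generated"), resigned[1]]
    return {
        "original": verify(captured, original),
        "blind_resize": verify(captured, resized),   # manifest left untouched
        "stripped": verify([], resized),             # manifest dropped entirely
        "resigned": verify(resigned, resized),       # CDN appended its own claim
        "tampered": verify(tampered, resized),       # earlier claim altered
    }
```

Calling `demo()` returns the verification outcome for each of the five cases.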

The Content Credential ecosystem at work. A picture taken with a Leica camera is edited with Adobe Photoshop, with each stage documented in the credential. Source: Contentcredential.org/verify using Leica image

Yet, even companies that are forging ahead with their own services look forward to when the wrinkles in the interoperability are ironed out. Truepic’s Ibrahim, for example, argues that greater support is the end goal.

“Although closed ecosystems and business processes are where our clients are deriving the most benefit today, we see this as the first step to a more authentic internet,” he says. “Interoperable standards will be the essential foundation to a more trusted digital ecosystem and shared global economy.”

About the Author

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
