Content Credentials Rollout
December 7th, 2024
Why Content Credentials
As an amateur photographer who shares my work online this is something I’ve been mindful of for a long time. Digital image manipulation has been advancing for many years now to the point where you regularly see pictures that are literally unbelievable. Many times the results are impressive, even spectacular but they’re not actual photographs, they’re photo illustrations. I’m enjoy photo illustrations but now that tools have become better its sometimes impossible to tell the difference between an image that was created at a desk out of many different photographs (and generative AI tools), and an image that was created by someone standing behind a camera in in the actual environment that has been recorded in the image.
This is taken directly from the contentcredentials.org website and I think is does a much better job of summarizing it than I can.
Content Credentials make the origin and history of content available for everyone to access, anytime. With this information at your fingertips, you have the ability to decide if you trust the content you see—understanding what it is and how much editing or manipulation it went through.
Generating Content Credentials
Generating and applying a content credential to your images is pretty easy now that Adobe and Capture One have incorporated the feature into their photo editing tools. Just setup the initial configuration in the “Export” module and then every time you export an image it will have a valid content credential on it. It’s as simple as making sure that the EXIF information is included with your images.
If you are so inclined you can also generate your own content credentials. The only hitch is that to generate credentials independently you need to purchase an X.509 v3 security certificate from a valid certificate authority (CA). This is fine for a revenue generating organization but as a hobbiest the certificate cost and workflow complexity is difficult to justify when Adobe has the feature available within tools many of us already have.
So I’m just sticking to using the options provided by Adobe.
Displaying Content Credential Information
The ecosystem of available end user tools is nascent. There is excellent information and several options available to developers, but few end user tools have been created so far. Those that do exist have stagnated a bit.
From what I can see as of now there’s a Google Chrome (browser) plugin that will detect whether a credential is present in images you’re viewing and put a small logo in the upper left-hand corner of your image. While the C2PA recommends having a logo over the image I find it visually distracting; it’s essentially the same thing as having a watermark on the image. It can be a blob of text or fancy looking calligraphy, but it’s still a mark that’s obscuring the image. Not to mention that if you don’t use the Chrome browser you’re currently out of luck.
Operating systems (MacOS/Linux/Windows) don’t appear to have incorporated this natively yet although I’d expect that to happen sometime in the future. We’ll have to wait and see though, it might be a while.
Website software, CMSs and other products don’t seem to have incorporated this functionality yet either, or at least it’s spotty. I would also expect that this will take a long time.
So as a user who’s interested in seeing whether Content Credentials are present on images they’re viewing there’s really not an accessible way to do it just yet.
So Then What Are The Options?
C2PA Toolset
The Coalition for Content Provenance and Authenticity (C2PA) has published a set of tools that works on all of those operating systems and it lets you query (and generate) Content Credentials. Querying credential information is trivial with this tool. To use it you just need to install the tool on your computer, download the image(s) you want to examine, and then run the command against the image. The credential text is complete but it’s not exactly user friendly.
Here’s the entire output from a single photograph of mine:
#c2patool ./M10M2808-2.jpg
{
"active_manifest": "adobe:urn:uuid:91788c15-3aff-46a2-9c2a-2b61912a3d55",
"manifests": {
"adobe:urn:uuid:91788c15-3aff-46a2-9c2a-2b61912a3d55": {
"claim_generator": "Lightroom_Classic/14.0.1 cr_sdk/17.0 adobe_c2pa/0.9.3 c2pa-rs/0.31.0",
"claim_generator_info": [
{
"name": "Lightroom Classic",
"version": "14.0.1"
}
],
"title": "M10M2808-2.jpg",
"format": "image/jpeg",
"instance_id": "xmp:iid:7f6e7d68-2372-4a18-8e99-0c86aa54f817",
"thumbnail": {
"format": "image/jpeg",
"identifier": "self#jumbf=/c2pa/adobe:urn:uuid:91788c15-3aff-46a2-9c2a-2b61912a3d55/c2pa.assertions/c2pa.thumbnail.claim.jpeg"
},
"ingredients": [
{
"title": "M10M2808.jpg",
"format": "image/jpeg",
"document_id": "xmp.did:bd3e2500-b76f-437b-aac6-c26410f34ddd",
"instance_id": "xmp.iid:bd3e2500-b76f-437b-aac6-c26410f34ddd",
"thumbnail": {
"format": "image/jpeg",
"identifier": "self#jumbf=c2pa.assertions/c2pa.thumbnail.ingredient.jpeg"
},
"relationship": "parentOf"
}
],
"assertions": [
{
"label": "c2pa.actions",
"data": {
"actions": [
{
"action": "c2pa.opened",
"parameters": {
"ingredient": {
"url": "self#jumbf=c2pa.assertions/c2pa.ingredient",
"hash": "xn4m+cA4WKw4j9GHIfnaYe5owlfIHSoEkx9mHmg8YUE="
}
}
}
]
}
},
{
"label": "stds.schema-org.CreativeWork",
"data": {
"@context": "https://schema.org",
"@type": "CreativeWork",
"author": [
{
"@type": "Person",
"name": "John Chabalko"
}
]
},
"kind": "Json"
}
],
"signature_info": {
"alg": "Ps256",
"issuer": "Adobe Inc.",
"cert_serial_number": "28651076926158642445677524766118780318",
"time": "2024-12-11T03:24:39+00:00"
},
"label": "adobe:urn:uuid:91788c15-3aff-46a2-9c2a-2b61912a3d55"
}
}
}C2PA Verify Site
Another good option that’s much more user friendly is to use the C2PA Verify site
This site gives you the most detailed information about the credential for a specific image in a visual and textual format. The only downside is that you need to download a copy of that image you want to check and upload it to that site; it’s great for examining individual images but isn’t viable to use for bulk image analysis by end users, and it certainly doesn’t work when you’re combing through a bunch of images in a web browser. Give it a try with the image below, or with any of the images on this site and you’ll see at once how useful it can be and how difficult it would be to use it regularly
The verify site had previously allowed the ability to externally link to images but that feature appears to have been disabled. If it worked it would allow anyone to query the content credentials of any image easily using any available browser. It would also allow website maintainers to easily enable users to view detailed content credentials for any image. This feature still exists in the Chrome Plugin mentioned above but it’ doesn’t work’s broken. I would guess that this was disabled due to misuse and/or bulk automated operations against the site. It also speaks to how up to date some of the tools are. Hopefully this ability will return in the future.
With the availability of the developer tools provided by the c2pa there are some pretty straight-forward ways to let users of any private website, including this one, see whether a content credential exists on a given image and to examine some high-level information about that credential without having to jump through a bunch of hoops like downloading the image and using the verify site.
This Site Runs on WordPress and Here’s How It Works
I have previously set up some structured metadata to be stored and displayed for each image i posted (camera/lens/film/developer etc…). A popular WordPress plugin called Advanced Custom Fields (ACF) is what enabled me to do this. I worked with a WordPress developer who’s helped me with other projects and extending this feature to include the necessary information about Content Credentials was pretty straight-forward.
- I added an additional custom field to each image using ACF.
- When any image is uploaded to this website via the standard WordPress Media Library it is scanned for the presence of a Content Credential using the c2patool.
- If a credential is detected the output is stored the custom field associated with that particular image.
- When a user of this website loads a page that has image(s) with content credentials the Content Credential logo appears under the image to the right along with the other metadata associated with that image (more info here).
- If the user clicks on the Content Credential logo a small pop-up will appear displaying high-level information from the credential (Date created, author, software tool(s) used, and whether or not Generative AI tools were used on the image.
Sometime in the future I’d guess that there will be a WordPress plugin developed that does this for anyone who wants it but that certainly doesn’t exist today. To do this I worked with a WordPress developer who’s helped me with other projects and he made pretty quick work of it.
Here’s are 2 example images that I’ve posted elsewhere on the site just for demonstration purposes. You can see how it works here on my site:
Digital photograph modified with basic photographic editing using Adobe Lightroom Classic. This should display "Generative AI Tools Used: No" in the Content Credentials
Digital photograph that has had the sky swapped out using Generative AI tools in Adobe Photoshop. This image should display "Generative AI Tools Used: Yes" in the Content Credential.
Determining Whether an Image Was Generated With AI
Trying to figure out the best way to indicate whether or not an image was created or edited using generative AI tools was pretty interesting. I couldn’t find anything definitive looking around online (at first). So I figured the best thing to do would be to just create a a few images using generative AI tools and then examine content credential output using the c2patool program. There should be an easy to find flag indicating that the image was created using generative AI tools and then I can parse for that string in any image’s credential and use that to indicate whether generative AI tools were used in the image creation.
Seems pretty easy but it didn’t work (reliably).
Different programs use different strings to note the use of different tools used. I used Adobe Photoshop to create an image and it uses a tool called “Firefly.” I bet there are hundred of these tools around now, so in general that wasn’t going to work, and Lightroom formats the credential text slightly differently. I’d found a couple of key:value pairs that seemed to work but after testing some more they only appeared to work identifying edits from a very specific set of tools.
To cut to the chase: International Press Telecommunications Council (IPTC) tags are a great way to do this. IPTC tags are used in content credentials and in lots of other areas of digital media management (including photo management software like Lightroom and Capture One). To many people this is a pretty dry topic but I find it kind of fascinating. If you have a large photo library categorizing your images can help you find them efficiently. Imagine if you managed a press service with millions of images and thousands more coming in every day? Tagging, attribution, and provenance information for every image is a basic necessity for services of that size and I’d argue that it’s of the same importance for anyone who creates digital media and puts it on the internet today.
I used the fact that I was digging into all of this to go down the rabbit hole of examining all available IPTC tags trying to find what I needed for AI tool attribution. To get a sense of the depth of this particular rabbit hole consider that there are approximately 1500 individual tags, including a specific set of tags dedicated just to American Football. It’s not like trying finding a needle in a haystack, but there are a lot of tagging options.
The tags that are directly relevant to generative AI tools happen to be part of the scheme, DigitalSourceType which I found before too long. After figuring that out and identifying several IPTC tags that are focused specifically on generative AI I was pretty sure I had a reliable way to confirm with confidence whether a content credential contained evidence about the use of generative AI.
That also lead me to this section of documentation that I’d missed the first time around which essentially confirmed what I had just discovered on my own.
As of December 2024 there are currently 5 IPTC codes relevant to generative AI. The first 2 are recommended for use by IPTC in their documentation
http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia
http://cv.iptc.org/newscodes/digitalsourcetype/compositeSynthetic
http://cv.iptc.org/newscodes/digitalsourcetype/compositeWithTrainedAlgorithmicMedia
http://cv.iptc.org/newscodes/digitalsourcetype/algorithmicallyEnhanced
http://cv.iptc.org/newscodes/digitalsourcetype/algorithmicMediaUsing this method I’ve been to reliably scan AI generated images using those tags as identifiers for generative AI tool use. It’ll be interesting to see how this space evolves in the coming months and years.
Are there any downsides to using Content Credentials
Yes. But there are some issues…
Generally speaking I think digital content creators should have the means to enforce their copyright and to not let others take advantage of them by taking their work and misrepresenting it as their own. Maybe worse: is the work you’ve posted online going to be used to train AI models that will then create images (or text, audio, video) that mimic your work in some way without providing attribution to you?
Content Credentials are currently the best way to ascribe that attribution to the work you create, so you should use them.
That said, like anything if there’s not widespread adoption it ends up being kind of a niche thing that never really gains critical mass, and therefore doesn’t become a widely accepted standard. In which case it doesn’t really matter what happens with it.
There’s a “Producer” field that you need to configure, the intent is that this is your name so that images with your name on them can be attributed to you. That’s great and all but there’s nothing stopping you from using a fake name, or from other people falsely attributing content to you. In the C2PA specification for Content Credentials they have a number of use case examples for both positive and negative examples of how this can be used.
The simplest one I can come up with is that I don’t want my real name (or business name, etc) tied to an image that I post on reddit, or imgur. Not because the image is inappropriate, i just value my privacy and the wilds of internet forums aren’t a place where I want to use my real name by default. If you export images via Lightroom you can manually disable content credentials from being applied to your images. This works but is an extra step in your workflow that you need to manage. If you have a content credential capable camera (there are a couple out there now and more coming) your name will be associated with that image using the from the moment the shutter was activated.
Given that this space is very much still developing I would love it if creator privacy without loss of attribution was one of the areas that evolved considerably.
Domain Registrars do this by associating your real contact information that you give them with a unique public identifier (your domain name).
For content credentials: make the producer field a GUID – or some other unique identifier like a reddit user name is – let you as an individual (or corporate copyright holder) create a profile at C2PA central tied to that GUID and expose your contact info publicly only if you choose to. Use that profile to allow you to track the use of your images. Also use it to allow consumers of your media the ability to contact you via proxy without broadcasting your full contact information out there for all to see.
Allow me the option of configuring Lightroom, cameras etc, to use that unique ID in the producer field so the media I produce is tied back to me always but not in a way that directly exposes my private information.
I think this is going to be a hurdle for content credentials to go mainstream.