Photo news: Lessons learnt from the C2PA debacle

The CAI/C2PA seal of authenticity loses credibility because Nikon has botched a firmware update. There is only one topic in our photo column this time.


Penguins in the desert? This is a combination of a real photo and AI processing, which can be traced via C2PA.

(Image: Content Credentials, Adobe)


With firmware 2.00 for the Nikon Z6 III, the camera signs images that were not taken with it. This is exactly what the "Content Authenticity Initiative", founded by Adobe and others in 2019, set out to prevent: a camera that passes off images it did not take as quasi "genuine". The whole idea behind names such as CAI, C2PA or Content Credentials is to prove cryptographically that a photo was taken with a specific camera, by whom, and exactly when and where. That so many names have accumulated over a full six years shows just how inconsistently the industry operates – and why CAI, let's stick with that name, can't get its act together.

What is missing today, especially for press photos that are distributed worldwide within seconds, is digital provenance, i.e. proof of origin. This is not about absolute protection against forgery; that cannot exist. Every system has loopholes, and security is a process, not something achieved through a one-off action such as buying a particular camera. But at the beginning of the chain, when the picture is taken, you have to trust someone or something; that is the "chain of trust". And with CAI, which is often referred to as the "seal of authenticity for photos", that is the camera.

That's why Nikon's firmware bug weighs heavily on the CAI system itself: if the very first link of the chain of trust already has massive weaknesses, it doesn't matter how strong the rest is. Since CAI is still hardly widespread and it took weeks for the extent of the problem to become known, the actual damage, i.e. fake photos, is likely to be minor. Our detailed report shows how a falsely signed photo was produced with the Z6 III and what the chronological sequence was.

The fact that the system is not fully developed was plainly visible. Michael J. Hußmann at Docma also points this out: "You only have one chance to document the creation of an image in a forgery-proof way by taking a picture with a specific camera, namely while the image file is being stored in the camera." The beginning of the chain. Everything that comes after that – editing, cropping, resizing – can be documented, as provided for in the C2PA workflow. The origin, however, is the image itself and its provenance.

Because an error like the one caused by Nikon's firmware had apparently never been considered, the company has only one drastic response available: verification of the C2PA signature by Nikon's online systems has been switched off completely until further notice. And this applies to all Nikons, not just the Z6 III. As the discoverer Adam Horshack has already shown, other verification sites continue to accept the falsified images. That's why Petapixel was quite right to write: Nikon cannot solve the problem on its own.

Like other digital security mechanisms, C2PA is based on certificates. You know this from a simplified example: if you are reading this column in a standard browser, it displays a small lock somewhere. That lock says that the connection between your device and the server is secure and that the address – heise.de – actually leads to our site. The connection between the device and us is encrypted. The server has a certificate for this, which we have to renew regularly and which can also be revoked. As I said, it's all somewhat simplified.

And a global revocation of these certificates is probably not planned for C2PA. Similarly, there is no provision for the camera itself to indicate that its certificate may be invalid or out of date. In addition to Nikon's own problem, this is what the whole alliance behind C2PA, the CAI, has to solve. It is imperative that Nikon delivers a firmware update and that photos from a Z6 III with firmware 2.00 are no longer accepted anywhere.
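As an added illustration (not code from this column, from Nikon or from the C2PA project), this Go sketch separates the cryptographic signature check from the policy decisions a verification site has to make on top of it: a trust list, a revocation list and a deny list for a camera/firmware combination known to sign foreign images. The manifest layout, the "Nikon Z6 III fw 2.00" label and the Ed25519 key are constructed stand-ins for the real C2PA certificate chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Manifest is a toy stand-in for a C2PA claim (the real format is JUMBF/COSE based).
type Manifest struct {
	Generator string // camera/firmware label; "Nikon Z6 III fw 2.00" below is a constructed value
	ImageHash [32]byte
	PubKey    ed25519.PublicKey
	Signature []byte
}
func signingInput(m *Manifest) []byte { return append([]byte(m.Generator+"\n"), m.ImageHash[:]...) }

// Verifier is the policy applied on top of the signature check; map keys are raw public-key bytes, standing in for certificate identities.
type Verifier struct{ Trusted, Revoked, DeniedFirmware map[string]bool }

// Sign plays the camera: it binds the generator label and the image hash to its key.
func Sign(priv ed25519.PrivateKey, generator string, image []byte) *Manifest {
	m := &Manifest{Generator: generator, ImageHash: sha256.Sum256(image), PubKey: priv.Public().(ed25519.PublicKey)}
	m.Signature = ed25519.Sign(priv, signingInput(m))
	return m
}

// Verify returns the reason for rejection, or "valid" when signature and policy both pass.
func (v *Verifier) Verify(m *Manifest) string {
	switch id := string(m.PubKey); {
	case !ed25519.Verify(m.PubKey, signingInput(m), m.Signature):
		return "bad-signature"
	case v.Revoked[id]:
		return "revoked-key"
	case !v.Trusted[id]:
		return "untrusted-key"
	case v.DeniedFirmware[m.Generator]:
		return "denied-firmware" // cryptographically fine, but the first link is known to be broken
	}
	return "valid"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{map[string]bool{string(pub): true}, map[string]bool{}, map[string]bool{}}
	m := Sign(priv, "Nikon Z6 III fw 2.00", []byte("constructed bytes of a foreign image"))
	fmt.Println("before deny list:", v.Verify(m)) // valid: the signature alone cannot tell
	v.DeniedFirmware[m.Generator] = true
	fmt.Println("after deny list:", v.Verify(m)) // denied-firmware
}
```

The point of the before/after output is that the camera's signature on the foreign image is mathematically correct; only a policy layer that verification sites share can reject it.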

However, it would also make sense – and this is where we finally get constructive – for the numerous members of the CAI to work together to check new firmware versions for such gaps. Competition between companies must be put aside, even if the market launch of a new camera or an update for C2PA functions takes longer as a result. The fraying of the CAI, which we noticed a good year and a half ago, must finally stop. The entire system must be as secure as possible, and it must not be possible to circumvent it at the moment of capture.

Incidentally, taking a photo of a monitor, a screen or a printout is not enough to undermine the system, as is often claimed. As mentioned above, it is about the complete provenance: who took the picture, where, when and with which device? This is stored in encrypted form alongside the image data in the camera when the picture is taken, and later compared with servers. When Max Mustermann publishes a photo of the US President taken from his monitor in Hintertupfing, it has little credibility. And none at all if such data is missing.


If, on the other hand, a well-known professional photographer from a large agency publishes this picture, taken in front of the White House, that alone is an indication of authenticity. And even more so if the data in the photo is cryptographically secured. One reason C2PA is needed is that EXIF data can be changed at will without the history being verifiably recorded. Incidentally, C2PA cameras often store much more data than EXIF, including autofocus information about the depth of the elements in an image. Sony recently pointed this out.

After this difficult topic, a little relaxation is in order. So let's take a look at the sky, or rather, let astrophotographers do so, because the "Astrophotography Prize 2025" was awarded last week. The gallery of images at DPreview – our Long Click for the weekend – is worth viewing in full screen and also contains the recording data, not signed by C2PA of course, but with the names of the photographers. Alternatively, there is a long watch of just under an hour on YouTube of the award ceremony, with comments from the jurors on the wonderful pictures.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.