
G&L CEO Alexander Leschinsky Talks C2PA and Today's Digital Content Landscape

Provenance and authenticity of content have become critical issues as Generative AI-derived content and disinformation flood the digital world. The Coalition for Content Provenance and Authenticity (C2PA) has formed to authenticate content in today's digital landscape, with an eye to combatting fake content and restoring trust in media. In this interview, G&L Systemhaus CEO Alexander Leschinsky discusses the challenges and limitations of C2PA--particularly with live content--and G&L's role in helping broadcasters and media companies implement C2PA standards.

What Is C2PA?

Leschinsky explains that C2PA emerged in response to "a growing demand by the market to be able to cryptographically prove that certain content is coming from a certain content owner or from a certain device." Today, he says, it's "easier than ever before to fake content, to claim authorship of content, or to take foreign content that has been produced by somebody else and claim it was yours. And in the digital market, there is a lot [of concern] about trust in brands, especially in the news sector. Fake news and claims of authenticity can cause difficulties for democracy," he contends, and it can even "cause violence." Created as a project of the Joint Development Foundation, a Washington, DC-based 501c6 non-profit, C2PA was initiated to address media provenance issues "at scale for publishers, creators and consumers" by "developing technical specifications for establishing content provenance and authenticity." The coalition grew out of Project Origin, a coordinated digital "disinformation defence" effort initiated in 2020 by BBC, CBC/Radio, and the New York Times.

C2PA was founded shortly thereafter in February 2021, and it released a draft technical spec in September of that year. The version 1.0 specification followed in January 2022.

Two years later, Leschinsky says, we still see "a huge demand on the content side from companies that want to invest in the trust that their audience has with their brands. They need a means to somehow prove that content comes from them, and that nobody else can claim that they are the author of a certain piece of content."

Prior to Project Origin and C2PA, "there were some organizations that took care of content authenticity," but the need remained for "an industry organization that covers both content site and device manufacturers and also streaming services so that they can focus on defining a standard that can be used globally and helps to improve trust of all the audience into content of brands they like to consume. That's where C2PA comes in."

G&L's Role in the Content Integrity Ecosystem

So, where does G&L fit in? As a system integrator and managed service provider for the streaming media industry, Leschinsky says, "we work with 150 products from different partners. We integrate them into solutions, and create a management user interface and APIs. Customers come to us if they have workflows that need to be very customized to their individual, historically grown infrastructure, with a high degree of automation and reliability. So we integrate video transcoding, video streaming, playback, analytics, content delivery, you name it."

Assessing what G&L could do to support C2PA, Leschinsky concluded that "C2PA, in the end, is a resource-intensive process because it involves taking media content, which can be small compressed content for distribution, or uncompressed content in production and contribution, and it needs to compute a hash out of that content. And hash computation is not very complex, but it's compute-intensive. So it's a service that customers do not necessarily want to do on their own."

One of the services G&L routinely provides to its customers is storing and processing media content--including those massive contribution and production files that require substantial compute resources. As a result, G&L manages exabytes of storage and operates live and on-demand transcoding farms "and many customers would like us to help them do the heavy lifting of the C2PA signing. And that involves calculating the hashes of media content and then doing the signing process. That's where we usually help."

With the processing load that G&L is already carrying, handling C2PA signing is "just one more step in the signal chain. So we do not stop with transcoding. We do not stop with content aggregation. In between, we also sign the content. Customers like that it's part of a signal chain that we cover anyway. It's just one more step where we can support them without the need for them to create something completely new from scratch or create a new workflow on their site. They can just chain it into something that already exists."

Legislating Authenticity Standards

In February 2024, the California state Assembly began committee review on AB 3211, the California Digital Content Provenance Standards, a bill created to set forth a comprehensive framework for authenticating both synthetic and real content. While the bill has yet to pass the California legislature, its attempt to establish a coordinated plan to develop standards and technologies for determining digital provenance represents a step in the right direction, particularly the amended Senate version that "would require a generative artificial intelligence (AI) provider [to] apply provenance data to synthetic content produced or significantly modified by a generative AI system that the provider makes available, as those terms are defined, and to conduct adversarial testing exercises, as prescribed." It would also "prohibit, among other things, providers and distributors of software and online services from making available a system, application, tool, or service that is designed for the primary purpose of removing provenance data from synthetic content, as provided."

Leschinsky says that in both the EU and member countries such as Germany (where G&L is headquartered), legal means currently exist to enforce proof of authenticity for digital content. "The main driver behind that," he says, "is identification of artificial intelligence that is taking part in the creation of content or has modified that content."

He goes on to note that the intent behind C2PA is not to identify or inhibit the public proliferation of "AI-supported content creation. It has metadata markers that can identify AI," he explains, but flagging AI content is not its raison d'etre. "But in many ways, C2PA is being used to fulfill a legal need or a mandatory requirement to identify AI, because it has the necessary metadata flags to do so."

Social media networks and platforms like LinkedIn, TikTok, and YouTube, he says, display C2PA metadata in content on their platforms only if the content is AI-generated or modified, in order to identify it as such. "This isn't necessarily the way that the C2PA would like to see it, because if users get trained to that, they'll see the C2PA logo more like a warning label, which is not the intention."

The C2PA's purpose, he says, is not to flag AI content, but rather to say, "Hey, this is content where there is cryptographic proof that the author or the publisher is actually the entity that created that content, or it takes responsibility for it." But it's mostly being used as a "Created by AI" warning label, and existing legislation in the EU trends in that direction as well.

How G&L Assists with C2PA Compliance

Echoing his insistence that C2PA's mission is broader than flagging AI-derived content, Leschinsky likens C2PA certification of content authenticity to having an SSL/TLS certificate on a website's origin server to verify the site's identity and ownership. "If you go to streamingmedia.com," he says, "it's streamingmedia.com because you have at some point acquired a certificate for that and nobody can claim to be streamingmedia.com because you have that domain and that certificate there. The same is true with C2PA. Entities can get these certificates. That's the first part. The second part is they take digital content--images, PDF files, video on-demand--and these assets can be hash-computed, and the hash together with metadata can be signed with the certificate. That's the main workflow that you have in C2PA."
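
The hash-then-sign workflow described above, as an added sketch that is not G&L's or the C2PA's code: the asset is hashed in chunks, the hash is bound to metadata in one claim, and the claim is signed and later verified. A Lamport one-time signature built from SHA-256 stands in for the certificate key so the example needs only the Python standard library; the field names and sample data are constructed, and real C2PA manifests use X.509 certificates and a different serialization.

```python
import hashlib
import json
import secrets

def asset_hash(chunks):
    """SHA-256 over an asset fed in chunks, so large files never sit in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def digest_bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = hashlib.sha256(message).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]

def keygen():
    """Lamport key pair: a stand-in for the certificate key. Sign ONE claim per key."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in private]
    return private, public

def sign_claim(private, chunks, metadata: dict) -> dict:
    """Bind asset hash and metadata into one claim, then sign its canonical bytes."""
    claim = {"asset_sha256": asset_hash(chunks), "metadata": metadata}
    payload = json.dumps(claim, sort_keys=True).encode()
    signature = [private[i][bit].hex() for i, bit in enumerate(digest_bits(payload))]
    return {"claim": claim, "signature": signature}

def verify(public, manifest: dict, chunks) -> str:
    """Return 'ok', 'bad-signature' or 'asset-modified'. Needs only the public key."""
    payload = json.dumps(manifest["claim"], sort_keys=True).encode()
    sig = manifest["signature"]
    if len(sig) != 256:
        return "bad-signature"
    for i, bit in enumerate(digest_bits(payload)):
        if hashlib.sha256(bytes.fromhex(sig[i])).digest() != public[i][bit]:
            return "bad-signature"   # claim or metadata was altered, or wrong signer
    if asset_hash(chunks) != manifest["claim"]["asset_sha256"]:
        return "asset-modified"      # signature is genuine but covers other content
    return "ok"

# Constructed sample asset and metadata (hypothetical field names, not C2PA's)
ASSET = [b"frame-0001", b"frame-0002", b"frame-0003"]
PRIVATE, PUBLIC = keygen()
MANIFEST = sign_claim(PRIVATE, ASSET,
                      {"publisher": "Example Newsroom", "ai_generated": False})
```

The two failure results are kept separate because they mean different things to a verifier: an altered claim breaks the signature, while swapped media leaves a valid signature that no longer matches the content.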

G&L's role, he continues, is to "help customers to look at their workflow and see where that workflow best opens up for adding C2PA information. And then we help them to implement a workflow that is automated and transparent and reliable. That's our main task here."

C2PA certification, then, can take two forms, in terms of the entity being identified. One would be the device used to create the content, like a Sony or Panasonic camera. "Whenever you make a recording with that camera, the output contains two C2PA signatures with that certificate." This also applies to software used to edit or modify that content, like Adobe Photoshop or Premiere Pro or OpenAI DALL-E. By including C2PA metadata, the vendor who provides the tool signals, "This is from an authentic company and we sign these pieces of content."

The other certified source, of course, would be the publisher. "These entities do not necessarily want to advertise that they're using Sony cameras or Adobe Photoshop. They want to prove, 'Hey, I'm BBC, I'm CNN, I'm Fox.' Whoever wants to prove that wants to show that this content has been authored by them. So this is the separate part where the publisher or the editorial teams want to add their signature so they also can apply for certificates. And these broadcasters are the ones we are helping to go beyond what the device manufacturers integrate so that they can add proof for their own editorial provenance."

C2PA and Live Content

It's still early days for the C2PA, and as with other nascent standards, opportunities remain to improve on the standards themselves and how they're applied and implemented. C2PA's initial focus has been on images because, as Leschinsky says, "they're the easiest to fake and the easiest to protect." The coalition has made significant inroads with publishers of on-demand video as well.

"But the huge gap we have with C2PA as a standard," according to Leschinsky, "is with live and just-in-time packaging, which are not yet supported." What's more, he says, "the way they chose to implement the hashing and cryptographical encryption makes it difficult to move that to live because" live video lacks a fixed "start or end time. It's just a continuum in which you have to somehow try to get your hashes. That's difficult, and it's currently something that is lacking in the market."

For that reason, when G&L joined C2PA, they initially focused on working with the coalition's live workflow task force. Although G&L is considerably smaller than C2PA members like Microsoft, Google, Sony, and Meta, he says, "we have a lot of experience with very difficult and very different live streaming setups, because we have seen hundreds of customer projects over the last two decades and everything is slightly different and everybody comes with a different set of requirements. With that experience, we can ask some important questions in these task forces and we can also channel demands that we get from our customers into these working groups."

G&L also brings expertise in integrating available tools into reliable streaming workflows. "Of course, customers can use the available open-source tools for C2PA signing themselves, or they can use FFmpeg for transcoding," Leschinsky concedes. "This is fun for as long as you try to work with that in the lab. But on day two, on day three, when it's Saturday evening and something goes wrong, you need a company that really takes care of that 24/7 workload and that knows what to do to make this a reliable and repeatable workflow that also works on Christmas Eve. That's where we come into play."

Next Steps for C2PA Compliance

For online video publishers looking to achieve C2PA compliance, Leschinsky says, there are a few basic steps to follow. The first is to find a vendor that creates the appropriate certificate (G&L is one such company). "Then you need to get these certificates on some kind of trust list. There are different trust lists, and it's a bit like the trust system that is built into the browsers and devices that can work with websites. There is at least one trust list that is [for those] coming from the editorial side where the broadcasters and news agencies are. If you're a device manufacturer, you want to get in the official C2PA trust list."

The next step for publishers, he says, is to figure out what kind of media content they want to support and bring into compliance with the C2PA standard. For most companies, it makes sense to start with images and photos, since those types are the most common and the easiest and quickest to implement. "It's also the part," he says, "where C2PA is most mature."

Once you get your feet wet with photos, he says, it's easier to move on to VOD, "add that to your workflow, and make a decision if you just want to use it as a signal toward your audience. Do you want to sign content that you deliver to your audience so that they can trust you, or do you do it the other way around and request from your partners that deliver content to you?"

Given that most broadcasters don't create all of their content in-house, but work with contractors that, for example, deliver news content to them from the field, proper compliance means building in an additional step so you're verifying content at its original source. "Do you, as a broadcaster, require the subcontractors to sign content themselves so that you can trust that it's coming from the source it's claiming to be coming from? Those are decisions that you have to make your mind up about. We can help you have these discussions and then make an implementation plan that creates an economical, feasible, reliable infrastructure for actually doing the assigning and the delivery of that content."
