If you have spent any time on social media in the past few years, you are already aware of the growing issue with media attribution and provenance. The feeds are flooded with AI-generated content, voices that sound remarkably similar to real people, videos of fabricated events, and entire personas constructed solely from pixels. While some of this content is harmless and even amusing, a significant portion has real-world consequences.
I am not writing this article to warn about the dangers of deepfakes or AI-generated content. Plenty of articles have already been published discussing those dangers and how they might be addressed. My purpose is to highlight a fundamental flaw in the current approach to this problem and to draw attention to a crucial standard being quietly developed that could have a profound impact in this area. That standard is called C2PA, and it is gaining attention across the industry as a foundation for media attribution and provenance.
This article marks the beginning of a series titled “Modern Day Provenance.” Over the next few weeks, I will dive into the intricacies of C2PA, its developers, its limitations, and its implications for individuals working in the field of digital trust and media generation.
So what are we actually facing?
In a nutshell, we have lost the ability to trust what we see and hear online, and this loss has accelerated faster than anyone could have anticipated.
This is not a new phenomenon. People have been faking photographs since the 1800s, and editing and manipulation tools have been around for more than 30 years. Along the same lines, misinformation was circulating on social platforms long before the advent of generative AI. What sets this moment apart is the simultaneous advancement in three key areas.
First, the cost of generating synthetic media has plummeted. Tools that once required access to a research lab can now run on a laptop or mobile device. Second, the quality of these tools has reached a point where it is difficult for the average person to distinguish real media from synthetic. In fact, a 2025 iProov study found that only 0.1 percent of participants could reliably distinguish the real media from the synthetic media presented during the study. Third, distribution channels have become global and instantaneous, allowing synthetic media to reach millions of people before anyone can even question its origin.
Unfortunately, the statistics support this alarming trend. Pindrop reported a staggering 680 percent year-over-year increase in voice deepfake attacks in 2025. Modern voice cloning tools can replicate a voice from just three seconds of audio. Resemble AI tracked 487 verified deepfake incidents in the second quarter of 2025. By the third quarter, that number had risen to over 2,000. The European Parliamentary Research Service estimated that the volume of deepfake videos online surged from approximately 500,000 in 2023 to around 8 million in 2025. Regardless of your perspective on this issue, it is progressing at a pace that surpasses even the most pessimistic projections.
One of the most widely discussed and impactful examples of this phenomenon was the Hong Kong incident in early 2024. A finance employee at a multinational firm joined a video call with what appeared to be the company’s CFO and several colleagues. The CFO instructed the employee to wire approximately 25 million dollars to a series of accounts. Every other participant on the call was synthetically generated. The convergence of social engineering and generative AI represents one of the most critical security risks we face in the enterprise environment today.
This problem is not theoretical or hypothetical; it is a reality that has already emerged and is predicted to grow both in pace and complexity.
We cannot ignore it. We have to act now. Every system we build today without thinking about provenance is one we will be retrofitting tomorrow.
Can we just invest in detection technology?
This is a valid question, and I wish it were that easy. The first instinct is to ask whether we can build better detectors. If AI can create synthetic media, surely AI can detect it. That is the obvious answer, but it is also the wrong one.
I want to be careful here. I am not saying detection is useless and does not work. In fact, I am saying the opposite. There are smart people building detection tools, algorithms, and processes, and their work is valuable. However, detection alone can’t solve this problem. The more I have researched, the more I am convinced that basing the future of media attribution and provenance on detection alone is a losing strategy and a massive risk.
First, generative models are improving faster than detection models. Every technique a detector learns to spot synthetic media is fed back into the next round of training data for the generators. It is an arms race where the offense has structural advantages over the defense, and the gap is widening, not closing.
Second, even world-class detection fails at scale. If a detector is 99 percent accurate and the volume of synthetic media is on the order of millions, the 1 percent that slips through is still enormous, and it carries real consequences for the general public and society.
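To make the scale problem concrete, here is a minimal back-of-the-envelope sketch in Python. The detector accuracy and the volumes are illustrative assumptions, not measured figures:

```python
# Back-of-the-envelope math on detection at scale.
# All numbers below are illustrative assumptions.

synthetic_volume = 8_000_000      # rough 2025 deepfake-video estimate cited above
miss_rate = 0.01                  # a hypothetical detector that is 99 percent accurate

missed = synthetic_volume * miss_rate
print(f"Convincing fakes that evade detection: {missed:,.0f}")
# Convincing fakes that evade detection: 80,000

# The mirror problem: even a small false-positive rate wrongly flags
# real media when the volume of genuine content is in the billions.
real_volume = 1_000_000_000       # hypothetical volume of genuine media
false_positive_rate = 0.01
print(f"Genuine items wrongly flagged: {real_volume * false_positive_rate:,.0f}")
# Genuine items wrongly flagged: 10,000,000
```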
Third, and most importantly, detection only works after distribution. By the time something is flagged as fake, people have already seen it, shared it, and absorbed it into their existing beliefs. The damage is done before the verdict comes in. You can’t un-see a video or un-hear a voice clip. The cycle is over before the detector finishes thinking.
Let me be clear: nothing is perfect, and I have been around long enough to know that. I have seen many technical promises, and I have seen those promises fail. It will take a coordinated effort of detection, tagging, signing, validation, and, most importantly, education to combat the risks associated with synthetic media.
With that said, detection plays a very large role in that effort, but it is not the answer for the future of media attribution and provenance.
Why is this such a problem?
Two legal scholars, Bobby Chesney and Danielle Citron, wrote a paper back in 2019 in the California Law Review in which they coined the term “liar’s dividend.” The argument is uncomfortable, and once you see it, you cannot unsee it.
As the public becomes more aware that deepfakes exist and are convincing, bad actors gain a new tool. They can claim that real evidence is fake. The skepticism people develop in response to synthetic media becomes something that anyone shameless enough can exploit.
This is the part of the problem detection cannot fix, no matter how good it gets. If anything, the better detection gets, the more credible it becomes for a liar to claim that detection failed in their specific case. The very awareness of the problem becomes the cover for the lie.
Step back from the technology for a minute and think about what this means for how a society functions. Courts depend on evidence. Journalism depends on sources. Insurance depends on documentation. Elections depend on a shared record of what candidates have actually said. Every one of those institutions runs on the assumption that there is a baseline of evidence everyone can agree exists, even if they disagree about what it means.
Take that baseline away and you do not just have more misinformation.
You have a society where any inconvenient fact is deniable, and any uncomfortable truth can be dismissed by waving a hand and saying “AI.” That is the consequence. Not just bad content on social media, but the slow erosion of the foundations that institutions across the world rely on to function.
If detection is not the answer, what is?
Once you accept that detection is not the answer, the question reframes itself. It is not “How do we spot what is fake?” It is “How do we prove what is real?”
That sounds like a small change, but do not be fooled. It is not.
Detection is a defensive posture. You sit and wait for synthetic media to arrive, and then act upon it. Proving what is real is an offensive posture. At the moment of creation, you attach a record of where it came from, who made it, what tools were used, and what has been done to it since. The record travels with the file. Anyone can verify it, and anyone can see if it has been tampered with. That concept has a name. It is called provenance.
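To make the pattern concrete, here is a minimal Python sketch of the underlying idea, using the widely available cryptography library: the creator signs a small record bound to the media’s hash, and anyone holding the public key can later check that neither the file nor the record has changed. This is a conceptual illustration under simplified assumptions (a raw Ed25519 key pair, a hypothetical creator and tool name), not the actual C2PA format, which uses X.509 certificates and a much richer manifest:

```python
import hashlib
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519

# At creation time: the capture device or editing tool signs a provenance record.
private_key = ed25519.Ed25519PrivateKey.generate()
public_key = private_key.public_key()

media_bytes = b"...raw image bytes..."              # stand-in for the actual file
record = {
    "creator": "Example News Desk",                 # hypothetical creator
    "tool": "example-camera-firmware/1.0",          # hypothetical tool
    "media_sha256": hashlib.sha256(media_bytes).hexdigest(),
}
signature = private_key.sign(json.dumps(record, sort_keys=True).encode())

# Later, anywhere: a viewer verifies that the record still matches the file.
def verify(media: bytes, record: dict, signature: bytes) -> bool:
    if hashlib.sha256(media).hexdigest() != record["media_sha256"]:
        return False                                # the media was altered
    try:
        public_key.verify(signature, json.dumps(record, sort_keys=True).encode())
        return True
    except InvalidSignature:
        return False                                # the record was altered

print(verify(media_bytes, record, signature))       # True
print(verify(b"tampered bytes", record, signature)) # False
```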
Provenance is not new. It has been the backbone of authenticity in the physical world for as long as anyone has cared about authenticity at all. Courts use it to establish chain of custody for evidence. Art galleries use it to separate a real Picasso from a forgery. Sports memorabilia markets live or die on it. The value of a signed Mickey Mantle baseball is not in the ball; it is in the paper trail that proves Mantle actually signed it.
What is new is making provenance work for digital media at scale. That is the technical problem the next several years are going to be spent solving. To be clear: provenance does not declare content true. A signed record from a legitimate news organization can still describe events incorrectly, or a signed photograph can still be staged. What provenance offers is something narrower and more useful than truth. It offers reliable information about origin. The viewer is still free to absorb the content and decide its credibility for themselves. That part is fundamental. All we are doing is attesting to how the media was created or modified.
The goal is simple. Stop trying to detect what is synthetic and start making it possible to prove what is real.
So what is C2PA?
C2PA stands for the Coalition for Content Provenance and Authenticity.
It was founded in February 2021 by Adobe, Arm, BBC, Intel, Microsoft, and Truepic, and operates as a project of the Joint Development Foundation under the Linux Foundation. It publishes an open, royalty-free technical specification for attaching cryptographically verifiable provenance metadata to digital media.
Before going any further, there are three names that come up constantly in this space and it is worth taking a minute to sort out how they relate, because the relationships are easy to get tangled.
The first is C2PA itself. That is the standards body and the technical specification. It is the part that defines, in detail, how a signed provenance record actually gets attached to a piece of digital media. If you want to know exactly what is in a manifest, what algorithms are allowed, or how a signature is validated, you are reading C2PA documentation. It is the technical spine of the whole effort.
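As a rough illustration of that spine, a manifest bundles assertions about the media (what actions were taken, what tool made them), a claim that binds those assertions to the file’s hash, and a signature over the claim. The sketch below renders that shape as a Python dictionary. The field names are descriptive stand-ins rather than the wire format, since the real manifest is a CBOR-encoded structure signed with COSE:

```python
# A heavily simplified, illustrative rendering of what a C2PA manifest conveys.
# Field names here are descriptive stand-ins; the actual specification defines
# a CBOR-encoded structure signed with COSE and embedded in the media file.
manifest = {
    "claim_generator": "example-editor/1.0",        # hypothetical signing tool
    "assertions": [
        # "c2pa.actions" and "c2pa.created" are real assertion names in the spec
        {"label": "c2pa.actions", "data": {"actions": [{"action": "c2pa.created"}]}},
    ],
    "claim": {
        "media_hash": "sha256 digest binding the manifest to the file bytes",
    },
    "signature": "COSE signature over the claim, chained to a trusted certificate",
}
```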
The second is the Content Authenticity Initiative, almost always shortened to CAI. CAI is the cross-industry community that grew up around this work, founded by Adobe in 2019, before C2PA itself was formalized. While C2PA defines the standard, CAI is the group that actually drives adoption. They build open-source tooling, run outreach to creators and publishers, push the ecosystem to implement the spec, and generally do the unglamorous work of getting a standard from “published” to “actually used.”
The third is Project Origin, which most people have not heard of unless they are deep in the weeds. Project Origin was an earlier effort focused specifically on content provenance for journalism. Its work fed into what eventually became C2PA. You do not need to remember much about it, but if you see the name, that is the context.
Since launch, the C2PA ecosystem has expanded well beyond its founding members. Major media organizations, hardware manufacturers, generative AI platforms, and certificate authorities are all participating now. SSL.com is among them, and was the first publicly trusted CA in the C2PA ecosystem, issuing the certificates that signers use to bind verifiable provenance to the media they create or modify. Active work in the standards body covers everything from hardware-level capture to generative AI labeling to validation tooling for publishers and platforms.
So what is next?
So you are probably sitting there thinking, “OK, you laid out the problem. How does C2PA actually fix it?” That is exactly what the rest of this series will work through, building from the technical foundation up to the messy reality of adoption. If you are operating or building systems where trust matters, stick with me. By the end you will have what you need to make real decisions about where C2PA fits in your own work.
Next in the series: Part 2, The Anatomy of a C2PA Manifest →