Contributions by: Sam Gbafa (Product Prototyping), Wayne Chang (Strategy), Parke Hunter (Content & Editorial)
Picture this scenario: You're a politician running for state office. It's been a long campaign, and the polls are very close — a virtual tie. It's the night before election day when most of the ballots come in.
You get a call in the middle of the night, and it's the head of your campaign. There seems to be a fake story about you spreading like wildfire that has come out of nowhere. What's worse is that there’s also a video of you confirming and apologizing for the fake allegations spreading alongside, coming from a verified account with a name spelled in a way that looks visually identical to yours! Your campaign manager has already started damage control. You know that this will be disproven, as the allegations are obviously false. But the election is tomorrow– is there enough time? If only people could see that that apology video is fake and didn't come from your campaign. Your campaign manager asks: how should we move forward?
Enter a world with content authenticity…
In a world driven by content authenticity, there is a verifiable way to prove any content's author. In the campaign example, you would have set up a system where you registered digital credentials, including your mobile driver’s license, .gov email, and a state credential that includes your current title to create a verifiable online digital identity.
Every message, video, and post by the campaign has a small reference with it that can be retrieved and verified by platforms, allowing them to give you a special verification symbol with all of your content. Anyone can check this verification and pull down the original content you posted. Social media platforms would instantly make it clear that the apology video didn't come from your campaign. This fake story is still out there, but its power is diminished.
An Introduction to Content Authenticity
Throughout time, the ways in which we’ve encountered news and information in the media have shifted dramatically. With the proliferation of AI, social media platforms, and influencers, it’s become a challenge to weed out the truth from misinformation. Not being able to verify the legitimacy of content is problematic, especially when it comes to political news or government information, as portrayed in the example above.
Multiple organizations are currently working on tech approaches to solve this problem by adding a layer of trust and verification to the content we consume. This layer of trust and verification added to content is called content authenticity. At our core, SpruceID’s mission is to let users control their identity and personal data across the web in a way that facilitates trusted interactions. As a result, contributing to the future of content authenticity, powered by trusted digital identity, is important to us.
The Rise of Digital Content, Platforms and Publishers
From relying on a few major news providers to the rise of citizen “journalism” on social media platforms—the internet has made it easier than ever for anyone to have a global reach. With this new power, it becomes more challenging for information consumers to differentiate what is real from what is fake.
To combat this, platforms have traditionally used verification of notable figures. Tools like the Twitter Blue Checkmark or the Verified Badge on Instagram give users a clear way to know who to trust. However, there have proven to be issues with this approach, including platform risk (as seen with Twitter’s recent changes to verification), bias and discrimination (such as a political campaign being unable to make verifiable statements due to their political opinion), and legitimization of harmful entities if someone can game the verification system to post with authority. These platforms also have the power to allow verified posts to look different and appear more frequently. By modifying their platform, they can increase or decrease trust in “verified” content with their audience.
Currently, these platforms have to design and build their own verification systems, and they are not interoperable with one another. There isn’t a clear way to say that the identity of “The New York Times” on Facebook is the same as that on Twitter (besides the recognition of that entity’s name). These platforms have, in part, understood their responsibility to inform people of what can and cannot be trusted. They have done so with different approaches, including community notes on Twitter and fact-checking on Facebook.
Today, we’ve begun to see political figures address the danger of deepfakes and the need for a solution to AI-generated content. On October 30th, 2023, President Joe Biden spoke out about signing an executive order on artificial intelligence, which is the first of its kind for the U.S. Government. He stated:
“With AI, fraudsters can take a 3-second recording of your voice can generate an impersonation good enough to fool you; it’s mindblowing…I said, ‘when the hell did I say that?’”
With an open executive order calling for technology to solve this problem of verifying who is saying what, this currently remains a pressing issue. We believe that one way to approach this issue is by introducing a way to verify who posted what content by tying said content to the poster’s verifiable identity using digital credentials.
SpruceID Proof of Concept
In order to demonstrate a potential solution for content authenticity, we created a proof-of-concept using our SpruceKit open-source libraries. We recently presented this proof-of-concept in Washington D.C. at D.C. Fintech Week to show what a solution could hypothetically look like. Here, we’ll break down the technology in our proof-of-concept and describe how these tools can be used to verify content and build trust across all platforms.
Key SpruceKit Components for Content Authenticity
This proof of concept uses the following technologies we’ve developed as part of SpruceKit, our open-source libraries. We will reference these tools in our walkthrough below:
SpruceID Libraries used in this demo:
Rebase is a tool that allows you to run a credential issuer. Rebase lets you run a witness that can programmatically examine multiple proofs from someone requesting a credential, verify those proofs, and then issue a credential.
Kepler is a data storage system where you permission who has access to this data with your Ethereum keys. You sign in with your Ethereum keys, and that signature permits the app you are using to access and store data.
Other technologies used:
Ethereum Attestation Service is an infrastructure for making attestations on or off of a blockchain about anything. We use it as a place to make attestations.
Base is the blockchain we are using for this demo. It allows for low-cost attestations (100s of attestations per dollar). Someone must pay this fee for a transaction to be posted as a public blockchain.
IPFS and web3.storage are tools we use to store and retrieve data verifiably. IPFS summarizes the file into a Content ID, which can then be used to retrieve that file. It does this in a way so that it’s verifiable that the file you upload is the file you retrieve. We use web3.storage as an easy way to interact with the IPFS network.
Content Authenticity in Action
In this walkthrough, we’ll break down how to both create and verify Content Authenticity claims in order to make a statement or claim and then “stamp” that claim (with a high assurance credential such as a mobile driver’s license or a .gov email) so that your audience can be confident that it was you who made it.
1) Account Setup and Adding Credentials
When you land on the Content Authenticity page, you can either create a Content Authenticity claim or verify one. First, let’s create a claim.
To create a Content Authenticity claim, you will first need to sign in. We use Sign-in with Ethereum to connect to Kepler in order to store and retrieve data associated with our account. This data includes the credentials we have and any files we have uploaded.
If this is your first time interacting with your account, you’ll need to create a data vault with Kepler (our data storage system). This second signature request creates a place where your data is stored.
If you have no credentials, you can easily create them. Our Rebase issuer powers the process of creating credentials. To create a credential, select “issue first credential,” and you’ll be taken to the following page.
From here, we'll choose the Email credential.
In the process of adding a credential, you prove two things:
1) you are in control of the keys you want to associate with the email
2) You control the email you want to associate with the keys.
If both of these are verified by the witness, then it will issue you a credential. Going through the steps here proves these things to the witness. In step 1, you say what email you’ll be using. Step 2 prompts you to sign a message with the email and Ethereum public key in it. This message and signature are cryptographically verifiable, and the witness checks that. Lastly, you are sent an email with a unique challenge to the email provided. If you have control of this email account, you can respond to the challenge correctly. Providing this proves access to the email. Once proven, the witness will issue you a credential that says your email is the same as your Ethereum public key. This credential is an important pillar in our content authenticity solution, as it anchors the cryptographic signer to other identities.
Once they are added, any credentials you have, such as your Twitter handle, email address, etc. will be displayed under the Credential section below.
In this example, the issuer is the Spruce Rebase Demo Witness, but there can be many other credential issuers, including your organization, your government, or a club you are a part of. These credential issuers may have other requirements besides the simple proofs to issue an email credential. Our demo trusts credentials issued by the Spruce Rebase Demo Witness, but ultimately, a user may have different trust models, such as trusting an issuing key that belongs to the New York Times or the California DMV.
2) Upload Your Content
Upload a file to IPFS and get its content identifier to accompany your claim. This identifier is both a cryptographic hash of the content and a way to retrieve the content from the IPFS network. Anything uploaded is public and irreversible.
Select the file, and then you can make claims about that content.
3) Make a Claim About Your Content
Once you have your credentials and have uploaded the content you want to make a claim about, you can use this tool to make those claims!
First, select the credentials you want to use in order to make a claim. I’ll select my GitHub and email accounts.
Then, you select the file you want to make a claim about.
This flow supports Content Credentials, an effort by the Coalition for Content Provenance and Authenticity to develop technical standards for certifying media content's source and history (or provenance). Some hardware and software support content credentials, which prove the source and modifications to an image. You can export those and add them as part of this optional step. Depending on the use case, having that cryptographic verification of where an image came from is just as necessary as who is posting it.
The uploader can add additional claims you want to make regarding the image. This example demonstrates making a claim about the SpruceID logo.
Review and submit the transaction to the blockchain. This page lets you preview the data and submit it to the blockchain. You can go back and fix any errors. Once it’s submitted, it can never be undone. It will be public and permanent.
4) Verifying a Claim
You'll be sent to the verification page once a content authenticity claim has been posted. This page is the public page that others see when examining this content.
This page verifies the data and includes cryptographic checks about the credentials, the issuer of those credentials, and the identity of the poster of the claim to ensure they all add up. It also retrieves and displays the content so you can see the content about which a claim was made.
Watch a Demo
This demo walks you through the same steps above to recap how one would create and verify content authenticity claims.
What’s next for Content Authenticity?
From the increasing need for solving content trust and verification to our hypothetical example of how this problem could be addressed today, it’s difficult to say exactly how the world will tackle this complex problem. SpruceID has the knowledge and expertise to help tie provable high-assurance identity attributes (such as a mobile driver’s license) into content that is put out to the public in order to elevate the level of trust in the person or entity making the statement. Empowering users to control their identity and personal data across the web is woven into our DNA. We’re excited to share this proof-of-concept to help shape a future with trusted identity and interactions online.
About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.