Social Media Provenance Challenge (www.tbray.org)

A practical provenance system — illustrated by the “Nadia” vignette — would add C2PA-backed signatures to images at upload so viewers see a visible badge and can verify who posted a file and when. Signed media retains a tamper-evident assertion (e.g., cawg.social_media for “Who” and c2pa.time-stamp for “When”) and shows a Cr badge in apps; altered pixels, stripped metadata, or reposts without valid signatures remove or change that badge and make misattribution and tampering easy to spot. The user story shows how provenance reduces misinformation and affects virality: authenticators get trusted, sloppy re-posters lose credibility, and more sophisticated attackers have to work harder to spoof provenance. Technically this is achievable with existing building blocks: embed C2PA assertions and sign them with the host’s TLS private key (the server’s PKIX cert), validate with PKIX/trust-store libraries, and parse assertions with C2PA libraries (e.g., c2pa-rs). Key gaps are policy/spec decisions (how to accept non‑publisher TLS certs vs a Verified Publishers list), modest server tooling (Nginx/Apache signing hooks), and UX for “Sign this image?”. For AI/ML, reliable provenance improves dataset integrity, provenance-based filtering of training data, and automatable detection of multi-signed or tampered media — a practical, near-term defense against deepfakes and coordinated misinformation.