Trusting digital images to not be fake or altered

I’m working on a solution for first responders to be able to take images that efficiently hold up in a legal setting, which may be a common problem in the future.

It’s 2020 and there’s a multitude of ways to create fake photos, for different purposes, many of which look convincingly real. Here are some examples.

There’s Rosebud AI, which can dynamically edit stock photos or models.

 
rosebudai.png
 

There’s Nvidia’s StyleGAN implementation, which can generate images of people (or things) with target qualities (gender, race, age, etc). You can see a live demo of it at thispersondoesnotexist.com (or perhaps a more popular version: thiscatdoesnotexist.com).

 
Screen Shot 2020-02-02 at 8.37.09 PM.png
 

And my favorite. Bill Hader turns into Arnold Schwarzenegger.

 
 

What about in a legal setting

Will digitally faked or altered photos become a common issue in legal environments, if not already?

I don’t believe it is *currently* a common issue, but there are concerns it could be in the near future.

I’m participating in a team competing in one of NIST’s $2.2M TechToProtect competitions, which solicits solutions for first responders to be able to take photos on a smart phone that can efficiently be proven authentic later in a legal setting. As of this writing, we are finalists in the competition.

There are a number of tricky challenges a good solution needs to address.

  • Anyone can download a camera app and run it in an emulator to trick it into taking fake photos.

  • Any “secure” photo produced needs to be verified later in different environments.

  • How is the photo “secure”? E.g. simply adding a watermark is not sufficient.

  • Can legal professionals understand it? Even if it’s perfectly “secure” solution, if it confuses people, it’s useless.

Our solution

We developed a camera app that cryptographically signs the photos it takes. A public website can be used to verify the photo in any environment with an internet connection.

The public website has a FIDO2 server, which the app needs to register with before hand. This registration is vetted and requires some out-of-band authentication, such as the agency posting a proof on it’s .gov website. This prevents anyone from using the app to produce “secure” photos, and restricts to first responders.

The cryptographic key is generated in the app at registration, and stored in the mobile phones hardware-based key storage (like the secure enclave on iPhone). This prevents the key from being copied outside of the app.

The signature of the photo is stored in the EXIF (metadata) of the photo itself. This allows the photo to be as portable as any JPEG. Our website simply gets the hash and signature from the photo and sends to the FIDO2 server for validation.

Screen Shot 2020-02-03 at 11.32.58 AM.png

The FIDO2 authentication protocol is used for signing and verification, which makes the solution easier to audit and certify to have a high security assurance, which can then assure legal professionals.

Next steps

We’ve made a lot of progress and have earned about $20k in contest winnings so far, but we currently have 0 users.

If you have any interest in making photos or video more authentic, or know someone that is, please reach out! My team and I want to make a real impact.

/

Stay updated and subscribe.