COMMENTARY: Artificial intelligence (AI) has obliterated the distinctions between reality and fiction, driving an arms race of fraud. With
GenAI technologies readily available to scammers, hyper-real deepfakes and AI-generated content all contribute to an escalation of sophisticated digital fraud with far-reaching implications for businesses, governments, and individuals.
According to the 2025 Identity Fraud Report, digital forgeries account for
57% of all document fraud, representing a 244% increase over the past year and a 1,600% rise since 2021.
[
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Institutions and individuals are challenged today to uphold trust, truth, and transparency in digital content. The Coalition for Content Provenance and Authenticity (
C2PA) represents a collaborative effort by media and technology organizations to address this challenge of ensuring trust in digital content. The C2PA standard offers a way to verify the
provenance, or origins, of the information, as well as modifications to the digital content throughout its lifecycle.
How C2PA works
When a piece of digital media, such as a photo snapped by a C2PA-enabled camera, has
content credentials attached to it, information regarding its source (location, date, and author) is cryptographically sealed together in a tamper-evident manifest tied to that item of media for its entire lifespan. If the content gets edited afterwards (touched up in Photoshop), those edits are recorded and appended to the file's history, building a complete and transparent record.
Once the content gets published or shared, anyone can verify its origin by playing it back using a C2PA-compatible player: it’s as simple as clicking on the “content credentials” pin.
Each piece of content — be it a video, image, or news report — can hold a content credential, a secure piece of
metadata that gives answers to vital questions, such as the creator of the content, its origin and whether it's been modified since, and whether the content adheres to its initial description. However, the metadata itself cannot simply solve matters of provenance, as it’s possible to strip it away either by mistake or design. For instance, taking a screen capture can strip away the metadata. On the other hand, validation checks can identify any stripping of metadata contained within a manifest.
Fundamental mechanisms of C2PA
Here are the essential elements of C2PA:
Provenance metadata: C2PA integrates
metadata into digital content that records the content's origin, creation tools, and any subsequent edits or modifications. Every action on the content creates a cryptographically signed “manifest” that’s chained to the media to ensure its authenticity and integrity.
Tamper evidence: C2PA standards incorporate verification tools that let users authenticate that the embedded metadata has not been altered. The system can alert users to any change in the media or its provenance data that breaks the cryptographic seal, indicating potential manipulation.
Content credentials: C2PA offers details of the digital asset through a content credentials icon. Users can click this icon to see the full edit history and source details, which lets them assess the content’s credibility.
Interoperability: C2PA was designed as platform- and system-interoperable, which lets organizations easily adopt the standard within their existing asset management infrastructure and processes.
Failsafe: If provenance information gets maliciously or inadvertently tampered with, C2PA recovers it by comparing embedded data to the original manifest.
How C2PA can balance privacy with transparency
C2PA integrates several privacy-preserving methods that let content creators disclose provenance information on a selective basis without compromising the transparency of digital content verification. The standard lets users assure the authenticity of digital material without being compelled to divulge sensitive information, such as the creator's identity.
It also allows selective disclosure to creators and publishers to control the amount of provenance information included while maintaining content authenticity. It supports redaction for users with specific privacy needs, allowing the exclusion of certain metadata without compromising the integrity of the remaining data on provenance. Alternatively, users can employ cryptographic signatures to not reveal personal information.
C2PA lets users see the actions performed on an image before it’s shared online. Armed with that information, they can decide on the image's authenticity. C2PA was not intended as a fact-checking tool to determine whether an image is real or not. For instance, an AI tool supported by content credentials can attest that the image was created using AI. Any subsequent edits to the image using C2PA-enabled editing software tools would also be captured. This makes the users progressively better informed to form their own conclusions and opinions regarding the authenticity of the content, but not to judge it as real or fake.
Why organizations should adopt C2PA
The deluge of AI-created content including deepfakes has increasingly eroded user trust in what they see and hear in mobile apps and on the web. Consequently, when actual authentic content containing useful information appears online, people will increasingly question its authenticity. C2PA offers a framework through which users can verify digital content to confirm that the provenance information is tamper-free from creation until publication: it’s how we can preserve trust in digital information.
When something gets labeled as “authentic” or “verified,” it often receives undue trust — even if it’s incorrect, misleading, or harmful.
C2PA introduces a significant layer of transparency; however, it can also create a misleading sense of security if users blindly accept credentials. Here are some potential risks:
Account breaches: A malicious individual could infiltrate a legitimate creator’s account and share deceptive or fake content — complete with credentials.Exploitation of AI training: Adversaries might train generative AI models solely on C2PA-verified media to create fakes that can deceive basic provenance checks.Provenance piggybacking: Attackers can layer deepfakes over authentic, credentialed backgrounds, creating a façade of legitimacy. Over-reliance on the signal of authenticity becomes a classic false positive issue — where trusted markers are mistaken for trustworthy content. While C2PA offers a robust foundation, true resilience necessitates a multi-faceted defense: user education, platform accountability, and continuous skepticism.
The C2PA specifications mandate the inclusion of provenance metadata in digital content that can help organizations combat misinformation, practice transparency, and guarantee the trustworthiness of their content. The advantages outweigh the downside issues with this method. As digital content becomes increasingly central to business and communication, the C2PA standard adoption promises to become instrumental for organizations that uphold the highest form of content integrity.
Perry Carpenter, chief human risk management strategist, KnowBe4SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
