Media Provenance with Nostr

"You can't trust any communication anymore unless it is cryptographically signed."
— Guy Swann
With Artificial Intelligence, anything can be created and put in a video. A community called the Content Authenticity Initiative is promoting a centralized media provenance standard to address this problem.
I believe Nostr can provide a better, and decentralized, solution.
The problem
Allow me to illustrate the problem with two sample fake videos.
This is an easy one. The video is telling you that it's fake.
But what about this one?
This short YouTube video has 4M views and realizing that it is fake takes some digging around that most people don't have the time or patience for.
I know it is fake because I searched for the original Joe Rogan podcast episode with Miley Cyrus and saw that he was wearing different clothes for the interview than what this short video shows. This tells me that the two clips, although real, belong to different episodes and Joe Rogan was not making fun of Miley Cyrus.
This is an insidious video that uses two authentic clips of Joe Rogan to create a false story and rack up views.
The centralized solution
The Coalition for Content Provenance and Authenticity (C2PA) is the standards body developing the new media provenance standard. It has some heavyweights behind it: Adobe, Microsoft, Google, Amazon, Intel, ARM and lots of corporate media companies.
Which really makes me wonder: why has it not taken off?
Their solution is not a bad solution, except for one teeny tiny problem: it uses a fully centralized architecture:
- Identity is centralized with Central Authorities issuing X.509 certificates to validate the authenticity of the signature of the author.
- The information containing the provenance of a video is uploaded to the cloud repository of a provider that you, as the consumer of the video, must trust is not manipulating the information.
- The standard allows for self-signed certificates when anonymity is required, but it considers this to be an exception. As such, it restricts the use of self-signed certificates to instances where the consumer (validator) has manually imported the self-signed certificate, limiting the broad adoption of anonymous material.
To see the system in action with a picture, open the link below and click on the cr icon on the top left corner of the picture to see a pop-up menu with the provenance information. You can go a step further by clicking on the link Verify on ContentCredentials.org at the bottom of the pop-up menu.
The Nostr solution
The C2PA specification is built with one use in mind: the distribution of media from a limited set of producers (e.g., corporate media) to a large set of consumers.
The architecture implies that there will be one or two mainstream media editing applications (e.g., Adobe) and that the number of Certificate Authorities will be small. It is not meant to scale on the supply side.
This system is not built to protect the communication of regular people. They can't seriously expect regular people to pay a Central Authority to maintain their digital identity.
That's where Nostr comes in. With its decentralized and permissionless architecture, Nostr can deliver media provenance for the masses at no cost and with no central authority acting as the Ministry of Truth.
Nostr identity
The Nostr solution uses Nostr profiles as identity. You can create your profile without permission from anyone and it's your responsibility to build the reputation of that profile either face-to-face or through consistent online interactions.
The application retrieving the provenance for a video (e.g., a web browser plugin) will use Nostr to retrieve the latest kind:0 event of the author and display his or her information to the consumer of the video.
Nostr events hold media provenance data
NIP-94 defines event type kind:1063 that contains the description of a media file and a series of tags including the URL to the file, the hash of the original file and the hash of the files after processing by the server storing the media.
The Nostr version of the media editing application would upload the media to e.g. creatr.nostr.wine and publish an event kind:1063 with the URL, hash and other relevant provenance information. The event is signed by the author, cryptographically tying him or her to the media. The event would be sent to multiple relays ensuring censorship resistance.
The web browser plugin playing the media would calculate the hash and query any of the relays for an event with the tag matching the hash of the file. Alternatively, the system could also use perceptual hashes to account for clips and crops.
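The hash binding described above, as an added sketch (not code from NIP-94 or from any Nostr client): the author side builds a kind:1063 event, the validator side builds the relay query and rechecks everything a relay returns. The `verify_sig` callback (assumed to wrap a BIP-340 Schnorr library), the sample key, URL and bytes are assumptions made for this example.

```python
import hashlib
import json

def event_id(ev):
    """NIP-01 id: SHA-256 over the compact JSON array of the event fields."""
    body = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(body, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def build_file_event(pubkey, url, mime, media, created_at, caption=""):
    """Author side: unsigned kind:1063 event binding a URL to the file hash."""
    digest = hashlib.sha256(media).hexdigest()
    # "ox" equals "x" here because no server-side processing is assumed.
    ev = {"pubkey": pubkey, "created_at": created_at, "kind": 1063,
          "tags": [["url", url], ["m", mime], ["x", digest], ["ox", digest]],
          "content": caption}
    ev["id"] = event_id(ev)
    return ev  # the signer then adds "sig", a signature over ev["id"]

def relay_request(media, sub_id="provenance"):
    """Validator side: REQ asking relays for kind:1063 events tagged with this hash."""
    digest = hashlib.sha256(media).hexdigest()
    return json.dumps(["REQ", sub_id, {"kinds": [1063], "#x": [digest]}])

def validate(ev, media, verify_sig):
    """Return a list of failures; an empty list means the event vouches for `media`.

    verify_sig(pubkey, event_id, sig) -> bool is supplied by the caller.
    Relays are untrusted, so every field is rechecked locally.
    """
    problems = []
    if ev.get("kind") != 1063:
        problems.append("not a kind:1063 event")
    if event_id(ev) != ev.get("id"):
        problems.append("id does not match event contents")
    hashes = [t[1] for t in ev.get("tags", []) if len(t) > 1 and t[0] == "x"]
    if hashlib.sha256(media).hexdigest() not in hashes:
        problems.append("x tag does not match the bytes being played")
    if not verify_sig(ev.get("pubkey"), ev.get("id"), ev.get("sig")):
        problems.append("signature check failed")
    return problems

# Constructed sample data: placeholder key and bytes, not a real profile or video.
AUTHOR = "ab" * 32
VIDEO = b"constructed sample video bytes"
EVENT = build_file_event(AUTHOR, "https://media.example/clip.mp4",
                         "video/mp4", VIDEO, 1700000000)
```

Because the id is a hash over the tags, swapping the URL or the `x` tag after signing changes the recomputed id, so the original signature no longer covers the event.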
NIP-94 would need to be modified to support embedded kind:1063 events. A video like the second example above would have a kind:1063 event signed by the author and this event would contain two additional kind:1063 events, both signed by Joe Rogan, one for the video of the Miley Cyrus interview and another one for the second video.
The browser plugin could show a:
- Green icon: for signed and validated media that is fully unmodified (e.g., a full-length video created by Joe Rogan).
- Yellow icon: for signed and validated media that contains multiple clips, all signed and validated as well (like a signed version of the second video above).
- Red icon: for a non-validated media file or a signed and validated media file where not all clips are signed and validated (like the current version of the second video above).
Challenges ahead
The main challenge is adoption. As I said before, I'm surprised that the C2PA system has not taken off given who is behind it.
In my opinion, Twitter, Facebook, Threads and WhatsApp are the main distribution channels for fake videos and it will be nearly impossible to convince Elon Musk and Mark Zuckerberg to support a Nostr-based solution instead of the C2PA solution.
Let's turn the main strength of our enemy into their weakness. Let's make Nostr clients the place where you come for cryptographically signed videos.
We need three things:
- On the authentication side: a Nostr client capable of signing media files, uploading the media to the desired repository, and broadcasting the enhanced kind:1063 event to Nostr relays.
  - This could be a standalone app or a plugin for media editing software.
- On the validation side: a Nostr client capable of querying relays for kind:1063 events containing the hash of the media being played.
  - This could be a browser plugin or integrated with existing Nostr clients for a better experience.
- Relays that accept write and read actions for kind:1063 events.
A possible business model would be for the relay to charge per kind:1063 event stored (a one-time fee and a monthly fee for maintaining it). The company offering the provenance relay could provide the authentication client or could also accept write requests from FOSS authentication clients.
What do you think? Please leave your thoughts in the comments below and repost for visibility.
Recommendations
Average Gary
Gary is talking the talk and walking the walk, spreading the love of Bitcoin in Virginia through the Shenandoah Bitcoin Club.
You can follow him here.
See you again next week!
— Alejandro
This newsletter is for educational purposes. It does not represent financial advice. Do your own research before buying Bitcoin.