Digital signature as a means of non repudiation is exactly the way this should be done. Any official docs or releases should be signed and easily verifiable by any public official.
Technology
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
Would someone have a high level overview or ELI5 of what this would look like, especially for the average user. Would we need special apps to verify it? How would it work for stuff posted to social media
linking an article is also ok :)
Depending on the implementation, there are two cryptographic functions that might be used (perhaps in conjunction):
-
Cryptographic hash: An arbitrary amount of data (like a video file) is used to create a “hash”—a shorter, (effectively) unique text string. Anyone can run the file through the same function to see if it produces the same hash; if even a single bit of the file is changed, the hash will be completely different and you’ll know the data was altered.
-
Public key cryptography: A pair of keys are created, one of which can only encrypt data (but can’t decrypt its own output), and the other, “public” key can only decrypt data that was encrypted by the first key. Users (like the White House) can post their public key on their website; then if a subsequent message purporting to come from that user can be decrypted using their public key, it proves it came from them.
a shorter, (effectively) unique text string
A note on this. There are other videos that will hash to the same value as a legitimate video. Finding one that is coherent is extraordinarily difficult. Maybe a state actor could do it?
But for practical purposes, it'll do the job. Hell, if a doctored video with the same hash comes out, the White House could just say no, we punished this one, and that alone would be remarkable.
Finding one that is coherent is extraordinarily difficult.
You’d need to find one that was not just coherent, but that looked convincing and differed in a way that was useful to you—and that likely wouldn’t be guaranteed, even theoretically.
The best way this could be handled is a green check mark near the video that you could click on it and it would give you all the meta data of the video (location, time, source, etc) with a digital signature (what would look like a random string of text) that you could click on and your browser would show you the chain of trust, where the signature came from, that it's valid, probably the manufacturer of the equipment it was recorded on, etc.
it would potentially be associated with a law that states that you must not misrepresent a “verified” UI element like a check mark etc, and whilst they could technically add a verified mark wherever they like, the law would prevent that - at least for US companies
it may work in the same way as hardware certifications - i believe that HDMI has a certification standard that cables and devices must be manufactured to certain specifications to bear the HDMI logo, and the HDMI logo is trademarked so using it without permission is illegal… it doesn’t stop cheap knock offs, but it means if you buy things in stores in most US-aligned countries that bear the HDMI mark, they’re going to work
There’s already some kind of legal structure for what you’re talking about: trademark. It’s called “I’m Joe Biden and I approve this message.”
If you’re talking about HDCP you can break that with an HDMI splitter so IDK.
i wouldn’t say signature exactly, because that ensures that a video hasn’t been altered in any way: no re-encoded, resized, cropped, trimmed, etc… platforms almost always do some of these things to videos, even if it’s not noticeable to the end-user
there are perceptual hashes, but i’m not sure if they work in a way that covers all those things or if they’re secure hashes. i would assume not
perhaps platforms would read the metadata in a video for a signature and have to serve the video entirely unaltered if it’s there?
You don't need to bother with cryptographically verifying downstream videos, only the source video needs to be able to be cryptographically verified. That way you have an unedited, untampered cut that can be verified to be factually accurate to the broadcast.
The White House could serve the video themselves if they so wanted to. Just use something similar to PGP for signature validation and voila. Studios can still do all the editing, cutting, etc - it shouldn't be up to the end user to do the footwork on this, just for the studios to provide a kind of 'chain of custody' - they can point to the original verification video for anyone to compare to; in order to make sure alterations are things such as simple cuts, and not anything more than that.
I have said for years all media that needs to be verifiable needs to be signed. Gpg signing lets gooo
Very few people understand why a GPG signature is reliable or how to check it. Malicious actors will add a "GPG Signed" watermark to their fake videos and call it a day, and 90% of victims will believe it.
As soon as VLC adds the gpg sig feature, it's over.
No, it's not. People don't use VLC to watch misinformation videos. They see it on Reddit, Facebook, YouTube, or TikTok.
Huh. They actually do something right for once instead of spending years trying to ban A.I tools. I'm pleasantly surprised.
Bingo. If, at the limit, the purpose of a generative AI is to be indistinguishable from human content, then watermarking and AI detection algorithms are absolutely useless.
The ONLY means to do this is to have creators verify their human-generated (or vetted) content at the time of publication (providing positive proof), as opposed to attempting to retroactively trying to determine if content was generated by a human (proving a negative).
I don't blame them for wanting to, but this won't work. Anyone who would be swayed by such a deepfake won't believe the verification if it is offered.
I don't think that's what this is for. I think this is for reasonable people, as well as for other governments.
Besides, passwords can be phished or socially engineered, and some people use "abc123." Does that mean we should get rid of password auth?
Yeah good luck getting to general public to understand what “cryptographically verified” videos mean
The general public doesn't have to understand anything about how it works as long as they get a clear "verified by ..." statement in the UI.
Democrats will want cryptographically verified videos, Republicans will be happy with a stamp that has trumps face on it.
It could work the same way the padlock icon worked for SSL sites in browsers back in the day. The video player checks the signature and displays the trusted icon.
the technology to do this has existed for decades and it's crazy to me that people aren't doing it all the time yet
You mean to tell me that cryptography isn't the enemy and that instead of fighting it in the name of "terrorism and child protection" that we should be protecting children by having strong encryption instead??
I'm sure they do. AI regulation probably would have helped with that. I feel like congress was busy with shit that doesn't affect anything.
I salute whoever has the challenge of explaining basic cryptography principles to Congress.
I see no difference between creating a fake video/image with AI and Adobe's packages. So to me this isn't an AI problem, it's a problem that should have been resolved a couple of decades ago.
When it comes to misinformation I always remember when I was a kid I'm the early 90s, another kid told me confidently that the USSR had landed on Mars, gathered rocks, filmed it and returned to earth(it now occurs to me that this homeschooled kid was confusing the real moon landing.) I remember knowing it was bullshit but not having a way to check the facts. The Internet solved that problem. Now, by God , the Internet has recreated the same problem.
Government also puts backdoor in said math, gets hacked, official fakes released
Or more likely they will only discredit fake news and not verify actual footage that is a poor reflection. Like a hot mic calling someone a jackass, white House says no comment.
I've always thought that bank statements should require cryptographic signatures for ledger balances. Same with individual financial transactions, especially customer payments.
Without this we're pretty much at the mercy of trust with banks and payment card providers.
I imagine there's a lot of integrity requirements for financial transactions on the back end, but the consumer has no positive proof except easily forged statements.
We need something akin to the simplicity and ubiquity of Google that does this, government funded and with transparent oversight. We're past the point of your aunt needing a way to quickly check if something is obvious bullshit.
Call it something like Exx-Ray, the two Xs mean double check - "That sounds very unlikely that they said that Aunt Pat... You need to Exx-Ray shit like that before you talk about it at Thanksgiving"
Or same thing, but with the word Check, CHEXX - "No that sounds like bullshit, I'm gonna CHEXX it... Yup that's bullshit, Randy."
This is sadly necessary
So should Taylor Swift
I've been saying for a long time now that camera manufacturers should just put encryption circuits right inside the sensors. Of course that wouldn't protect against pointing the camera at a screen showing a deepfake or someone painstakingly dissolving top layers and tracing out the private key manually, but that'd be enough of the deterrent from forgery. And also media production companies should actually put out all their stuff digitally signed. Like, come on, it's 2024 and we still don't have a way to find out if something was filmed or rendered, cut or edited, original or freebooted.
If you've been saying this for a long time please stop. This will solve nothing. It will be trivial to bypass for malicious actors and just hampers normal consumers.
It's a good idea. And I hope to see more of this in other types of communications.